]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - tools/testing/selftests/bpf/test_verifier.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
[mirror_ubuntu-bionic-kernel.git] / tools / testing / selftests / bpf / test_verifier.c
CommitLineData
3c731eba
AS		 1/*
2 * Testsuite for eBPF verifier
3 *
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
9 */
5aa5bd14 10
2c460621 11#include <endian.h>
1da8ac7c
AS		 12#include <asm/types.h>
13#include <linux/types.h>
702498a1 14#include <stdint.h>
3c731eba 15#include <stdio.h>
702498a1 16#include <stdlib.h>
3c731eba 17#include <unistd.h>
3c731eba 18#include <errno.h>
3c731eba 19#include <string.h>
614cd3bd 20#include <stddef.h>
bf508877 21#include <stdbool.h>
5aa5bd14
DB		 22#include <sched.h>
23
d02d8986 24#include <sys/capability.h>
bf508877 25#include <sys/resource.h>
3c731eba 26
5aa5bd14
DB		 27#include <linux/unistd.h>
28#include <linux/filter.h>
29#include <linux/bpf_perf_event.h>
30#include <linux/bpf.h>
31
2ee89fb9
MS		 32#include <bpf/bpf.h>
33
02ea80b1
DB		 34#ifdef HAVE_GENHDR
35# include "autoconf.h"
36#else
37# if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38# define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
39# endif
40#endif
41
5aa5bd14
DB		 42#include "../../../include/linux/filter.h"
43
5aa5bd14
DB		 44#ifndef ARRAY_SIZE
45# define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
46#endif
3c731eba 47
5aa5bd14
DB		 48#define MAX_INSNS 512
49#define MAX_FIXUPS 8
fb30d4b7 50#define MAX_NR_MAPS 4
bf508877 51
02ea80b1 52#define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
614d0d77 53#define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
02ea80b1 54
3c731eba
AS		 55struct bpf_test {
56 const char *descr;
57 struct bpf_insn insns[MAX_INSNS];
5aa5bd14
DB		 58 int fixup_map1[MAX_FIXUPS];
59 int fixup_map2[MAX_FIXUPS];
60 int fixup_prog[MAX_FIXUPS];
fb30d4b7 61 int fixup_map_in_map[MAX_FIXUPS];
3c731eba 62 const char *errstr;
bf508877 63 const char *errstr_unpriv;
3c731eba 64 enum {
bf508877 65 UNDEF,
3c731eba
AS		 66 ACCEPT,
67 REJECT
bf508877 68 } result, result_unpriv;
d691f9e8 69 enum bpf_prog_type prog_type;
02ea80b1 70 uint8_t flags;
3c731eba
AS		 71};
72
48461135
JB		 73/* Note we want this to be 64 bit aligned so that the end of our array is
74 * actually the end of the structure.
75 */
76#define MAX_ENTRIES 11
5aa5bd14 77
48461135 78struct test_val {
5aa5bd14 79 unsigned int index;
48461135
JB		 80 int foo[MAX_ENTRIES];
81};
82
3c731eba
AS		 83static struct bpf_test tests[] = {
84 {
85 "add+sub+mul",
86 .insns = {
87 BPF_MOV64_IMM(BPF_REG_1, 1),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
89 BPF_MOV64_IMM(BPF_REG_2, 3),
90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
94 BPF_EXIT_INSN(),
95 },
96 .result = ACCEPT,
97 },
98 {
99 "unreachable",
100 .insns = {
101 BPF_EXIT_INSN(),
102 BPF_EXIT_INSN(),
103 },
104 .errstr = "unreachable",
105 .result = REJECT,
106 },
107 {
108 "unreachable2",
109 .insns = {
110 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
111 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
112 BPF_EXIT_INSN(),
113 },
114 .errstr = "unreachable",
115 .result = REJECT,
116 },
117 {
118 "out of range jump",
119 .insns = {
120 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
121 BPF_EXIT_INSN(),
122 },
123 .errstr = "jump out of range",
124 .result = REJECT,
125 },
126 {
127 "out of range jump2",
128 .insns = {
129 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
130 BPF_EXIT_INSN(),
131 },
132 .errstr = "jump out of range",
133 .result = REJECT,
134 },
135 {
136 "test1 ld_imm64",
137 .insns = {
138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 0),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_LD_IMM64(BPF_REG_0, 1),
143 BPF_MOV64_IMM(BPF_REG_0, 2),
144 BPF_EXIT_INSN(),
145 },
146 .errstr = "invalid BPF_LD_IMM insn",
bf508877 147 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 148 .result = REJECT,
149 },
150 {
151 "test2 ld_imm64",
152 .insns = {
153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 0),
156 BPF_LD_IMM64(BPF_REG_0, 1),
157 BPF_LD_IMM64(BPF_REG_0, 1),
158 BPF_EXIT_INSN(),
159 },
160 .errstr = "invalid BPF_LD_IMM insn",
bf508877 161 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 162 .result = REJECT,
163 },
164 {
165 "test3 ld_imm64",
166 .insns = {
167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 0),
171 BPF_LD_IMM64(BPF_REG_0, 1),
172 BPF_LD_IMM64(BPF_REG_0, 1),
173 BPF_EXIT_INSN(),
174 },
175 .errstr = "invalid bpf_ld_imm64 insn",
176 .result = REJECT,
177 },
178 {
179 "test4 ld_imm64",
180 .insns = {
181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
182 BPF_EXIT_INSN(),
183 },
184 .errstr = "invalid bpf_ld_imm64 insn",
185 .result = REJECT,
186 },
187 {
188 "test5 ld_imm64",
189 .insns = {
190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
191 },
192 .errstr = "invalid bpf_ld_imm64 insn",
193 .result = REJECT,
194 },
728a853a
DB		 195 {
196 "test6 ld_imm64",
197 .insns = {
198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
199 BPF_RAW_INSN(0, 0, 0, 0, 0),
200 BPF_EXIT_INSN(),
201 },
202 .result = ACCEPT,
203 },
204 {
205 "test7 ld_imm64",
206 .insns = {
207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
208 BPF_RAW_INSN(0, 0, 0, 0, 1),
209 BPF_EXIT_INSN(),
210 },
211 .result = ACCEPT,
212 },
213 {
214 "test8 ld_imm64",
215 .insns = {
216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
217 BPF_RAW_INSN(0, 0, 0, 0, 1),
218 BPF_EXIT_INSN(),
219 },
220 .errstr = "uses reserved fields",
221 .result = REJECT,
222 },
223 {
224 "test9 ld_imm64",
225 .insns = {
226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
227 BPF_RAW_INSN(0, 0, 0, 1, 1),
228 BPF_EXIT_INSN(),
229 },
230 .errstr = "invalid bpf_ld_imm64 insn",
231 .result = REJECT,
232 },
233 {
234 "test10 ld_imm64",
235 .insns = {
236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
238 BPF_EXIT_INSN(),
239 },
240 .errstr = "invalid bpf_ld_imm64 insn",
241 .result = REJECT,
242 },
243 {
244 "test11 ld_imm64",
245 .insns = {
246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
248 BPF_EXIT_INSN(),
249 },
250 .errstr = "invalid bpf_ld_imm64 insn",
251 .result = REJECT,
252 },
253 {
254 "test12 ld_imm64",
255 .insns = {
256 BPF_MOV64_IMM(BPF_REG_1, 0),
257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
258 BPF_RAW_INSN(0, 0, 0, 0, 1),
259 BPF_EXIT_INSN(),
260 },
261 .errstr = "not pointing to valid bpf_map",
262 .result = REJECT,
263 },
264 {
265 "test13 ld_imm64",
266 .insns = {
267 BPF_MOV64_IMM(BPF_REG_1, 0),
268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
270 BPF_EXIT_INSN(),
271 },
272 .errstr = "invalid bpf_ld_imm64 insn",
273 .result = REJECT,
274 },
3c731eba
AS		 275 {
276 "no bpf_exit",
277 .insns = {
278 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
279 },
280 .errstr = "jump out of range",
281 .result = REJECT,
282 },
283 {
284 "loop (back-edge)",
285 .insns = {
286 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
287 BPF_EXIT_INSN(),
288 },
289 .errstr = "back-edge",
290 .result = REJECT,
291 },
292 {
293 "loop2 (back-edge)",
294 .insns = {
295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
298 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
299 BPF_EXIT_INSN(),
300 },
301 .errstr = "back-edge",
302 .result = REJECT,
303 },
304 {
305 "conditional loop",
306 .insns = {
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
311 BPF_EXIT_INSN(),
312 },
313 .errstr = "back-edge",
314 .result = REJECT,
315 },
316 {
317 "read uninitialized register",
318 .insns = {
319 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
320 BPF_EXIT_INSN(),
321 },
322 .errstr = "R2 !read_ok",
323 .result = REJECT,
324 },
325 {
326 "read invalid register",
327 .insns = {
328 BPF_MOV64_REG(BPF_REG_0, -1),
329 BPF_EXIT_INSN(),
330 },
331 .errstr = "R15 is invalid",
332 .result = REJECT,
333 },
334 {
335 "program doesn't init R0 before exit",
336 .insns = {
337 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
338 BPF_EXIT_INSN(),
339 },
340 .errstr = "R0 !read_ok",
341 .result = REJECT,
342 },
32bf08a6
AS		 343 {
344 "program doesn't init R0 before exit in all branches",
345 .insns = {
346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
347 BPF_MOV64_IMM(BPF_REG_0, 1),
348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
349 BPF_EXIT_INSN(),
350 },
351 .errstr = "R0 !read_ok",
bf508877 352 .errstr_unpriv = "R1 pointer comparison",
32bf08a6
AS		 353 .result = REJECT,
354 },
3c731eba
AS		 355 {
356 "stack out of bounds",
357 .insns = {
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
359 BPF_EXIT_INSN(),
360 },
361 .errstr = "invalid stack",
362 .result = REJECT,
363 },
364 {
365 "invalid call insn1",
366 .insns = {
367 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
368 BPF_EXIT_INSN(),
369 },
370 .errstr = "BPF_CALL uses reserved",
371 .result = REJECT,
372 },
373 {
374 "invalid call insn2",
375 .insns = {
376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
377 BPF_EXIT_INSN(),
378 },
379 .errstr = "BPF_CALL uses reserved",
380 .result = REJECT,
381 },
382 {
383 "invalid function call",
384 .insns = {
385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
386 BPF_EXIT_INSN(),
387 },
e00c7b21 388 .errstr = "invalid func unknown#1234567",
3c731eba
AS		 389 .result = REJECT,
390 },
391 {
392 "uninitialized stack1",
393 .insns = {
394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
396 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
398 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 399 BPF_EXIT_INSN(),
400 },
5aa5bd14 401 .fixup_map1 = { 2 },
3c731eba
AS		 402 .errstr = "invalid indirect read from stack",
403 .result = REJECT,
404 },
405 {
406 "uninitialized stack2",
407 .insns = {
408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
410 BPF_EXIT_INSN(),
411 },
412 .errstr = "invalid read from stack",
413 .result = REJECT,
414 },
728a853a
DB		 415 {
416 "invalid fp arithmetic",
417 /* If this gets ever changed, make sure JITs can deal with it. */
418 .insns = {
419 BPF_MOV64_IMM(BPF_REG_0, 0),
420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
421 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
423 BPF_EXIT_INSN(),
424 },
82abbf8d 425 .errstr = "R1 subtraction from stack pointer",
728a853a
DB		 426 .result = REJECT,
427 },
428 {
429 "non-invalid fp arithmetic",
430 .insns = {
431 BPF_MOV64_IMM(BPF_REG_0, 0),
432 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
433 BPF_EXIT_INSN(),
434 },
435 .result = ACCEPT,
436 },
7d95b0ab
DB		 437 {
438 "invalid argument register",
439 .insns = {
5aa5bd14
DB		 440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
441 BPF_FUNC_get_cgroup_classid),
442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
443 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 444 BPF_EXIT_INSN(),
445 },
446 .errstr = "R1 !read_ok",
447 .result = REJECT,
448 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
449 },
450 {
451 "non-invalid argument register",
452 .insns = {
453 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
5aa5bd14
DB		 454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
455 BPF_FUNC_get_cgroup_classid),
7d95b0ab 456 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
5aa5bd14
DB		 457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
458 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 459 BPF_EXIT_INSN(),
460 },
461 .result = ACCEPT,
462 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
463 },
3c731eba
AS		 464 {
465 "check valid spill/fill",
466 .insns = {
467 /* spill R1(ctx) into stack */
468 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 469 /* fill it back into R2 */
470 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3c731eba 471 /* should be able to access R0 = *(R2 + 8) */
f91fe17e
DB		 472 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
473 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3c731eba
AS		 474 BPF_EXIT_INSN(),
475 },
bf508877 476 .errstr_unpriv = "R0 leaks addr",
3c731eba 477 .result = ACCEPT,
bf508877 478 .result_unpriv = REJECT,
3c731eba 479 },
3f2050e2
DB		 480 {
481 "check valid spill/fill, skb mark",
482 .insns = {
483 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
484 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
485 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
486 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
487 offsetof(struct __sk_buff, mark)),
488 BPF_EXIT_INSN(),
489 },
490 .result = ACCEPT,
491 .result_unpriv = ACCEPT,
492 },
3c731eba
AS		 493 {
494 "check corrupted spill/fill",
495 .insns = {
496 /* spill R1(ctx) into stack */
497 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 498 /* mess up with R1 pointer on stack */
499 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
3c731eba
AS		 500 /* fill back into R0 should fail */
501 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3c731eba
AS		 502 BPF_EXIT_INSN(),
503 },
bf508877 504 .errstr_unpriv = "attempt to corrupt spilled",
3c731eba
AS		 505 .errstr = "corrupted spill",
506 .result = REJECT,
507 },
508 {
509 "invalid src register in STX",
510 .insns = {
511 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
512 BPF_EXIT_INSN(),
513 },
514 .errstr = "R15 is invalid",
515 .result = REJECT,
516 },
517 {
518 "invalid dst register in STX",
519 .insns = {
520 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
521 BPF_EXIT_INSN(),
522 },
523 .errstr = "R14 is invalid",
524 .result = REJECT,
525 },
526 {
527 "invalid dst register in ST",
528 .insns = {
529 BPF_ST_MEM(BPF_B, 14, -1, -1),
530 BPF_EXIT_INSN(),
531 },
532 .errstr = "R14 is invalid",
533 .result = REJECT,
534 },
535 {
536 "invalid src register in LDX",
537 .insns = {
538 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
539 BPF_EXIT_INSN(),
540 },
541 .errstr = "R12 is invalid",
542 .result = REJECT,
543 },
544 {
545 "invalid dst register in LDX",
546 .insns = {
547 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
548 BPF_EXIT_INSN(),
549 },
550 .errstr = "R11 is invalid",
551 .result = REJECT,
552 },
553 {
554 "junk insn",
555 .insns = {
556 BPF_RAW_INSN(0, 0, 0, 0, 0),
557 BPF_EXIT_INSN(),
558 },
559 .errstr = "invalid BPF_LD_IMM",
560 .result = REJECT,
561 },
562 {
563 "junk insn2",
564 .insns = {
565 BPF_RAW_INSN(1, 0, 0, 0, 0),
566 BPF_EXIT_INSN(),
567 },
568 .errstr = "BPF_LDX uses reserved fields",
569 .result = REJECT,
570 },
571 {
572 "junk insn3",
573 .insns = {
574 BPF_RAW_INSN(-1, 0, 0, 0, 0),
575 BPF_EXIT_INSN(),
576 },
577 .errstr = "invalid BPF_ALU opcode f0",
578 .result = REJECT,
579 },
580 {
581 "junk insn4",
582 .insns = {
583 BPF_RAW_INSN(-1, -1, -1, -1, -1),
584 BPF_EXIT_INSN(),
585 },
586 .errstr = "invalid BPF_ALU opcode f0",
587 .result = REJECT,
588 },
589 {
590 "junk insn5",
591 .insns = {
592 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
593 BPF_EXIT_INSN(),
594 },
595 .errstr = "BPF_ALU uses reserved fields",
596 .result = REJECT,
597 },
598 {
599 "misaligned read from stack",
600 .insns = {
601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
602 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
603 BPF_EXIT_INSN(),
604 },
f65b1849 605 .errstr = "misaligned stack access",
3c731eba
AS		 606 .result = REJECT,
607 },
608 {
609 "invalid map_fd for function call",
610 .insns = {
611 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
612 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
614 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
616 BPF_FUNC_map_delete_elem),
3c731eba
AS		 617 BPF_EXIT_INSN(),
618 },
619 .errstr = "fd 0 is not pointing to valid bpf_map",
620 .result = REJECT,
621 },
622 {
623 "don't check return value before access",
624 .insns = {
625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
628 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
630 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 631 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
632 BPF_EXIT_INSN(),
633 },
5aa5bd14 634 .fixup_map1 = { 3 },
3c731eba
AS		 635 .errstr = "R0 invalid mem access 'map_value_or_null'",
636 .result = REJECT,
637 },
638 {
639 "access memory with incorrect alignment",
640 .insns = {
641 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
642 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
644 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
646 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
648 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
649 BPF_EXIT_INSN(),
650 },
5aa5bd14 651 .fixup_map1 = { 3 },
f65b1849 652 .errstr = "misaligned value access",
3c731eba 653 .result = REJECT,
f65b1849 654 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3c731eba
AS		 655 },
656 {
657 "sometimes access memory with incorrect alignment",
658 .insns = {
659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
662 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
664 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
666 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
667 BPF_EXIT_INSN(),
668 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
669 BPF_EXIT_INSN(),
670 },
5aa5bd14 671 .fixup_map1 = { 3 },
3c731eba 672 .errstr = "R0 invalid mem access",
bf508877 673 .errstr_unpriv = "R0 leaks addr",
3c731eba 674 .result = REJECT,
f65b1849 675 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3c731eba 676 },
fd10c2ef
AS		 677 {
678 "jump test 1",
679 .insns = {
680 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
681 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
683 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
685 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
687 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
689 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
691 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
693 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
694 BPF_MOV64_IMM(BPF_REG_0, 0),
695 BPF_EXIT_INSN(),
696 },
bf508877
AS		 697 .errstr_unpriv = "R1 pointer comparison",
698 .result_unpriv = REJECT,
fd10c2ef
AS		 699 .result = ACCEPT,
700 },
701 {
702 "jump test 2",
703 .insns = {
704 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
706 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
707 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
709 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
710 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
712 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
713 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
715 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
716 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
718 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
719 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
721 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
722 BPF_MOV64_IMM(BPF_REG_0, 0),
723 BPF_EXIT_INSN(),
724 },
bf508877
AS		 725 .errstr_unpriv = "R1 pointer comparison",
726 .result_unpriv = REJECT,
fd10c2ef
AS		 727 .result = ACCEPT,
728 },
729 {
730 "jump test 3",
731 .insns = {
732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
734 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
736 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
738 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
740 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
741 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
742 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
744 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
745 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
746 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
748 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
750 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
752 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
754 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
756 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
758 BPF_FUNC_map_delete_elem),
fd10c2ef
AS		 759 BPF_EXIT_INSN(),
760 },
5aa5bd14 761 .fixup_map1 = { 24 },
bf508877
AS		 762 .errstr_unpriv = "R1 pointer comparison",
763 .result_unpriv = REJECT,
fd10c2ef
AS		 764 .result = ACCEPT,
765 },
766 {
767 "jump test 4",
768 .insns = {
769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
809 BPF_MOV64_IMM(BPF_REG_0, 0),
810 BPF_EXIT_INSN(),
811 },
bf508877
AS		 812 .errstr_unpriv = "R1 pointer comparison",
813 .result_unpriv = REJECT,
fd10c2ef
AS		 814 .result = ACCEPT,
815 },
342ded40
AS		 816 {
817 "jump test 5",
818 .insns = {
819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
820 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
821 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
822 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
823 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
824 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
825 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
826 BPF_MOV64_IMM(BPF_REG_0, 0),
827 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
828 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
829 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
830 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
831 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
832 BPF_MOV64_IMM(BPF_REG_0, 0),
833 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
834 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
835 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
836 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
837 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
838 BPF_MOV64_IMM(BPF_REG_0, 0),
839 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
840 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
841 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
842 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
843 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
844 BPF_MOV64_IMM(BPF_REG_0, 0),
845 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
846 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
847 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
848 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
849 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
850 BPF_MOV64_IMM(BPF_REG_0, 0),
851 BPF_EXIT_INSN(),
852 },
bf508877
AS		 853 .errstr_unpriv = "R1 pointer comparison",
854 .result_unpriv = REJECT,
342ded40
AS		 855 .result = ACCEPT,
856 },
614cd3bd
AS		 857 {
858 "access skb fields ok",
859 .insns = {
860 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
861 offsetof(struct __sk_buff, len)),
862 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
864 offsetof(struct __sk_buff, mark)),
865 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
867 offsetof(struct __sk_buff, pkt_type)),
868 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
870 offsetof(struct __sk_buff, queue_mapping)),
871 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
c2497395
AS		 872 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
873 offsetof(struct __sk_buff, protocol)),
874 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
875 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
876 offsetof(struct __sk_buff, vlan_present)),
877 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
879 offsetof(struct __sk_buff, vlan_tci)),
880 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
b1d9fc41
DB		 881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
882 offsetof(struct __sk_buff, napi_id)),
883 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
614cd3bd
AS		 884 BPF_EXIT_INSN(),
885 },
886 .result = ACCEPT,
887 },
888 {
889 "access skb fields bad1",
890 .insns = {
891 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
892 BPF_EXIT_INSN(),
893 },
894 .errstr = "invalid bpf_context access",
895 .result = REJECT,
896 },
897 {
898 "access skb fields bad2",
899 .insns = {
900 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
901 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
902 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
904 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 905 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
906 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 907 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
908 BPF_EXIT_INSN(),
909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
910 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
911 offsetof(struct __sk_buff, pkt_type)),
912 BPF_EXIT_INSN(),
913 },
5aa5bd14 914 .fixup_map1 = { 4 },
614cd3bd 915 .errstr = "different pointers",
bf508877 916 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 917 .result = REJECT,
918 },
919 {
920 "access skb fields bad3",
921 .insns = {
922 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
923 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
924 offsetof(struct __sk_buff, pkt_type)),
925 BPF_EXIT_INSN(),
926 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
929 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
931 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 932 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
933 BPF_EXIT_INSN(),
934 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
935 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
936 },
5aa5bd14 937 .fixup_map1 = { 6 },
614cd3bd 938 .errstr = "different pointers",
bf508877 939 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 940 .result = REJECT,
941 },
725f9dcd
AS		 942 {
943 "access skb fields bad4",
944 .insns = {
945 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
947 offsetof(struct __sk_buff, len)),
948 BPF_MOV64_IMM(BPF_REG_0, 0),
949 BPF_EXIT_INSN(),
950 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
951 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
953 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
955 BPF_FUNC_map_lookup_elem),
725f9dcd
AS		 956 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
957 BPF_EXIT_INSN(),
958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
959 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
960 },
5aa5bd14 961 .fixup_map1 = { 7 },
725f9dcd 962 .errstr = "different pointers",
bf508877 963 .errstr_unpriv = "R1 pointer comparison",
725f9dcd
AS		 964 .result = REJECT,
965 },
41bc94f5
JF		 966 {
967 "invalid access __sk_buff family",
968 .insns = {
969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
970 offsetof(struct __sk_buff, family)),
971 BPF_EXIT_INSN(),
972 },
973 .errstr = "invalid bpf_context access",
974 .result = REJECT,
975 },
976 {
977 "invalid access __sk_buff remote_ip4",
978 .insns = {
979 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
980 offsetof(struct __sk_buff, remote_ip4)),
981 BPF_EXIT_INSN(),
982 },
983 .errstr = "invalid bpf_context access",
984 .result = REJECT,
985 },
986 {
987 "invalid access __sk_buff local_ip4",
988 .insns = {
989 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
990 offsetof(struct __sk_buff, local_ip4)),
991 BPF_EXIT_INSN(),
992 },
993 .errstr = "invalid bpf_context access",
994 .result = REJECT,
995 },
996 {
997 "invalid access __sk_buff remote_ip6",
998 .insns = {
999 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1000 offsetof(struct __sk_buff, remote_ip6)),
1001 BPF_EXIT_INSN(),
1002 },
1003 .errstr = "invalid bpf_context access",
1004 .result = REJECT,
1005 },
1006 {
1007 "invalid access __sk_buff local_ip6",
1008 .insns = {
1009 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1010 offsetof(struct __sk_buff, local_ip6)),
1011 BPF_EXIT_INSN(),
1012 },
1013 .errstr = "invalid bpf_context access",
1014 .result = REJECT,
1015 },
1016 {
1017 "invalid access __sk_buff remote_port",
1018 .insns = {
1019 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1020 offsetof(struct __sk_buff, remote_port)),
1021 BPF_EXIT_INSN(),
1022 },
1023 .errstr = "invalid bpf_context access",
1024 .result = REJECT,
1025 },
1026 {
1027 "invalid access __sk_buff remote_port",
1028 .insns = {
1029 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1030 offsetof(struct __sk_buff, local_port)),
1031 BPF_EXIT_INSN(),
1032 },
1033 .errstr = "invalid bpf_context access",
1034 .result = REJECT,
1035 },
1036 {
1037 "valid access __sk_buff family",
1038 .insns = {
1039 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1040 offsetof(struct __sk_buff, family)),
1041 BPF_EXIT_INSN(),
1042 },
1043 .result = ACCEPT,
1044 .prog_type = BPF_PROG_TYPE_SK_SKB,
1045 },
1046 {
1047 "valid access __sk_buff remote_ip4",
1048 .insns = {
1049 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1050 offsetof(struct __sk_buff, remote_ip4)),
1051 BPF_EXIT_INSN(),
1052 },
1053 .result = ACCEPT,
1054 .prog_type = BPF_PROG_TYPE_SK_SKB,
1055 },
1056 {
1057 "valid access __sk_buff local_ip4",
1058 .insns = {
1059 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1060 offsetof(struct __sk_buff, local_ip4)),
1061 BPF_EXIT_INSN(),
1062 },
1063 .result = ACCEPT,
1064 .prog_type = BPF_PROG_TYPE_SK_SKB,
1065 },
1066 {
1067 "valid access __sk_buff remote_ip6",
1068 .insns = {
1069 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1070 offsetof(struct __sk_buff, remote_ip6[0])),
1071 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1072 offsetof(struct __sk_buff, remote_ip6[1])),
1073 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1074 offsetof(struct __sk_buff, remote_ip6[2])),
1075 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1076 offsetof(struct __sk_buff, remote_ip6[3])),
1077 BPF_EXIT_INSN(),
1078 },
1079 .result = ACCEPT,
1080 .prog_type = BPF_PROG_TYPE_SK_SKB,
1081 },
1082 {
1083 "valid access __sk_buff local_ip6",
1084 .insns = {
1085 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1086 offsetof(struct __sk_buff, local_ip6[0])),
1087 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1088 offsetof(struct __sk_buff, local_ip6[1])),
1089 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1090 offsetof(struct __sk_buff, local_ip6[2])),
1091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1092 offsetof(struct __sk_buff, local_ip6[3])),
1093 BPF_EXIT_INSN(),
1094 },
1095 .result = ACCEPT,
1096 .prog_type = BPF_PROG_TYPE_SK_SKB,
1097 },
1098 {
1099 "valid access __sk_buff remote_port",
1100 .insns = {
1101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1102 offsetof(struct __sk_buff, remote_port)),
1103 BPF_EXIT_INSN(),
1104 },
1105 .result = ACCEPT,
1106 .prog_type = BPF_PROG_TYPE_SK_SKB,
1107 },
1108 {
1109 "valid access __sk_buff remote_port",
1110 .insns = {
1111 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1112 offsetof(struct __sk_buff, local_port)),
1113 BPF_EXIT_INSN(),
1114 },
1115 .result = ACCEPT,
1116 .prog_type = BPF_PROG_TYPE_SK_SKB,
1117 },
ed85054d
JF		 1118 {
1119 "invalid access of tc_classid for SK_SKB",
1120 .insns = {
1121 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1122 offsetof(struct __sk_buff, tc_classid)),
1123 BPF_EXIT_INSN(),
1124 },
1125 .result = REJECT,
1126 .prog_type = BPF_PROG_TYPE_SK_SKB,
1127 .errstr = "invalid bpf_context access",
1128 },
1129 {
f7e9cb1e
JF		 1130 "invalid access of skb->mark for SK_SKB",
1131 .insns = {
1132 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1133 offsetof(struct __sk_buff, mark)),
1134 BPF_EXIT_INSN(),
1135 },
1136 .result = REJECT,
1137 .prog_type = BPF_PROG_TYPE_SK_SKB,
1138 .errstr = "invalid bpf_context access",
1139 },
1140 {
1141 "check skb->mark is not writeable by SK_SKB",
ed85054d
JF		 1142 .insns = {
1143 BPF_MOV64_IMM(BPF_REG_0, 0),
1144 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1145 offsetof(struct __sk_buff, mark)),
1146 BPF_EXIT_INSN(),
1147 },
f7e9cb1e 1148 .result = REJECT,
ed85054d 1149 .prog_type = BPF_PROG_TYPE_SK_SKB,
f7e9cb1e 1150 .errstr = "invalid bpf_context access",
ed85054d
JF		 1151 },
1152 {
1153 "check skb->tc_index is writeable by SK_SKB",
1154 .insns = {
1155 BPF_MOV64_IMM(BPF_REG_0, 0),
1156 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1157 offsetof(struct __sk_buff, tc_index)),
1158 BPF_EXIT_INSN(),
1159 },
1160 .result = ACCEPT,
1161 .prog_type = BPF_PROG_TYPE_SK_SKB,
1162 },
1163 {
1164 "check skb->priority is writeable by SK_SKB",
1165 .insns = {
1166 BPF_MOV64_IMM(BPF_REG_0, 0),
1167 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1168 offsetof(struct __sk_buff, priority)),
1169 BPF_EXIT_INSN(),
1170 },
1171 .result = ACCEPT,
1172 .prog_type = BPF_PROG_TYPE_SK_SKB,
1173 },
1174 {
1175 "direct packet read for SK_SKB",
1176 .insns = {
1177 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1178 offsetof(struct __sk_buff, data)),
1179 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1180 offsetof(struct __sk_buff, data_end)),
1181 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1183 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1184 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1185 BPF_MOV64_IMM(BPF_REG_0, 0),
1186 BPF_EXIT_INSN(),
1187 },
1188 .result = ACCEPT,
1189 .prog_type = BPF_PROG_TYPE_SK_SKB,
1190 },
1191 {
1192 "direct packet write for SK_SKB",
1193 .insns = {
1194 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1195 offsetof(struct __sk_buff, data)),
1196 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1197 offsetof(struct __sk_buff, data_end)),
1198 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1200 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1201 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1202 BPF_MOV64_IMM(BPF_REG_0, 0),
1203 BPF_EXIT_INSN(),
1204 },
1205 .result = ACCEPT,
1206 .prog_type = BPF_PROG_TYPE_SK_SKB,
1207 },
1208 {
1209 "overlapping checks for direct packet access SK_SKB",
1210 .insns = {
1211 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1212 offsetof(struct __sk_buff, data)),
1213 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1214 offsetof(struct __sk_buff, data_end)),
1215 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1217 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1218 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1220 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1221 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1222 BPF_MOV64_IMM(BPF_REG_0, 0),
1223 BPF_EXIT_INSN(),
1224 },
1225 .result = ACCEPT,
1226 .prog_type = BPF_PROG_TYPE_SK_SKB,
1227 },
d691f9e8
AS		 1228 {
1229 "check skb->mark is not writeable by sockets",
1230 .insns = {
1231 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1232 offsetof(struct __sk_buff, mark)),
1233 BPF_EXIT_INSN(),
1234 },
1235 .errstr = "invalid bpf_context access",
bf508877 1236 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 1237 .result = REJECT,
1238 },
1239 {
1240 "check skb->tc_index is not writeable by sockets",
1241 .insns = {
1242 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1243 offsetof(struct __sk_buff, tc_index)),
1244 BPF_EXIT_INSN(),
1245 },
1246 .errstr = "invalid bpf_context access",
bf508877 1247 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 1248 .result = REJECT,
1249 },
1250 {
62c7989b 1251 "check cb access: byte",
d691f9e8 1252 .insns = {
62c7989b
DB		 1253 BPF_MOV64_IMM(BPF_REG_0, 0),
1254 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1255 offsetof(struct __sk_buff, cb[0])),
1256 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1257 offsetof(struct __sk_buff, cb[0]) + 1),
1258 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1259 offsetof(struct __sk_buff, cb[0]) + 2),
1260 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1261 offsetof(struct __sk_buff, cb[0]) + 3),
1262 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1263 offsetof(struct __sk_buff, cb[1])),
1264 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1265 offsetof(struct __sk_buff, cb[1]) + 1),
1266 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1267 offsetof(struct __sk_buff, cb[1]) + 2),
1268 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1269 offsetof(struct __sk_buff, cb[1]) + 3),
1270 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1271 offsetof(struct __sk_buff, cb[2])),
1272 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1273 offsetof(struct __sk_buff, cb[2]) + 1),
1274 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1275 offsetof(struct __sk_buff, cb[2]) + 2),
1276 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1277 offsetof(struct __sk_buff, cb[2]) + 3),
1278 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1279 offsetof(struct __sk_buff, cb[3])),
1280 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1281 offsetof(struct __sk_buff, cb[3]) + 1),
1282 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1283 offsetof(struct __sk_buff, cb[3]) + 2),
1284 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1285 offsetof(struct __sk_buff, cb[3]) + 3),
1286 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1287 offsetof(struct __sk_buff, cb[4])),
1288 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1289 offsetof(struct __sk_buff, cb[4]) + 1),
1290 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1291 offsetof(struct __sk_buff, cb[4]) + 2),
1292 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1293 offsetof(struct __sk_buff, cb[4]) + 3),
1294 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1295 offsetof(struct __sk_buff, cb[0])),
1296 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1297 offsetof(struct __sk_buff, cb[0]) + 1),
1298 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1299 offsetof(struct __sk_buff, cb[0]) + 2),
1300 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1301 offsetof(struct __sk_buff, cb[0]) + 3),
1302 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1303 offsetof(struct __sk_buff, cb[1])),
1304 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1305 offsetof(struct __sk_buff, cb[1]) + 1),
1306 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1307 offsetof(struct __sk_buff, cb[1]) + 2),
1308 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1309 offsetof(struct __sk_buff, cb[1]) + 3),
1310 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1311 offsetof(struct __sk_buff, cb[2])),
1312 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1313 offsetof(struct __sk_buff, cb[2]) + 1),
1314 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1315 offsetof(struct __sk_buff, cb[2]) + 2),
1316 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1317 offsetof(struct __sk_buff, cb[2]) + 3),
1318 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1319 offsetof(struct __sk_buff, cb[3])),
1320 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1321 offsetof(struct __sk_buff, cb[3]) + 1),
1322 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1323 offsetof(struct __sk_buff, cb[3]) + 2),
1324 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1325 offsetof(struct __sk_buff, cb[3]) + 3),
1326 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1327 offsetof(struct __sk_buff, cb[4])),
1328 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1329 offsetof(struct __sk_buff, cb[4]) + 1),
1330 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1331 offsetof(struct __sk_buff, cb[4]) + 2),
1332 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1333 offsetof(struct __sk_buff, cb[4]) + 3),
1334 BPF_EXIT_INSN(),
1335 },
1336 .result = ACCEPT,
1337 },
1338 {
31fd8581 1339 "__sk_buff->hash, offset 0, byte store not permitted",
62c7989b
DB		 1340 .insns = {
1341 BPF_MOV64_IMM(BPF_REG_0, 0),
1342 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 1343 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 1344 BPF_EXIT_INSN(),
1345 },
1346 .errstr = "invalid bpf_context access",
1347 .result = REJECT,
1348 },
1349 {
31fd8581 1350 "__sk_buff->tc_index, offset 3, byte store not permitted",
62c7989b
DB		 1351 .insns = {
1352 BPF_MOV64_IMM(BPF_REG_0, 0),
1353 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 1354 offsetof(struct __sk_buff, tc_index) + 3),
62c7989b
DB		 1355 BPF_EXIT_INSN(),
1356 },
1357 .errstr = "invalid bpf_context access",
1358 .result = REJECT,
1359 },
18f3d6be
YS		 1360 {
1361 "check skb->hash byte load permitted",
1362 .insns = {
1363 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1364#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1365 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1366 offsetof(struct __sk_buff, hash)),
1367#else
1368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, hash) + 3),
1370#endif
1371 BPF_EXIT_INSN(),
1372 },
1373 .result = ACCEPT,
1374 },
1375 {
1376 "check skb->hash byte load not permitted 1",
1377 .insns = {
1378 BPF_MOV64_IMM(BPF_REG_0, 0),
1379 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1380 offsetof(struct __sk_buff, hash) + 1),
1381 BPF_EXIT_INSN(),
1382 },
1383 .errstr = "invalid bpf_context access",
1384 .result = REJECT,
1385 },
1386 {
1387 "check skb->hash byte load not permitted 2",
1388 .insns = {
1389 BPF_MOV64_IMM(BPF_REG_0, 0),
1390 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1391 offsetof(struct __sk_buff, hash) + 2),
1392 BPF_EXIT_INSN(),
1393 },
1394 .errstr = "invalid bpf_context access",
1395 .result = REJECT,
1396 },
1397 {
1398 "check skb->hash byte load not permitted 3",
1399 .insns = {
1400 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1401#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1402 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1403 offsetof(struct __sk_buff, hash) + 3),
1404#else
1405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1406 offsetof(struct __sk_buff, hash)),
1407#endif
1408 BPF_EXIT_INSN(),
1409 },
1410 .errstr = "invalid bpf_context access",
1411 .result = REJECT,
1412 },
62c7989b
DB		 1413 {
1414 "check cb access: byte, wrong type",
1415 .insns = {
1416 BPF_MOV64_IMM(BPF_REG_0, 0),
1417 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1418 offsetof(struct __sk_buff, cb[0])),
1419 BPF_EXIT_INSN(),
1420 },
1421 .errstr = "invalid bpf_context access",
1422 .result = REJECT,
1423 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1424 },
1425 {
1426 "check cb access: half",
1427 .insns = {
1428 BPF_MOV64_IMM(BPF_REG_0, 0),
1429 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1430 offsetof(struct __sk_buff, cb[0])),
1431 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1432 offsetof(struct __sk_buff, cb[0]) + 2),
1433 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1434 offsetof(struct __sk_buff, cb[1])),
1435 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1436 offsetof(struct __sk_buff, cb[1]) + 2),
1437 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1438 offsetof(struct __sk_buff, cb[2])),
1439 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1440 offsetof(struct __sk_buff, cb[2]) + 2),
1441 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1442 offsetof(struct __sk_buff, cb[3])),
1443 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1444 offsetof(struct __sk_buff, cb[3]) + 2),
1445 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1446 offsetof(struct __sk_buff, cb[4])),
1447 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1448 offsetof(struct __sk_buff, cb[4]) + 2),
1449 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1450 offsetof(struct __sk_buff, cb[0])),
1451 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1452 offsetof(struct __sk_buff, cb[0]) + 2),
1453 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1454 offsetof(struct __sk_buff, cb[1])),
1455 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1456 offsetof(struct __sk_buff, cb[1]) + 2),
1457 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1458 offsetof(struct __sk_buff, cb[2])),
1459 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1460 offsetof(struct __sk_buff, cb[2]) + 2),
1461 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1462 offsetof(struct __sk_buff, cb[3])),
1463 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1464 offsetof(struct __sk_buff, cb[3]) + 2),
1465 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1466 offsetof(struct __sk_buff, cb[4])),
1467 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1468 offsetof(struct __sk_buff, cb[4]) + 2),
1469 BPF_EXIT_INSN(),
1470 },
1471 .result = ACCEPT,
1472 },
1473 {
1474 "check cb access: half, unaligned",
1475 .insns = {
1476 BPF_MOV64_IMM(BPF_REG_0, 0),
1477 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1478 offsetof(struct __sk_buff, cb[0]) + 1),
1479 BPF_EXIT_INSN(),
1480 },
f65b1849 1481 .errstr = "misaligned context access",
62c7989b 1482 .result = REJECT,
f65b1849 1483 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1484 },
1485 {
31fd8581 1486 "check __sk_buff->hash, offset 0, half store not permitted",
62c7989b
DB		 1487 .insns = {
1488 BPF_MOV64_IMM(BPF_REG_0, 0),
1489 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 1490 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 1491 BPF_EXIT_INSN(),
1492 },
1493 .errstr = "invalid bpf_context access",
1494 .result = REJECT,
1495 },
1496 {
31fd8581 1497 "check __sk_buff->tc_index, offset 2, half store not permitted",
62c7989b
DB		 1498 .insns = {
1499 BPF_MOV64_IMM(BPF_REG_0, 0),
1500 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 1501 offsetof(struct __sk_buff, tc_index) + 2),
62c7989b
DB		 1502 BPF_EXIT_INSN(),
1503 },
1504 .errstr = "invalid bpf_context access",
1505 .result = REJECT,
1506 },
18f3d6be
YS		 1507 {
1508 "check skb->hash half load permitted",
1509 .insns = {
1510 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1511#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1512 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1513 offsetof(struct __sk_buff, hash)),
1514#else
1515 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1516 offsetof(struct __sk_buff, hash) + 2),
1517#endif
1518 BPF_EXIT_INSN(),
1519 },
1520 .result = ACCEPT,
1521 },
1522 {
1523 "check skb->hash half load not permitted",
1524 .insns = {
1525 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1526#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1527 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1528 offsetof(struct __sk_buff, hash) + 2),
1529#else
1530 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1531 offsetof(struct __sk_buff, hash)),
1532#endif
1533 BPF_EXIT_INSN(),
1534 },
1535 .errstr = "invalid bpf_context access",
1536 .result = REJECT,
1537 },
62c7989b
DB		 1538 {
1539 "check cb access: half, wrong type",
1540 .insns = {
1541 BPF_MOV64_IMM(BPF_REG_0, 0),
1542 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1543 offsetof(struct __sk_buff, cb[0])),
1544 BPF_EXIT_INSN(),
1545 },
1546 .errstr = "invalid bpf_context access",
1547 .result = REJECT,
1548 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1549 },
1550 {
1551 "check cb access: word",
1552 .insns = {
1553 BPF_MOV64_IMM(BPF_REG_0, 0),
1554 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1555 offsetof(struct __sk_buff, cb[0])),
1556 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1557 offsetof(struct __sk_buff, cb[1])),
1558 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1559 offsetof(struct __sk_buff, cb[2])),
1560 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1561 offsetof(struct __sk_buff, cb[3])),
1562 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1563 offsetof(struct __sk_buff, cb[4])),
1564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1565 offsetof(struct __sk_buff, cb[0])),
1566 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1567 offsetof(struct __sk_buff, cb[1])),
1568 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1569 offsetof(struct __sk_buff, cb[2])),
1570 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1571 offsetof(struct __sk_buff, cb[3])),
1572 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1573 offsetof(struct __sk_buff, cb[4])),
1574 BPF_EXIT_INSN(),
1575 },
1576 .result = ACCEPT,
1577 },
1578 {
1579 "check cb access: word, unaligned 1",
1580 .insns = {
1581 BPF_MOV64_IMM(BPF_REG_0, 0),
1582 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1583 offsetof(struct __sk_buff, cb[0]) + 2),
1584 BPF_EXIT_INSN(),
1585 },
f65b1849 1586 .errstr = "misaligned context access",
62c7989b 1587 .result = REJECT,
f65b1849 1588 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1589 },
1590 {
1591 "check cb access: word, unaligned 2",
1592 .insns = {
1593 BPF_MOV64_IMM(BPF_REG_0, 0),
1594 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1595 offsetof(struct __sk_buff, cb[4]) + 1),
1596 BPF_EXIT_INSN(),
1597 },
f65b1849 1598 .errstr = "misaligned context access",
62c7989b 1599 .result = REJECT,
f65b1849 1600 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1601 },
1602 {
1603 "check cb access: word, unaligned 3",
1604 .insns = {
1605 BPF_MOV64_IMM(BPF_REG_0, 0),
1606 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1607 offsetof(struct __sk_buff, cb[4]) + 2),
1608 BPF_EXIT_INSN(),
1609 },
f65b1849 1610 .errstr = "misaligned context access",
62c7989b 1611 .result = REJECT,
f65b1849 1612 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1613 },
1614 {
1615 "check cb access: word, unaligned 4",
1616 .insns = {
1617 BPF_MOV64_IMM(BPF_REG_0, 0),
1618 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1619 offsetof(struct __sk_buff, cb[4]) + 3),
1620 BPF_EXIT_INSN(),
1621 },
f65b1849 1622 .errstr = "misaligned context access",
62c7989b 1623 .result = REJECT,
f65b1849 1624 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1625 },
1626 {
1627 "check cb access: double",
1628 .insns = {
1629 BPF_MOV64_IMM(BPF_REG_0, 0),
1630 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1631 offsetof(struct __sk_buff, cb[0])),
1632 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1633 offsetof(struct __sk_buff, cb[2])),
1634 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1635 offsetof(struct __sk_buff, cb[0])),
1636 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1637 offsetof(struct __sk_buff, cb[2])),
1638 BPF_EXIT_INSN(),
1639 },
1640 .result = ACCEPT,
1641 },
1642 {
1643 "check cb access: double, unaligned 1",
1644 .insns = {
1645 BPF_MOV64_IMM(BPF_REG_0, 0),
1646 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1647 offsetof(struct __sk_buff, cb[1])),
1648 BPF_EXIT_INSN(),
1649 },
f65b1849 1650 .errstr = "misaligned context access",
62c7989b 1651 .result = REJECT,
f65b1849 1652 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1653 },
1654 {
1655 "check cb access: double, unaligned 2",
1656 .insns = {
1657 BPF_MOV64_IMM(BPF_REG_0, 0),
1658 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1659 offsetof(struct __sk_buff, cb[3])),
1660 BPF_EXIT_INSN(),
1661 },
f65b1849 1662 .errstr = "misaligned context access",
62c7989b 1663 .result = REJECT,
f65b1849 1664 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1665 },
1666 {
1667 "check cb access: double, oob 1",
1668 .insns = {
1669 BPF_MOV64_IMM(BPF_REG_0, 0),
1670 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1671 offsetof(struct __sk_buff, cb[4])),
1672 BPF_EXIT_INSN(),
1673 },
1674 .errstr = "invalid bpf_context access",
1675 .result = REJECT,
1676 },
1677 {
1678 "check cb access: double, oob 2",
62c7989b
DB		 1679 .insns = {
1680 BPF_MOV64_IMM(BPF_REG_0, 0),
1681 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1682 offsetof(struct __sk_buff, cb[4])),
1683 BPF_EXIT_INSN(),
1684 },
1685 .errstr = "invalid bpf_context access",
1686 .result = REJECT,
1687 },
1688 {
31fd8581 1689 "check __sk_buff->ifindex dw store not permitted",
62c7989b
DB		 1690 .insns = {
1691 BPF_MOV64_IMM(BPF_REG_0, 0),
31fd8581
YS		 1692 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1693 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 1694 BPF_EXIT_INSN(),
1695 },
1696 .errstr = "invalid bpf_context access",
1697 .result = REJECT,
1698 },
1699 {
31fd8581 1700 "check __sk_buff->ifindex dw load not permitted",
62c7989b
DB		 1701 .insns = {
1702 BPF_MOV64_IMM(BPF_REG_0, 0),
1703 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
31fd8581 1704 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 1705 BPF_EXIT_INSN(),
1706 },
1707 .errstr = "invalid bpf_context access",
1708 .result = REJECT,
1709 },
1710 {
1711 "check cb access: double, wrong type",
1712 .insns = {
1713 BPF_MOV64_IMM(BPF_REG_0, 0),
1714 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
d691f9e8
AS		 1715 offsetof(struct __sk_buff, cb[0])),
1716 BPF_EXIT_INSN(),
1717 },
1718 .errstr = "invalid bpf_context access",
1719 .result = REJECT,
62c7989b 1720 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
d691f9e8
AS		 1721 },
1722 {
1723 "check out of range skb->cb access",
1724 .insns = {
1725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
bf508877 1726 offsetof(struct __sk_buff, cb[0]) + 256),
d691f9e8
AS		 1727 BPF_EXIT_INSN(),
1728 },
1729 .errstr = "invalid bpf_context access",
bf508877 1730 .errstr_unpriv = "",
d691f9e8
AS		 1731 .result = REJECT,
1732 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1733 },
1734 {
1735 "write skb fields from socket prog",
1736 .insns = {
1737 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1738 offsetof(struct __sk_buff, cb[4])),
1739 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1741 offsetof(struct __sk_buff, mark)),
1742 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1743 offsetof(struct __sk_buff, tc_index)),
1744 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1745 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1746 offsetof(struct __sk_buff, cb[0])),
1747 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1748 offsetof(struct __sk_buff, cb[2])),
1749 BPF_EXIT_INSN(),
1750 },
1751 .result = ACCEPT,
bf508877
AS		 1752 .errstr_unpriv = "R1 leaks addr",
1753 .result_unpriv = REJECT,
d691f9e8
AS		 1754 },
1755 {
1756 "write skb fields from tc_cls_act prog",
1757 .insns = {
1758 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1759 offsetof(struct __sk_buff, cb[0])),
1760 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1761 offsetof(struct __sk_buff, mark)),
1762 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1763 offsetof(struct __sk_buff, tc_index)),
1764 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1765 offsetof(struct __sk_buff, tc_index)),
1766 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1767 offsetof(struct __sk_buff, cb[3])),
1768 BPF_EXIT_INSN(),
1769 },
bf508877
AS		 1770 .errstr_unpriv = "",
1771 .result_unpriv = REJECT,
d691f9e8
AS		 1772 .result = ACCEPT,
1773 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1774 },
24b4d2ab
AG		 1775 {
1776 "PTR_TO_STACK store/load",
1777 .insns = {
1778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1780 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1781 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1782 BPF_EXIT_INSN(),
1783 },
1784 .result = ACCEPT,
1785 },
1786 {
1787 "PTR_TO_STACK store/load - bad alignment on off",
1788 .insns = {
1789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1791 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1792 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1793 BPF_EXIT_INSN(),
1794 },
1795 .result = REJECT,
f65b1849 1796 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
24b4d2ab
AG		 1797 },
1798 {
1799 "PTR_TO_STACK store/load - bad alignment on reg",
1800 .insns = {
1801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1803 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1804 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1805 BPF_EXIT_INSN(),
1806 },
1807 .result = REJECT,
f65b1849 1808 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
24b4d2ab
AG		 1809 },
1810 {
1811 "PTR_TO_STACK store/load - out of bounds low",
1812 .insns = {
1813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1815 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1816 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1817 BPF_EXIT_INSN(),
1818 },
1819 .result = REJECT,
1820 .errstr = "invalid stack off=-79992 size=8",
1821 },
1822 {
1823 "PTR_TO_STACK store/load - out of bounds high",
1824 .insns = {
1825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1827 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1828 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1829 BPF_EXIT_INSN(),
1830 },
1831 .result = REJECT,
1832 .errstr = "invalid stack off=0 size=8",
1833 },
bf508877
AS		 1834 {
1835 "unpriv: return pointer",
1836 .insns = {
1837 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1838 BPF_EXIT_INSN(),
1839 },
1840 .result = ACCEPT,
1841 .result_unpriv = REJECT,
1842 .errstr_unpriv = "R0 leaks addr",
1843 },
1844 {
1845 "unpriv: add const to pointer",
1846 .insns = {
1847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1848 BPF_MOV64_IMM(BPF_REG_0, 0),
1849 BPF_EXIT_INSN(),
1850 },
1851 .result = ACCEPT,
bf508877
AS		 1852 },
1853 {
1854 "unpriv: add pointer to pointer",
1855 .insns = {
1856 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1857 BPF_MOV64_IMM(BPF_REG_0, 0),
1858 BPF_EXIT_INSN(),
1859 },
82abbf8d
AS		 1860 .result = REJECT,
1861 .errstr = "R1 pointer += pointer",
bf508877
AS		 1862 },
1863 {
1864 "unpriv: neg pointer",
1865 .insns = {
1866 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1867 BPF_MOV64_IMM(BPF_REG_0, 0),
1868 BPF_EXIT_INSN(),
1869 },
1870 .result = ACCEPT,
1871 .result_unpriv = REJECT,
1872 .errstr_unpriv = "R1 pointer arithmetic",
1873 },
1874 {
1875 "unpriv: cmp pointer with const",
1876 .insns = {
1877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1878 BPF_MOV64_IMM(BPF_REG_0, 0),
1879 BPF_EXIT_INSN(),
1880 },
1881 .result = ACCEPT,
1882 .result_unpriv = REJECT,
1883 .errstr_unpriv = "R1 pointer comparison",
1884 },
1885 {
1886 "unpriv: cmp pointer with pointer",
1887 .insns = {
1888 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1889 BPF_MOV64_IMM(BPF_REG_0, 0),
1890 BPF_EXIT_INSN(),
1891 },
1892 .result = ACCEPT,
1893 .result_unpriv = REJECT,
1894 .errstr_unpriv = "R10 pointer comparison",
1895 },
1896 {
1897 "unpriv: check that printk is disallowed",
1898 .insns = {
1899 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1902 BPF_MOV64_IMM(BPF_REG_2, 8),
1903 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
5aa5bd14
DB		 1904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1905 BPF_FUNC_trace_printk),
bf508877
AS		 1906 BPF_MOV64_IMM(BPF_REG_0, 0),
1907 BPF_EXIT_INSN(),
1908 },
0eb6984f 1909 .errstr_unpriv = "unknown func bpf_trace_printk#6",
bf508877
AS		 1910 .result_unpriv = REJECT,
1911 .result = ACCEPT,
1912 },
1913 {
1914 "unpriv: pass pointer to helper function",
1915 .insns = {
1916 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1919 BPF_LD_MAP_FD(BPF_REG_1, 0),
1920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1921 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
5aa5bd14
DB		 1922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1923 BPF_FUNC_map_update_elem),
bf508877
AS		 1924 BPF_MOV64_IMM(BPF_REG_0, 0),
1925 BPF_EXIT_INSN(),
1926 },
5aa5bd14 1927 .fixup_map1 = { 3 },
bf508877
AS		 1928 .errstr_unpriv = "R4 leaks addr",
1929 .result_unpriv = REJECT,
1930 .result = ACCEPT,
1931 },
1932 {
1933 "unpriv: indirectly pass pointer on stack to helper function",
1934 .insns = {
1935 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1936 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1938 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1940 BPF_FUNC_map_lookup_elem),
bf508877
AS		 1941 BPF_MOV64_IMM(BPF_REG_0, 0),
1942 BPF_EXIT_INSN(),
1943 },
5aa5bd14 1944 .fixup_map1 = { 3 },
bf508877
AS		 1945 .errstr = "invalid indirect read from stack off -8+0 size 8",
1946 .result = REJECT,
1947 },
1948 {
1949 "unpriv: mangle pointer on stack 1",
1950 .insns = {
1951 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1952 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1953 BPF_MOV64_IMM(BPF_REG_0, 0),
1954 BPF_EXIT_INSN(),
1955 },
1956 .errstr_unpriv = "attempt to corrupt spilled",
1957 .result_unpriv = REJECT,
1958 .result = ACCEPT,
1959 },
1960 {
1961 "unpriv: mangle pointer on stack 2",
1962 .insns = {
1963 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1964 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1965 BPF_MOV64_IMM(BPF_REG_0, 0),
1966 BPF_EXIT_INSN(),
1967 },
1968 .errstr_unpriv = "attempt to corrupt spilled",
1969 .result_unpriv = REJECT,
1970 .result = ACCEPT,
1971 },
1972 {
1973 "unpriv: read pointer from stack in small chunks",
1974 .insns = {
1975 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1976 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1977 BPF_MOV64_IMM(BPF_REG_0, 0),
1978 BPF_EXIT_INSN(),
1979 },
1980 .errstr = "invalid size",
1981 .result = REJECT,
1982 },
1983 {
1984 "unpriv: write pointer into ctx",
1985 .insns = {
1986 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1987 BPF_MOV64_IMM(BPF_REG_0, 0),
1988 BPF_EXIT_INSN(),
1989 },
1990 .errstr_unpriv = "R1 leaks addr",
1991 .result_unpriv = REJECT,
1992 .errstr = "invalid bpf_context access",
1993 .result = REJECT,
1994 },
1a776b9c
DB		 1995 {
1996 "unpriv: spill/fill of ctx",
1997 .insns = {
1998 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2000 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2001 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2002 BPF_MOV64_IMM(BPF_REG_0, 0),
2003 BPF_EXIT_INSN(),
2004 },
2005 .result = ACCEPT,
2006 },
2007 {
2008 "unpriv: spill/fill of ctx 2",
2009 .insns = {
2010 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2012 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2013 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2015 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2016 BPF_EXIT_INSN(),
2017 },
2018 .result = ACCEPT,
2019 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2020 },
2021 {
2022 "unpriv: spill/fill of ctx 3",
2023 .insns = {
2024 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2026 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2027 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2028 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2030 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2031 BPF_EXIT_INSN(),
2032 },
2033 .result = REJECT,
2034 .errstr = "R1 type=fp expected=ctx",
2035 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2036 },
2037 {
2038 "unpriv: spill/fill of ctx 4",
2039 .insns = {
2040 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2042 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2043 BPF_MOV64_IMM(BPF_REG_0, 1),
5aa5bd14
DB		 2044 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2045 BPF_REG_0, -8, 0),
1a776b9c 2046 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2048 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2049 BPF_EXIT_INSN(),
2050 },
2051 .result = REJECT,
2052 .errstr = "R1 type=inv expected=ctx",
2053 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2054 },
2055 {
2056 "unpriv: spill/fill of different pointers stx",
2057 .insns = {
2058 BPF_MOV64_IMM(BPF_REG_3, 42),
2059 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2062 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2064 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2065 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2066 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2067 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2068 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2069 offsetof(struct __sk_buff, mark)),
2070 BPF_MOV64_IMM(BPF_REG_0, 0),
2071 BPF_EXIT_INSN(),
2072 },
2073 .result = REJECT,
2074 .errstr = "same insn cannot be used with different pointers",
2075 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2076 },
2077 {
2078 "unpriv: spill/fill of different pointers ldx",
2079 .insns = {
2080 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2082 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2083 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2085 -(__s32)offsetof(struct bpf_perf_event_data,
2086 sample_period) - 8),
2087 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2088 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2089 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2090 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2091 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2092 offsetof(struct bpf_perf_event_data,
2093 sample_period)),
2094 BPF_MOV64_IMM(BPF_REG_0, 0),
2095 BPF_EXIT_INSN(),
2096 },
2097 .result = REJECT,
2098 .errstr = "same insn cannot be used with different pointers",
2099 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2100 },
bf508877
AS		 2101 {
2102 "unpriv: write pointer into map elem value",
2103 .insns = {
2104 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2107 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2109 BPF_FUNC_map_lookup_elem),
bf508877
AS		 2110 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2111 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2112 BPF_EXIT_INSN(),
2113 },
5aa5bd14 2114 .fixup_map1 = { 3 },
bf508877
AS		 2115 .errstr_unpriv = "R0 leaks addr",
2116 .result_unpriv = REJECT,
2117 .result = ACCEPT,
2118 },
2119 {
2120 "unpriv: partial copy of pointer",
2121 .insns = {
2122 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2123 BPF_MOV64_IMM(BPF_REG_0, 0),
2124 BPF_EXIT_INSN(),
2125 },
2126 .errstr_unpriv = "R10 partial copy",
2127 .result_unpriv = REJECT,
2128 .result = ACCEPT,
2129 },
2130 {
2131 "unpriv: pass pointer to tail_call",
2132 .insns = {
2133 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2134 BPF_LD_MAP_FD(BPF_REG_2, 0),
5aa5bd14
DB		 2135 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2136 BPF_FUNC_tail_call),
bf508877
AS		 2137 BPF_MOV64_IMM(BPF_REG_0, 0),
2138 BPF_EXIT_INSN(),
2139 },
5aa5bd14 2140 .fixup_prog = { 1 },
bf508877
AS		 2141 .errstr_unpriv = "R3 leaks addr into helper",
2142 .result_unpriv = REJECT,
2143 .result = ACCEPT,
2144 },
2145 {
2146 "unpriv: cmp map pointer with zero",
2147 .insns = {
2148 BPF_MOV64_IMM(BPF_REG_1, 0),
2149 BPF_LD_MAP_FD(BPF_REG_1, 0),
2150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2151 BPF_MOV64_IMM(BPF_REG_0, 0),
2152 BPF_EXIT_INSN(),
2153 },
5aa5bd14 2154 .fixup_map1 = { 1 },
bf508877
AS		 2155 .errstr_unpriv = "R1 pointer comparison",
2156 .result_unpriv = REJECT,
2157 .result = ACCEPT,
2158 },
2159 {
2160 "unpriv: write into frame pointer",
2161 .insns = {
2162 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2163 BPF_MOV64_IMM(BPF_REG_0, 0),
2164 BPF_EXIT_INSN(),
2165 },
2166 .errstr = "frame pointer is read only",
2167 .result = REJECT,
2168 },
1a776b9c
DB		 2169 {
2170 "unpriv: spill/fill frame pointer",
2171 .insns = {
2172 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2174 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2175 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2176 BPF_MOV64_IMM(BPF_REG_0, 0),
2177 BPF_EXIT_INSN(),
2178 },
2179 .errstr = "frame pointer is read only",
2180 .result = REJECT,
2181 },
bf508877
AS		 2182 {
2183 "unpriv: cmp of frame pointer",
2184 .insns = {
2185 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2186 BPF_MOV64_IMM(BPF_REG_0, 0),
2187 BPF_EXIT_INSN(),
2188 },
2189 .errstr_unpriv = "R10 pointer comparison",
2190 .result_unpriv = REJECT,
2191 .result = ACCEPT,
2192 },
728a853a
DB		 2193 {
2194 "unpriv: adding of fp",
2195 .insns = {
2196 BPF_MOV64_IMM(BPF_REG_0, 0),
2197 BPF_MOV64_IMM(BPF_REG_1, 0),
2198 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2199 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2200 BPF_EXIT_INSN(),
2201 },
f65b1849 2202 .result = ACCEPT,
728a853a 2203 },
bf508877
AS		 2204 {
2205 "unpriv: cmp of stack pointer",
2206 .insns = {
2207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2210 BPF_MOV64_IMM(BPF_REG_0, 0),
2211 BPF_EXIT_INSN(),
2212 },
2213 .errstr_unpriv = "R2 pointer comparison",
2214 .result_unpriv = REJECT,
2215 .result = ACCEPT,
2216 },
2217 {
332270fd 2218 "stack pointer arithmetic",
bf508877 2219 .insns = {
332270fd
YS		 2220 BPF_MOV64_IMM(BPF_REG_1, 4),
2221 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2222 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2225 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2226 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2227 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2230 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
bf508877
AS		 2231 BPF_MOV64_IMM(BPF_REG_0, 0),
2232 BPF_EXIT_INSN(),
2233 },
bf508877
AS		 2234 .result = ACCEPT,
2235 },
3f2050e2
DB		 2236 {
2237 "raw_stack: no skb_load_bytes",
2238 .insns = {
2239 BPF_MOV64_IMM(BPF_REG_2, 4),
2240 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2242 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2243 BPF_MOV64_IMM(BPF_REG_4, 8),
2244 /* Call to skb_load_bytes() omitted. */
2245 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2246 BPF_EXIT_INSN(),
2247 },
2248 .result = REJECT,
2249 .errstr = "invalid read from stack off -8+0 size 8",
2250 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2251 },
7d95b0ab
DB		 2252 {
2253 "raw_stack: skb_load_bytes, negative len",
2254 .insns = {
2255 BPF_MOV64_IMM(BPF_REG_2, 4),
2256 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2258 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2259 BPF_MOV64_IMM(BPF_REG_4, -8),
5aa5bd14
DB		 2260 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2261 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2262 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2263 BPF_EXIT_INSN(),
2264 },
2265 .result = REJECT,
f65b1849 2266 .errstr = "R4 min value is negative",
7d95b0ab
DB		 2267 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2268 },
2269 {
2270 "raw_stack: skb_load_bytes, negative len 2",
2271 .insns = {
2272 BPF_MOV64_IMM(BPF_REG_2, 4),
2273 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2275 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2276 BPF_MOV64_IMM(BPF_REG_4, ~0),
5aa5bd14
DB		 2277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2278 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2279 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2280 BPF_EXIT_INSN(),
2281 },
2282 .result = REJECT,
f65b1849 2283 .errstr = "R4 min value is negative",
7d95b0ab
DB		 2284 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2285 },
2286 {
2287 "raw_stack: skb_load_bytes, zero len",
2288 .insns = {
2289 BPF_MOV64_IMM(BPF_REG_2, 4),
2290 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2292 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2293 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2294 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2295 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2297 BPF_EXIT_INSN(),
2298 },
2299 .result = REJECT,
2300 .errstr = "invalid stack type R3",
2301 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2302 },
3f2050e2
DB		 2303 {
2304 "raw_stack: skb_load_bytes, no init",
2305 .insns = {
2306 BPF_MOV64_IMM(BPF_REG_2, 4),
2307 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2310 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2311 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2312 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2314 BPF_EXIT_INSN(),
2315 },
2316 .result = ACCEPT,
2317 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2318 },
2319 {
2320 "raw_stack: skb_load_bytes, init",
2321 .insns = {
2322 BPF_MOV64_IMM(BPF_REG_2, 4),
2323 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2325 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2326 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2327 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2329 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2330 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2331 BPF_EXIT_INSN(),
2332 },
2333 .result = ACCEPT,
2334 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2335 },
2336 {
2337 "raw_stack: skb_load_bytes, spilled regs around bounds",
2338 .insns = {
2339 BPF_MOV64_IMM(BPF_REG_2, 4),
2340 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2342 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2343 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2344 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2345 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2347 BPF_FUNC_skb_load_bytes),
2348 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2349 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3f2050e2
DB		 2350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2351 offsetof(struct __sk_buff, mark)),
2352 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2353 offsetof(struct __sk_buff, priority)),
2354 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2355 BPF_EXIT_INSN(),
2356 },
2357 .result = ACCEPT,
2358 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2359 },
2360 {
2361 "raw_stack: skb_load_bytes, spilled regs corruption",
2362 .insns = {
2363 BPF_MOV64_IMM(BPF_REG_2, 4),
2364 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
5aa5bd14 2366 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3f2050e2
DB		 2367 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2368 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2370 BPF_FUNC_skb_load_bytes),
2371 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3f2050e2
DB		 2372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2373 offsetof(struct __sk_buff, mark)),
2374 BPF_EXIT_INSN(),
2375 },
2376 .result = REJECT,
2377 .errstr = "R0 invalid mem access 'inv'",
2378 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2379 },
2380 {
2381 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2382 .insns = {
2383 BPF_MOV64_IMM(BPF_REG_2, 4),
2384 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2386 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2387 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2388 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2389 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2390 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2392 BPF_FUNC_skb_load_bytes),
2393 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2394 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2395 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 2396 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2397 offsetof(struct __sk_buff, mark)),
2398 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2399 offsetof(struct __sk_buff, priority)),
2400 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2402 offsetof(struct __sk_buff, pkt_type)),
2403 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2404 BPF_EXIT_INSN(),
2405 },
2406 .result = REJECT,
2407 .errstr = "R3 invalid mem access 'inv'",
2408 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2409 },
2410 {
2411 "raw_stack: skb_load_bytes, spilled regs + data",
2412 .insns = {
2413 BPF_MOV64_IMM(BPF_REG_2, 4),
2414 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2416 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2417 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2418 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2420 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2422 BPF_FUNC_skb_load_bytes),
2423 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2424 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2425 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 2426 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2427 offsetof(struct __sk_buff, mark)),
2428 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2429 offsetof(struct __sk_buff, priority)),
2430 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2431 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2432 BPF_EXIT_INSN(),
2433 },
2434 .result = ACCEPT,
2435 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2436 },
2437 {
2438 "raw_stack: skb_load_bytes, invalid access 1",
2439 .insns = {
2440 BPF_MOV64_IMM(BPF_REG_2, 4),
2441 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2443 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2444 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2446 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2447 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2448 BPF_EXIT_INSN(),
2449 },
2450 .result = REJECT,
2451 .errstr = "invalid stack type R3 off=-513 access_size=8",
2452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2453 },
2454 {
2455 "raw_stack: skb_load_bytes, invalid access 2",
2456 .insns = {
2457 BPF_MOV64_IMM(BPF_REG_2, 4),
2458 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2460 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2461 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2463 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2464 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2465 BPF_EXIT_INSN(),
2466 },
2467 .result = REJECT,
2468 .errstr = "invalid stack type R3 off=-1 access_size=8",
2469 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2470 },
2471 {
2472 "raw_stack: skb_load_bytes, invalid access 3",
2473 .insns = {
2474 BPF_MOV64_IMM(BPF_REG_2, 4),
2475 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2477 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2478 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
5aa5bd14
DB		 2479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2480 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2481 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2482 BPF_EXIT_INSN(),
2483 },
2484 .result = REJECT,
f65b1849 2485 .errstr = "R4 min value is negative",
3f2050e2
DB		 2486 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2487 },
2488 {
2489 "raw_stack: skb_load_bytes, invalid access 4",
2490 .insns = {
2491 BPF_MOV64_IMM(BPF_REG_2, 4),
2492 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2494 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2495 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 2496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2497 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2498 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2499 BPF_EXIT_INSN(),
2500 },
2501 .result = REJECT,
f65b1849 2502 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3f2050e2
DB		 2503 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2504 },
2505 {
2506 "raw_stack: skb_load_bytes, invalid access 5",
2507 .insns = {
2508 BPF_MOV64_IMM(BPF_REG_2, 4),
2509 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2511 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2512 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 2513 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2514 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2515 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2516 BPF_EXIT_INSN(),
2517 },
2518 .result = REJECT,
f65b1849 2519 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3f2050e2
DB		 2520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2521 },
2522 {
2523 "raw_stack: skb_load_bytes, invalid access 6",
2524 .insns = {
2525 BPF_MOV64_IMM(BPF_REG_2, 4),
2526 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2528 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2529 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2530 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2531 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2532 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2533 BPF_EXIT_INSN(),
2534 },
2535 .result = REJECT,
2536 .errstr = "invalid stack type R3 off=-512 access_size=0",
2537 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2538 },
2539 {
2540 "raw_stack: skb_load_bytes, large access",
2541 .insns = {
2542 BPF_MOV64_IMM(BPF_REG_2, 4),
2543 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2545 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2546 BPF_MOV64_IMM(BPF_REG_4, 512),
5aa5bd14
DB		 2547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2548 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2549 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2550 BPF_EXIT_INSN(),
2551 },
2552 .result = ACCEPT,
2553 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2554 },
883e44e4 2555 {
1633ac0a 2556 "direct packet access: test1",
883e44e4
AS		 2557 .insns = {
2558 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2559 offsetof(struct __sk_buff, data)),
2560 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2561 offsetof(struct __sk_buff, data_end)),
2562 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2564 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2565 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2566 BPF_MOV64_IMM(BPF_REG_0, 0),
2567 BPF_EXIT_INSN(),
2568 },
2569 .result = ACCEPT,
2570 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2571 },
2572 {
1633ac0a 2573 "direct packet access: test2",
883e44e4
AS		 2574 .insns = {
2575 BPF_MOV64_IMM(BPF_REG_0, 1),
2576 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2577 offsetof(struct __sk_buff, data_end)),
2578 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2579 offsetof(struct __sk_buff, data)),
2580 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2582 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2583 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2584 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2585 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2586 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2587 offsetof(struct __sk_buff, data)),
2588 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
82abbf8d
AS		 2589 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2590 offsetof(struct __sk_buff, len)),
1f9ab38f
EC		 2591 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2592 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
883e44e4
AS		 2593 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2594 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2596 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2597 offsetof(struct __sk_buff, data_end)),
2598 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2599 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2600 BPF_MOV64_IMM(BPF_REG_0, 0),
2601 BPF_EXIT_INSN(),
2602 },
2603 .result = ACCEPT,
2604 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2605 },
2606 {
1633ac0a 2607 "direct packet access: test3",
883e44e4
AS		 2608 .insns = {
2609 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2610 offsetof(struct __sk_buff, data)),
2611 BPF_MOV64_IMM(BPF_REG_0, 0),
2612 BPF_EXIT_INSN(),
2613 },
2614 .errstr = "invalid bpf_context access off=76",
2615 .result = REJECT,
2616 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2617 },
2618 {
7d95b0ab 2619 "direct packet access: test4 (write)",
883e44e4
AS		 2620 .insns = {
2621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2622 offsetof(struct __sk_buff, data)),
2623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2624 offsetof(struct __sk_buff, data_end)),
2625 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2627 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2628 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2629 BPF_MOV64_IMM(BPF_REG_0, 0),
2630 BPF_EXIT_INSN(),
2631 },
7d95b0ab 2632 .result = ACCEPT,
883e44e4
AS		 2633 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2634 },
2d2be8ca
DB		 2635 {
2636 "direct packet access: test5 (pkt_end >= reg, good access)",
2637 .insns = {
2638 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2639 offsetof(struct __sk_buff, data)),
2640 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2641 offsetof(struct __sk_buff, data_end)),
2642 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2644 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2645 BPF_MOV64_IMM(BPF_REG_0, 1),
2646 BPF_EXIT_INSN(),
2647 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2648 BPF_MOV64_IMM(BPF_REG_0, 0),
2649 BPF_EXIT_INSN(),
2650 },
2651 .result = ACCEPT,
2652 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2653 },
2654 {
2655 "direct packet access: test6 (pkt_end >= reg, bad access)",
2656 .insns = {
2657 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2658 offsetof(struct __sk_buff, data)),
2659 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2660 offsetof(struct __sk_buff, data_end)),
2661 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2663 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2664 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2665 BPF_MOV64_IMM(BPF_REG_0, 1),
2666 BPF_EXIT_INSN(),
2667 BPF_MOV64_IMM(BPF_REG_0, 0),
2668 BPF_EXIT_INSN(),
2669 },
2670 .errstr = "invalid access to packet",
2671 .result = REJECT,
2672 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2673 },
2674 {
2675 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2676 .insns = {
2677 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2678 offsetof(struct __sk_buff, data)),
2679 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2680 offsetof(struct __sk_buff, data_end)),
2681 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2683 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2684 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2685 BPF_MOV64_IMM(BPF_REG_0, 1),
2686 BPF_EXIT_INSN(),
2687 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2688 BPF_MOV64_IMM(BPF_REG_0, 0),
2689 BPF_EXIT_INSN(),
2690 },
2691 .errstr = "invalid access to packet",
2692 .result = REJECT,
2693 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2694 },
2695 {
2696 "direct packet access: test8 (double test, variant 1)",
2697 .insns = {
2698 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2699 offsetof(struct __sk_buff, data)),
2700 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2701 offsetof(struct __sk_buff, data_end)),
2702 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2704 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2705 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2706 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2707 BPF_MOV64_IMM(BPF_REG_0, 1),
2708 BPF_EXIT_INSN(),
2709 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2710 BPF_MOV64_IMM(BPF_REG_0, 0),
2711 BPF_EXIT_INSN(),
2712 },
2713 .result = ACCEPT,
2714 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2715 },
2716 {
2717 "direct packet access: test9 (double test, variant 2)",
2718 .insns = {
2719 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2720 offsetof(struct __sk_buff, data)),
2721 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2722 offsetof(struct __sk_buff, data_end)),
2723 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2725 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2726 BPF_MOV64_IMM(BPF_REG_0, 1),
2727 BPF_EXIT_INSN(),
2728 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2729 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2730 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2731 BPF_MOV64_IMM(BPF_REG_0, 0),
2732 BPF_EXIT_INSN(),
2733 },
2734 .result = ACCEPT,
2735 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2736 },
7d95b0ab
DB		 2737 {
2738 "direct packet access: test10 (write invalid)",
2739 .insns = {
2740 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2741 offsetof(struct __sk_buff, data)),
2742 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2743 offsetof(struct __sk_buff, data_end)),
2744 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2746 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2747 BPF_MOV64_IMM(BPF_REG_0, 0),
2748 BPF_EXIT_INSN(),
2749 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2750 BPF_MOV64_IMM(BPF_REG_0, 0),
2751 BPF_EXIT_INSN(),
2752 },
2753 .errstr = "invalid access to packet",
2754 .result = REJECT,
2755 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2756 },
3fadc801
DB		 2757 {
2758 "direct packet access: test11 (shift, good access)",
2759 .insns = {
2760 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2761 offsetof(struct __sk_buff, data)),
2762 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2763 offsetof(struct __sk_buff, data_end)),
2764 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2766 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2767 BPF_MOV64_IMM(BPF_REG_3, 144),
2768 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2770 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2771 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2772 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2773 BPF_MOV64_IMM(BPF_REG_0, 1),
2774 BPF_EXIT_INSN(),
2775 BPF_MOV64_IMM(BPF_REG_0, 0),
2776 BPF_EXIT_INSN(),
2777 },
2778 .result = ACCEPT,
2779 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2780 },
2781 {
2782 "direct packet access: test12 (and, good access)",
2783 .insns = {
2784 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2785 offsetof(struct __sk_buff, data)),
2786 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2787 offsetof(struct __sk_buff, data_end)),
2788 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2790 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2791 BPF_MOV64_IMM(BPF_REG_3, 144),
2792 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2794 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2795 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2796 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2797 BPF_MOV64_IMM(BPF_REG_0, 1),
2798 BPF_EXIT_INSN(),
2799 BPF_MOV64_IMM(BPF_REG_0, 0),
2800 BPF_EXIT_INSN(),
2801 },
2802 .result = ACCEPT,
2803 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2804 },
2805 {
2806 "direct packet access: test13 (branches, good access)",
2807 .insns = {
2808 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2809 offsetof(struct __sk_buff, data)),
2810 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2811 offsetof(struct __sk_buff, data_end)),
2812 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2814 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2816 offsetof(struct __sk_buff, mark)),
2817 BPF_MOV64_IMM(BPF_REG_4, 1),
2818 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2819 BPF_MOV64_IMM(BPF_REG_3, 14),
2820 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2821 BPF_MOV64_IMM(BPF_REG_3, 24),
2822 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2824 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2825 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2826 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2827 BPF_MOV64_IMM(BPF_REG_0, 1),
2828 BPF_EXIT_INSN(),
2829 BPF_MOV64_IMM(BPF_REG_0, 0),
2830 BPF_EXIT_INSN(),
2831 },
2832 .result = ACCEPT,
2833 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2834 },
63dfef75
WT		 2835 {
2836 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2837 .insns = {
2838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2839 offsetof(struct __sk_buff, data)),
2840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2841 offsetof(struct __sk_buff, data_end)),
2842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2844 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2845 BPF_MOV64_IMM(BPF_REG_5, 12),
2846 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2847 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2848 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2849 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2850 BPF_MOV64_IMM(BPF_REG_0, 1),
2851 BPF_EXIT_INSN(),
2852 BPF_MOV64_IMM(BPF_REG_0, 0),
2853 BPF_EXIT_INSN(),
2854 },
2855 .result = ACCEPT,
2856 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2857 },
02ea80b1
DB		 2858 {
2859 "direct packet access: test15 (spill with xadd)",
2860 .insns = {
2861 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2862 offsetof(struct __sk_buff, data)),
2863 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2864 offsetof(struct __sk_buff, data_end)),
2865 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2867 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2868 BPF_MOV64_IMM(BPF_REG_5, 4096),
2869 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2871 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2872 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2873 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2874 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2875 BPF_MOV64_IMM(BPF_REG_0, 0),
2876 BPF_EXIT_INSN(),
2877 },
2878 .errstr = "R2 invalid mem access 'inv'",
2879 .result = REJECT,
2880 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2881 },
728a853a
DB		 2882 {
2883 "direct packet access: test16 (arith on data_end)",
2884 .insns = {
2885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2886 offsetof(struct __sk_buff, data)),
2887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2888 offsetof(struct __sk_buff, data_end)),
2889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2892 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2893 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2894 BPF_MOV64_IMM(BPF_REG_0, 0),
2895 BPF_EXIT_INSN(),
2896 },
82abbf8d 2897 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
728a853a
DB		 2898 .result = REJECT,
2899 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2900 },
614d0d77
DB		 2901 {
2902 "direct packet access: test17 (pruning, alignment)",
2903 .insns = {
2904 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2905 offsetof(struct __sk_buff, data)),
2906 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2907 offsetof(struct __sk_buff, data_end)),
2908 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2909 offsetof(struct __sk_buff, mark)),
2910 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2912 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2913 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2914 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2915 BPF_MOV64_IMM(BPF_REG_0, 0),
2916 BPF_EXIT_INSN(),
2917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2918 BPF_JMP_A(-6),
2919 },
f65b1849 2920 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
614d0d77
DB		 2921 .result = REJECT,
2922 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2923 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2924 },
6d191ed4
DB		 2925 {
2926 "direct packet access: test18 (imm += pkt_ptr, 1)",
2927 .insns = {
2928 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2929 offsetof(struct __sk_buff, data)),
2930 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2931 offsetof(struct __sk_buff, data_end)),
2932 BPF_MOV64_IMM(BPF_REG_0, 8),
2933 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2934 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2935 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2936 BPF_MOV64_IMM(BPF_REG_0, 0),
2937 BPF_EXIT_INSN(),
2938 },
2939 .result = ACCEPT,
2940 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2941 },
2942 {
2943 "direct packet access: test19 (imm += pkt_ptr, 2)",
2944 .insns = {
2945 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2946 offsetof(struct __sk_buff, data)),
2947 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2948 offsetof(struct __sk_buff, data_end)),
2949 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2951 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2952 BPF_MOV64_IMM(BPF_REG_4, 4),
2953 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2954 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2955 BPF_MOV64_IMM(BPF_REG_0, 0),
2956 BPF_EXIT_INSN(),
2957 },
2958 .result = ACCEPT,
2959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2960 },
2961 {
2962 "direct packet access: test20 (x += pkt_ptr, 1)",
2963 .insns = {
2964 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2965 offsetof(struct __sk_buff, data)),
2966 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2967 offsetof(struct __sk_buff, data_end)),
2968 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2969 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2970 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1f9ab38f 2971 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
6d191ed4
DB		 2972 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2973 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2974 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
1f9ab38f 2975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
6d191ed4
DB		 2976 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2977 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2978 BPF_MOV64_IMM(BPF_REG_0, 0),
2979 BPF_EXIT_INSN(),
2980 },
2981 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2982 .result = ACCEPT,
2983 },
2984 {
2985 "direct packet access: test21 (x += pkt_ptr, 2)",
2986 .insns = {
2987 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2988 offsetof(struct __sk_buff, data)),
2989 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2990 offsetof(struct __sk_buff, data_end)),
2991 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2993 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2994 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2995 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
2996 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1f9ab38f 2997 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
6d191ed4
DB		 2998 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2999 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
1f9ab38f 3000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
6d191ed4
DB		 3001 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3002 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3003 BPF_MOV64_IMM(BPF_REG_0, 0),
3004 BPF_EXIT_INSN(),
3005 },
3006 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3007 .result = ACCEPT,
3008 },
3009 {
3010 "direct packet access: test22 (x += pkt_ptr, 3)",
3011 .insns = {
3012 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3013 offsetof(struct __sk_buff, data)),
3014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3015 offsetof(struct __sk_buff, data_end)),
3016 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3018 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3019 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3020 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3021 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3022 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3023 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3024 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3025 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1f9ab38f 3026 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
6d191ed4
DB		 3027 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3028 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3030 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3031 BPF_MOV64_IMM(BPF_REG_2, 1),
3032 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3033 BPF_MOV64_IMM(BPF_REG_0, 0),
3034 BPF_EXIT_INSN(),
3035 },
3036 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3037 .result = ACCEPT,
3038 },
3039 {
3040 "direct packet access: test23 (x += pkt_ptr, 4)",
3041 .insns = {
3042 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3043 offsetof(struct __sk_buff, data)),
3044 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3045 offsetof(struct __sk_buff, data_end)),
3046 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3047 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3049 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3050 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3051 BPF_MOV64_IMM(BPF_REG_0, 31),
3052 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3053 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3054 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3056 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3057 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3058 BPF_MOV64_IMM(BPF_REG_0, 0),
3059 BPF_EXIT_INSN(),
3060 },
3061 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3062 .result = REJECT,
f65b1849 3063 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
6d191ed4
DB		 3064 },
3065 {
3066 "direct packet access: test24 (x += pkt_ptr, 5)",
3067 .insns = {
3068 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3069 offsetof(struct __sk_buff, data)),
3070 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3071 offsetof(struct __sk_buff, data_end)),
3072 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3073 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3074 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3075 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3076 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3077 BPF_MOV64_IMM(BPF_REG_0, 64),
3078 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3079 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3080 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
1f9ab38f 3081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
6d191ed4
DB		 3082 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3083 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3084 BPF_MOV64_IMM(BPF_REG_0, 0),
3085 BPF_EXIT_INSN(),
3086 },
3087 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3088 .result = ACCEPT,
3089 },
31e482bf
DB		 3090 {
3091 "direct packet access: test25 (marking on <, good access)",
3092 .insns = {
3093 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3094 offsetof(struct __sk_buff, data)),
3095 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3096 offsetof(struct __sk_buff, data_end)),
3097 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3099 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3100 BPF_MOV64_IMM(BPF_REG_0, 0),
3101 BPF_EXIT_INSN(),
3102 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3103 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3104 },
3105 .result = ACCEPT,
3106 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3107 },
3108 {
3109 "direct packet access: test26 (marking on <, bad access)",
3110 .insns = {
3111 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3112 offsetof(struct __sk_buff, data)),
3113 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3114 offsetof(struct __sk_buff, data_end)),
3115 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3117 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3119 BPF_MOV64_IMM(BPF_REG_0, 0),
3120 BPF_EXIT_INSN(),
3121 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3122 },
3123 .result = REJECT,
3124 .errstr = "invalid access to packet",
3125 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3126 },
3127 {
3128 "direct packet access: test27 (marking on <=, good access)",
3129 .insns = {
3130 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3131 offsetof(struct __sk_buff, data)),
3132 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3133 offsetof(struct __sk_buff, data_end)),
3134 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3136 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3137 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3138 BPF_MOV64_IMM(BPF_REG_0, 1),
3139 BPF_EXIT_INSN(),
3140 },
3141 .result = ACCEPT,
3142 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3143 },
3144 {
3145 "direct packet access: test28 (marking on <=, bad access)",
3146 .insns = {
3147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3148 offsetof(struct __sk_buff, data)),
3149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3150 offsetof(struct __sk_buff, data_end)),
3151 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3153 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3154 BPF_MOV64_IMM(BPF_REG_0, 1),
3155 BPF_EXIT_INSN(),
3156 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3157 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3158 },
3159 .result = REJECT,
3160 .errstr = "invalid access to packet",
3161 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3162 },
1633ac0a
AY		 3163 {
3164 "helper access to packet: test1, valid packet_ptr range",
3165 .insns = {
3166 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3167 offsetof(struct xdp_md, data)),
3168 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3169 offsetof(struct xdp_md, data_end)),
3170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3172 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3173 BPF_LD_MAP_FD(BPF_REG_1, 0),
3174 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3175 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 3176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3177 BPF_FUNC_map_update_elem),
1633ac0a
AY		 3178 BPF_MOV64_IMM(BPF_REG_0, 0),
3179 BPF_EXIT_INSN(),
3180 },
5aa5bd14 3181 .fixup_map1 = { 5 },
1633ac0a
AY		 3182 .result_unpriv = ACCEPT,
3183 .result = ACCEPT,
3184 .prog_type = BPF_PROG_TYPE_XDP,
3185 },
3186 {
3187 "helper access to packet: test2, unchecked packet_ptr",
3188 .insns = {
3189 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3190 offsetof(struct xdp_md, data)),
3191 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3193 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3194 BPF_MOV64_IMM(BPF_REG_0, 0),
3195 BPF_EXIT_INSN(),
3196 },
5aa5bd14 3197 .fixup_map1 = { 1 },
1633ac0a
AY		 3198 .result = REJECT,
3199 .errstr = "invalid access to packet",
3200 .prog_type = BPF_PROG_TYPE_XDP,
3201 },
3202 {
3203 "helper access to packet: test3, variable add",
3204 .insns = {
3205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3206 offsetof(struct xdp_md, data)),
3207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3208 offsetof(struct xdp_md, data_end)),
3209 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3211 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3212 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3213 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3214 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3215 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3217 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3218 BPF_LD_MAP_FD(BPF_REG_1, 0),
3219 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 3220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3221 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3222 BPF_MOV64_IMM(BPF_REG_0, 0),
3223 BPF_EXIT_INSN(),
3224 },
5aa5bd14 3225 .fixup_map1 = { 11 },
1633ac0a
AY		 3226 .result = ACCEPT,
3227 .prog_type = BPF_PROG_TYPE_XDP,
3228 },
3229 {
3230 "helper access to packet: test4, packet_ptr with bad range",
3231 .insns = {
3232 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3233 offsetof(struct xdp_md, data)),
3234 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3235 offsetof(struct xdp_md, data_end)),
3236 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3238 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3239 BPF_MOV64_IMM(BPF_REG_0, 0),
3240 BPF_EXIT_INSN(),
3241 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3243 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3244 BPF_MOV64_IMM(BPF_REG_0, 0),
3245 BPF_EXIT_INSN(),
3246 },
5aa5bd14 3247 .fixup_map1 = { 7 },
1633ac0a
AY		 3248 .result = REJECT,
3249 .errstr = "invalid access to packet",
3250 .prog_type = BPF_PROG_TYPE_XDP,
3251 },
3252 {
3253 "helper access to packet: test5, packet_ptr with too short range",
3254 .insns = {
3255 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3256 offsetof(struct xdp_md, data)),
3257 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3258 offsetof(struct xdp_md, data_end)),
3259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3260 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3262 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3263 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3265 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3266 BPF_MOV64_IMM(BPF_REG_0, 0),
3267 BPF_EXIT_INSN(),
3268 },
5aa5bd14 3269 .fixup_map1 = { 6 },
1633ac0a
AY		 3270 .result = REJECT,
3271 .errstr = "invalid access to packet",
3272 .prog_type = BPF_PROG_TYPE_XDP,
3273 },
7d95b0ab
DB		 3274 {
3275 "helper access to packet: test6, cls valid packet_ptr range",
3276 .insns = {
3277 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3278 offsetof(struct __sk_buff, data)),
3279 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3280 offsetof(struct __sk_buff, data_end)),
3281 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3283 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3284 BPF_LD_MAP_FD(BPF_REG_1, 0),
3285 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3286 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 3287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3288 BPF_FUNC_map_update_elem),
7d95b0ab
DB		 3289 BPF_MOV64_IMM(BPF_REG_0, 0),
3290 BPF_EXIT_INSN(),
3291 },
5aa5bd14 3292 .fixup_map1 = { 5 },
7d95b0ab
DB		 3293 .result = ACCEPT,
3294 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3295 },
3296 {
3297 "helper access to packet: test7, cls unchecked packet_ptr",
3298 .insns = {
3299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3300 offsetof(struct __sk_buff, data)),
3301 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3303 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3304 BPF_MOV64_IMM(BPF_REG_0, 0),
3305 BPF_EXIT_INSN(),
3306 },
5aa5bd14 3307 .fixup_map1 = { 1 },
7d95b0ab
DB		 3308 .result = REJECT,
3309 .errstr = "invalid access to packet",
3310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3311 },
3312 {
3313 "helper access to packet: test8, cls variable add",
3314 .insns = {
3315 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3316 offsetof(struct __sk_buff, data)),
3317 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3318 offsetof(struct __sk_buff, data_end)),
3319 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3321 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3322 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3323 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3324 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3325 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3327 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3328 BPF_LD_MAP_FD(BPF_REG_1, 0),
3329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 3330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3331 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3332 BPF_MOV64_IMM(BPF_REG_0, 0),
3333 BPF_EXIT_INSN(),
3334 },
5aa5bd14 3335 .fixup_map1 = { 11 },
7d95b0ab
DB		 3336 .result = ACCEPT,
3337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3338 },
3339 {
3340 "helper access to packet: test9, cls packet_ptr with bad range",
3341 .insns = {
3342 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3343 offsetof(struct __sk_buff, data)),
3344 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3345 offsetof(struct __sk_buff, data_end)),
3346 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3348 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3349 BPF_MOV64_IMM(BPF_REG_0, 0),
3350 BPF_EXIT_INSN(),
3351 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3353 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3354 BPF_MOV64_IMM(BPF_REG_0, 0),
3355 BPF_EXIT_INSN(),
3356 },
5aa5bd14 3357 .fixup_map1 = { 7 },
7d95b0ab
DB		 3358 .result = REJECT,
3359 .errstr = "invalid access to packet",
3360 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3361 },
3362 {
3363 "helper access to packet: test10, cls packet_ptr with too short range",
3364 .insns = {
3365 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3366 offsetof(struct __sk_buff, data)),
3367 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3368 offsetof(struct __sk_buff, data_end)),
3369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3370 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3372 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3373 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3374 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3375 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3376 BPF_MOV64_IMM(BPF_REG_0, 0),
3377 BPF_EXIT_INSN(),
3378 },
5aa5bd14 3379 .fixup_map1 = { 6 },
7d95b0ab
DB		 3380 .result = REJECT,
3381 .errstr = "invalid access to packet",
3382 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3383 },
3384 {
3385 "helper access to packet: test11, cls unsuitable helper 1",
3386 .insns = {
3387 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3388 offsetof(struct __sk_buff, data)),
3389 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3390 offsetof(struct __sk_buff, data_end)),
3391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3392 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3394 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3395 BPF_MOV64_IMM(BPF_REG_2, 0),
3396 BPF_MOV64_IMM(BPF_REG_4, 42),
3397 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3399 BPF_FUNC_skb_store_bytes),
7d95b0ab
DB		 3400 BPF_MOV64_IMM(BPF_REG_0, 0),
3401 BPF_EXIT_INSN(),
3402 },
3403 .result = REJECT,
3404 .errstr = "helper access to the packet",
3405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3406 },
3407 {
3408 "helper access to packet: test12, cls unsuitable helper 2",
3409 .insns = {
3410 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3411 offsetof(struct __sk_buff, data)),
3412 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3413 offsetof(struct __sk_buff, data_end)),
3414 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3416 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3417 BPF_MOV64_IMM(BPF_REG_2, 0),
3418 BPF_MOV64_IMM(BPF_REG_4, 4),
5aa5bd14
DB		 3419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3420 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 3421 BPF_MOV64_IMM(BPF_REG_0, 0),
3422 BPF_EXIT_INSN(),
3423 },
3424 .result = REJECT,
3425 .errstr = "helper access to the packet",
3426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3427 },
3428 {
3429 "helper access to packet: test13, cls helper ok",
3430 .insns = {
3431 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3432 offsetof(struct __sk_buff, data)),
3433 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3434 offsetof(struct __sk_buff, data_end)),
3435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3436 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3438 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3440 BPF_MOV64_IMM(BPF_REG_2, 4),
3441 BPF_MOV64_IMM(BPF_REG_3, 0),
3442 BPF_MOV64_IMM(BPF_REG_4, 0),
3443 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3445 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3446 BPF_MOV64_IMM(BPF_REG_0, 0),
3447 BPF_EXIT_INSN(),
3448 },
3449 .result = ACCEPT,
3450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3451 },
3452 {
f65b1849 3453 "helper access to packet: test14, cls helper ok sub",
7d95b0ab
DB		 3454 .insns = {
3455 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3456 offsetof(struct __sk_buff, data)),
3457 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3458 offsetof(struct __sk_buff, data_end)),
3459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3462 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3463 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3464 BPF_MOV64_IMM(BPF_REG_2, 4),
3465 BPF_MOV64_IMM(BPF_REG_3, 0),
3466 BPF_MOV64_IMM(BPF_REG_4, 0),
3467 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3469 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3470 BPF_MOV64_IMM(BPF_REG_0, 0),
3471 BPF_EXIT_INSN(),
3472 },
f65b1849
EC		 3473 .result = ACCEPT,
3474 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3475 },
3476 {
3477 "helper access to packet: test15, cls helper fail sub",
3478 .insns = {
3479 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3480 offsetof(struct __sk_buff, data)),
3481 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3482 offsetof(struct __sk_buff, data_end)),
3483 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3486 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3487 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3488 BPF_MOV64_IMM(BPF_REG_2, 4),
3489 BPF_MOV64_IMM(BPF_REG_3, 0),
3490 BPF_MOV64_IMM(BPF_REG_4, 0),
3491 BPF_MOV64_IMM(BPF_REG_5, 0),
3492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3493 BPF_FUNC_csum_diff),
3494 BPF_MOV64_IMM(BPF_REG_0, 0),
3495 BPF_EXIT_INSN(),
3496 },
7d95b0ab 3497 .result = REJECT,
f65b1849 3498 .errstr = "invalid access to packet",
7d95b0ab
DB		 3499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3500 },
3501 {
f65b1849 3502 "helper access to packet: test16, cls helper fail range 1",
7d95b0ab
DB		 3503 .insns = {
3504 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3505 offsetof(struct __sk_buff, data)),
3506 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3507 offsetof(struct __sk_buff, data_end)),
3508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3511 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3513 BPF_MOV64_IMM(BPF_REG_2, 8),
3514 BPF_MOV64_IMM(BPF_REG_3, 0),
3515 BPF_MOV64_IMM(BPF_REG_4, 0),
3516 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3518 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3519 BPF_MOV64_IMM(BPF_REG_0, 0),
3520 BPF_EXIT_INSN(),
3521 },
3522 .result = REJECT,
3523 .errstr = "invalid access to packet",
3524 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3525 },
3526 {
f65b1849 3527 "helper access to packet: test17, cls helper fail range 2",
7d95b0ab
DB		 3528 .insns = {
3529 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3530 offsetof(struct __sk_buff, data)),
3531 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3532 offsetof(struct __sk_buff, data_end)),
3533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3536 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3538 BPF_MOV64_IMM(BPF_REG_2, -9),
3539 BPF_MOV64_IMM(BPF_REG_3, 0),
3540 BPF_MOV64_IMM(BPF_REG_4, 0),
3541 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3543 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3544 BPF_MOV64_IMM(BPF_REG_0, 0),
3545 BPF_EXIT_INSN(),
3546 },
3547 .result = REJECT,
f65b1849 3548 .errstr = "R2 min value is negative",
7d95b0ab
DB		 3549 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3550 },
3551 {
f65b1849 3552 "helper access to packet: test18, cls helper fail range 3",
7d95b0ab
DB		 3553 .insns = {
3554 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3555 offsetof(struct __sk_buff, data)),
3556 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3557 offsetof(struct __sk_buff, data_end)),
3558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3561 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3562 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3563 BPF_MOV64_IMM(BPF_REG_2, ~0),
3564 BPF_MOV64_IMM(BPF_REG_3, 0),
3565 BPF_MOV64_IMM(BPF_REG_4, 0),
3566 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3567 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3568 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3569 BPF_MOV64_IMM(BPF_REG_0, 0),
3570 BPF_EXIT_INSN(),
3571 },
3572 .result = REJECT,
f65b1849 3573 .errstr = "R2 min value is negative",
7d95b0ab
DB		 3574 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3575 },
3576 {
b6ff6391 3577 "helper access to packet: test19, cls helper range zero",
7d95b0ab
DB		 3578 .insns = {
3579 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3580 offsetof(struct __sk_buff, data)),
3581 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3582 offsetof(struct __sk_buff, data_end)),
3583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3584 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3586 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3588 BPF_MOV64_IMM(BPF_REG_2, 0),
3589 BPF_MOV64_IMM(BPF_REG_3, 0),
3590 BPF_MOV64_IMM(BPF_REG_4, 0),
3591 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3592 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3593 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3594 BPF_MOV64_IMM(BPF_REG_0, 0),
3595 BPF_EXIT_INSN(),
3596 },
b6ff6391 3597 .result = ACCEPT,
7d95b0ab
DB		 3598 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3599 },
3600 {
f65b1849 3601 "helper access to packet: test20, pkt end as input",
7d95b0ab
DB		 3602 .insns = {
3603 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3604 offsetof(struct __sk_buff, data)),
3605 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3606 offsetof(struct __sk_buff, data_end)),
3607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3610 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3612 BPF_MOV64_IMM(BPF_REG_2, 4),
3613 BPF_MOV64_IMM(BPF_REG_3, 0),
3614 BPF_MOV64_IMM(BPF_REG_4, 0),
3615 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3617 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3618 BPF_MOV64_IMM(BPF_REG_0, 0),
3619 BPF_EXIT_INSN(),
3620 },
3621 .result = REJECT,
3622 .errstr = "R1 type=pkt_end expected=fp",
3623 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3624 },
3625 {
f65b1849 3626 "helper access to packet: test21, wrong reg",
7d95b0ab
DB		 3627 .insns = {
3628 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3629 offsetof(struct __sk_buff, data)),
3630 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3631 offsetof(struct __sk_buff, data_end)),
3632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3635 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3636 BPF_MOV64_IMM(BPF_REG_2, 4),
3637 BPF_MOV64_IMM(BPF_REG_3, 0),
3638 BPF_MOV64_IMM(BPF_REG_4, 0),
3639 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3640 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3641 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3642 BPF_MOV64_IMM(BPF_REG_0, 0),
3643 BPF_EXIT_INSN(),
3644 },
3645 .result = REJECT,
3646 .errstr = "invalid access to packet",
3647 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3648 },
48461135
JB		 3649 {
3650 "valid map access into an array with a constant",
3651 .insns = {
3652 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3653 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3655 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3656 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3657 BPF_FUNC_map_lookup_elem),
48461135 3658 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5aa5bd14
DB		 3659 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3660 offsetof(struct test_val, foo)),
48461135
JB		 3661 BPF_EXIT_INSN(),
3662 },
5aa5bd14 3663 .fixup_map2 = { 3 },
48461135
JB		 3664 .errstr_unpriv = "R0 leaks addr",
3665 .result_unpriv = REJECT,
3666 .result = ACCEPT,
3667 },
3668 {
3669 "valid map access into an array with a register",
3670 .insns = {
3671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3674 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3676 BPF_FUNC_map_lookup_elem),
48461135
JB		 3677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3678 BPF_MOV64_IMM(BPF_REG_1, 4),
3679 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3680 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3681 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3682 offsetof(struct test_val, foo)),
48461135
JB		 3683 BPF_EXIT_INSN(),
3684 },
5aa5bd14 3685 .fixup_map2 = { 3 },
f65b1849 3686 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 3687 .result_unpriv = REJECT,
3688 .result = ACCEPT,
02ea80b1 3689 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3690 },
3691 {
3692 "valid map access into an array with a variable",
3693 .insns = {
3694 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3697 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3699 BPF_FUNC_map_lookup_elem),
48461135
JB		 3700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3701 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3702 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3703 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3704 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3705 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3706 offsetof(struct test_val, foo)),
48461135
JB		 3707 BPF_EXIT_INSN(),
3708 },
5aa5bd14 3709 .fixup_map2 = { 3 },
f65b1849 3710 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 3711 .result_unpriv = REJECT,
3712 .result = ACCEPT,
02ea80b1 3713 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3714 },
3715 {
3716 "valid map access into an array with a signed variable",
3717 .insns = {
3718 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3719 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3721 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3723 BPF_FUNC_map_lookup_elem),
48461135
JB		 3724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3725 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3726 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3727 BPF_MOV32_IMM(BPF_REG_1, 0),
3728 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3729 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3730 BPF_MOV32_IMM(BPF_REG_1, 0),
3731 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3732 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3733 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3734 offsetof(struct test_val, foo)),
48461135
JB		 3735 BPF_EXIT_INSN(),
3736 },
5aa5bd14 3737 .fixup_map2 = { 3 },
f65b1849 3738 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 3739 .result_unpriv = REJECT,
3740 .result = ACCEPT,
02ea80b1 3741 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3742 },
3743 {
3744 "invalid map access into an array with a constant",
3745 .insns = {
3746 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3747 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3749 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3750 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3751 BPF_FUNC_map_lookup_elem),
48461135
JB		 3752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3753 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3754 offsetof(struct test_val, foo)),
3755 BPF_EXIT_INSN(),
3756 },
5aa5bd14 3757 .fixup_map2 = { 3 },
48461135
JB		 3758 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3759 .result = REJECT,
3760 },
3761 {
3762 "invalid map access into an array with a register",
3763 .insns = {
3764 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3765 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3767 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3769 BPF_FUNC_map_lookup_elem),
48461135
JB		 3770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3771 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3772 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3773 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3774 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3775 offsetof(struct test_val, foo)),
48461135
JB		 3776 BPF_EXIT_INSN(),
3777 },
5aa5bd14 3778 .fixup_map2 = { 3 },
48461135
JB		 3779 .errstr = "R0 min value is outside of the array range",
3780 .result = REJECT,
02ea80b1 3781 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3782 },
3783 {
3784 "invalid map access into an array with a variable",
3785 .insns = {
3786 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3789 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3791 BPF_FUNC_map_lookup_elem),
48461135
JB		 3792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3793 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3794 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3795 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3796 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3797 offsetof(struct test_val, foo)),
48461135
JB		 3798 BPF_EXIT_INSN(),
3799 },
5aa5bd14 3800 .fixup_map2 = { 3 },
f65b1849 3801 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
48461135 3802 .result = REJECT,
02ea80b1 3803 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3804 },
3805 {
3806 "invalid map access into an array with no floor check",
3807 .insns = {
3808 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3809 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3810 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3811 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3812 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3813 BPF_FUNC_map_lookup_elem),
48461135 3814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
f65b1849 3815 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
48461135
JB		 3816 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3817 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3818 BPF_MOV32_IMM(BPF_REG_1, 0),
3819 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3820 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3821 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3822 offsetof(struct test_val, foo)),
48461135
JB		 3823 BPF_EXIT_INSN(),
3824 },
5aa5bd14 3825 .fixup_map2 = { 3 },
f65b1849
EC		 3826 .errstr_unpriv = "R0 leaks addr",
3827 .errstr = "R0 unbounded memory access",
5aa5bd14 3828 .result_unpriv = REJECT,
48461135 3829 .result = REJECT,
02ea80b1 3830 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3831 },
3832 {
3833 "invalid map access into an array with a invalid max check",
3834 .insns = {
3835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3838 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3840 BPF_FUNC_map_lookup_elem),
48461135
JB		 3841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3842 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3843 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3844 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3845 BPF_MOV32_IMM(BPF_REG_1, 0),
3846 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3847 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 3848 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3849 offsetof(struct test_val, foo)),
48461135
JB		 3850 BPF_EXIT_INSN(),
3851 },
5aa5bd14 3852 .fixup_map2 = { 3 },
f65b1849 3853 .errstr_unpriv = "R0 leaks addr",
48461135 3854 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
5aa5bd14 3855 .result_unpriv = REJECT,
48461135 3856 .result = REJECT,
02ea80b1 3857 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 3858 },
3859 {
3860 "invalid map access into an array with a invalid max check",
3861 .insns = {
3862 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3865 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3867 BPF_FUNC_map_lookup_elem),
48461135
JB		 3868 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3869 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3870 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3873 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3875 BPF_FUNC_map_lookup_elem),
48461135
JB		 3876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3877 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5aa5bd14
DB		 3878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3879 offsetof(struct test_val, foo)),
48461135
JB		 3880 BPF_EXIT_INSN(),
3881 },
5aa5bd14 3882 .fixup_map2 = { 3, 11 },
82abbf8d 3883 .errstr = "R0 pointer += pointer",
48461135 3884 .result = REJECT,
02ea80b1 3885 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135 3886 },
57a09bf0
TG		 3887 {
3888 "multiple registers share map_lookup_elem result",
3889 .insns = {
3890 BPF_MOV64_IMM(BPF_REG_1, 10),
3891 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3894 BPF_LD_MAP_FD(BPF_REG_1, 0),
3895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3896 BPF_FUNC_map_lookup_elem),
3897 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3899 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3900 BPF_EXIT_INSN(),
3901 },
3902 .fixup_map1 = { 4 },
3903 .result = ACCEPT,
3904 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3905 },
614d0d77
DB		 3906 {
3907 "alu ops on ptr_to_map_value_or_null, 1",
3908 .insns = {
3909 BPF_MOV64_IMM(BPF_REG_1, 10),
3910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3913 BPF_LD_MAP_FD(BPF_REG_1, 0),
3914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3915 BPF_FUNC_map_lookup_elem),
3916 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3920 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3921 BPF_EXIT_INSN(),
3922 },
3923 .fixup_map1 = { 4 },
82abbf8d 3924 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
614d0d77
DB		 3925 .result = REJECT,
3926 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3927 },
3928 {
3929 "alu ops on ptr_to_map_value_or_null, 2",
3930 .insns = {
3931 BPF_MOV64_IMM(BPF_REG_1, 10),
3932 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3933 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3935 BPF_LD_MAP_FD(BPF_REG_1, 0),
3936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3937 BPF_FUNC_map_lookup_elem),
3938 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3939 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3941 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3942 BPF_EXIT_INSN(),
3943 },
3944 .fixup_map1 = { 4 },
82abbf8d 3945 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
614d0d77
DB		 3946 .result = REJECT,
3947 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3948 },
3949 {
3950 "alu ops on ptr_to_map_value_or_null, 3",
3951 .insns = {
3952 BPF_MOV64_IMM(BPF_REG_1, 10),
3953 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3956 BPF_LD_MAP_FD(BPF_REG_1, 0),
3957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3958 BPF_FUNC_map_lookup_elem),
3959 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3960 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3961 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3962 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3963 BPF_EXIT_INSN(),
3964 },
3965 .fixup_map1 = { 4 },
82abbf8d 3966 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
614d0d77
DB		 3967 .result = REJECT,
3968 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3969 },
57a09bf0
TG		 3970 {
3971 "invalid memory access with multiple map_lookup_elem calls",
3972 .insns = {
3973 BPF_MOV64_IMM(BPF_REG_1, 10),
3974 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3977 BPF_LD_MAP_FD(BPF_REG_1, 0),
3978 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3979 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3981 BPF_FUNC_map_lookup_elem),
3982 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3983 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3986 BPF_FUNC_map_lookup_elem),
3987 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3988 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3989 BPF_EXIT_INSN(),
3990 },
3991 .fixup_map1 = { 4 },
3992 .result = REJECT,
3993 .errstr = "R4 !read_ok",
3994 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3995 },
3996 {
3997 "valid indirect map_lookup_elem access with 2nd lookup in branch",
3998 .insns = {
3999 BPF_MOV64_IMM(BPF_REG_1, 10),
4000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4001 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4003 BPF_LD_MAP_FD(BPF_REG_1, 0),
4004 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4005 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4007 BPF_FUNC_map_lookup_elem),
4008 BPF_MOV64_IMM(BPF_REG_2, 10),
4009 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4013 BPF_FUNC_map_lookup_elem),
4014 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4015 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4016 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4017 BPF_EXIT_INSN(),
4018 },
4019 .fixup_map1 = { 4 },
4020 .result = ACCEPT,
4021 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4022 },
e9548901
JB		 4023 {
4024 "invalid map access from else condition",
4025 .insns = {
4026 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4029 BPF_LD_MAP_FD(BPF_REG_1, 0),
4030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4031 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4032 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4033 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4035 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4036 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4037 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4038 BPF_EXIT_INSN(),
4039 },
4040 .fixup_map2 = { 3 },
f65b1849 4041 .errstr = "R0 unbounded memory access",
e9548901 4042 .result = REJECT,
f65b1849 4043 .errstr_unpriv = "R0 leaks addr",
e9548901 4044 .result_unpriv = REJECT,
02ea80b1 4045 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
e9548901 4046 },
3c839744
GB		 4047 {
4048 "constant register |= constant should keep constant type",
4049 .insns = {
4050 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4052 BPF_MOV64_IMM(BPF_REG_2, 34),
4053 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4054 BPF_MOV64_IMM(BPF_REG_3, 0),
4055 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4056 BPF_EXIT_INSN(),
4057 },
4058 .result = ACCEPT,
4059 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4060 },
4061 {
4062 "constant register |= constant should not bypass stack boundary checks",
4063 .insns = {
4064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4066 BPF_MOV64_IMM(BPF_REG_2, 34),
4067 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4068 BPF_MOV64_IMM(BPF_REG_3, 0),
4069 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4070 BPF_EXIT_INSN(),
4071 },
4072 .errstr = "invalid stack type R1 off=-48 access_size=58",
4073 .result = REJECT,
4074 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4075 },
4076 {
4077 "constant register |= constant register should keep constant type",
4078 .insns = {
4079 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4081 BPF_MOV64_IMM(BPF_REG_2, 34),
4082 BPF_MOV64_IMM(BPF_REG_4, 13),
4083 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4084 BPF_MOV64_IMM(BPF_REG_3, 0),
4085 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4086 BPF_EXIT_INSN(),
4087 },
4088 .result = ACCEPT,
4089 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4090 },
4091 {
4092 "constant register |= constant register should not bypass stack boundary checks",
4093 .insns = {
4094 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4096 BPF_MOV64_IMM(BPF_REG_2, 34),
4097 BPF_MOV64_IMM(BPF_REG_4, 24),
4098 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4099 BPF_MOV64_IMM(BPF_REG_3, 0),
4100 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4101 BPF_EXIT_INSN(),
4102 },
4103 .errstr = "invalid stack type R1 off=-48 access_size=58",
4104 .result = REJECT,
4105 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4106 },
3f731d89
TG		 4107 {
4108 "invalid direct packet write for LWT_IN",
4109 .insns = {
4110 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4111 offsetof(struct __sk_buff, data)),
4112 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4113 offsetof(struct __sk_buff, data_end)),
4114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4116 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4117 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4118 BPF_MOV64_IMM(BPF_REG_0, 0),
4119 BPF_EXIT_INSN(),
4120 },
4121 .errstr = "cannot write into packet",
4122 .result = REJECT,
4123 .prog_type = BPF_PROG_TYPE_LWT_IN,
4124 },
4125 {
4126 "invalid direct packet write for LWT_OUT",
4127 .insns = {
4128 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4129 offsetof(struct __sk_buff, data)),
4130 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4131 offsetof(struct __sk_buff, data_end)),
4132 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4134 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4135 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4136 BPF_MOV64_IMM(BPF_REG_0, 0),
4137 BPF_EXIT_INSN(),
4138 },
4139 .errstr = "cannot write into packet",
4140 .result = REJECT,
4141 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4142 },
4143 {
4144 "direct packet write for LWT_XMIT",
4145 .insns = {
4146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4147 offsetof(struct __sk_buff, data)),
4148 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4149 offsetof(struct __sk_buff, data_end)),
4150 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4152 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4153 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4154 BPF_MOV64_IMM(BPF_REG_0, 0),
4155 BPF_EXIT_INSN(),
4156 },
4157 .result = ACCEPT,
4158 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4159 },
4160 {
4161 "direct packet read for LWT_IN",
4162 .insns = {
4163 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4164 offsetof(struct __sk_buff, data)),
4165 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4166 offsetof(struct __sk_buff, data_end)),
4167 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4169 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4170 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4171 BPF_MOV64_IMM(BPF_REG_0, 0),
4172 BPF_EXIT_INSN(),
4173 },
4174 .result = ACCEPT,
4175 .prog_type = BPF_PROG_TYPE_LWT_IN,
4176 },
4177 {
4178 "direct packet read for LWT_OUT",
4179 .insns = {
4180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4181 offsetof(struct __sk_buff, data)),
4182 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4183 offsetof(struct __sk_buff, data_end)),
4184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4186 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4188 BPF_MOV64_IMM(BPF_REG_0, 0),
4189 BPF_EXIT_INSN(),
4190 },
4191 .result = ACCEPT,
4192 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4193 },
4194 {
4195 "direct packet read for LWT_XMIT",
4196 .insns = {
4197 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4198 offsetof(struct __sk_buff, data)),
4199 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4200 offsetof(struct __sk_buff, data_end)),
4201 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4203 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4204 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4205 BPF_MOV64_IMM(BPF_REG_0, 0),
4206 BPF_EXIT_INSN(),
4207 },
4208 .result = ACCEPT,
4209 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4210 },
b1977682
AS		 4211 {
4212 "overlapping checks for direct packet access",
4213 .insns = {
4214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4215 offsetof(struct __sk_buff, data)),
4216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4217 offsetof(struct __sk_buff, data_end)),
4218 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4220 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4223 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4225 BPF_MOV64_IMM(BPF_REG_0, 0),
4226 BPF_EXIT_INSN(),
3f731d89
TG		 4227 },
4228 .result = ACCEPT,
4229 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4230 },
4231 {
4232 "invalid access of tc_classid for LWT_IN",
4233 .insns = {
4234 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4235 offsetof(struct __sk_buff, tc_classid)),
4236 BPF_EXIT_INSN(),
4237 },
4238 .result = REJECT,
4239 .errstr = "invalid bpf_context access",
4240 },
4241 {
4242 "invalid access of tc_classid for LWT_OUT",
4243 .insns = {
4244 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4245 offsetof(struct __sk_buff, tc_classid)),
4246 BPF_EXIT_INSN(),
4247 },
4248 .result = REJECT,
4249 .errstr = "invalid bpf_context access",
4250 },
4251 {
4252 "invalid access of tc_classid for LWT_XMIT",
4253 .insns = {
4254 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4255 offsetof(struct __sk_buff, tc_classid)),
4256 BPF_EXIT_INSN(),
4257 },
4258 .result = REJECT,
4259 .errstr = "invalid bpf_context access",
4260 },
6bdf6abc
DB		 4261 {
4262 "leak pointer into ctx 1",
4263 .insns = {
4264 BPF_MOV64_IMM(BPF_REG_0, 0),
4265 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4266 offsetof(struct __sk_buff, cb[0])),
4267 BPF_LD_MAP_FD(BPF_REG_2, 0),
4268 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4269 offsetof(struct __sk_buff, cb[0])),
4270 BPF_EXIT_INSN(),
4271 },
4272 .fixup_map1 = { 2 },
4273 .errstr_unpriv = "R2 leaks addr into mem",
4274 .result_unpriv = REJECT,
4275 .result = ACCEPT,
4276 },
4277 {
4278 "leak pointer into ctx 2",
4279 .insns = {
4280 BPF_MOV64_IMM(BPF_REG_0, 0),
4281 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4282 offsetof(struct __sk_buff, cb[0])),
4283 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4284 offsetof(struct __sk_buff, cb[0])),
4285 BPF_EXIT_INSN(),
4286 },
4287 .errstr_unpriv = "R10 leaks addr into mem",
4288 .result_unpriv = REJECT,
4289 .result = ACCEPT,
4290 },
4291 {
4292 "leak pointer into ctx 3",
4293 .insns = {
4294 BPF_MOV64_IMM(BPF_REG_0, 0),
4295 BPF_LD_MAP_FD(BPF_REG_2, 0),
4296 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4297 offsetof(struct __sk_buff, cb[0])),
4298 BPF_EXIT_INSN(),
4299 },
4300 .fixup_map1 = { 1 },
4301 .errstr_unpriv = "R2 leaks addr into ctx",
4302 .result_unpriv = REJECT,
4303 .result = ACCEPT,
4304 },
4305 {
4306 "leak pointer into map val",
4307 .insns = {
4308 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4312 BPF_LD_MAP_FD(BPF_REG_1, 0),
4313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4314 BPF_FUNC_map_lookup_elem),
4315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4316 BPF_MOV64_IMM(BPF_REG_3, 0),
4317 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4318 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4319 BPF_MOV64_IMM(BPF_REG_0, 0),
4320 BPF_EXIT_INSN(),
4321 },
4322 .fixup_map1 = { 4 },
4323 .errstr_unpriv = "R6 leaks addr into mem",
4324 .result_unpriv = REJECT,
4325 .result = ACCEPT,
4326 },
5722569b
GB		 4327 {
4328 "helper access to map: full range",
4329 .insns = {
4330 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4332 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4333 BPF_LD_MAP_FD(BPF_REG_1, 0),
4334 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4335 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4336 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4337 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4338 BPF_MOV64_IMM(BPF_REG_3, 0),
4339 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4340 BPF_EXIT_INSN(),
4341 },
4342 .fixup_map2 = { 3 },
4343 .result = ACCEPT,
4344 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4345 },
4346 {
4347 "helper access to map: partial range",
4348 .insns = {
4349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4351 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4352 BPF_LD_MAP_FD(BPF_REG_1, 0),
4353 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4354 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4356 BPF_MOV64_IMM(BPF_REG_2, 8),
4357 BPF_MOV64_IMM(BPF_REG_3, 0),
4358 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4359 BPF_EXIT_INSN(),
4360 },
4361 .fixup_map2 = { 3 },
4362 .result = ACCEPT,
4363 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4364 },
4365 {
4366 "helper access to map: empty range",
4367 .insns = {
4368 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4370 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4371 BPF_LD_MAP_FD(BPF_REG_1, 0),
4372 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3
YS		 4373 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4374 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4375 BPF_MOV64_IMM(BPF_REG_2, 0),
4376 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 4377 BPF_EXIT_INSN(),
4378 },
4379 .fixup_map2 = { 3 },
4380 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4381 .result = REJECT,
4382 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4383 },
4384 {
4385 "helper access to map: out-of-bound range",
4386 .insns = {
4387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4389 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4390 BPF_LD_MAP_FD(BPF_REG_1, 0),
4391 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4392 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4394 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4395 BPF_MOV64_IMM(BPF_REG_3, 0),
4396 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4397 BPF_EXIT_INSN(),
4398 },
4399 .fixup_map2 = { 3 },
4400 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4401 .result = REJECT,
4402 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4403 },
4404 {
4405 "helper access to map: negative range",
4406 .insns = {
4407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4409 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4410 BPF_LD_MAP_FD(BPF_REG_1, 0),
4411 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4412 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4414 BPF_MOV64_IMM(BPF_REG_2, -8),
4415 BPF_MOV64_IMM(BPF_REG_3, 0),
4416 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4417 BPF_EXIT_INSN(),
4418 },
4419 .fixup_map2 = { 3 },
f65b1849 4420 .errstr = "R2 min value is negative",
5722569b
GB		 4421 .result = REJECT,
4422 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4423 },
4424 {
4425 "helper access to adjusted map (via const imm): full range",
4426 .insns = {
4427 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4429 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4430 BPF_LD_MAP_FD(BPF_REG_1, 0),
4431 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4432 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4435 offsetof(struct test_val, foo)),
4436 BPF_MOV64_IMM(BPF_REG_2,
4437 sizeof(struct test_val) -
4438 offsetof(struct test_val, foo)),
4439 BPF_MOV64_IMM(BPF_REG_3, 0),
4440 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4441 BPF_EXIT_INSN(),
4442 },
4443 .fixup_map2 = { 3 },
4444 .result = ACCEPT,
4445 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4446 },
4447 {
4448 "helper access to adjusted map (via const imm): partial range",
4449 .insns = {
4450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4452 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4453 BPF_LD_MAP_FD(BPF_REG_1, 0),
4454 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4455 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4456 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4458 offsetof(struct test_val, foo)),
4459 BPF_MOV64_IMM(BPF_REG_2, 8),
4460 BPF_MOV64_IMM(BPF_REG_3, 0),
4461 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4462 BPF_EXIT_INSN(),
4463 },
4464 .fixup_map2 = { 3 },
4465 .result = ACCEPT,
4466 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4467 },
4468 {
4469 "helper access to adjusted map (via const imm): empty range",
4470 .insns = {
4471 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4473 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4474 BPF_LD_MAP_FD(BPF_REG_1, 0),
4475 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 4476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5722569b
GB		 4477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4479 offsetof(struct test_val, foo)),
f1a8b8e3
YS		 4480 BPF_MOV64_IMM(BPF_REG_2, 0),
4481 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 4482 BPF_EXIT_INSN(),
4483 },
4484 .fixup_map2 = { 3 },
f65b1849 4485 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5722569b
GB		 4486 .result = REJECT,
4487 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4488 },
4489 {
4490 "helper access to adjusted map (via const imm): out-of-bound range",
4491 .insns = {
4492 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4494 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4495 BPF_LD_MAP_FD(BPF_REG_1, 0),
4496 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4497 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4498 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4500 offsetof(struct test_val, foo)),
4501 BPF_MOV64_IMM(BPF_REG_2,
4502 sizeof(struct test_val) -
4503 offsetof(struct test_val, foo) + 8),
4504 BPF_MOV64_IMM(BPF_REG_3, 0),
4505 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4506 BPF_EXIT_INSN(),
4507 },
4508 .fixup_map2 = { 3 },
4509 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4510 .result = REJECT,
4511 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4512 },
4513 {
4514 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4515 .insns = {
4516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4518 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4519 BPF_LD_MAP_FD(BPF_REG_1, 0),
4520 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4524 offsetof(struct test_val, foo)),
4525 BPF_MOV64_IMM(BPF_REG_2, -8),
4526 BPF_MOV64_IMM(BPF_REG_3, 0),
4527 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4528 BPF_EXIT_INSN(),
4529 },
4530 .fixup_map2 = { 3 },
f65b1849 4531 .errstr = "R2 min value is negative",
5722569b
GB		 4532 .result = REJECT,
4533 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4534 },
4535 {
4536 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4537 .insns = {
4538 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4540 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4541 BPF_LD_MAP_FD(BPF_REG_1, 0),
4542 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4546 offsetof(struct test_val, foo)),
4547 BPF_MOV64_IMM(BPF_REG_2, -1),
4548 BPF_MOV64_IMM(BPF_REG_3, 0),
4549 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4550 BPF_EXIT_INSN(),
4551 },
4552 .fixup_map2 = { 3 },
f65b1849 4553 .errstr = "R2 min value is negative",
5722569b
GB		 4554 .result = REJECT,
4555 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4556 },
4557 {
4558 "helper access to adjusted map (via const reg): full range",
4559 .insns = {
4560 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4562 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4563 BPF_LD_MAP_FD(BPF_REG_1, 0),
4564 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4565 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4566 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4567 BPF_MOV64_IMM(BPF_REG_3,
4568 offsetof(struct test_val, foo)),
4569 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4570 BPF_MOV64_IMM(BPF_REG_2,
4571 sizeof(struct test_val) -
4572 offsetof(struct test_val, foo)),
4573 BPF_MOV64_IMM(BPF_REG_3, 0),
4574 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4575 BPF_EXIT_INSN(),
4576 },
4577 .fixup_map2 = { 3 },
4578 .result = ACCEPT,
4579 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4580 },
4581 {
4582 "helper access to adjusted map (via const reg): partial range",
4583 .insns = {
4584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4586 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4587 BPF_LD_MAP_FD(BPF_REG_1, 0),
4588 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4590 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4591 BPF_MOV64_IMM(BPF_REG_3,
4592 offsetof(struct test_val, foo)),
4593 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4594 BPF_MOV64_IMM(BPF_REG_2, 8),
4595 BPF_MOV64_IMM(BPF_REG_3, 0),
4596 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4597 BPF_EXIT_INSN(),
4598 },
4599 .fixup_map2 = { 3 },
4600 .result = ACCEPT,
4601 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4602 },
4603 {
4604 "helper access to adjusted map (via const reg): empty range",
4605 .insns = {
4606 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4608 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4609 BPF_LD_MAP_FD(BPF_REG_1, 0),
4610 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 4611 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5722569b
GB		 4612 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4613 BPF_MOV64_IMM(BPF_REG_3, 0),
4614 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f1a8b8e3
YS		 4615 BPF_MOV64_IMM(BPF_REG_2, 0),
4616 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 4617 BPF_EXIT_INSN(),
4618 },
4619 .fixup_map2 = { 3 },
f1a8b8e3 4620 .errstr = "R1 min value is outside of the array range",
5722569b
GB		 4621 .result = REJECT,
4622 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4623 },
4624 {
4625 "helper access to adjusted map (via const reg): out-of-bound range",
4626 .insns = {
4627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4629 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4630 BPF_LD_MAP_FD(BPF_REG_1, 0),
4631 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4632 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4634 BPF_MOV64_IMM(BPF_REG_3,
4635 offsetof(struct test_val, foo)),
4636 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4637 BPF_MOV64_IMM(BPF_REG_2,
4638 sizeof(struct test_val) -
4639 offsetof(struct test_val, foo) + 8),
4640 BPF_MOV64_IMM(BPF_REG_3, 0),
4641 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4642 BPF_EXIT_INSN(),
4643 },
4644 .fixup_map2 = { 3 },
4645 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4646 .result = REJECT,
4647 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4648 },
4649 {
4650 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4651 .insns = {
4652 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4654 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4655 BPF_LD_MAP_FD(BPF_REG_1, 0),
4656 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4658 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4659 BPF_MOV64_IMM(BPF_REG_3,
4660 offsetof(struct test_val, foo)),
4661 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4662 BPF_MOV64_IMM(BPF_REG_2, -8),
4663 BPF_MOV64_IMM(BPF_REG_3, 0),
4664 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4665 BPF_EXIT_INSN(),
4666 },
4667 .fixup_map2 = { 3 },
f65b1849 4668 .errstr = "R2 min value is negative",
5722569b
GB		 4669 .result = REJECT,
4670 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4671 },
4672 {
4673 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4674 .insns = {
4675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4677 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4678 BPF_LD_MAP_FD(BPF_REG_1, 0),
4679 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4681 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4682 BPF_MOV64_IMM(BPF_REG_3,
4683 offsetof(struct test_val, foo)),
4684 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4685 BPF_MOV64_IMM(BPF_REG_2, -1),
4686 BPF_MOV64_IMM(BPF_REG_3, 0),
4687 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4688 BPF_EXIT_INSN(),
4689 },
4690 .fixup_map2 = { 3 },
f65b1849 4691 .errstr = "R2 min value is negative",
5722569b
GB		 4692 .result = REJECT,
4693 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4694 },
4695 {
4696 "helper access to adjusted map (via variable): full range",
4697 .insns = {
4698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4700 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4701 BPF_LD_MAP_FD(BPF_REG_1, 0),
4702 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4703 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4706 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4707 offsetof(struct test_val, foo), 4),
4708 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4709 BPF_MOV64_IMM(BPF_REG_2,
4710 sizeof(struct test_val) -
4711 offsetof(struct test_val, foo)),
4712 BPF_MOV64_IMM(BPF_REG_3, 0),
4713 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4714 BPF_EXIT_INSN(),
4715 },
4716 .fixup_map2 = { 3 },
4717 .result = ACCEPT,
4718 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4719 },
4720 {
4721 "helper access to adjusted map (via variable): partial range",
4722 .insns = {
4723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4725 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4726 BPF_LD_MAP_FD(BPF_REG_1, 0),
4727 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4729 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4730 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4731 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4732 offsetof(struct test_val, foo), 4),
4733 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4734 BPF_MOV64_IMM(BPF_REG_2, 8),
4735 BPF_MOV64_IMM(BPF_REG_3, 0),
4736 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4737 BPF_EXIT_INSN(),
4738 },
4739 .fixup_map2 = { 3 },
4740 .result = ACCEPT,
4741 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4742 },
4743 {
4744 "helper access to adjusted map (via variable): empty range",
4745 .insns = {
4746 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4748 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4749 BPF_LD_MAP_FD(BPF_REG_1, 0),
4750 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 4751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5722569b
GB		 4752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4753 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4754 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
f1a8b8e3 4755 offsetof(struct test_val, foo), 3),
5722569b 4756 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f1a8b8e3
YS		 4757 BPF_MOV64_IMM(BPF_REG_2, 0),
4758 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 4759 BPF_EXIT_INSN(),
4760 },
4761 .fixup_map2 = { 3 },
f1a8b8e3 4762 .errstr = "R1 min value is outside of the array range",
5722569b
GB		 4763 .result = REJECT,
4764 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4765 },
4766 {
4767 "helper access to adjusted map (via variable): no max check",
4768 .insns = {
4769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4771 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4772 BPF_LD_MAP_FD(BPF_REG_1, 0),
4773 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4775 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4776 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4777 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f65b1849 4778 BPF_MOV64_IMM(BPF_REG_2, 1),
5722569b
GB		 4779 BPF_MOV64_IMM(BPF_REG_3, 0),
4780 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4781 BPF_EXIT_INSN(),
4782 },
4783 .fixup_map2 = { 3 },
f65b1849 4784 .errstr = "R1 unbounded memory access",
5722569b
GB		 4785 .result = REJECT,
4786 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4787 },
4788 {
4789 "helper access to adjusted map (via variable): wrong max check",
4790 .insns = {
4791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4793 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4794 BPF_LD_MAP_FD(BPF_REG_1, 0),
4795 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4798 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4799 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4800 offsetof(struct test_val, foo), 4),
4801 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4802 BPF_MOV64_IMM(BPF_REG_2,
4803 sizeof(struct test_val) -
4804 offsetof(struct test_val, foo) + 1),
4805 BPF_MOV64_IMM(BPF_REG_3, 0),
4806 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4807 BPF_EXIT_INSN(),
4808 },
4809 .fixup_map2 = { 3 },
4810 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4811 .result = REJECT,
4812 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4813 },
31e482bf
DB		 4814 {
4815 "helper access to map: bounds check using <, good access",
4816 .insns = {
4817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4819 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4820 BPF_LD_MAP_FD(BPF_REG_1, 0),
4821 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4824 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4825 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
4826 BPF_MOV64_IMM(BPF_REG_0, 0),
4827 BPF_EXIT_INSN(),
4828 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4829 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4830 BPF_MOV64_IMM(BPF_REG_0, 0),
4831 BPF_EXIT_INSN(),
4832 },
4833 .fixup_map2 = { 3 },
4834 .result = ACCEPT,
4835 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4836 },
4837 {
4838 "helper access to map: bounds check using <, bad access",
4839 .insns = {
4840 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4842 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4843 BPF_LD_MAP_FD(BPF_REG_1, 0),
4844 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4845 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4848 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
4849 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4850 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4851 BPF_MOV64_IMM(BPF_REG_0, 0),
4852 BPF_EXIT_INSN(),
4853 BPF_MOV64_IMM(BPF_REG_0, 0),
4854 BPF_EXIT_INSN(),
4855 },
4856 .fixup_map2 = { 3 },
4857 .result = REJECT,
4858 .errstr = "R1 unbounded memory access",
4859 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4860 },
4861 {
4862 "helper access to map: bounds check using <=, good access",
4863 .insns = {
4864 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4866 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4867 BPF_LD_MAP_FD(BPF_REG_1, 0),
4868 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4869 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4870 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4871 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4872 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
4873 BPF_MOV64_IMM(BPF_REG_0, 0),
4874 BPF_EXIT_INSN(),
4875 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4876 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4877 BPF_MOV64_IMM(BPF_REG_0, 0),
4878 BPF_EXIT_INSN(),
4879 },
4880 .fixup_map2 = { 3 },
4881 .result = ACCEPT,
4882 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4883 },
4884 {
4885 "helper access to map: bounds check using <=, bad access",
4886 .insns = {
4887 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4889 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4890 BPF_LD_MAP_FD(BPF_REG_1, 0),
4891 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4892 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4895 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
4896 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4897 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4898 BPF_MOV64_IMM(BPF_REG_0, 0),
4899 BPF_EXIT_INSN(),
4900 BPF_MOV64_IMM(BPF_REG_0, 0),
4901 BPF_EXIT_INSN(),
4902 },
4903 .fixup_map2 = { 3 },
4904 .result = REJECT,
4905 .errstr = "R1 unbounded memory access",
4906 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4907 },
4908 {
4909 "helper access to map: bounds check using s<, good access",
4910 .insns = {
4911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4913 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4914 BPF_LD_MAP_FD(BPF_REG_1, 0),
4915 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4916 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4918 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4919 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4920 BPF_MOV64_IMM(BPF_REG_0, 0),
4921 BPF_EXIT_INSN(),
4922 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
4923 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4924 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4925 BPF_MOV64_IMM(BPF_REG_0, 0),
4926 BPF_EXIT_INSN(),
4927 },
4928 .fixup_map2 = { 3 },
4929 .result = ACCEPT,
4930 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4931 },
4932 {
4933 "helper access to map: bounds check using s<, good access 2",
4934 .insns = {
4935 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4937 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4938 BPF_LD_MAP_FD(BPF_REG_1, 0),
4939 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4943 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4944 BPF_MOV64_IMM(BPF_REG_0, 0),
4945 BPF_EXIT_INSN(),
4946 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4947 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4948 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4949 BPF_MOV64_IMM(BPF_REG_0, 0),
4950 BPF_EXIT_INSN(),
4951 },
4952 .fixup_map2 = { 3 },
4953 .result = ACCEPT,
4954 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4955 },
4956 {
4957 "helper access to map: bounds check using s<, bad access",
4958 .insns = {
4959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4961 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4962 BPF_LD_MAP_FD(BPF_REG_1, 0),
4963 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4966 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
4967 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4968 BPF_MOV64_IMM(BPF_REG_0, 0),
4969 BPF_EXIT_INSN(),
4970 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4971 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4972 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4973 BPF_MOV64_IMM(BPF_REG_0, 0),
4974 BPF_EXIT_INSN(),
4975 },
4976 .fixup_map2 = { 3 },
4977 .result = REJECT,
4978 .errstr = "R1 min value is negative",
4979 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4980 },
4981 {
4982 "helper access to map: bounds check using s<=, good access",
4983 .insns = {
4984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4986 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4987 BPF_LD_MAP_FD(BPF_REG_1, 0),
4988 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4989 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4991 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4992 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
4993 BPF_MOV64_IMM(BPF_REG_0, 0),
4994 BPF_EXIT_INSN(),
4995 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
4996 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4997 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4998 BPF_MOV64_IMM(BPF_REG_0, 0),
4999 BPF_EXIT_INSN(),
5000 },
5001 .fixup_map2 = { 3 },
5002 .result = ACCEPT,
5003 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5004 },
5005 {
5006 "helper access to map: bounds check using s<=, good access 2",
5007 .insns = {
5008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5010 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5011 BPF_LD_MAP_FD(BPF_REG_1, 0),
5012 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5013 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5015 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5016 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5017 BPF_MOV64_IMM(BPF_REG_0, 0),
5018 BPF_EXIT_INSN(),
5019 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5020 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5021 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5022 BPF_MOV64_IMM(BPF_REG_0, 0),
5023 BPF_EXIT_INSN(),
5024 },
5025 .fixup_map2 = { 3 },
5026 .result = ACCEPT,
5027 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5028 },
5029 {
5030 "helper access to map: bounds check using s<=, bad access",
5031 .insns = {
5032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5034 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5035 BPF_LD_MAP_FD(BPF_REG_1, 0),
5036 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5037 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5039 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5040 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5041 BPF_MOV64_IMM(BPF_REG_0, 0),
5042 BPF_EXIT_INSN(),
5043 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5044 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5045 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5046 BPF_MOV64_IMM(BPF_REG_0, 0),
5047 BPF_EXIT_INSN(),
5048 },
5049 .fixup_map2 = { 3 },
5050 .result = REJECT,
5051 .errstr = "R1 min value is negative",
5052 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5053 },
f0318d01
GB		 5054 {
5055 "map element value is preserved across register spilling",
5056 .insns = {
5057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5059 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5060 BPF_LD_MAP_FD(BPF_REG_1, 0),
5061 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5063 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5066 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5067 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5068 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5069 BPF_EXIT_INSN(),
5070 },
5071 .fixup_map2 = { 3 },
5072 .errstr_unpriv = "R0 leaks addr",
5073 .result = ACCEPT,
5074 .result_unpriv = REJECT,
5075 },
5076 {
02ea80b1
DB		 5077 "map element value or null is marked on register spilling",
5078 .insns = {
5079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5081 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5082 BPF_LD_MAP_FD(BPF_REG_1, 0),
5083 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5084 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5086 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5087 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5088 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5089 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5090 BPF_EXIT_INSN(),
5091 },
5092 .fixup_map2 = { 3 },
5093 .errstr_unpriv = "R0 leaks addr",
5094 .result = ACCEPT,
5095 .result_unpriv = REJECT,
5096 },
5097 {
5098 "map element value store of cleared call register",
5099 .insns = {
5100 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5102 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5103 BPF_LD_MAP_FD(BPF_REG_1, 0),
5104 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5105 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5106 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5107 BPF_EXIT_INSN(),
5108 },
5109 .fixup_map2 = { 3 },
5110 .errstr_unpriv = "R1 !read_ok",
5111 .errstr = "R1 !read_ok",
5112 .result = REJECT,
5113 .result_unpriv = REJECT,
5114 },
5115 {
5116 "map element value with unaligned store",
5117 .insns = {
5118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5120 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5121 BPF_LD_MAP_FD(BPF_REG_1, 0),
5122 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5123 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5126 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5127 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5128 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5129 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5130 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5131 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5133 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5134 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5135 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5136 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5138 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5139 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5140 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5141 BPF_EXIT_INSN(),
5142 },
5143 .fixup_map2 = { 3 },
f65b1849 5144 .errstr_unpriv = "R0 leaks addr",
02ea80b1
DB		 5145 .result = ACCEPT,
5146 .result_unpriv = REJECT,
5147 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5148 },
5149 {
5150 "map element value with unaligned load",
5151 .insns = {
5152 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5154 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5155 BPF_LD_MAP_FD(BPF_REG_1, 0),
5156 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5157 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5158 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5159 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5161 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5162 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5163 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5164 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5165 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5167 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5168 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5169 BPF_EXIT_INSN(),
5170 },
5171 .fixup_map2 = { 3 },
f65b1849 5172 .errstr_unpriv = "R0 leaks addr",
02ea80b1
DB		 5173 .result = ACCEPT,
5174 .result_unpriv = REJECT,
5175 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5176 },
5177 {
5178 "map element value illegal alu op, 1",
5179 .insns = {
5180 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5182 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5183 BPF_LD_MAP_FD(BPF_REG_1, 0),
5184 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5185 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5186 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5187 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5188 BPF_EXIT_INSN(),
5189 },
5190 .fixup_map2 = { 3 },
82abbf8d 5191 .errstr = "R0 bitwise operator &= on pointer",
02ea80b1 5192 .result = REJECT,
02ea80b1
DB		 5193 },
5194 {
5195 "map element value illegal alu op, 2",
5196 .insns = {
5197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5199 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5200 BPF_LD_MAP_FD(BPF_REG_1, 0),
5201 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5203 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5204 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5205 BPF_EXIT_INSN(),
5206 },
5207 .fixup_map2 = { 3 },
82abbf8d 5208 .errstr = "R0 32-bit pointer arithmetic prohibited",
02ea80b1 5209 .result = REJECT,
02ea80b1
DB		 5210 },
5211 {
5212 "map element value illegal alu op, 3",
5213 .insns = {
5214 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5216 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5217 BPF_LD_MAP_FD(BPF_REG_1, 0),
5218 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5219 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5220 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5221 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5222 BPF_EXIT_INSN(),
5223 },
5224 .fixup_map2 = { 3 },
82abbf8d 5225 .errstr = "R0 pointer arithmetic with /= operator",
02ea80b1 5226 .result = REJECT,
02ea80b1
DB		 5227 },
5228 {
5229 "map element value illegal alu op, 4",
5230 .insns = {
5231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5233 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5234 BPF_LD_MAP_FD(BPF_REG_1, 0),
5235 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5237 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5238 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5239 BPF_EXIT_INSN(),
5240 },
5241 .fixup_map2 = { 3 },
5242 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5243 .errstr = "invalid mem access 'inv'",
5244 .result = REJECT,
5245 .result_unpriv = REJECT,
5246 },
5247 {
5248 "map element value illegal alu op, 5",
5249 .insns = {
5250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5252 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5253 BPF_LD_MAP_FD(BPF_REG_1, 0),
5254 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5256 BPF_MOV64_IMM(BPF_REG_3, 4096),
5257 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5259 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5260 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5261 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5262 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5263 BPF_EXIT_INSN(),
5264 },
5265 .fixup_map2 = { 3 },
02ea80b1
DB		 5266 .errstr = "R0 invalid mem access 'inv'",
5267 .result = REJECT,
02ea80b1
DB		 5268 },
5269 {
5270 "map element value is preserved across register spilling",
f0318d01
GB		 5271 .insns = {
5272 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5274 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5275 BPF_LD_MAP_FD(BPF_REG_1, 0),
5276 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5279 offsetof(struct test_val, foo)),
5280 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5281 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5283 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5284 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5285 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5286 BPF_EXIT_INSN(),
5287 },
5288 .fixup_map2 = { 3 },
f65b1849 5289 .errstr_unpriv = "R0 leaks addr",
f0318d01
GB		 5290 .result = ACCEPT,
5291 .result_unpriv = REJECT,
02ea80b1 5292 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
f0318d01 5293 },
06c1c049
GB		 5294 {
5295 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5296 .insns = {
5297 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5299 BPF_MOV64_IMM(BPF_REG_0, 0),
5300 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5301 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5307 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5308 BPF_MOV64_IMM(BPF_REG_2, 16),
5309 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5310 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5311 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5312 BPF_MOV64_IMM(BPF_REG_4, 0),
5313 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5314 BPF_MOV64_IMM(BPF_REG_3, 0),
5315 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5316 BPF_MOV64_IMM(BPF_REG_0, 0),
5317 BPF_EXIT_INSN(),
5318 },
5319 .result = ACCEPT,
5320 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5321 },
5322 {
5323 "helper access to variable memory: stack, bitwise AND, zero included",
5324 .insns = {
5325 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5327 BPF_MOV64_IMM(BPF_REG_2, 16),
5328 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5329 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5330 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5331 BPF_MOV64_IMM(BPF_REG_3, 0),
5332 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5333 BPF_EXIT_INSN(),
5334 },
b6ff6391 5335 .errstr = "invalid indirect read from stack off -64+0 size 64",
06c1c049
GB		 5336 .result = REJECT,
5337 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5338 },
5339 {
5340 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5341 .insns = {
5342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5344 BPF_MOV64_IMM(BPF_REG_2, 16),
5345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5346 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5347 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5348 BPF_MOV64_IMM(BPF_REG_4, 0),
5349 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5350 BPF_MOV64_IMM(BPF_REG_3, 0),
5351 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5352 BPF_MOV64_IMM(BPF_REG_0, 0),
5353 BPF_EXIT_INSN(),
5354 },
5355 .errstr = "invalid stack type R1 off=-64 access_size=65",
5356 .result = REJECT,
5357 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5358 },
5359 {
5360 "helper access to variable memory: stack, JMP, correct bounds",
5361 .insns = {
5362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5364 BPF_MOV64_IMM(BPF_REG_0, 0),
5365 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5366 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5367 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5368 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5369 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5370 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5371 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5372 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5373 BPF_MOV64_IMM(BPF_REG_2, 16),
5374 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5375 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5376 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5377 BPF_MOV64_IMM(BPF_REG_4, 0),
5378 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5379 BPF_MOV64_IMM(BPF_REG_3, 0),
5380 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5381 BPF_MOV64_IMM(BPF_REG_0, 0),
5382 BPF_EXIT_INSN(),
5383 },
5384 .result = ACCEPT,
5385 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5386 },
5387 {
5388 "helper access to variable memory: stack, JMP (signed), correct bounds",
5389 .insns = {
5390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5392 BPF_MOV64_IMM(BPF_REG_0, 0),
5393 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5394 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5395 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5396 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5397 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5398 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5399 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5400 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5401 BPF_MOV64_IMM(BPF_REG_2, 16),
5402 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5403 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5404 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5405 BPF_MOV64_IMM(BPF_REG_4, 0),
5406 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5407 BPF_MOV64_IMM(BPF_REG_3, 0),
5408 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5409 BPF_MOV64_IMM(BPF_REG_0, 0),
5410 BPF_EXIT_INSN(),
5411 },
5412 .result = ACCEPT,
5413 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5414 },
5415 {
5416 "helper access to variable memory: stack, JMP, bounds + offset",
5417 .insns = {
5418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5420 BPF_MOV64_IMM(BPF_REG_2, 16),
5421 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5422 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5423 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5424 BPF_MOV64_IMM(BPF_REG_4, 0),
5425 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5427 BPF_MOV64_IMM(BPF_REG_3, 0),
5428 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5429 BPF_MOV64_IMM(BPF_REG_0, 0),
5430 BPF_EXIT_INSN(),
5431 },
5432 .errstr = "invalid stack type R1 off=-64 access_size=65",
5433 .result = REJECT,
5434 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5435 },
5436 {
5437 "helper access to variable memory: stack, JMP, wrong max",
5438 .insns = {
5439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5441 BPF_MOV64_IMM(BPF_REG_2, 16),
5442 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5443 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5444 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5445 BPF_MOV64_IMM(BPF_REG_4, 0),
5446 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5447 BPF_MOV64_IMM(BPF_REG_3, 0),
5448 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5449 BPF_MOV64_IMM(BPF_REG_0, 0),
5450 BPF_EXIT_INSN(),
5451 },
5452 .errstr = "invalid stack type R1 off=-64 access_size=65",
5453 .result = REJECT,
5454 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5455 },
5456 {
5457 "helper access to variable memory: stack, JMP, no max check",
5458 .insns = {
5459 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5461 BPF_MOV64_IMM(BPF_REG_2, 16),
5462 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5463 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5464 BPF_MOV64_IMM(BPF_REG_4, 0),
5465 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5466 BPF_MOV64_IMM(BPF_REG_3, 0),
5467 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5468 BPF_MOV64_IMM(BPF_REG_0, 0),
5469 BPF_EXIT_INSN(),
5470 },
f65b1849
EC		 5471 /* because max wasn't checked, signed min is negative */
5472 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
06c1c049
GB		 5473 .result = REJECT,
5474 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5475 },
5476 {
5477 "helper access to variable memory: stack, JMP, no min check",
5478 .insns = {
5479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5481 BPF_MOV64_IMM(BPF_REG_2, 16),
5482 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5483 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5484 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5485 BPF_MOV64_IMM(BPF_REG_3, 0),
5486 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5487 BPF_MOV64_IMM(BPF_REG_0, 0),
5488 BPF_EXIT_INSN(),
5489 },
b6ff6391 5490 .errstr = "invalid indirect read from stack off -64+0 size 64",
06c1c049
GB		 5491 .result = REJECT,
5492 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5493 },
5494 {
5495 "helper access to variable memory: stack, JMP (signed), no min check",
5496 .insns = {
5497 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5499 BPF_MOV64_IMM(BPF_REG_2, 16),
5500 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5501 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5502 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5503 BPF_MOV64_IMM(BPF_REG_3, 0),
5504 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5505 BPF_MOV64_IMM(BPF_REG_0, 0),
5506 BPF_EXIT_INSN(),
5507 },
5508 .errstr = "R2 min value is negative",
5509 .result = REJECT,
5510 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5511 },
5512 {
5513 "helper access to variable memory: map, JMP, correct bounds",
5514 .insns = {
5515 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5517 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5518 BPF_LD_MAP_FD(BPF_REG_1, 0),
5519 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5520 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5521 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5522 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5523 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5524 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5525 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5526 sizeof(struct test_val), 4),
5527 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5528 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5529 BPF_MOV64_IMM(BPF_REG_3, 0),
5530 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5531 BPF_MOV64_IMM(BPF_REG_0, 0),
5532 BPF_EXIT_INSN(),
5533 },
5534 .fixup_map2 = { 3 },
5535 .result = ACCEPT,
5536 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5537 },
5538 {
5539 "helper access to variable memory: map, JMP, wrong max",
5540 .insns = {
5541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5543 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5544 BPF_LD_MAP_FD(BPF_REG_1, 0),
5545 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5547 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5548 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5549 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5550 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5551 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5552 sizeof(struct test_val) + 1, 4),
5553 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5554 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5555 BPF_MOV64_IMM(BPF_REG_3, 0),
5556 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5557 BPF_MOV64_IMM(BPF_REG_0, 0),
5558 BPF_EXIT_INSN(),
5559 },
5560 .fixup_map2 = { 3 },
5561 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5562 .result = REJECT,
5563 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5564 },
5565 {
5566 "helper access to variable memory: map adjusted, JMP, correct bounds",
5567 .insns = {
5568 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5570 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5571 BPF_LD_MAP_FD(BPF_REG_1, 0),
5572 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5573 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5574 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5576 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5577 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5578 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5579 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5580 sizeof(struct test_val) - 20, 4),
5581 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5582 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5583 BPF_MOV64_IMM(BPF_REG_3, 0),
5584 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5585 BPF_MOV64_IMM(BPF_REG_0, 0),
5586 BPF_EXIT_INSN(),
5587 },
5588 .fixup_map2 = { 3 },
5589 .result = ACCEPT,
5590 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5591 },
5592 {
5593 "helper access to variable memory: map adjusted, JMP, wrong max",
5594 .insns = {
5595 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5596 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5597 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5598 BPF_LD_MAP_FD(BPF_REG_1, 0),
5599 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5600 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5603 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5604 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5605 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5606 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5607 sizeof(struct test_val) - 19, 4),
5608 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5609 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5610 BPF_MOV64_IMM(BPF_REG_3, 0),
5611 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5612 BPF_MOV64_IMM(BPF_REG_0, 0),
5613 BPF_EXIT_INSN(),
5614 },
5615 .fixup_map2 = { 3 },
5616 .errstr = "R1 min value is outside of the array range",
5617 .result = REJECT,
5618 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5619 },
f65b1849 5620 {
db1ac496 5621 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
f65b1849
EC		 5622 .insns = {
5623 BPF_MOV64_IMM(BPF_REG_1, 0),
5624 BPF_MOV64_IMM(BPF_REG_2, 0),
5625 BPF_MOV64_IMM(BPF_REG_3, 0),
5626 BPF_MOV64_IMM(BPF_REG_4, 0),
5627 BPF_MOV64_IMM(BPF_REG_5, 0),
5628 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5629 BPF_EXIT_INSN(),
5630 },
5631 .result = ACCEPT,
5632 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5633 },
06c1c049 5634 {
db1ac496 5635 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
06c1c049
GB		 5636 .insns = {
5637 BPF_MOV64_IMM(BPF_REG_1, 0),
5638 BPF_MOV64_IMM(BPF_REG_2, 0),
3fadc801
DB		 5639 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5640 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 5641 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5642 BPF_MOV64_IMM(BPF_REG_3, 0),
5643 BPF_MOV64_IMM(BPF_REG_4, 0),
5644 BPF_MOV64_IMM(BPF_REG_5, 0),
5645 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5646 BPF_EXIT_INSN(),
5647 },
f65b1849 5648 .errstr = "R1 type=inv expected=fp",
06c1c049
GB		 5649 .result = REJECT,
5650 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5651 },
5652 {
db1ac496 5653 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
06c1c049
GB		 5654 .insns = {
5655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5657 BPF_MOV64_IMM(BPF_REG_2, 0),
5658 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5659 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5660 BPF_MOV64_IMM(BPF_REG_3, 0),
5661 BPF_MOV64_IMM(BPF_REG_4, 0),
5662 BPF_MOV64_IMM(BPF_REG_5, 0),
5663 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5664 BPF_EXIT_INSN(),
5665 },
b6ff6391
YS		 5666 .result = ACCEPT,
5667 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5668 },
5669 {
db1ac496 5670 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 5671 .insns = {
5672 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5675 BPF_LD_MAP_FD(BPF_REG_1, 0),
5676 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5677 BPF_FUNC_map_lookup_elem),
5678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5680 BPF_MOV64_IMM(BPF_REG_2, 0),
5681 BPF_MOV64_IMM(BPF_REG_3, 0),
5682 BPF_MOV64_IMM(BPF_REG_4, 0),
5683 BPF_MOV64_IMM(BPF_REG_5, 0),
5684 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5685 BPF_EXIT_INSN(),
5686 },
5687 .fixup_map1 = { 3 },
5688 .result = ACCEPT,
5689 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5690 },
5691 {
db1ac496 5692 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 5693 .insns = {
5694 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5697 BPF_LD_MAP_FD(BPF_REG_1, 0),
5698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5699 BPF_FUNC_map_lookup_elem),
5700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5701 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5702 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
5703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5705 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5706 BPF_MOV64_IMM(BPF_REG_3, 0),
5707 BPF_MOV64_IMM(BPF_REG_4, 0),
5708 BPF_MOV64_IMM(BPF_REG_5, 0),
5709 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5710 BPF_EXIT_INSN(),
5711 },
5712 .fixup_map1 = { 3 },
5713 .result = ACCEPT,
5714 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5715 },
5716 {
db1ac496 5717 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 5718 .insns = {
5719 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5720 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5722 BPF_LD_MAP_FD(BPF_REG_1, 0),
5723 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5724 BPF_FUNC_map_lookup_elem),
5725 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5727 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5728 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5729 BPF_MOV64_IMM(BPF_REG_3, 0),
5730 BPF_MOV64_IMM(BPF_REG_4, 0),
5731 BPF_MOV64_IMM(BPF_REG_5, 0),
5732 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5733 BPF_EXIT_INSN(),
5734 },
5735 .fixup_map1 = { 3 },
5736 .result = ACCEPT,
5737 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5738 },
5739 {
db1ac496 5740 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 5741 .insns = {
5742 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5743 offsetof(struct __sk_buff, data)),
5744 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5745 offsetof(struct __sk_buff, data_end)),
5746 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
5747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5748 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
5749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5750 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
5751 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5752 BPF_MOV64_IMM(BPF_REG_3, 0),
5753 BPF_MOV64_IMM(BPF_REG_4, 0),
5754 BPF_MOV64_IMM(BPF_REG_5, 0),
5755 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5756 BPF_EXIT_INSN(),
5757 },
5758 .result = ACCEPT,
06c1c049
GB		 5759 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5760 },
db1ac496
GB		 5761 {
5762 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5763 .insns = {
5764 BPF_MOV64_IMM(BPF_REG_1, 0),
5765 BPF_MOV64_IMM(BPF_REG_2, 0),
5766 BPF_MOV64_IMM(BPF_REG_3, 0),
5767 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5768 BPF_EXIT_INSN(),
5769 },
5770 .errstr = "R1 type=inv expected=fp",
5771 .result = REJECT,
5772 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5773 },
5774 {
5775 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5776 .insns = {
5777 BPF_MOV64_IMM(BPF_REG_1, 0),
5778 BPF_MOV64_IMM(BPF_REG_2, 1),
5779 BPF_MOV64_IMM(BPF_REG_3, 0),
5780 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5781 BPF_EXIT_INSN(),
5782 },
5783 .errstr = "R1 type=inv expected=fp",
5784 .result = REJECT,
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5786 },
5787 {
5788 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5789 .insns = {
5790 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5792 BPF_MOV64_IMM(BPF_REG_2, 0),
5793 BPF_MOV64_IMM(BPF_REG_3, 0),
5794 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5795 BPF_EXIT_INSN(),
5796 },
5797 .result = ACCEPT,
5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5799 },
5800 {
5801 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5802 .insns = {
5803 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5806 BPF_LD_MAP_FD(BPF_REG_1, 0),
5807 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5810 BPF_MOV64_IMM(BPF_REG_2, 0),
5811 BPF_MOV64_IMM(BPF_REG_3, 0),
5812 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5813 BPF_EXIT_INSN(),
5814 },
5815 .fixup_map1 = { 3 },
5816 .result = ACCEPT,
5817 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5818 },
5819 {
5820 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5821 .insns = {
5822 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5825 BPF_LD_MAP_FD(BPF_REG_1, 0),
5826 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5828 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5829 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5832 BPF_MOV64_IMM(BPF_REG_3, 0),
5833 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5834 BPF_EXIT_INSN(),
5835 },
5836 .fixup_map1 = { 3 },
5837 .result = ACCEPT,
5838 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5839 },
5840 {
5841 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5842 .insns = {
5843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5846 BPF_LD_MAP_FD(BPF_REG_1, 0),
5847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5850 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5851 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
5852 BPF_MOV64_IMM(BPF_REG_3, 0),
5853 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5854 BPF_EXIT_INSN(),
5855 },
5856 .fixup_map1 = { 3 },
5857 .result = ACCEPT,
5858 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5859 },
06c1c049
GB		 5860 {
5861 "helper access to variable memory: 8 bytes leak",
5862 .insns = {
5863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5865 BPF_MOV64_IMM(BPF_REG_0, 0),
5866 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5868 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5869 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5870 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5871 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5872 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5873 BPF_MOV64_IMM(BPF_REG_2, 0),
3fadc801
DB		 5874 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5875 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 5876 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5878 BPF_MOV64_IMM(BPF_REG_3, 0),
5879 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5880 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5881 BPF_EXIT_INSN(),
5882 },
5883 .errstr = "invalid indirect read from stack off -64+32 size 64",
5884 .result = REJECT,
5885 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5886 },
5887 {
5888 "helper access to variable memory: 8 bytes no leak (init memory)",
5889 .insns = {
5890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5891 BPF_MOV64_IMM(BPF_REG_0, 0),
5892 BPF_MOV64_IMM(BPF_REG_0, 0),
5893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5894 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5895 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5896 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5897 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5899 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5900 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5902 BPF_MOV64_IMM(BPF_REG_2, 0),
5903 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5905 BPF_MOV64_IMM(BPF_REG_3, 0),
5906 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5907 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5908 BPF_EXIT_INSN(),
5909 },
5910 .result = ACCEPT,
5911 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5912 },
29200c19
JB		 5913 {
5914 "invalid and of negative number",
5915 .insns = {
5916 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5919 BPF_LD_MAP_FD(BPF_REG_1, 0),
5920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5921 BPF_FUNC_map_lookup_elem),
5922 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
f65b1849 5923 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
29200c19
JB		 5924 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5925 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5927 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5928 offsetof(struct test_val, foo)),
5929 BPF_EXIT_INSN(),
5930 },
5931 .fixup_map2 = { 3 },
f65b1849 5932 .errstr = "R0 max value is outside of the array range",
29200c19 5933 .result = REJECT,
02ea80b1 5934 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
29200c19
JB		 5935 },
5936 {
5937 "invalid range check",
5938 .insns = {
5939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5942 BPF_LD_MAP_FD(BPF_REG_1, 0),
5943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5944 BPF_FUNC_map_lookup_elem),
5945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5947 BPF_MOV64_IMM(BPF_REG_9, 1),
5948 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5949 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5950 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5951 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5952 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5953 BPF_MOV32_IMM(BPF_REG_3, 1),
5954 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5955 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5956 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5957 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5958 BPF_MOV64_REG(BPF_REG_0, 0),
5959 BPF_EXIT_INSN(),
5960 },
5961 .fixup_map2 = { 3 },
f65b1849 5962 .errstr = "R0 max value is outside of the array range",
29200c19 5963 .result = REJECT,
02ea80b1 5964 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
fb30d4b7
MKL		 5965 },
5966 {
5967 "map in map access",
5968 .insns = {
5969 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5970 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5972 BPF_LD_MAP_FD(BPF_REG_1, 0),
5973 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5974 BPF_FUNC_map_lookup_elem),
5975 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5976 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5981 BPF_FUNC_map_lookup_elem),
5982 BPF_MOV64_REG(BPF_REG_0, 0),
5983 BPF_EXIT_INSN(),
5984 },
5985 .fixup_map_in_map = { 3 },
5986 .result = ACCEPT,
5987 },
5988 {
5989 "invalid inner map pointer",
5990 .insns = {
5991 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5994 BPF_LD_MAP_FD(BPF_REG_1, 0),
5995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5996 BPF_FUNC_map_lookup_elem),
5997 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5998 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6001 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6004 BPF_FUNC_map_lookup_elem),
6005 BPF_MOV64_REG(BPF_REG_0, 0),
6006 BPF_EXIT_INSN(),
6007 },
6008 .fixup_map_in_map = { 3 },
82abbf8d 6009 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
fb30d4b7
MKL		 6010 .result = REJECT,
6011 },
6012 {
6013 "forgot null checking on the inner map pointer",
6014 .insns = {
6015 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6018 BPF_LD_MAP_FD(BPF_REG_1, 0),
6019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6020 BPF_FUNC_map_lookup_elem),
6021 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6026 BPF_FUNC_map_lookup_elem),
6027 BPF_MOV64_REG(BPF_REG_0, 0),
6028 BPF_EXIT_INSN(),
6029 },
6030 .fixup_map_in_map = { 3 },
6031 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6032 .result = REJECT,
614d0d77
DB		 6033 },
6034 {
6035 "ld_abs: check calling conv, r1",
6036 .insns = {
6037 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6038 BPF_MOV64_IMM(BPF_REG_1, 0),
6039 BPF_LD_ABS(BPF_W, -0x200000),
6040 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6041 BPF_EXIT_INSN(),
6042 },
6043 .errstr = "R1 !read_ok",
6044 .result = REJECT,
6045 },
6046 {
6047 "ld_abs: check calling conv, r2",
6048 .insns = {
6049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6050 BPF_MOV64_IMM(BPF_REG_2, 0),
6051 BPF_LD_ABS(BPF_W, -0x200000),
6052 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6053 BPF_EXIT_INSN(),
6054 },
6055 .errstr = "R2 !read_ok",
6056 .result = REJECT,
6057 },
6058 {
6059 "ld_abs: check calling conv, r3",
6060 .insns = {
6061 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6062 BPF_MOV64_IMM(BPF_REG_3, 0),
6063 BPF_LD_ABS(BPF_W, -0x200000),
6064 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6065 BPF_EXIT_INSN(),
6066 },
6067 .errstr = "R3 !read_ok",
6068 .result = REJECT,
6069 },
6070 {
6071 "ld_abs: check calling conv, r4",
6072 .insns = {
6073 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6074 BPF_MOV64_IMM(BPF_REG_4, 0),
6075 BPF_LD_ABS(BPF_W, -0x200000),
6076 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6077 BPF_EXIT_INSN(),
6078 },
6079 .errstr = "R4 !read_ok",
6080 .result = REJECT,
6081 },
6082 {
6083 "ld_abs: check calling conv, r5",
6084 .insns = {
6085 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6086 BPF_MOV64_IMM(BPF_REG_5, 0),
6087 BPF_LD_ABS(BPF_W, -0x200000),
6088 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6089 BPF_EXIT_INSN(),
6090 },
6091 .errstr = "R5 !read_ok",
6092 .result = REJECT,
6093 },
6094 {
6095 "ld_abs: check calling conv, r7",
6096 .insns = {
6097 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6098 BPF_MOV64_IMM(BPF_REG_7, 0),
6099 BPF_LD_ABS(BPF_W, -0x200000),
6100 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6101 BPF_EXIT_INSN(),
6102 },
6103 .result = ACCEPT,
87ab8194
DB		 6104 },
6105 {
6106 "ld_abs: tests on r6 and skb data reload helper",
6107 .insns = {
6108 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6109 BPF_LD_ABS(BPF_B, 0),
6110 BPF_LD_ABS(BPF_H, 0),
6111 BPF_LD_ABS(BPF_W, 0),
6112 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6113 BPF_MOV64_IMM(BPF_REG_6, 0),
6114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6115 BPF_MOV64_IMM(BPF_REG_2, 1),
6116 BPF_MOV64_IMM(BPF_REG_3, 2),
6117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6118 BPF_FUNC_skb_vlan_push),
6119 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6120 BPF_LD_ABS(BPF_B, 0),
6121 BPF_LD_ABS(BPF_H, 0),
6122 BPF_LD_ABS(BPF_W, 0),
6123 BPF_MOV64_IMM(BPF_REG_0, 42),
6124 BPF_EXIT_INSN(),
6125 },
6126 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6127 .result = ACCEPT,
614d0d77
DB		 6128 },
6129 {
6130 "ld_ind: check calling conv, r1",
6131 .insns = {
6132 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6133 BPF_MOV64_IMM(BPF_REG_1, 1),
6134 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6135 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6136 BPF_EXIT_INSN(),
6137 },
6138 .errstr = "R1 !read_ok",
6139 .result = REJECT,
6140 },
6141 {
6142 "ld_ind: check calling conv, r2",
6143 .insns = {
6144 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6145 BPF_MOV64_IMM(BPF_REG_2, 1),
6146 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6147 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6148 BPF_EXIT_INSN(),
6149 },
6150 .errstr = "R2 !read_ok",
6151 .result = REJECT,
6152 },
6153 {
6154 "ld_ind: check calling conv, r3",
6155 .insns = {
6156 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6157 BPF_MOV64_IMM(BPF_REG_3, 1),
6158 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6159 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6160 BPF_EXIT_INSN(),
6161 },
6162 .errstr = "R3 !read_ok",
6163 .result = REJECT,
6164 },
6165 {
6166 "ld_ind: check calling conv, r4",
6167 .insns = {
6168 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6169 BPF_MOV64_IMM(BPF_REG_4, 1),
6170 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6171 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6172 BPF_EXIT_INSN(),
6173 },
6174 .errstr = "R4 !read_ok",
6175 .result = REJECT,
6176 },
6177 {
6178 "ld_ind: check calling conv, r5",
6179 .insns = {
6180 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6181 BPF_MOV64_IMM(BPF_REG_5, 1),
6182 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6183 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6184 BPF_EXIT_INSN(),
6185 },
6186 .errstr = "R5 !read_ok",
6187 .result = REJECT,
6188 },
6189 {
6190 "ld_ind: check calling conv, r7",
6191 .insns = {
6192 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6193 BPF_MOV64_IMM(BPF_REG_7, 1),
6194 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6195 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6196 BPF_EXIT_INSN(),
6197 },
6198 .result = ACCEPT,
6199 },
18f3d6be
YS		 6200 {
6201 "check bpf_perf_event_data->sample_period byte load permitted",
6202 .insns = {
6203 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6204#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6205 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6206 offsetof(struct bpf_perf_event_data, sample_period)),
6207#else
6208 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6209 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6210#endif
6211 BPF_EXIT_INSN(),
6212 },
6213 .result = ACCEPT,
6214 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6215 },
6216 {
6217 "check bpf_perf_event_data->sample_period half load permitted",
6218 .insns = {
6219 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6220#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6221 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6222 offsetof(struct bpf_perf_event_data, sample_period)),
6223#else
6224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6225 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6226#endif
6227 BPF_EXIT_INSN(),
6228 },
6229 .result = ACCEPT,
6230 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6231 },
6232 {
6233 "check bpf_perf_event_data->sample_period word load permitted",
6234 .insns = {
6235 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6236#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6237 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6238 offsetof(struct bpf_perf_event_data, sample_period)),
6239#else
6240 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6241 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6242#endif
6243 BPF_EXIT_INSN(),
6244 },
6245 .result = ACCEPT,
6246 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6247 },
6248 {
6249 "check bpf_perf_event_data->sample_period dword load permitted",
6250 .insns = {
6251 BPF_MOV64_IMM(BPF_REG_0, 0),
6252 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6253 offsetof(struct bpf_perf_event_data, sample_period)),
6254 BPF_EXIT_INSN(),
6255 },
6256 .result = ACCEPT,
6257 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6258 },
6259 {
6260 "check skb->data half load not permitted",
6261 .insns = {
6262 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6263#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6264 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6265 offsetof(struct __sk_buff, data)),
6266#else
6267 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6268 offsetof(struct __sk_buff, data) + 2),
6269#endif
6270 BPF_EXIT_INSN(),
6271 },
6272 .result = REJECT,
6273 .errstr = "invalid bpf_context access",
6274 },
6275 {
6276 "check skb->tc_classid half load not permitted for lwt prog",
6277 .insns = {
6278 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6279#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6280 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6281 offsetof(struct __sk_buff, tc_classid)),
6282#else
6283 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6284 offsetof(struct __sk_buff, tc_classid) + 2),
6285#endif
6286 BPF_EXIT_INSN(),
6287 },
6288 .result = REJECT,
6289 .errstr = "invalid bpf_context access",
6290 .prog_type = BPF_PROG_TYPE_LWT_IN,
6291 },
b712296a
EC		 6292 {
6293 "bounds checks mixing signed and unsigned, positive bounds",
6294 .insns = {
6295 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6298 BPF_LD_MAP_FD(BPF_REG_1, 0),
6299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6300 BPF_FUNC_map_lookup_elem),
6301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6302 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6303 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6304 BPF_MOV64_IMM(BPF_REG_2, 2),
6305 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6306 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6307 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6308 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6309 BPF_MOV64_IMM(BPF_REG_0, 0),
6310 BPF_EXIT_INSN(),
6311 },
6312 .fixup_map1 = { 3 },
2255f8d5 6313 .errstr = "unbounded min value",
b712296a 6314 .result = REJECT,
b712296a
EC		 6315 },
6316 {
6317 "bounds checks mixing signed and unsigned",
6318 .insns = {
6319 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6320 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6322 BPF_LD_MAP_FD(BPF_REG_1, 0),
6323 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6324 BPF_FUNC_map_lookup_elem),
6325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6327 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6328 BPF_MOV64_IMM(BPF_REG_2, -1),
6329 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6330 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6331 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6332 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6333 BPF_MOV64_IMM(BPF_REG_0, 0),
6334 BPF_EXIT_INSN(),
6335 },
6336 .fixup_map1 = { 3 },
2255f8d5 6337 .errstr = "unbounded min value",
b712296a 6338 .result = REJECT,
b712296a 6339 },
86412502
DB		 6340 {
6341 "bounds checks mixing signed and unsigned, variant 2",
6342 .insns = {
6343 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6346 BPF_LD_MAP_FD(BPF_REG_1, 0),
6347 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6348 BPF_FUNC_map_lookup_elem),
6349 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6350 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6351 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6352 BPF_MOV64_IMM(BPF_REG_2, -1),
6353 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6354 BPF_MOV64_IMM(BPF_REG_8, 0),
6355 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6356 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6357 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6358 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6359 BPF_MOV64_IMM(BPF_REG_0, 0),
6360 BPF_EXIT_INSN(),
6361 },
6362 .fixup_map1 = { 3 },
2255f8d5 6363 .errstr = "unbounded min value",
86412502 6364 .result = REJECT,
86412502
DB		 6365 },
6366 {
6367 "bounds checks mixing signed and unsigned, variant 3",
6368 .insns = {
6369 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6370 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6372 BPF_LD_MAP_FD(BPF_REG_1, 0),
6373 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6374 BPF_FUNC_map_lookup_elem),
6375 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6376 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6377 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6378 BPF_MOV64_IMM(BPF_REG_2, -1),
6379 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6380 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6381 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6382 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6383 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6384 BPF_MOV64_IMM(BPF_REG_0, 0),
6385 BPF_EXIT_INSN(),
6386 },
6387 .fixup_map1 = { 3 },
2255f8d5 6388 .errstr = "unbounded min value",
86412502 6389 .result = REJECT,
86412502
DB		 6390 },
6391 {
6392 "bounds checks mixing signed and unsigned, variant 4",
6393 .insns = {
6394 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6397 BPF_LD_MAP_FD(BPF_REG_1, 0),
6398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6399 BPF_FUNC_map_lookup_elem),
6400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6401 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6402 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6403 BPF_MOV64_IMM(BPF_REG_2, 1),
6404 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6405 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6406 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6407 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6408 BPF_MOV64_IMM(BPF_REG_0, 0),
6409 BPF_EXIT_INSN(),
6410 },
6411 .fixup_map1 = { 3 },
f65b1849 6412 .result = ACCEPT,
86412502
DB		 6413 },
6414 {
6415 "bounds checks mixing signed and unsigned, variant 5",
6416 .insns = {
6417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6420 BPF_LD_MAP_FD(BPF_REG_1, 0),
6421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6422 BPF_FUNC_map_lookup_elem),
6423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6424 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6425 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6426 BPF_MOV64_IMM(BPF_REG_2, -1),
6427 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6428 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6430 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6431 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6432 BPF_MOV64_IMM(BPF_REG_0, 0),
6433 BPF_EXIT_INSN(),
6434 },
6435 .fixup_map1 = { 3 },
2255f8d5 6436 .errstr = "unbounded min value",
86412502 6437 .result = REJECT,
86412502
DB		 6438 },
6439 {
6440 "bounds checks mixing signed and unsigned, variant 6",
6441 .insns = {
6442 BPF_MOV64_IMM(BPF_REG_2, 0),
6443 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6445 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6446 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6447 BPF_MOV64_IMM(BPF_REG_6, -1),
6448 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6449 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6451 BPF_MOV64_IMM(BPF_REG_5, 0),
6452 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6454 BPF_FUNC_skb_load_bytes),
6455 BPF_MOV64_IMM(BPF_REG_0, 0),
6456 BPF_EXIT_INSN(),
6457 },
86412502
DB		 6458 .errstr = "R4 min value is negative, either use unsigned",
6459 .result = REJECT,
86412502
DB		 6460 },
6461 {
6462 "bounds checks mixing signed and unsigned, variant 7",
6463 .insns = {
6464 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6465 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6467 BPF_LD_MAP_FD(BPF_REG_1, 0),
6468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6469 BPF_FUNC_map_lookup_elem),
6470 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6471 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6472 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6473 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6474 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6475 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6476 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6477 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6478 BPF_MOV64_IMM(BPF_REG_0, 0),
6479 BPF_EXIT_INSN(),
6480 },
6481 .fixup_map1 = { 3 },
f65b1849 6482 .result = ACCEPT,
86412502
DB		 6483 },
6484 {
6485 "bounds checks mixing signed and unsigned, variant 8",
86412502
DB		 6486 .insns = {
6487 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6490 BPF_LD_MAP_FD(BPF_REG_1, 0),
6491 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6492 BPF_FUNC_map_lookup_elem),
6493 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6494 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6495 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6496 BPF_MOV64_IMM(BPF_REG_2, -1),
6497 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6498 BPF_MOV64_IMM(BPF_REG_0, 0),
6499 BPF_EXIT_INSN(),
6500 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6501 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6502 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6503 BPF_MOV64_IMM(BPF_REG_0, 0),
6504 BPF_EXIT_INSN(),
6505 },
6506 .fixup_map1 = { 3 },
2255f8d5 6507 .errstr = "unbounded min value",
86412502 6508 .result = REJECT,
86412502
DB		 6509 },
6510 {
f65b1849 6511 "bounds checks mixing signed and unsigned, variant 9",
86412502
DB		 6512 .insns = {
6513 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6514 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6516 BPF_LD_MAP_FD(BPF_REG_1, 0),
6517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6518 BPF_FUNC_map_lookup_elem),
6519 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6520 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6521 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6522 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6523 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6524 BPF_MOV64_IMM(BPF_REG_0, 0),
6525 BPF_EXIT_INSN(),
6526 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6527 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6528 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6529 BPF_MOV64_IMM(BPF_REG_0, 0),
6530 BPF_EXIT_INSN(),
6531 },
6532 .fixup_map1 = { 3 },
f65b1849 6533 .result = ACCEPT,
86412502
DB		 6534 },
6535 {
f65b1849 6536 "bounds checks mixing signed and unsigned, variant 10",
86412502
DB		 6537 .insns = {
6538 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6541 BPF_LD_MAP_FD(BPF_REG_1, 0),
6542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6543 BPF_FUNC_map_lookup_elem),
6544 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6545 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6546 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6547 BPF_MOV64_IMM(BPF_REG_2, 0),
6548 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6549 BPF_MOV64_IMM(BPF_REG_0, 0),
6550 BPF_EXIT_INSN(),
6551 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6552 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6553 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6554 BPF_MOV64_IMM(BPF_REG_0, 0),
6555 BPF_EXIT_INSN(),
6556 },
6557 .fixup_map1 = { 3 },
2255f8d5 6558 .errstr = "unbounded min value",
86412502 6559 .result = REJECT,
86412502
DB		 6560 },
6561 {
f65b1849 6562 "bounds checks mixing signed and unsigned, variant 11",
86412502
DB		 6563 .insns = {
6564 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6565 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6567 BPF_LD_MAP_FD(BPF_REG_1, 0),
6568 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6569 BPF_FUNC_map_lookup_elem),
6570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6571 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6572 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6573 BPF_MOV64_IMM(BPF_REG_2, -1),
6574 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6575 /* Dead branch. */
6576 BPF_MOV64_IMM(BPF_REG_0, 0),
6577 BPF_EXIT_INSN(),
6578 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6579 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6580 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6581 BPF_MOV64_IMM(BPF_REG_0, 0),
6582 BPF_EXIT_INSN(),
6583 },
6584 .fixup_map1 = { 3 },
2255f8d5 6585 .errstr = "unbounded min value",
86412502 6586 .result = REJECT,
86412502
DB		 6587 },
6588 {
f65b1849 6589 "bounds checks mixing signed and unsigned, variant 12",
86412502
DB		 6590 .insns = {
6591 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6592 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6593 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6594 BPF_LD_MAP_FD(BPF_REG_1, 0),
6595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6596 BPF_FUNC_map_lookup_elem),
6597 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6598 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6599 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6600 BPF_MOV64_IMM(BPF_REG_2, -6),
6601 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6602 BPF_MOV64_IMM(BPF_REG_0, 0),
6603 BPF_EXIT_INSN(),
6604 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6605 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6606 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6607 BPF_MOV64_IMM(BPF_REG_0, 0),
6608 BPF_EXIT_INSN(),
6609 },
6610 .fixup_map1 = { 3 },
2255f8d5 6611 .errstr = "unbounded min value",
86412502 6612 .result = REJECT,
86412502
DB		 6613 },
6614 {
f65b1849 6615 "bounds checks mixing signed and unsigned, variant 13",
86412502
DB		 6616 .insns = {
6617 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6618 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6620 BPF_LD_MAP_FD(BPF_REG_1, 0),
6621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6622 BPF_FUNC_map_lookup_elem),
6623 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6624 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6625 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6626 BPF_MOV64_IMM(BPF_REG_2, 2),
6627 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6628 BPF_MOV64_IMM(BPF_REG_7, 1),
6629 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6630 BPF_MOV64_IMM(BPF_REG_0, 0),
6631 BPF_EXIT_INSN(),
6632 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6633 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6634 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6635 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6636 BPF_MOV64_IMM(BPF_REG_0, 0),
6637 BPF_EXIT_INSN(),
6638 },
6639 .fixup_map1 = { 3 },
2255f8d5 6640 .errstr = "unbounded min value",
86412502 6641 .result = REJECT,
86412502
DB		 6642 },
6643 {
f65b1849 6644 "bounds checks mixing signed and unsigned, variant 14",
86412502
DB		 6645 .insns = {
6646 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6647 offsetof(struct __sk_buff, mark)),
6648 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6649 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6651 BPF_LD_MAP_FD(BPF_REG_1, 0),
6652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6653 BPF_FUNC_map_lookup_elem),
6654 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6655 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6656 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6657 BPF_MOV64_IMM(BPF_REG_2, -1),
6658 BPF_MOV64_IMM(BPF_REG_8, 2),
6659 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6660 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6661 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6662 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6663 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6664 BPF_MOV64_IMM(BPF_REG_0, 0),
6665 BPF_EXIT_INSN(),
6666 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
6667 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
6668 },
6669 .fixup_map1 = { 4 },
2255f8d5 6670 .errstr = "unbounded min value",
86412502 6671 .result = REJECT,
86412502
DB		 6672 },
6673 {
f65b1849 6674 "bounds checks mixing signed and unsigned, variant 15",
86412502
DB		 6675 .insns = {
6676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6679 BPF_LD_MAP_FD(BPF_REG_1, 0),
6680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6681 BPF_FUNC_map_lookup_elem),
6682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6683 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6684 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6685 BPF_MOV64_IMM(BPF_REG_2, -6),
6686 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6687 BPF_MOV64_IMM(BPF_REG_0, 0),
6688 BPF_EXIT_INSN(),
6689 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6690 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
6691 BPF_MOV64_IMM(BPF_REG_0, 0),
6692 BPF_EXIT_INSN(),
6693 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6694 BPF_MOV64_IMM(BPF_REG_0, 0),
6695 BPF_EXIT_INSN(),
6696 },
6697 .fixup_map1 = { 3 },
2255f8d5 6698 .errstr = "unbounded min value",
86412502
DB		 6699 .result = REJECT,
6700 .result_unpriv = REJECT,
6701 },
545722cb 6702 {
f65b1849 6703 "subtraction bounds (map value) variant 1",
545722cb
EC		 6704 .insns = {
6705 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6706 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6708 BPF_LD_MAP_FD(BPF_REG_1, 0),
6709 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6710 BPF_FUNC_map_lookup_elem),
6711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6712 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6713 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
6714 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6715 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
6716 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6717 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6718 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6719 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6720 BPF_EXIT_INSN(),
6721 BPF_MOV64_IMM(BPF_REG_0, 0),
6722 BPF_EXIT_INSN(),
6723 },
6724 .fixup_map1 = { 3 },
f65b1849
EC		 6725 .errstr = "R0 max value is outside of the array range",
6726 .result = REJECT,
6727 },
6728 {
6729 "subtraction bounds (map value) variant 2",
6730 .insns = {
6731 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6734 BPF_LD_MAP_FD(BPF_REG_1, 0),
6735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6736 BPF_FUNC_map_lookup_elem),
6737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6738 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6739 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
6740 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6741 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
6742 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6743 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6744 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6745 BPF_EXIT_INSN(),
6746 BPF_MOV64_IMM(BPF_REG_0, 0),
6747 BPF_EXIT_INSN(),
6748 },
6749 .fixup_map1 = { 3 },
545722cb
EC		 6750 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6751 .result = REJECT,
545722cb 6752 },
2255f8d5
JH		 6753 {
6754 "bounds check based on zero-extended MOV",
6755 .insns = {
6756 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6757 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6759 BPF_LD_MAP_FD(BPF_REG_1, 0),
6760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6761 BPF_FUNC_map_lookup_elem),
6762 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6763 /* r2 = 0x0000'0000'ffff'ffff */
6764 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
6765 /* r2 = 0 */
6766 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
6767 /* no-op */
6768 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6769 /* access at offset 0 */
6770 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6771 /* exit */
6772 BPF_MOV64_IMM(BPF_REG_0, 0),
6773 BPF_EXIT_INSN(),
6774 },
6775 .fixup_map1 = { 3 },
6776 .result = ACCEPT
6777 },
6778 {
6779 "bounds check based on sign-extended MOV. test1",
6780 .insns = {
6781 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6782 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6784 BPF_LD_MAP_FD(BPF_REG_1, 0),
6785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6786 BPF_FUNC_map_lookup_elem),
6787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6788 /* r2 = 0xffff'ffff'ffff'ffff */
6789 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
6790 /* r2 = 0xffff'ffff */
6791 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
6792 /* r0 = <oob pointer> */
6793 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6794 /* access to OOB pointer */
6795 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6796 /* exit */
6797 BPF_MOV64_IMM(BPF_REG_0, 0),
6798 BPF_EXIT_INSN(),
6799 },
6800 .fixup_map1 = { 3 },
6801 .errstr = "map_value pointer and 4294967295",
6802 .result = REJECT
6803 },
6804 {
6805 "bounds check based on sign-extended MOV. test2",
6806 .insns = {
6807 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6808 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6810 BPF_LD_MAP_FD(BPF_REG_1, 0),
6811 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6812 BPF_FUNC_map_lookup_elem),
6813 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6814 /* r2 = 0xffff'ffff'ffff'ffff */
6815 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
6816 /* r2 = 0xfff'ffff */
6817 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
6818 /* r0 = <oob pointer> */
6819 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6820 /* access to OOB pointer */
6821 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6822 /* exit */
6823 BPF_MOV64_IMM(BPF_REG_0, 0),
6824 BPF_EXIT_INSN(),
6825 },
6826 .fixup_map1 = { 3 },
6827 .errstr = "R0 min value is outside of the array range",
6828 .result = REJECT
6829 },
6830 {
6831 "bounds check based on reg_off + var_off + insn_off. test1",
6832 .insns = {
6833 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6834 offsetof(struct __sk_buff, mark)),
6835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6838 BPF_LD_MAP_FD(BPF_REG_1, 0),
6839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6840 BPF_FUNC_map_lookup_elem),
6841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6842 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
6843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
6844 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
6845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
6846 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
6847 BPF_MOV64_IMM(BPF_REG_0, 0),
6848 BPF_EXIT_INSN(),
6849 },
6850 .fixup_map1 = { 4 },
6851 .errstr = "value_size=8 off=1073741825",
6852 .result = REJECT,
6853 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6854 },
6855 {
6856 "bounds check based on reg_off + var_off + insn_off. test2",
6857 .insns = {
6858 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6859 offsetof(struct __sk_buff, mark)),
6860 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6861 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6863 BPF_LD_MAP_FD(BPF_REG_1, 0),
6864 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6865 BPF_FUNC_map_lookup_elem),
6866 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6867 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
6868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
6869 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
6870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
6871 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
6872 BPF_MOV64_IMM(BPF_REG_0, 0),
6873 BPF_EXIT_INSN(),
6874 },
6875 .fixup_map1 = { 4 },
6876 .errstr = "value 1073741823",
6877 .result = REJECT,
6878 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6879 },
6880 {
6881 "bounds check after truncation of non-boundary-crossing range",
6882 .insns = {
6883 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6884 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6886 BPF_LD_MAP_FD(BPF_REG_1, 0),
6887 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6888 BPF_FUNC_map_lookup_elem),
6889 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6890 /* r1 = [0x00, 0xff] */
6891 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6892 BPF_MOV64_IMM(BPF_REG_2, 1),
6893 /* r2 = 0x10'0000'0000 */
6894 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
6895 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
6896 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
6897 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
6898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
6899 /* r1 = [0x00, 0xff] */
6900 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
6901 /* r1 = 0 */
6902 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6903 /* no-op */
6904 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6905 /* access at offset 0 */
6906 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6907 /* exit */
6908 BPF_MOV64_IMM(BPF_REG_0, 0),
6909 BPF_EXIT_INSN(),
6910 },
6911 .fixup_map1 = { 3 },
6912 .result = ACCEPT
6913 },
6914 {
6915 "bounds check after truncation of boundary-crossing range (1)",
6916 .insns = {
6917 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6920 BPF_LD_MAP_FD(BPF_REG_1, 0),
6921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6922 BPF_FUNC_map_lookup_elem),
6923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6924 /* r1 = [0x00, 0xff] */
6925 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6927 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
6928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6929 /* r1 = [0xffff'ff80, 0xffff'ffff] or
6930 * [0x0000'0000, 0x0000'007f]
6931 */
6932 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
6933 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6934 /* r1 = [0x00, 0xff] or
6935 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
6936 */
6937 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6938 /* r1 = 0 or
6939 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
6940 */
6941 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6942 /* no-op or OOB pointer computation */
6943 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6944 /* potentially OOB access */
6945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6946 /* exit */
6947 BPF_MOV64_IMM(BPF_REG_0, 0),
6948 BPF_EXIT_INSN(),
6949 },
6950 .fixup_map1 = { 3 },
6951 /* not actually fully unbounded, but the bound is very high */
6952 .errstr = "R0 unbounded memory access",
6953 .result = REJECT
6954 },
6955 {
6956 "bounds check after truncation of boundary-crossing range (2)",
6957 .insns = {
6958 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6961 BPF_LD_MAP_FD(BPF_REG_1, 0),
6962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6963 BPF_FUNC_map_lookup_elem),
6964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6965 /* r1 = [0x00, 0xff] */
6966 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6968 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
6969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6970 /* r1 = [0xffff'ff80, 0xffff'ffff] or
6971 * [0x0000'0000, 0x0000'007f]
6972 * difference to previous test: truncation via MOV32
6973 * instead of ALU32.
6974 */
6975 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
6976 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6977 /* r1 = [0x00, 0xff] or
6978 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
6979 */
6980 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6981 /* r1 = 0 or
6982 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
6983 */
6984 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6985 /* no-op or OOB pointer computation */
6986 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6987 /* potentially OOB access */
6988 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6989 /* exit */
6990 BPF_MOV64_IMM(BPF_REG_0, 0),
6991 BPF_EXIT_INSN(),
6992 },
6993 .fixup_map1 = { 3 },
6994 /* not actually fully unbounded, but the bound is very high */
6995 .errstr = "R0 unbounded memory access",
6996 .result = REJECT
6997 },
6998 {
6999 "bounds check after wrapping 32-bit addition",
7000 .insns = {
7001 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7002 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7004 BPF_LD_MAP_FD(BPF_REG_1, 0),
7005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7006 BPF_FUNC_map_lookup_elem),
7007 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7008 /* r1 = 0x7fff'ffff */
7009 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7010 /* r1 = 0xffff'fffe */
7011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7012 /* r1 = 0 */
7013 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7014 /* no-op */
7015 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7016 /* access at offset 0 */
7017 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7018 /* exit */
7019 BPF_MOV64_IMM(BPF_REG_0, 0),
7020 BPF_EXIT_INSN(),
7021 },
7022 .fixup_map1 = { 3 },
7023 .result = ACCEPT
7024 },
7025 {
7026 "bounds check after shift with oversized count operand",
7027 .insns = {
7028 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7029 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7031 BPF_LD_MAP_FD(BPF_REG_1, 0),
7032 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7033 BPF_FUNC_map_lookup_elem),
7034 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7035 BPF_MOV64_IMM(BPF_REG_2, 32),
7036 BPF_MOV64_IMM(BPF_REG_1, 1),
7037 /* r1 = (u32)1 << (u32)32 = ? */
7038 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7039 /* r1 = [0x0000, 0xffff] */
7040 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7041 /* computes unknown pointer, potentially OOB */
7042 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7043 /* potentially OOB access */
7044 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7045 /* exit */
7046 BPF_MOV64_IMM(BPF_REG_0, 0),
7047 BPF_EXIT_INSN(),
7048 },
7049 .fixup_map1 = { 3 },
7050 .errstr = "R0 max value is outside of the array range",
7051 .result = REJECT
7052 },
7053 {
7054 "bounds check after right shift of maybe-negative number",
7055 .insns = {
7056 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7059 BPF_LD_MAP_FD(BPF_REG_1, 0),
7060 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7061 BPF_FUNC_map_lookup_elem),
7062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7063 /* r1 = [0x00, 0xff] */
7064 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7065 /* r1 = [-0x01, 0xfe] */
7066 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7067 /* r1 = 0 or 0xff'ffff'ffff'ffff */
7068 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7069 /* r1 = 0 or 0xffff'ffff'ffff */
7070 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7071 /* computes unknown pointer, potentially OOB */
7072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7073 /* potentially OOB access */
7074 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7075 /* exit */
7076 BPF_MOV64_IMM(BPF_REG_0, 0),
7077 BPF_EXIT_INSN(),
7078 },
7079 .fixup_map1 = { 3 },
7080 .errstr = "R0 unbounded memory access",
7081 .result = REJECT
7082 },
7083 {
7084 "bounds check map access with off+size signed 32bit overflow. test1",
7085 .insns = {
7086 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7089 BPF_LD_MAP_FD(BPF_REG_1, 0),
7090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7091 BPF_FUNC_map_lookup_elem),
7092 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7093 BPF_EXIT_INSN(),
7094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7095 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7096 BPF_JMP_A(0),
7097 BPF_EXIT_INSN(),
7098 },
7099 .fixup_map1 = { 3 },
7100 .errstr = "map_value pointer and 2147483646",
7101 .result = REJECT
7102 },
7103 {
7104 "bounds check map access with off+size signed 32bit overflow. test2",
7105 .insns = {
7106 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7109 BPF_LD_MAP_FD(BPF_REG_1, 0),
7110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7111 BPF_FUNC_map_lookup_elem),
7112 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7113 BPF_EXIT_INSN(),
7114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7117 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7118 BPF_JMP_A(0),
7119 BPF_EXIT_INSN(),
7120 },
7121 .fixup_map1 = { 3 },
7122 .errstr = "pointer offset 1073741822",
7123 .result = REJECT
7124 },
7125 {
7126 "bounds check map access with off+size signed 32bit overflow. test3",
7127 .insns = {
7128 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7129 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7131 BPF_LD_MAP_FD(BPF_REG_1, 0),
7132 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7133 BPF_FUNC_map_lookup_elem),
7134 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7135 BPF_EXIT_INSN(),
7136 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7137 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7138 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7139 BPF_JMP_A(0),
7140 BPF_EXIT_INSN(),
7141 },
7142 .fixup_map1 = { 3 },
7143 .errstr = "pointer offset -1073741822",
7144 .result = REJECT
7145 },
7146 {
7147 "bounds check map access with off+size signed 32bit overflow. test4",
7148 .insns = {
7149 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7150 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7152 BPF_LD_MAP_FD(BPF_REG_1, 0),
7153 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7154 BPF_FUNC_map_lookup_elem),
7155 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7156 BPF_EXIT_INSN(),
7157 BPF_MOV64_IMM(BPF_REG_1, 1000000),
7158 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
7159 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7161 BPF_JMP_A(0),
7162 BPF_EXIT_INSN(),
7163 },
7164 .fixup_map1 = { 3 },
7165 .errstr = "map_value pointer and 1000000000000",
7166 .result = REJECT
7167 },
7168 {
7169 "pointer/scalar confusion in state equality check (way 1)",
7170 .insns = {
7171 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7172 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7174 BPF_LD_MAP_FD(BPF_REG_1, 0),
7175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7176 BPF_FUNC_map_lookup_elem),
7177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7178 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7179 BPF_JMP_A(1),
7180 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7181 BPF_JMP_A(0),
7182 BPF_EXIT_INSN(),
7183 },
7184 .fixup_map1 = { 3 },
7185 .result = ACCEPT,
7186 .result_unpriv = REJECT,
7187 .errstr_unpriv = "R0 leaks addr as return value"
7188 },
7189 {
7190 "pointer/scalar confusion in state equality check (way 2)",
7191 .insns = {
7192 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7195 BPF_LD_MAP_FD(BPF_REG_1, 0),
7196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7197 BPF_FUNC_map_lookup_elem),
7198 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
7199 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7200 BPF_JMP_A(1),
7201 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7202 BPF_EXIT_INSN(),
7203 },
7204 .fixup_map1 = { 3 },
7205 .result = ACCEPT,
7206 .result_unpriv = REJECT,
7207 .errstr_unpriv = "R0 leaks addr as return value"
7208 },
69c4e8ad
EC		 7209 {
7210 "variable-offset ctx access",
7211 .insns = {
7212 /* Get an unknown value */
7213 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7214 /* Make it small and 4-byte aligned */
7215 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7216 /* add it to skb. We now have either &skb->len or
7217 * &skb->pkt_type, but we don't know which
7218 */
7219 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7220 /* dereference it */
7221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7222 BPF_EXIT_INSN(),
7223 },
7224 .errstr = "variable ctx access var_off=(0x0; 0x4)",
7225 .result = REJECT,
7226 .prog_type = BPF_PROG_TYPE_LWT_IN,
7227 },
7228 {
7229 "variable-offset stack access",
7230 .insns = {
7231 /* Fill the top 8 bytes of the stack */
7232 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7233 /* Get an unknown value */
7234 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7235 /* Make it small and 4-byte aligned */
7236 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7237 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7238 /* add it to fp. We now have either fp-4 or fp-8, but
7239 * we don't know which
7240 */
7241 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7242 /* dereference it */
7243 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
7244 BPF_EXIT_INSN(),
7245 },
7246 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
7247 .result = REJECT,
7248 .prog_type = BPF_PROG_TYPE_LWT_IN,
7249 },
2255f8d5
JH		 7250 {
7251 "indirect variable-offset stack access",
7252 .insns = {
7253 /* Fill the top 8 bytes of the stack */
7254 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7255 /* Get an unknown value */
7256 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7257 /* Make it small and 4-byte aligned */
7258 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7259 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7260 /* add it to fp. We now have either fp-4 or fp-8, but
7261 * we don't know which
7262 */
7263 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7264 /* dereference it indirectly */
7265 BPF_LD_MAP_FD(BPF_REG_1, 0),
7266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7267 BPF_FUNC_map_lookup_elem),
7268 BPF_MOV64_IMM(BPF_REG_0, 0),
7269 BPF_EXIT_INSN(),
7270 },
7271 .fixup_map1 = { 5 },
7272 .errstr = "variable stack read R2",
7273 .result = REJECT,
7274 .prog_type = BPF_PROG_TYPE_LWT_IN,
7275 },
7276 {
7277 "direct stack access with 32-bit wraparound. test1",
7278 .insns = {
7279 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7282 BPF_MOV32_IMM(BPF_REG_0, 0),
7283 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7284 BPF_EXIT_INSN()
7285 },
7286 .errstr = "fp pointer and 2147483647",
7287 .result = REJECT
7288 },
7289 {
7290 "direct stack access with 32-bit wraparound. test2",
7291 .insns = {
7292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7295 BPF_MOV32_IMM(BPF_REG_0, 0),
7296 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7297 BPF_EXIT_INSN()
7298 },
7299 .errstr = "fp pointer and 1073741823",
7300 .result = REJECT
7301 },
7302 {
7303 "direct stack access with 32-bit wraparound. test3",
7304 .insns = {
7305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7308 BPF_MOV32_IMM(BPF_REG_0, 0),
7309 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7310 BPF_EXIT_INSN()
7311 },
7312 .errstr = "fp pointer offset 1073741822",
7313 .result = REJECT
7314 },
d893dc26
EC		 7315 {
7316 "liveness pruning and write screening",
7317 .insns = {
7318 /* Get an unknown value */
7319 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7320 /* branch conditions teach us nothing about R2 */
7321 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7322 BPF_MOV64_IMM(BPF_REG_0, 0),
7323 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7324 BPF_MOV64_IMM(BPF_REG_0, 0),
7325 BPF_EXIT_INSN(),
7326 },
7327 .errstr = "R0 !read_ok",
7328 .result = REJECT,
7329 .prog_type = BPF_PROG_TYPE_LWT_IN,
7330 },
df20cb7e
AS		 7331 {
7332 "varlen_map_value_access pruning",
7333 .insns = {
7334 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7335 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7337 BPF_LD_MAP_FD(BPF_REG_1, 0),
7338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7339 BPF_FUNC_map_lookup_elem),
7340 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7341 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7342 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
7343 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
7344 BPF_MOV32_IMM(BPF_REG_1, 0),
7345 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
7346 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7347 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
7348 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7349 offsetof(struct test_val, foo)),
7350 BPF_EXIT_INSN(),
7351 },
7352 .fixup_map2 = { 3 },
7353 .errstr_unpriv = "R0 leaks addr",
7354 .errstr = "R0 unbounded memory access",
7355 .result_unpriv = REJECT,
7356 .result = REJECT,
7357 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7358 },
e67b8a68
EC		 7359 {
7360 "invalid 64-bit BPF_END",
7361 .insns = {
7362 BPF_MOV32_IMM(BPF_REG_0, 0),
7363 {
7364 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
7365 .dst_reg = BPF_REG_0,
7366 .src_reg = 0,
7367 .off = 0,
7368 .imm = 32,
7369 },
7370 BPF_EXIT_INSN(),
7371 },
7372 .errstr = "BPF_END uses reserved fields",
7373 .result = REJECT,
7374 },
22c88526
DB		 7375 {
7376 "meta access, test1",
7377 .insns = {
7378 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7379 offsetof(struct xdp_md, data_meta)),
7380 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7381 offsetof(struct xdp_md, data)),
7382 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7384 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7385 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7386 BPF_MOV64_IMM(BPF_REG_0, 0),
7387 BPF_EXIT_INSN(),
7388 },
7389 .result = ACCEPT,
7390 .prog_type = BPF_PROG_TYPE_XDP,
7391 },
7392 {
7393 "meta access, test2",
7394 .insns = {
7395 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7396 offsetof(struct xdp_md, data_meta)),
7397 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7398 offsetof(struct xdp_md, data)),
7399 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7400 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
7401 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7403 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7405 BPF_MOV64_IMM(BPF_REG_0, 0),
7406 BPF_EXIT_INSN(),
7407 },
7408 .result = REJECT,
7409 .errstr = "invalid access to packet, off=-8",
7410 .prog_type = BPF_PROG_TYPE_XDP,
7411 },
7412 {
7413 "meta access, test3",
7414 .insns = {
7415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7416 offsetof(struct xdp_md, data_meta)),
7417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7418 offsetof(struct xdp_md, data_end)),
7419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7421 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7422 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7423 BPF_MOV64_IMM(BPF_REG_0, 0),
7424 BPF_EXIT_INSN(),
7425 },
7426 .result = REJECT,
7427 .errstr = "invalid access to packet",
7428 .prog_type = BPF_PROG_TYPE_XDP,
7429 },
7430 {
7431 "meta access, test4",
7432 .insns = {
7433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7434 offsetof(struct xdp_md, data_meta)),
7435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7436 offsetof(struct xdp_md, data_end)),
7437 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7438 offsetof(struct xdp_md, data)),
7439 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7441 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7442 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7443 BPF_MOV64_IMM(BPF_REG_0, 0),
7444 BPF_EXIT_INSN(),
7445 },
7446 .result = REJECT,
7447 .errstr = "invalid access to packet",
7448 .prog_type = BPF_PROG_TYPE_XDP,
7449 },
7450 {
7451 "meta access, test5",
7452 .insns = {
7453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7454 offsetof(struct xdp_md, data_meta)),
7455 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7456 offsetof(struct xdp_md, data)),
7457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7459 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
7460 BPF_MOV64_IMM(BPF_REG_2, -8),
7461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7462 BPF_FUNC_xdp_adjust_meta),
7463 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7464 BPF_MOV64_IMM(BPF_REG_0, 0),
7465 BPF_EXIT_INSN(),
7466 },
7467 .result = REJECT,
7468 .errstr = "R3 !read_ok",
7469 .prog_type = BPF_PROG_TYPE_XDP,
7470 },
7471 {
7472 "meta access, test6",
7473 .insns = {
7474 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7475 offsetof(struct xdp_md, data_meta)),
7476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7477 offsetof(struct xdp_md, data)),
7478 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7480 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7482 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
7483 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7484 BPF_MOV64_IMM(BPF_REG_0, 0),
7485 BPF_EXIT_INSN(),
7486 },
7487 .result = REJECT,
7488 .errstr = "invalid access to packet",
7489 .prog_type = BPF_PROG_TYPE_XDP,
7490 },
7491 {
7492 "meta access, test7",
7493 .insns = {
7494 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7495 offsetof(struct xdp_md, data_meta)),
7496 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7497 offsetof(struct xdp_md, data)),
7498 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7500 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7502 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7503 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7504 BPF_MOV64_IMM(BPF_REG_0, 0),
7505 BPF_EXIT_INSN(),
7506 },
7507 .result = ACCEPT,
7508 .prog_type = BPF_PROG_TYPE_XDP,
7509 },
7510 {
7511 "meta access, test8",
7512 .insns = {
7513 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7514 offsetof(struct xdp_md, data_meta)),
7515 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7516 offsetof(struct xdp_md, data)),
7517 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7519 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7520 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7521 BPF_MOV64_IMM(BPF_REG_0, 0),
7522 BPF_EXIT_INSN(),
7523 },
7524 .result = ACCEPT,
7525 .prog_type = BPF_PROG_TYPE_XDP,
7526 },
7527 {
7528 "meta access, test9",
7529 .insns = {
7530 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7531 offsetof(struct xdp_md, data_meta)),
7532 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7533 offsetof(struct xdp_md, data)),
7534 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7537 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7538 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7539 BPF_MOV64_IMM(BPF_REG_0, 0),
7540 BPF_EXIT_INSN(),
7541 },
7542 .result = REJECT,
7543 .errstr = "invalid access to packet",
7544 .prog_type = BPF_PROG_TYPE_XDP,
7545 },
7546 {
7547 "meta access, test10",
7548 .insns = {
7549 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7550 offsetof(struct xdp_md, data_meta)),
7551 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7552 offsetof(struct xdp_md, data)),
7553 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7554 offsetof(struct xdp_md, data_end)),
7555 BPF_MOV64_IMM(BPF_REG_5, 42),
7556 BPF_MOV64_IMM(BPF_REG_6, 24),
7557 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7558 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7559 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7560 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7561 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
7562 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7563 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7565 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
7566 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
7567 BPF_MOV64_IMM(BPF_REG_0, 0),
7568 BPF_EXIT_INSN(),
7569 },
7570 .result = REJECT,
7571 .errstr = "invalid access to packet",
7572 .prog_type = BPF_PROG_TYPE_XDP,
7573 },
7574 {
7575 "meta access, test11",
7576 .insns = {
7577 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7578 offsetof(struct xdp_md, data_meta)),
7579 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7580 offsetof(struct xdp_md, data)),
7581 BPF_MOV64_IMM(BPF_REG_5, 42),
7582 BPF_MOV64_IMM(BPF_REG_6, 24),
7583 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7584 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7585 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7586 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7587 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
7588 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7589 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7591 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
7592 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
7593 BPF_MOV64_IMM(BPF_REG_0, 0),
7594 BPF_EXIT_INSN(),
7595 },
7596 .result = ACCEPT,
7597 .prog_type = BPF_PROG_TYPE_XDP,
7598 },
7599 {
7600 "meta access, test12",
7601 .insns = {
7602 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7603 offsetof(struct xdp_md, data_meta)),
7604 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7605 offsetof(struct xdp_md, data)),
7606 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7607 offsetof(struct xdp_md, data_end)),
7608 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7610 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
7611 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7612 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7614 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
7615 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7616 BPF_MOV64_IMM(BPF_REG_0, 0),
7617 BPF_EXIT_INSN(),
7618 },
7619 .result = ACCEPT,
7620 .prog_type = BPF_PROG_TYPE_XDP,
7621 },
28e33f9d
JK		 7622 {
7623 "arithmetic ops make PTR_TO_CTX unusable",
7624 .insns = {
7625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
7626 offsetof(struct __sk_buff, data) -
7627 offsetof(struct __sk_buff, mark)),
7628 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7629 offsetof(struct __sk_buff, mark)),
7630 BPF_EXIT_INSN(),
7631 },
7632 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
7633 .result = REJECT,
7634 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7635 },
82abbf8d
AS		 7636 {
7637 "pkt_end - pkt_start is allowed",
7638 .insns = {
7639 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7640 offsetof(struct __sk_buff, data_end)),
7641 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7642 offsetof(struct __sk_buff, data)),
7643 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
7644 BPF_EXIT_INSN(),
7645 },
7646 .result = ACCEPT,
7647 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7648 },
b37242c7
DB		 7649 {
7650 "XDP pkt read, pkt_end mangling, bad access 1",
7651 .insns = {
7652 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7653 offsetof(struct xdp_md, data)),
7654 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7655 offsetof(struct xdp_md, data_end)),
7656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
7659 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7660 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7661 BPF_MOV64_IMM(BPF_REG_0, 0),
7662 BPF_EXIT_INSN(),
7663 },
82abbf8d 7664 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
b37242c7
DB		 7665 .result = REJECT,
7666 .prog_type = BPF_PROG_TYPE_XDP,
7667 },
7668 {
7669 "XDP pkt read, pkt_end mangling, bad access 2",
7670 .insns = {
7671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7672 offsetof(struct xdp_md, data)),
7673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7674 offsetof(struct xdp_md, data_end)),
7675 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7677 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
7678 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7679 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7680 BPF_MOV64_IMM(BPF_REG_0, 0),
7681 BPF_EXIT_INSN(),
7682 },
82abbf8d 7683 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
b37242c7
DB		 7684 .result = REJECT,
7685 .prog_type = BPF_PROG_TYPE_XDP,
7686 },
7687 {
7688 "XDP pkt read, pkt_data' > pkt_end, good access",
7689 .insns = {
7690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7691 offsetof(struct xdp_md, data)),
7692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7693 offsetof(struct xdp_md, data_end)),
7694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7696 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7697 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7698 BPF_MOV64_IMM(BPF_REG_0, 0),
7699 BPF_EXIT_INSN(),
7700 },
7701 .result = ACCEPT,
7702 .prog_type = BPF_PROG_TYPE_XDP,
7703 },
7704 {
7705 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
7706 .insns = {
7707 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7708 offsetof(struct xdp_md, data)),
7709 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7710 offsetof(struct xdp_md, data_end)),
7711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7713 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7714 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7715 BPF_MOV64_IMM(BPF_REG_0, 0),
7716 BPF_EXIT_INSN(),
7717 },
7718 .errstr = "R1 offset is outside of the packet",
7719 .result = REJECT,
7720 .prog_type = BPF_PROG_TYPE_XDP,
7721 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7722 },
7723 {
7724 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
7725 .insns = {
7726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7727 offsetof(struct xdp_md, data)),
7728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7729 offsetof(struct xdp_md, data_end)),
7730 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7732 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7733 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7734 BPF_MOV64_IMM(BPF_REG_0, 0),
7735 BPF_EXIT_INSN(),
7736 },
7737 .errstr = "R1 offset is outside of the packet",
7738 .result = REJECT,
7739 .prog_type = BPF_PROG_TYPE_XDP,
7740 },
7741 {
7742 "XDP pkt read, pkt_end > pkt_data', good access",
7743 .insns = {
7744 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7745 offsetof(struct xdp_md, data)),
7746 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7747 offsetof(struct xdp_md, data_end)),
7748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7750 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7751 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7752 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7753 BPF_MOV64_IMM(BPF_REG_0, 0),
7754 BPF_EXIT_INSN(),
7755 },
7756 .result = ACCEPT,
7757 .prog_type = BPF_PROG_TYPE_XDP,
7758 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7759 },
7760 {
7761 "XDP pkt read, pkt_end > pkt_data', bad access 1",
7762 .insns = {
7763 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7764 offsetof(struct xdp_md, data)),
7765 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7766 offsetof(struct xdp_md, data_end)),
7767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7769 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7770 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7771 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7772 BPF_MOV64_IMM(BPF_REG_0, 0),
7773 BPF_EXIT_INSN(),
7774 },
7775 .errstr = "R1 offset is outside of the packet",
7776 .result = REJECT,
7777 .prog_type = BPF_PROG_TYPE_XDP,
7778 },
7779 {
7780 "XDP pkt read, pkt_end > pkt_data', bad access 2",
7781 .insns = {
7782 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7783 offsetof(struct xdp_md, data)),
7784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7785 offsetof(struct xdp_md, data_end)),
7786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7788 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7789 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7790 BPF_MOV64_IMM(BPF_REG_0, 0),
7791 BPF_EXIT_INSN(),
7792 },
7793 .errstr = "R1 offset is outside of the packet",
7794 .result = REJECT,
7795 .prog_type = BPF_PROG_TYPE_XDP,
7796 },
7797 {
7798 "XDP pkt read, pkt_data' < pkt_end, good access",
7799 .insns = {
7800 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7801 offsetof(struct xdp_md, data)),
7802 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7803 offsetof(struct xdp_md, data_end)),
7804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7806 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7807 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7808 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7809 BPF_MOV64_IMM(BPF_REG_0, 0),
7810 BPF_EXIT_INSN(),
7811 },
7812 .result = ACCEPT,
7813 .prog_type = BPF_PROG_TYPE_XDP,
7814 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7815 },
7816 {
7817 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
7818 .insns = {
7819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7820 offsetof(struct xdp_md, data)),
7821 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7822 offsetof(struct xdp_md, data_end)),
7823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7825 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7826 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7827 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7828 BPF_MOV64_IMM(BPF_REG_0, 0),
7829 BPF_EXIT_INSN(),
7830 },
7831 .errstr = "R1 offset is outside of the packet",
7832 .result = REJECT,
7833 .prog_type = BPF_PROG_TYPE_XDP,
7834 },
7835 {
7836 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
7837 .insns = {
7838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7839 offsetof(struct xdp_md, data)),
7840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7841 offsetof(struct xdp_md, data_end)),
7842 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7844 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7845 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7846 BPF_MOV64_IMM(BPF_REG_0, 0),
7847 BPF_EXIT_INSN(),
7848 },
7849 .errstr = "R1 offset is outside of the packet",
7850 .result = REJECT,
7851 .prog_type = BPF_PROG_TYPE_XDP,
7852 },
7853 {
7854 "XDP pkt read, pkt_end < pkt_data', good access",
7855 .insns = {
7856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7857 offsetof(struct xdp_md, data)),
7858 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7859 offsetof(struct xdp_md, data_end)),
7860 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7862 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7863 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7864 BPF_MOV64_IMM(BPF_REG_0, 0),
7865 BPF_EXIT_INSN(),
7866 },
7867 .result = ACCEPT,
7868 .prog_type = BPF_PROG_TYPE_XDP,
7869 },
7870 {
7871 "XDP pkt read, pkt_end < pkt_data', bad access 1",
7872 .insns = {
7873 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7874 offsetof(struct xdp_md, data)),
7875 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7876 offsetof(struct xdp_md, data_end)),
7877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7879 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7880 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7881 BPF_MOV64_IMM(BPF_REG_0, 0),
7882 BPF_EXIT_INSN(),
7883 },
7884 .errstr = "R1 offset is outside of the packet",
7885 .result = REJECT,
7886 .prog_type = BPF_PROG_TYPE_XDP,
7887 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7888 },
7889 {
7890 "XDP pkt read, pkt_end < pkt_data', bad access 2",
7891 .insns = {
7892 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7893 offsetof(struct xdp_md, data)),
7894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7895 offsetof(struct xdp_md, data_end)),
7896 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7898 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7899 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7900 BPF_MOV64_IMM(BPF_REG_0, 0),
7901 BPF_EXIT_INSN(),
7902 },
7903 .errstr = "R1 offset is outside of the packet",
7904 .result = REJECT,
7905 .prog_type = BPF_PROG_TYPE_XDP,
7906 },
7907 {
7908 "XDP pkt read, pkt_data' >= pkt_end, good access",
7909 .insns = {
7910 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7911 offsetof(struct xdp_md, data)),
7912 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7913 offsetof(struct xdp_md, data_end)),
7914 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7916 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7917 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7918 BPF_MOV64_IMM(BPF_REG_0, 0),
7919 BPF_EXIT_INSN(),
7920 },
7921 .result = ACCEPT,
7922 .prog_type = BPF_PROG_TYPE_XDP,
7923 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7924 },
7925 {
7926 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
7927 .insns = {
7928 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7929 offsetof(struct xdp_md, data)),
7930 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7931 offsetof(struct xdp_md, data_end)),
7932 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7933 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7934 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7935 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7936 BPF_MOV64_IMM(BPF_REG_0, 0),
7937 BPF_EXIT_INSN(),
7938 },
7939 .errstr = "R1 offset is outside of the packet",
7940 .result = REJECT,
7941 .prog_type = BPF_PROG_TYPE_XDP,
7942 },
7943 {
7944 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
7945 .insns = {
7946 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7947 offsetof(struct xdp_md, data)),
7948 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7949 offsetof(struct xdp_md, data_end)),
7950 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7952 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7953 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7954 BPF_MOV64_IMM(BPF_REG_0, 0),
7955 BPF_EXIT_INSN(),
7956 },
7957 .errstr = "R1 offset is outside of the packet",
7958 .result = REJECT,
7959 .prog_type = BPF_PROG_TYPE_XDP,
7960 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7961 },
7962 {
7963 "XDP pkt read, pkt_end >= pkt_data', good access",
7964 .insns = {
7965 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7966 offsetof(struct xdp_md, data)),
7967 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7968 offsetof(struct xdp_md, data_end)),
7969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7971 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7972 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7973 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7974 BPF_MOV64_IMM(BPF_REG_0, 0),
7975 BPF_EXIT_INSN(),
7976 },
7977 .result = ACCEPT,
7978 .prog_type = BPF_PROG_TYPE_XDP,
7979 },
7980 {
7981 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
7982 .insns = {
7983 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7984 offsetof(struct xdp_md, data)),
7985 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7986 offsetof(struct xdp_md, data_end)),
7987 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7989 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7990 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7991 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7992 BPF_MOV64_IMM(BPF_REG_0, 0),
7993 BPF_EXIT_INSN(),
7994 },
7995 .errstr = "R1 offset is outside of the packet",
7996 .result = REJECT,
7997 .prog_type = BPF_PROG_TYPE_XDP,
7998 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7999 },
8000 {
8001 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
8002 .insns = {
8003 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8004 offsetof(struct xdp_md, data)),
8005 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8006 offsetof(struct xdp_md, data_end)),
8007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8009 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8011 BPF_MOV64_IMM(BPF_REG_0, 0),
8012 BPF_EXIT_INSN(),
8013 },
8014 .errstr = "R1 offset is outside of the packet",
8015 .result = REJECT,
8016 .prog_type = BPF_PROG_TYPE_XDP,
8017 },
8018 {
8019 "XDP pkt read, pkt_data' <= pkt_end, good access",
8020 .insns = {
8021 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8022 offsetof(struct xdp_md, data)),
8023 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8024 offsetof(struct xdp_md, data_end)),
8025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8027 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8028 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8029 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8030 BPF_MOV64_IMM(BPF_REG_0, 0),
8031 BPF_EXIT_INSN(),
8032 },
8033 .result = ACCEPT,
8034 .prog_type = BPF_PROG_TYPE_XDP,
8035 },
8036 {
8037 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8038 .insns = {
8039 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8040 offsetof(struct xdp_md, data)),
8041 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8042 offsetof(struct xdp_md, data_end)),
8043 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8045 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8046 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8047 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8048 BPF_MOV64_IMM(BPF_REG_0, 0),
8049 BPF_EXIT_INSN(),
8050 },
8051 .errstr = "R1 offset is outside of the packet",
8052 .result = REJECT,
8053 .prog_type = BPF_PROG_TYPE_XDP,
8054 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8055 },
8056 {
8057 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8058 .insns = {
8059 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8060 offsetof(struct xdp_md, data)),
8061 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8062 offsetof(struct xdp_md, data_end)),
8063 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8065 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8067 BPF_MOV64_IMM(BPF_REG_0, 0),
8068 BPF_EXIT_INSN(),
8069 },
8070 .errstr = "R1 offset is outside of the packet",
8071 .result = REJECT,
8072 .prog_type = BPF_PROG_TYPE_XDP,
8073 },
8074 {
8075 "XDP pkt read, pkt_end <= pkt_data', good access",
8076 .insns = {
8077 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8078 offsetof(struct xdp_md, data)),
8079 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8080 offsetof(struct xdp_md, data_end)),
8081 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8083 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8084 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8085 BPF_MOV64_IMM(BPF_REG_0, 0),
8086 BPF_EXIT_INSN(),
8087 },
8088 .result = ACCEPT,
8089 .prog_type = BPF_PROG_TYPE_XDP,
8090 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8091 },
8092 {
8093 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
8094 .insns = {
8095 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8096 offsetof(struct xdp_md, data)),
8097 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8098 offsetof(struct xdp_md, data_end)),
8099 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8101 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8102 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8103 BPF_MOV64_IMM(BPF_REG_0, 0),
8104 BPF_EXIT_INSN(),
8105 },
8106 .errstr = "R1 offset is outside of the packet",
8107 .result = REJECT,
8108 .prog_type = BPF_PROG_TYPE_XDP,
8109 },
8110 {
8111 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
8112 .insns = {
8113 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8114 offsetof(struct xdp_md, data)),
8115 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8116 offsetof(struct xdp_md, data_end)),
8117 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8119 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8120 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8121 BPF_MOV64_IMM(BPF_REG_0, 0),
8122 BPF_EXIT_INSN(),
8123 },
8124 .errstr = "R1 offset is outside of the packet",
8125 .result = REJECT,
8126 .prog_type = BPF_PROG_TYPE_XDP,
8127 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8128 },
634eab11
DB		 8129 {
8130 "XDP pkt read, pkt_meta' > pkt_data, good access",
8131 .insns = {
8132 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8133 offsetof(struct xdp_md, data_meta)),
8134 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8135 offsetof(struct xdp_md, data)),
8136 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8138 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8139 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8140 BPF_MOV64_IMM(BPF_REG_0, 0),
8141 BPF_EXIT_INSN(),
8142 },
8143 .result = ACCEPT,
8144 .prog_type = BPF_PROG_TYPE_XDP,
8145 },
8146 {
8147 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
8148 .insns = {
8149 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8150 offsetof(struct xdp_md, data_meta)),
8151 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8152 offsetof(struct xdp_md, data)),
8153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8155 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8156 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8157 BPF_MOV64_IMM(BPF_REG_0, 0),
8158 BPF_EXIT_INSN(),
8159 },
8160 .errstr = "R1 offset is outside of the packet",
8161 .result = REJECT,
8162 .prog_type = BPF_PROG_TYPE_XDP,
8163 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8164 },
8165 {
8166 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
8167 .insns = {
8168 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8169 offsetof(struct xdp_md, data_meta)),
8170 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8171 offsetof(struct xdp_md, data)),
8172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8174 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8175 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8176 BPF_MOV64_IMM(BPF_REG_0, 0),
8177 BPF_EXIT_INSN(),
8178 },
8179 .errstr = "R1 offset is outside of the packet",
8180 .result = REJECT,
8181 .prog_type = BPF_PROG_TYPE_XDP,
8182 },
8183 {
8184 "XDP pkt read, pkt_data > pkt_meta', good access",
8185 .insns = {
8186 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8187 offsetof(struct xdp_md, data_meta)),
8188 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8189 offsetof(struct xdp_md, data)),
8190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8192 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8193 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8194 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8195 BPF_MOV64_IMM(BPF_REG_0, 0),
8196 BPF_EXIT_INSN(),
8197 },
8198 .result = ACCEPT,
8199 .prog_type = BPF_PROG_TYPE_XDP,
8200 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8201 },
8202 {
8203 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
8204 .insns = {
8205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8206 offsetof(struct xdp_md, data_meta)),
8207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8208 offsetof(struct xdp_md, data)),
8209 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8211 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8212 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8213 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8214 BPF_MOV64_IMM(BPF_REG_0, 0),
8215 BPF_EXIT_INSN(),
8216 },
8217 .errstr = "R1 offset is outside of the packet",
8218 .result = REJECT,
8219 .prog_type = BPF_PROG_TYPE_XDP,
8220 },
8221 {
8222 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
8223 .insns = {
8224 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8225 offsetof(struct xdp_md, data_meta)),
8226 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8227 offsetof(struct xdp_md, data)),
8228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8230 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8231 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8232 BPF_MOV64_IMM(BPF_REG_0, 0),
8233 BPF_EXIT_INSN(),
8234 },
8235 .errstr = "R1 offset is outside of the packet",
8236 .result = REJECT,
8237 .prog_type = BPF_PROG_TYPE_XDP,
8238 },
8239 {
8240 "XDP pkt read, pkt_meta' < pkt_data, good access",
8241 .insns = {
8242 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8243 offsetof(struct xdp_md, data_meta)),
8244 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8245 offsetof(struct xdp_md, data)),
8246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8248 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8249 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8250 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8251 BPF_MOV64_IMM(BPF_REG_0, 0),
8252 BPF_EXIT_INSN(),
8253 },
8254 .result = ACCEPT,
8255 .prog_type = BPF_PROG_TYPE_XDP,
8256 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8257 },
8258 {
8259 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
8260 .insns = {
8261 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8262 offsetof(struct xdp_md, data_meta)),
8263 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8264 offsetof(struct xdp_md, data)),
8265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8267 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8268 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8269 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8270 BPF_MOV64_IMM(BPF_REG_0, 0),
8271 BPF_EXIT_INSN(),
8272 },
8273 .errstr = "R1 offset is outside of the packet",
8274 .result = REJECT,
8275 .prog_type = BPF_PROG_TYPE_XDP,
8276 },
8277 {
8278 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
8279 .insns = {
8280 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8281 offsetof(struct xdp_md, data_meta)),
8282 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8283 offsetof(struct xdp_md, data)),
8284 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8286 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8288 BPF_MOV64_IMM(BPF_REG_0, 0),
8289 BPF_EXIT_INSN(),
8290 },
8291 .errstr = "R1 offset is outside of the packet",
8292 .result = REJECT,
8293 .prog_type = BPF_PROG_TYPE_XDP,
8294 },
8295 {
8296 "XDP pkt read, pkt_data < pkt_meta', good access",
8297 .insns = {
8298 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8299 offsetof(struct xdp_md, data_meta)),
8300 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8301 offsetof(struct xdp_md, data)),
8302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8304 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8305 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8306 BPF_MOV64_IMM(BPF_REG_0, 0),
8307 BPF_EXIT_INSN(),
8308 },
8309 .result = ACCEPT,
8310 .prog_type = BPF_PROG_TYPE_XDP,
8311 },
8312 {
8313 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
8314 .insns = {
8315 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8316 offsetof(struct xdp_md, data_meta)),
8317 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8318 offsetof(struct xdp_md, data)),
8319 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8321 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8322 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8323 BPF_MOV64_IMM(BPF_REG_0, 0),
8324 BPF_EXIT_INSN(),
8325 },
8326 .errstr = "R1 offset is outside of the packet",
8327 .result = REJECT,
8328 .prog_type = BPF_PROG_TYPE_XDP,
8329 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8330 },
8331 {
8332 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
8333 .insns = {
8334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8335 offsetof(struct xdp_md, data_meta)),
8336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8337 offsetof(struct xdp_md, data)),
8338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8340 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8341 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8342 BPF_MOV64_IMM(BPF_REG_0, 0),
8343 BPF_EXIT_INSN(),
8344 },
8345 .errstr = "R1 offset is outside of the packet",
8346 .result = REJECT,
8347 .prog_type = BPF_PROG_TYPE_XDP,
8348 },
8349 {
8350 "XDP pkt read, pkt_meta' >= pkt_data, good access",
8351 .insns = {
8352 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8353 offsetof(struct xdp_md, data_meta)),
8354 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8355 offsetof(struct xdp_md, data)),
8356 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8358 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8359 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8360 BPF_MOV64_IMM(BPF_REG_0, 0),
8361 BPF_EXIT_INSN(),
8362 },
8363 .result = ACCEPT,
8364 .prog_type = BPF_PROG_TYPE_XDP,
8365 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8366 },
8367 {
8368 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
8369 .insns = {
8370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8371 offsetof(struct xdp_md, data_meta)),
8372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8373 offsetof(struct xdp_md, data)),
8374 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8376 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8377 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8378 BPF_MOV64_IMM(BPF_REG_0, 0),
8379 BPF_EXIT_INSN(),
8380 },
8381 .errstr = "R1 offset is outside of the packet",
8382 .result = REJECT,
8383 .prog_type = BPF_PROG_TYPE_XDP,
8384 },
8385 {
8386 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
8387 .insns = {
8388 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8389 offsetof(struct xdp_md, data_meta)),
8390 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8391 offsetof(struct xdp_md, data)),
8392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8394 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8395 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8396 BPF_MOV64_IMM(BPF_REG_0, 0),
8397 BPF_EXIT_INSN(),
8398 },
8399 .errstr = "R1 offset is outside of the packet",
8400 .result = REJECT,
8401 .prog_type = BPF_PROG_TYPE_XDP,
8402 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8403 },
8404 {
8405 "XDP pkt read, pkt_data >= pkt_meta', good access",
8406 .insns = {
8407 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8408 offsetof(struct xdp_md, data_meta)),
8409 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8410 offsetof(struct xdp_md, data)),
8411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8413 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8414 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8415 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8416 BPF_MOV64_IMM(BPF_REG_0, 0),
8417 BPF_EXIT_INSN(),
8418 },
8419 .result = ACCEPT,
8420 .prog_type = BPF_PROG_TYPE_XDP,
8421 },
8422 {
8423 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
8424 .insns = {
8425 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8426 offsetof(struct xdp_md, data_meta)),
8427 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8428 offsetof(struct xdp_md, data)),
8429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8431 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8432 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8433 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8434 BPF_MOV64_IMM(BPF_REG_0, 0),
8435 BPF_EXIT_INSN(),
8436 },
8437 .errstr = "R1 offset is outside of the packet",
8438 .result = REJECT,
8439 .prog_type = BPF_PROG_TYPE_XDP,
8440 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8441 },
8442 {
8443 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
8444 .insns = {
8445 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8446 offsetof(struct xdp_md, data_meta)),
8447 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8448 offsetof(struct xdp_md, data)),
8449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8451 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8452 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8453 BPF_MOV64_IMM(BPF_REG_0, 0),
8454 BPF_EXIT_INSN(),
8455 },
8456 .errstr = "R1 offset is outside of the packet",
8457 .result = REJECT,
8458 .prog_type = BPF_PROG_TYPE_XDP,
8459 },
8460 {
8461 "XDP pkt read, pkt_meta' <= pkt_data, good access",
8462 .insns = {
8463 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8464 offsetof(struct xdp_md, data_meta)),
8465 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8466 offsetof(struct xdp_md, data)),
8467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8469 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8470 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8471 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8472 BPF_MOV64_IMM(BPF_REG_0, 0),
8473 BPF_EXIT_INSN(),
8474 },
8475 .result = ACCEPT,
8476 .prog_type = BPF_PROG_TYPE_XDP,
8477 },
8478 {
8479 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
8480 .insns = {
8481 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8482 offsetof(struct xdp_md, data_meta)),
8483 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8484 offsetof(struct xdp_md, data)),
8485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8487 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8488 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8489 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8490 BPF_MOV64_IMM(BPF_REG_0, 0),
8491 BPF_EXIT_INSN(),
8492 },
8493 .errstr = "R1 offset is outside of the packet",
8494 .result = REJECT,
8495 .prog_type = BPF_PROG_TYPE_XDP,
8496 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8497 },
8498 {
8499 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
8500 .insns = {
8501 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8502 offsetof(struct xdp_md, data_meta)),
8503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8504 offsetof(struct xdp_md, data)),
8505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8507 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8508 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8509 BPF_MOV64_IMM(BPF_REG_0, 0),
8510 BPF_EXIT_INSN(),
8511 },
8512 .errstr = "R1 offset is outside of the packet",
8513 .result = REJECT,
8514 .prog_type = BPF_PROG_TYPE_XDP,
8515 },
8516 {
8517 "XDP pkt read, pkt_data <= pkt_meta', good access",
8518 .insns = {
8519 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8520 offsetof(struct xdp_md, data_meta)),
8521 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8522 offsetof(struct xdp_md, data)),
8523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8525 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8526 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8527 BPF_MOV64_IMM(BPF_REG_0, 0),
8528 BPF_EXIT_INSN(),
8529 },
8530 .result = ACCEPT,
8531 .prog_type = BPF_PROG_TYPE_XDP,
8532 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8533 },
8534 {
8535 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
8536 .insns = {
8537 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8538 offsetof(struct xdp_md, data_meta)),
8539 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8540 offsetof(struct xdp_md, data)),
8541 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8543 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8544 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8545 BPF_MOV64_IMM(BPF_REG_0, 0),
8546 BPF_EXIT_INSN(),
8547 },
8548 .errstr = "R1 offset is outside of the packet",
8549 .result = REJECT,
8550 .prog_type = BPF_PROG_TYPE_XDP,
8551 },
8552 {
8553 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
8554 .insns = {
8555 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8556 offsetof(struct xdp_md, data_meta)),
8557 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8558 offsetof(struct xdp_md, data)),
8559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8561 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8562 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8563 BPF_MOV64_IMM(BPF_REG_0, 0),
8564 BPF_EXIT_INSN(),
8565 },
8566 .errstr = "R1 offset is outside of the packet",
8567 .result = REJECT,
8568 .prog_type = BPF_PROG_TYPE_XDP,
8569 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8570 },
b06723da
DB		 8571 {
8572 "bpf_exit with invalid return code. test1",
8573 .insns = {
8574 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8575 BPF_EXIT_INSN(),
8576 },
8577 .errstr = "R0 has value (0x0; 0xffffffff)",
8578 .result = REJECT,
8579 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8580 },
8581 {
8582 "bpf_exit with invalid return code. test2",
8583 .insns = {
8584 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8585 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
8586 BPF_EXIT_INSN(),
8587 },
8588 .result = ACCEPT,
8589 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8590 },
8591 {
8592 "bpf_exit with invalid return code. test3",
8593 .insns = {
8594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8595 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
8596 BPF_EXIT_INSN(),
8597 },
8598 .errstr = "R0 has value (0x0; 0x3)",
8599 .result = REJECT,
8600 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8601 },
8602 {
8603 "bpf_exit with invalid return code. test4",
8604 .insns = {
8605 BPF_MOV64_IMM(BPF_REG_0, 1),
8606 BPF_EXIT_INSN(),
8607 },
8608 .result = ACCEPT,
8609 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8610 },
8611 {
8612 "bpf_exit with invalid return code. test5",
8613 .insns = {
8614 BPF_MOV64_IMM(BPF_REG_0, 2),
8615 BPF_EXIT_INSN(),
8616 },
8617 .errstr = "R0 has value (0x2; 0x0)",
8618 .result = REJECT,
8619 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8620 },
8621 {
8622 "bpf_exit with invalid return code. test6",
8623 .insns = {
8624 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8625 BPF_EXIT_INSN(),
8626 },
8627 .errstr = "R0 is not a known value (ctx)",
8628 .result = REJECT,
8629 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8630 },
8631 {
8632 "bpf_exit with invalid return code. test7",
8633 .insns = {
8634 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8635 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
8636 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
8637 BPF_EXIT_INSN(),
8638 },
8639 .errstr = "R0 has unknown scalar value",
8640 .result = REJECT,
8641 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8642 },
3c731eba
AS		 8643};
8644
5aa5bd14 8645static int probe_filter_length(const struct bpf_insn *fp)
3c731eba 8646{
5aa5bd14 8647 int len;
3c731eba
AS		 8648
8649 for (len = MAX_INSNS - 1; len > 0; --len)
8650 if (fp[len].code != 0 || fp[len].imm != 0)
8651 break;
3c731eba
AS		 8652 return len + 1;
8653}
8654
5aa5bd14 8655static int create_map(uint32_t size_value, uint32_t max_elem)
3c731eba 8656{
5aa5bd14 8657 int fd;
3c731eba 8658
f4874d01 8659 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
5aa5bd14
DB		 8660 size_value, max_elem, BPF_F_NO_PREALLOC);
8661 if (fd < 0)
8662 printf("Failed to create hash map '%s'!\n", strerror(errno));
bf508877 8663
5aa5bd14 8664 return fd;
bf508877
AS		 8665}
8666
8667static int create_prog_array(void)
8668{
5aa5bd14 8669 int fd;
bf508877 8670
f4874d01 8671 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
5aa5bd14
DB		 8672 sizeof(int), 4, 0);
8673 if (fd < 0)
8674 printf("Failed to create prog array '%s'!\n", strerror(errno));
3c731eba 8675
5aa5bd14 8676 return fd;
3c731eba
AS		 8677}
8678
fb30d4b7
MKL		 8679static int create_map_in_map(void)
8680{
8681 int inner_map_fd, outer_map_fd;
8682
8683 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
8684 sizeof(int), 1, 0);
8685 if (inner_map_fd < 0) {
8686 printf("Failed to create array '%s'!\n", strerror(errno));
8687 return inner_map_fd;
8688 }
8689
88cda1c9 8690 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
fb30d4b7
MKL		 8691 sizeof(int), inner_map_fd, 1, 0);
8692 if (outer_map_fd < 0)
8693 printf("Failed to create array of maps '%s'!\n",
8694 strerror(errno));
8695
8696 close(inner_map_fd);
8697
8698 return outer_map_fd;
8699}
8700
5aa5bd14
DB		 8701static char bpf_vlog[32768];
8702
8703static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
fb30d4b7 8704 int *map_fds)
3c731eba 8705{
5aa5bd14
DB		 8706 int *fixup_map1 = test->fixup_map1;
8707 int *fixup_map2 = test->fixup_map2;
8708 int *fixup_prog = test->fixup_prog;
fb30d4b7 8709 int *fixup_map_in_map = test->fixup_map_in_map;
3c731eba 8710
5aa5bd14
DB		 8711 /* Allocating HTs with 1 elem is fine here, since we only test
8712 * for verifier and not do a runtime lookup, so the only thing
8713 * that really matters is value size in this case.
8714 */
8715 if (*fixup_map1) {
fb30d4b7 8716 map_fds[0] = create_map(sizeof(long long), 1);
5aa5bd14 8717 do {
fb30d4b7 8718 prog[*fixup_map1].imm = map_fds[0];
5aa5bd14
DB		 8719 fixup_map1++;
8720 } while (*fixup_map1);
8721 }
3c731eba 8722
5aa5bd14 8723 if (*fixup_map2) {
fb30d4b7 8724 map_fds[1] = create_map(sizeof(struct test_val), 1);
5aa5bd14 8725 do {
fb30d4b7 8726 prog[*fixup_map2].imm = map_fds[1];
5aa5bd14
DB		 8727 fixup_map2++;
8728 } while (*fixup_map2);
8729 }
3c731eba 8730
5aa5bd14 8731 if (*fixup_prog) {
fb30d4b7 8732 map_fds[2] = create_prog_array();
5aa5bd14 8733 do {
fb30d4b7 8734 prog[*fixup_prog].imm = map_fds[2];
5aa5bd14
DB		 8735 fixup_prog++;
8736 } while (*fixup_prog);
8737 }
fb30d4b7
MKL		 8738
8739 if (*fixup_map_in_map) {
8740 map_fds[3] = create_map_in_map();
8741 do {
8742 prog[*fixup_map_in_map].imm = map_fds[3];
8743 fixup_map_in_map++;
8744 } while (*fixup_map_in_map);
8745 }
5aa5bd14 8746}
bf508877 8747
5aa5bd14
DB		 8748static void do_test_single(struct bpf_test *test, bool unpriv,
8749 int *passes, int *errors)
8750{
02ea80b1 8751 int fd_prog, expected_ret, reject_from_alignment;
5aa5bd14
DB		 8752 struct bpf_insn *prog = test->insns;
8753 int prog_len = probe_filter_length(prog);
8754 int prog_type = test->prog_type;
fb30d4b7 8755 int map_fds[MAX_NR_MAPS];
5aa5bd14 8756 const char *expected_err;
fb30d4b7
MKL		 8757 int i;
8758
8759 for (i = 0; i < MAX_NR_MAPS; i++)
8760 map_fds[i] = -1;
48461135 8761
fb30d4b7 8762 do_test_fixup(test, prog, map_fds);
3c731eba 8763
614d0d77
DB		 8764 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
8765 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
d6554904 8766 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
3c731eba 8767
5aa5bd14
DB		 8768 expected_ret = unpriv && test->result_unpriv != UNDEF ?
8769 test->result_unpriv : test->result;
8770 expected_err = unpriv && test->errstr_unpriv ?
8771 test->errstr_unpriv : test->errstr;
02ea80b1
DB		 8772
8773 reject_from_alignment = fd_prog < 0 &&
8774 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
8775 strstr(bpf_vlog, "Unknown alignment.");
8776#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
8777 if (reject_from_alignment) {
8778 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
8779 strerror(errno));
8780 goto fail_log;
8781 }
8782#endif
5aa5bd14 8783 if (expected_ret == ACCEPT) {
02ea80b1 8784 if (fd_prog < 0 && !reject_from_alignment) {
5aa5bd14
DB		 8785 printf("FAIL\nFailed to load prog '%s'!\n",
8786 strerror(errno));
8787 goto fail_log;
8788 }
8789 } else {
8790 if (fd_prog >= 0) {
8791 printf("FAIL\nUnexpected success to load!\n");
8792 goto fail_log;
8793 }
02ea80b1 8794 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
5aa5bd14
DB		 8795 printf("FAIL\nUnexpected error message!\n");
8796 goto fail_log;
8797 }
8798 }
bf508877 8799
5aa5bd14 8800 (*passes)++;
02ea80b1
DB		 8801 printf("OK%s\n", reject_from_alignment ?
8802 " (NOTE: reject due to unknown alignment)" : "");
5aa5bd14
DB		 8803close_fds:
8804 close(fd_prog);
fb30d4b7
MKL		 8805 for (i = 0; i < MAX_NR_MAPS; i++)
8806 close(map_fds[i]);
5aa5bd14
DB		 8807 sched_yield();
8808 return;
8809fail_log:
8810 (*errors)++;
8811 printf("%s", bpf_vlog);
8812 goto close_fds;
8813}
bf508877 8814
d02d8986
MS		 8815static bool is_admin(void)
8816{
8817 cap_t caps;
8818 cap_flag_value_t sysadmin = CAP_CLEAR;
8819 const cap_value_t cap_val = CAP_SYS_ADMIN;
8820
1da8ac7c 8821#ifdef CAP_IS_SUPPORTED
d02d8986
MS		 8822 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
8823 perror("cap_get_flag");
8824 return false;
8825 }
1da8ac7c 8826#endif
d02d8986
MS		 8827 caps = cap_get_proc();
8828 if (!caps) {
8829 perror("cap_get_proc");
8830 return false;
8831 }
8832 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
8833 perror("cap_get_flag");
8834 if (cap_free(caps))
8835 perror("cap_free");
8836 return (sysadmin == CAP_SET);
8837}
8838
8839static int set_admin(bool admin)
8840{
8841 cap_t caps;
8842 const cap_value_t cap_val = CAP_SYS_ADMIN;
8843 int ret = -1;
8844
8845 caps = cap_get_proc();
8846 if (!caps) {
8847 perror("cap_get_proc");
8848 return -1;
8849 }
8850 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
8851 admin ? CAP_SET : CAP_CLEAR)) {
8852 perror("cap_set_flag");
8853 goto out;
8854 }
8855 if (cap_set_proc(caps)) {
8856 perror("cap_set_proc");
8857 goto out;
8858 }
8859 ret = 0;
8860out:
8861 if (cap_free(caps))
8862 perror("cap_free");
8863 return ret;
8864}
8865
5aa5bd14
DB		 8866static int do_test(bool unpriv, unsigned int from, unsigned int to)
8867{
8868 int i, passes = 0, errors = 0;
3c731eba 8869
5aa5bd14
DB		 8870 for (i = from; i < to; i++) {
8871 struct bpf_test *test = &tests[i];
3c731eba 8872
5aa5bd14
DB		 8873 /* Program types that are not supported by non-root we
8874 * skip right away.
8875 */
d02d8986
MS		 8876 if (!test->prog_type) {
8877 if (!unpriv)
8878 set_admin(false);
8879 printf("#%d/u %s ", i, test->descr);
8880 do_test_single(test, true, &passes, &errors);
8881 if (!unpriv)
8882 set_admin(true);
8883 }
5aa5bd14 8884
d02d8986
MS		 8885 if (!unpriv) {
8886 printf("#%d/p %s ", i, test->descr);
8887 do_test_single(test, false, &passes, &errors);
8888 }
3c731eba
AS		 8889 }
8890
5aa5bd14 8891 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
efe5f9c0 8892 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
3c731eba
AS		 8893}
8894
5aa5bd14 8895int main(int argc, char **argv)
3c731eba 8896{
5aa5bd14
DB		 8897 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
8898 struct rlimit rlim = { 1 << 20, 1 << 20 };
8899 unsigned int from = 0, to = ARRAY_SIZE(tests);
d02d8986 8900 bool unpriv = !is_admin();
5aa5bd14
DB		 8901
8902 if (argc == 3) {
8903 unsigned int l = atoi(argv[argc - 2]);
8904 unsigned int u = atoi(argv[argc - 1]);
8905
8906 if (l < to && u < to) {
8907 from = l;
8908 to = u + 1;
8909 }
8910 } else if (argc == 2) {
8911 unsigned int t = atoi(argv[argc - 1]);
8912
8913 if (t < to) {
8914 from = t;
8915 to = t + 1;
8916 }
8917 }
bf508877 8918
5aa5bd14
DB		 8919 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
8920 return do_test(unpriv, from, to);
3c731eba 8921}
ubuntu-bionic-kernel mirror