]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - tools/testing/selftests/bpf/test_verifier.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
bpf: Fix verifier log string check for bad alignment.
[mirror_ubuntu-bionic-kernel.git] / tools / testing / selftests / bpf / test_verifier.c
CommitLineData
3c731eba
AS		 1/*
2 * Testsuite for eBPF verifier
3 *
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
9 */
5aa5bd14 10
2c460621 11#include <endian.h>
1da8ac7c
AS		 12#include <asm/types.h>
13#include <linux/types.h>
702498a1 14#include <stdint.h>
3c731eba 15#include <stdio.h>
702498a1 16#include <stdlib.h>
3c731eba 17#include <unistd.h>
3c731eba 18#include <errno.h>
3c731eba 19#include <string.h>
614cd3bd 20#include <stddef.h>
bf508877 21#include <stdbool.h>
5aa5bd14 22#include <sched.h>
a3f6c1f4
DB		 23#include <limits.h>
24#include <assert.h>
5aa5bd14 25
d02d8986 26#include <sys/capability.h>
bf508877 27#include <sys/resource.h>
3c731eba 28
5aa5bd14
DB		 29#include <linux/unistd.h>
30#include <linux/filter.h>
31#include <linux/bpf_perf_event.h>
32#include <linux/bpf.h>
33
2ee89fb9
MS		 34#include <bpf/bpf.h>
35
02ea80b1
DB		 36#ifdef HAVE_GENHDR
37# include "autoconf.h"
38#else
39# if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40# define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41# endif
42#endif
43
5aa5bd14
DB		 44#include "../../../include/linux/filter.h"
45
5aa5bd14
DB		 46#ifndef ARRAY_SIZE
47# define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
48#endif
3c731eba 49
5aa5bd14
DB		 50#define MAX_INSNS 512
51#define MAX_FIXUPS 8
fb30d4b7 52#define MAX_NR_MAPS 4
bf508877 53
02ea80b1 54#define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
614d0d77 55#define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
02ea80b1 56
3c731eba
AS		 57struct bpf_test {
58 const char *descr;
59 struct bpf_insn insns[MAX_INSNS];
5aa5bd14
DB		 60 int fixup_map1[MAX_FIXUPS];
61 int fixup_map2[MAX_FIXUPS];
62 int fixup_prog[MAX_FIXUPS];
fb30d4b7 63 int fixup_map_in_map[MAX_FIXUPS];
3c731eba 64 const char *errstr;
bf508877 65 const char *errstr_unpriv;
3c731eba 66 enum {
bf508877 67 UNDEF,
3c731eba
AS		 68 ACCEPT,
69 REJECT
bf508877 70 } result, result_unpriv;
d691f9e8 71 enum bpf_prog_type prog_type;
02ea80b1 72 uint8_t flags;
3c731eba
AS		 73};
74
48461135
JB		 75/* Note we want this to be 64 bit aligned so that the end of our array is
76 * actually the end of the structure.
77 */
78#define MAX_ENTRIES 11
5aa5bd14 79
48461135 80struct test_val {
5aa5bd14 81 unsigned int index;
48461135
JB		 82 int foo[MAX_ENTRIES];
83};
84
3c731eba
AS		 85static struct bpf_test tests[] = {
86 {
87 "add+sub+mul",
88 .insns = {
89 BPF_MOV64_IMM(BPF_REG_1, 1),
90 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
91 BPF_MOV64_IMM(BPF_REG_2, 3),
92 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
93 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
94 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
95 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
96 BPF_EXIT_INSN(),
97 },
98 .result = ACCEPT,
99 },
100 {
101 "unreachable",
102 .insns = {
103 BPF_EXIT_INSN(),
104 BPF_EXIT_INSN(),
105 },
106 .errstr = "unreachable",
107 .result = REJECT,
108 },
109 {
110 "unreachable2",
111 .insns = {
112 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
113 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
114 BPF_EXIT_INSN(),
115 },
116 .errstr = "unreachable",
117 .result = REJECT,
118 },
119 {
120 "out of range jump",
121 .insns = {
122 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
123 BPF_EXIT_INSN(),
124 },
125 .errstr = "jump out of range",
126 .result = REJECT,
127 },
128 {
129 "out of range jump2",
130 .insns = {
131 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
132 BPF_EXIT_INSN(),
133 },
134 .errstr = "jump out of range",
135 .result = REJECT,
136 },
137 {
138 "test1 ld_imm64",
139 .insns = {
140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
141 BPF_LD_IMM64(BPF_REG_0, 0),
142 BPF_LD_IMM64(BPF_REG_0, 0),
143 BPF_LD_IMM64(BPF_REG_0, 1),
144 BPF_LD_IMM64(BPF_REG_0, 1),
145 BPF_MOV64_IMM(BPF_REG_0, 2),
146 BPF_EXIT_INSN(),
147 },
148 .errstr = "invalid BPF_LD_IMM insn",
bf508877 149 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 150 .result = REJECT,
151 },
152 {
153 "test2 ld_imm64",
154 .insns = {
155 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
156 BPF_LD_IMM64(BPF_REG_0, 0),
157 BPF_LD_IMM64(BPF_REG_0, 0),
158 BPF_LD_IMM64(BPF_REG_0, 1),
159 BPF_LD_IMM64(BPF_REG_0, 1),
160 BPF_EXIT_INSN(),
161 },
162 .errstr = "invalid BPF_LD_IMM insn",
bf508877 163 .errstr_unpriv = "R1 pointer comparison",
3c731eba
AS		 164 .result = REJECT,
165 },
166 {
167 "test3 ld_imm64",
168 .insns = {
169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
170 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
171 BPF_LD_IMM64(BPF_REG_0, 0),
172 BPF_LD_IMM64(BPF_REG_0, 0),
173 BPF_LD_IMM64(BPF_REG_0, 1),
174 BPF_LD_IMM64(BPF_REG_0, 1),
175 BPF_EXIT_INSN(),
176 },
177 .errstr = "invalid bpf_ld_imm64 insn",
178 .result = REJECT,
179 },
180 {
181 "test4 ld_imm64",
182 .insns = {
183 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
184 BPF_EXIT_INSN(),
185 },
186 .errstr = "invalid bpf_ld_imm64 insn",
187 .result = REJECT,
188 },
189 {
190 "test5 ld_imm64",
191 .insns = {
192 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
193 },
194 .errstr = "invalid bpf_ld_imm64 insn",
195 .result = REJECT,
196 },
728a853a
DB		 197 {
198 "test6 ld_imm64",
199 .insns = {
200 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
201 BPF_RAW_INSN(0, 0, 0, 0, 0),
202 BPF_EXIT_INSN(),
203 },
204 .result = ACCEPT,
205 },
206 {
207 "test7 ld_imm64",
208 .insns = {
209 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
210 BPF_RAW_INSN(0, 0, 0, 0, 1),
211 BPF_EXIT_INSN(),
212 },
213 .result = ACCEPT,
214 },
215 {
216 "test8 ld_imm64",
217 .insns = {
218 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
219 BPF_RAW_INSN(0, 0, 0, 0, 1),
220 BPF_EXIT_INSN(),
221 },
222 .errstr = "uses reserved fields",
223 .result = REJECT,
224 },
225 {
226 "test9 ld_imm64",
227 .insns = {
228 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
229 BPF_RAW_INSN(0, 0, 0, 1, 1),
230 BPF_EXIT_INSN(),
231 },
232 .errstr = "invalid bpf_ld_imm64 insn",
233 .result = REJECT,
234 },
235 {
236 "test10 ld_imm64",
237 .insns = {
238 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
239 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
240 BPF_EXIT_INSN(),
241 },
242 .errstr = "invalid bpf_ld_imm64 insn",
243 .result = REJECT,
244 },
245 {
246 "test11 ld_imm64",
247 .insns = {
248 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
249 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
250 BPF_EXIT_INSN(),
251 },
252 .errstr = "invalid bpf_ld_imm64 insn",
253 .result = REJECT,
254 },
255 {
256 "test12 ld_imm64",
257 .insns = {
258 BPF_MOV64_IMM(BPF_REG_1, 0),
259 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
260 BPF_RAW_INSN(0, 0, 0, 0, 1),
261 BPF_EXIT_INSN(),
262 },
263 .errstr = "not pointing to valid bpf_map",
264 .result = REJECT,
265 },
266 {
267 "test13 ld_imm64",
268 .insns = {
269 BPF_MOV64_IMM(BPF_REG_1, 0),
270 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
271 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
272 BPF_EXIT_INSN(),
273 },
274 .errstr = "invalid bpf_ld_imm64 insn",
275 .result = REJECT,
276 },
7891a87e
DB		 277 {
278 "arsh32 on imm",
279 .insns = {
280 BPF_MOV64_IMM(BPF_REG_0, 1),
281 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
282 BPF_EXIT_INSN(),
283 },
284 .result = REJECT,
285 .errstr = "BPF_ARSH not supported for 32 bit ALU",
286 },
287 {
288 "arsh32 on reg",
289 .insns = {
290 BPF_MOV64_IMM(BPF_REG_0, 1),
291 BPF_MOV64_IMM(BPF_REG_1, 5),
292 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
293 BPF_EXIT_INSN(),
294 },
295 .result = REJECT,
296 .errstr = "BPF_ARSH not supported for 32 bit ALU",
297 },
298 {
299 "arsh64 on imm",
300 .insns = {
301 BPF_MOV64_IMM(BPF_REG_0, 1),
302 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
303 BPF_EXIT_INSN(),
304 },
305 .result = ACCEPT,
306 },
307 {
308 "arsh64 on reg",
309 .insns = {
310 BPF_MOV64_IMM(BPF_REG_0, 1),
311 BPF_MOV64_IMM(BPF_REG_1, 5),
312 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
313 BPF_EXIT_INSN(),
314 },
315 .result = ACCEPT,
316 },
3c731eba
AS		 317 {
318 "no bpf_exit",
319 .insns = {
320 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
321 },
322 .errstr = "jump out of range",
323 .result = REJECT,
324 },
325 {
326 "loop (back-edge)",
327 .insns = {
328 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
329 BPF_EXIT_INSN(),
330 },
331 .errstr = "back-edge",
332 .result = REJECT,
333 },
334 {
335 "loop2 (back-edge)",
336 .insns = {
337 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
338 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
339 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
340 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
341 BPF_EXIT_INSN(),
342 },
343 .errstr = "back-edge",
344 .result = REJECT,
345 },
346 {
347 "conditional loop",
348 .insns = {
349 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
350 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
351 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
353 BPF_EXIT_INSN(),
354 },
355 .errstr = "back-edge",
356 .result = REJECT,
357 },
358 {
359 "read uninitialized register",
360 .insns = {
361 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
362 BPF_EXIT_INSN(),
363 },
364 .errstr = "R2 !read_ok",
365 .result = REJECT,
366 },
367 {
368 "read invalid register",
369 .insns = {
370 BPF_MOV64_REG(BPF_REG_0, -1),
371 BPF_EXIT_INSN(),
372 },
373 .errstr = "R15 is invalid",
374 .result = REJECT,
375 },
376 {
377 "program doesn't init R0 before exit",
378 .insns = {
379 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
380 BPF_EXIT_INSN(),
381 },
382 .errstr = "R0 !read_ok",
383 .result = REJECT,
384 },
32bf08a6
AS		 385 {
386 "program doesn't init R0 before exit in all branches",
387 .insns = {
388 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
389 BPF_MOV64_IMM(BPF_REG_0, 1),
390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
391 BPF_EXIT_INSN(),
392 },
393 .errstr = "R0 !read_ok",
bf508877 394 .errstr_unpriv = "R1 pointer comparison",
32bf08a6
AS		 395 .result = REJECT,
396 },
3c731eba
AS		 397 {
398 "stack out of bounds",
399 .insns = {
400 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
401 BPF_EXIT_INSN(),
402 },
403 .errstr = "invalid stack",
404 .result = REJECT,
405 },
406 {
407 "invalid call insn1",
408 .insns = {
409 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
410 BPF_EXIT_INSN(),
411 },
412 .errstr = "BPF_CALL uses reserved",
413 .result = REJECT,
414 },
415 {
416 "invalid call insn2",
417 .insns = {
418 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
419 BPF_EXIT_INSN(),
420 },
421 .errstr = "BPF_CALL uses reserved",
422 .result = REJECT,
423 },
424 {
425 "invalid function call",
426 .insns = {
427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
428 BPF_EXIT_INSN(),
429 },
e00c7b21 430 .errstr = "invalid func unknown#1234567",
3c731eba
AS		 431 .result = REJECT,
432 },
433 {
434 "uninitialized stack1",
435 .insns = {
436 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
438 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 439 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
440 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 441 BPF_EXIT_INSN(),
442 },
5aa5bd14 443 .fixup_map1 = { 2 },
3c731eba
AS		 444 .errstr = "invalid indirect read from stack",
445 .result = REJECT,
446 },
447 {
448 "uninitialized stack2",
449 .insns = {
450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
451 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
452 BPF_EXIT_INSN(),
453 },
454 .errstr = "invalid read from stack",
455 .result = REJECT,
456 },
728a853a
DB		 457 {
458 "invalid fp arithmetic",
459 /* If this gets ever changed, make sure JITs can deal with it. */
460 .insns = {
461 BPF_MOV64_IMM(BPF_REG_0, 0),
462 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
463 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
464 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
465 BPF_EXIT_INSN(),
466 },
82abbf8d 467 .errstr = "R1 subtraction from stack pointer",
728a853a
DB		 468 .result = REJECT,
469 },
470 {
471 "non-invalid fp arithmetic",
472 .insns = {
473 BPF_MOV64_IMM(BPF_REG_0, 0),
474 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
475 BPF_EXIT_INSN(),
476 },
477 .result = ACCEPT,
478 },
7d95b0ab
DB		 479 {
480 "invalid argument register",
481 .insns = {
5aa5bd14
DB		 482 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
483 BPF_FUNC_get_cgroup_classid),
484 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
485 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 486 BPF_EXIT_INSN(),
487 },
488 .errstr = "R1 !read_ok",
489 .result = REJECT,
490 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
491 },
492 {
493 "non-invalid argument register",
494 .insns = {
495 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
5aa5bd14
DB		 496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
497 BPF_FUNC_get_cgroup_classid),
7d95b0ab 498 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
5aa5bd14
DB		 499 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
500 BPF_FUNC_get_cgroup_classid),
7d95b0ab
DB		 501 BPF_EXIT_INSN(),
502 },
503 .result = ACCEPT,
504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
505 },
3c731eba
AS		 506 {
507 "check valid spill/fill",
508 .insns = {
509 /* spill R1(ctx) into stack */
510 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 511 /* fill it back into R2 */
512 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3c731eba 513 /* should be able to access R0 = *(R2 + 8) */
f91fe17e
DB		 514 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
515 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3c731eba
AS		 516 BPF_EXIT_INSN(),
517 },
bf508877 518 .errstr_unpriv = "R0 leaks addr",
3c731eba 519 .result = ACCEPT,
bf508877 520 .result_unpriv = REJECT,
3c731eba 521 },
3f2050e2
DB		 522 {
523 "check valid spill/fill, skb mark",
524 .insns = {
525 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
526 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
527 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
528 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
529 offsetof(struct __sk_buff, mark)),
530 BPF_EXIT_INSN(),
531 },
532 .result = ACCEPT,
533 .result_unpriv = ACCEPT,
534 },
3c731eba
AS		 535 {
536 "check corrupted spill/fill",
537 .insns = {
538 /* spill R1(ctx) into stack */
539 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3c731eba
AS		 540 /* mess up with R1 pointer on stack */
541 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
3c731eba
AS		 542 /* fill back into R0 should fail */
543 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3c731eba
AS		 544 BPF_EXIT_INSN(),
545 },
bf508877 546 .errstr_unpriv = "attempt to corrupt spilled",
3c731eba
AS		 547 .errstr = "corrupted spill",
548 .result = REJECT,
549 },
550 {
551 "invalid src register in STX",
552 .insns = {
553 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
554 BPF_EXIT_INSN(),
555 },
556 .errstr = "R15 is invalid",
557 .result = REJECT,
558 },
559 {
560 "invalid dst register in STX",
561 .insns = {
562 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
563 BPF_EXIT_INSN(),
564 },
565 .errstr = "R14 is invalid",
566 .result = REJECT,
567 },
568 {
569 "invalid dst register in ST",
570 .insns = {
571 BPF_ST_MEM(BPF_B, 14, -1, -1),
572 BPF_EXIT_INSN(),
573 },
574 .errstr = "R14 is invalid",
575 .result = REJECT,
576 },
577 {
578 "invalid src register in LDX",
579 .insns = {
580 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
581 BPF_EXIT_INSN(),
582 },
583 .errstr = "R12 is invalid",
584 .result = REJECT,
585 },
586 {
587 "invalid dst register in LDX",
588 .insns = {
589 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
590 BPF_EXIT_INSN(),
591 },
592 .errstr = "R11 is invalid",
593 .result = REJECT,
594 },
595 {
596 "junk insn",
597 .insns = {
598 BPF_RAW_INSN(0, 0, 0, 0, 0),
599 BPF_EXIT_INSN(),
600 },
601 .errstr = "invalid BPF_LD_IMM",
602 .result = REJECT,
603 },
604 {
605 "junk insn2",
606 .insns = {
607 BPF_RAW_INSN(1, 0, 0, 0, 0),
608 BPF_EXIT_INSN(),
609 },
610 .errstr = "BPF_LDX uses reserved fields",
611 .result = REJECT,
612 },
613 {
614 "junk insn3",
615 .insns = {
616 BPF_RAW_INSN(-1, 0, 0, 0, 0),
617 BPF_EXIT_INSN(),
618 },
619 .errstr = "invalid BPF_ALU opcode f0",
620 .result = REJECT,
621 },
622 {
623 "junk insn4",
624 .insns = {
625 BPF_RAW_INSN(-1, -1, -1, -1, -1),
626 BPF_EXIT_INSN(),
627 },
628 .errstr = "invalid BPF_ALU opcode f0",
629 .result = REJECT,
630 },
631 {
632 "junk insn5",
633 .insns = {
634 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
635 BPF_EXIT_INSN(),
636 },
637 .errstr = "BPF_ALU uses reserved fields",
638 .result = REJECT,
639 },
640 {
641 "misaligned read from stack",
642 .insns = {
643 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
644 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
645 BPF_EXIT_INSN(),
646 },
f65b1849 647 .errstr = "misaligned stack access",
3c731eba
AS		 648 .result = REJECT,
649 },
650 {
651 "invalid map_fd for function call",
652 .insns = {
653 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
654 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
656 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 657 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
658 BPF_FUNC_map_delete_elem),
3c731eba
AS		 659 BPF_EXIT_INSN(),
660 },
661 .errstr = "fd 0 is not pointing to valid bpf_map",
662 .result = REJECT,
663 },
664 {
665 "don't check return value before access",
666 .insns = {
667 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
668 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
670 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
672 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 673 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
674 BPF_EXIT_INSN(),
675 },
5aa5bd14 676 .fixup_map1 = { 3 },
3c731eba
AS		 677 .errstr = "R0 invalid mem access 'map_value_or_null'",
678 .result = REJECT,
679 },
680 {
681 "access memory with incorrect alignment",
682 .insns = {
683 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
684 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
686 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
688 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
690 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
691 BPF_EXIT_INSN(),
692 },
5aa5bd14 693 .fixup_map1 = { 3 },
f65b1849 694 .errstr = "misaligned value access",
3c731eba 695 .result = REJECT,
f65b1849 696 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3c731eba
AS		 697 },
698 {
699 "sometimes access memory with incorrect alignment",
700 .insns = {
701 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
702 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
704 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 705 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
706 BPF_FUNC_map_lookup_elem),
3c731eba
AS		 707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
708 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
709 BPF_EXIT_INSN(),
710 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
711 BPF_EXIT_INSN(),
712 },
5aa5bd14 713 .fixup_map1 = { 3 },
3c731eba 714 .errstr = "R0 invalid mem access",
bf508877 715 .errstr_unpriv = "R0 leaks addr",
3c731eba 716 .result = REJECT,
f65b1849 717 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3c731eba 718 },
fd10c2ef
AS		 719 {
720 "jump test 1",
721 .insns = {
722 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
723 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
725 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
726 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
727 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
729 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
730 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
731 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
733 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
735 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
736 BPF_MOV64_IMM(BPF_REG_0, 0),
737 BPF_EXIT_INSN(),
738 },
bf508877
AS		 739 .errstr_unpriv = "R1 pointer comparison",
740 .result_unpriv = REJECT,
fd10c2ef
AS		 741 .result = ACCEPT,
742 },
743 {
744 "jump test 2",
745 .insns = {
746 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
747 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
748 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
749 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
750 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
751 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
752 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
754 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
755 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
757 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
758 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
760 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
761 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
762 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
763 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
764 BPF_MOV64_IMM(BPF_REG_0, 0),
765 BPF_EXIT_INSN(),
766 },
bf508877
AS		 767 .errstr_unpriv = "R1 pointer comparison",
768 .result_unpriv = REJECT,
fd10c2ef
AS		 769 .result = ACCEPT,
770 },
771 {
772 "jump test 3",
773 .insns = {
774 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
776 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
778 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
780 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
782 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
784 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
785 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
786 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
788 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
790 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
792 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
794 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
796 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
798 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 799 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
800 BPF_FUNC_map_delete_elem),
fd10c2ef
AS		 801 BPF_EXIT_INSN(),
802 },
5aa5bd14 803 .fixup_map1 = { 24 },
bf508877
AS		 804 .errstr_unpriv = "R1 pointer comparison",
805 .result_unpriv = REJECT,
fd10c2ef
AS		 806 .result = ACCEPT,
807 },
808 {
809 "jump test 4",
810 .insns = {
811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
812 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
813 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
818 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
820 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
825 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
826 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
831 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
832 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
833 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
834 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
837 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
838 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
839 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
842 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
845 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
847 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
850 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
851 BPF_MOV64_IMM(BPF_REG_0, 0),
852 BPF_EXIT_INSN(),
853 },
bf508877
AS		 854 .errstr_unpriv = "R1 pointer comparison",
855 .result_unpriv = REJECT,
fd10c2ef
AS		 856 .result = ACCEPT,
857 },
342ded40
AS		 858 {
859 "jump test 5",
860 .insns = {
861 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
862 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
863 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
864 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
865 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
866 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
867 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
868 BPF_MOV64_IMM(BPF_REG_0, 0),
869 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
870 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
871 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
872 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
873 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
874 BPF_MOV64_IMM(BPF_REG_0, 0),
875 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
876 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
877 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
878 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
879 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
880 BPF_MOV64_IMM(BPF_REG_0, 0),
881 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
882 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
883 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
884 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
885 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
886 BPF_MOV64_IMM(BPF_REG_0, 0),
887 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
888 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
889 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
890 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
891 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
892 BPF_MOV64_IMM(BPF_REG_0, 0),
893 BPF_EXIT_INSN(),
894 },
bf508877
AS		 895 .errstr_unpriv = "R1 pointer comparison",
896 .result_unpriv = REJECT,
342ded40
AS		 897 .result = ACCEPT,
898 },
614cd3bd
AS		 899 {
900 "access skb fields ok",
901 .insns = {
902 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
903 offsetof(struct __sk_buff, len)),
904 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
905 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
906 offsetof(struct __sk_buff, mark)),
907 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
908 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
909 offsetof(struct __sk_buff, pkt_type)),
910 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
911 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
912 offsetof(struct __sk_buff, queue_mapping)),
913 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
c2497395
AS		 914 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
915 offsetof(struct __sk_buff, protocol)),
916 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
917 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
918 offsetof(struct __sk_buff, vlan_present)),
919 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
920 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
921 offsetof(struct __sk_buff, vlan_tci)),
922 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
b1d9fc41
DB		 923 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
924 offsetof(struct __sk_buff, napi_id)),
925 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
614cd3bd
AS		 926 BPF_EXIT_INSN(),
927 },
928 .result = ACCEPT,
929 },
930 {
931 "access skb fields bad1",
932 .insns = {
933 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
934 BPF_EXIT_INSN(),
935 },
936 .errstr = "invalid bpf_context access",
937 .result = REJECT,
938 },
939 {
940 "access skb fields bad2",
941 .insns = {
942 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
943 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
946 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
948 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 949 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
950 BPF_EXIT_INSN(),
951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
952 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
953 offsetof(struct __sk_buff, pkt_type)),
954 BPF_EXIT_INSN(),
955 },
5aa5bd14 956 .fixup_map1 = { 4 },
614cd3bd 957 .errstr = "different pointers",
bf508877 958 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 959 .result = REJECT,
960 },
961 {
962 "access skb fields bad3",
963 .insns = {
964 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
965 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
966 offsetof(struct __sk_buff, pkt_type)),
967 BPF_EXIT_INSN(),
968 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
971 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
973 BPF_FUNC_map_lookup_elem),
614cd3bd
AS		 974 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
975 BPF_EXIT_INSN(),
976 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
977 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
978 },
5aa5bd14 979 .fixup_map1 = { 6 },
614cd3bd 980 .errstr = "different pointers",
bf508877 981 .errstr_unpriv = "R1 pointer comparison",
614cd3bd
AS		 982 .result = REJECT,
983 },
725f9dcd
AS		 984 {
985 "access skb fields bad4",
986 .insns = {
987 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
988 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
989 offsetof(struct __sk_buff, len)),
990 BPF_MOV64_IMM(BPF_REG_0, 0),
991 BPF_EXIT_INSN(),
992 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
993 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
995 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 996 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
997 BPF_FUNC_map_lookup_elem),
725f9dcd
AS		 998 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
999 BPF_EXIT_INSN(),
1000 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1001 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1002 },
5aa5bd14 1003 .fixup_map1 = { 7 },
725f9dcd 1004 .errstr = "different pointers",
bf508877 1005 .errstr_unpriv = "R1 pointer comparison",
725f9dcd
AS		 1006 .result = REJECT,
1007 },
41bc94f5
JF		 1008 {
1009 "invalid access __sk_buff family",
1010 .insns = {
1011 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1012 offsetof(struct __sk_buff, family)),
1013 BPF_EXIT_INSN(),
1014 },
1015 .errstr = "invalid bpf_context access",
1016 .result = REJECT,
1017 },
1018 {
1019 "invalid access __sk_buff remote_ip4",
1020 .insns = {
1021 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1022 offsetof(struct __sk_buff, remote_ip4)),
1023 BPF_EXIT_INSN(),
1024 },
1025 .errstr = "invalid bpf_context access",
1026 .result = REJECT,
1027 },
1028 {
1029 "invalid access __sk_buff local_ip4",
1030 .insns = {
1031 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1032 offsetof(struct __sk_buff, local_ip4)),
1033 BPF_EXIT_INSN(),
1034 },
1035 .errstr = "invalid bpf_context access",
1036 .result = REJECT,
1037 },
1038 {
1039 "invalid access __sk_buff remote_ip6",
1040 .insns = {
1041 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1042 offsetof(struct __sk_buff, remote_ip6)),
1043 BPF_EXIT_INSN(),
1044 },
1045 .errstr = "invalid bpf_context access",
1046 .result = REJECT,
1047 },
1048 {
1049 "invalid access __sk_buff local_ip6",
1050 .insns = {
1051 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1052 offsetof(struct __sk_buff, local_ip6)),
1053 BPF_EXIT_INSN(),
1054 },
1055 .errstr = "invalid bpf_context access",
1056 .result = REJECT,
1057 },
1058 {
1059 "invalid access __sk_buff remote_port",
1060 .insns = {
1061 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1062 offsetof(struct __sk_buff, remote_port)),
1063 BPF_EXIT_INSN(),
1064 },
1065 .errstr = "invalid bpf_context access",
1066 .result = REJECT,
1067 },
1068 {
1069 "invalid access __sk_buff remote_port",
1070 .insns = {
1071 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1072 offsetof(struct __sk_buff, local_port)),
1073 BPF_EXIT_INSN(),
1074 },
1075 .errstr = "invalid bpf_context access",
1076 .result = REJECT,
1077 },
1078 {
1079 "valid access __sk_buff family",
1080 .insns = {
1081 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1082 offsetof(struct __sk_buff, family)),
1083 BPF_EXIT_INSN(),
1084 },
1085 .result = ACCEPT,
1086 .prog_type = BPF_PROG_TYPE_SK_SKB,
1087 },
1088 {
1089 "valid access __sk_buff remote_ip4",
1090 .insns = {
1091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1092 offsetof(struct __sk_buff, remote_ip4)),
1093 BPF_EXIT_INSN(),
1094 },
1095 .result = ACCEPT,
1096 .prog_type = BPF_PROG_TYPE_SK_SKB,
1097 },
1098 {
1099 "valid access __sk_buff local_ip4",
1100 .insns = {
1101 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1102 offsetof(struct __sk_buff, local_ip4)),
1103 BPF_EXIT_INSN(),
1104 },
1105 .result = ACCEPT,
1106 .prog_type = BPF_PROG_TYPE_SK_SKB,
1107 },
1108 {
1109 "valid access __sk_buff remote_ip6",
1110 .insns = {
1111 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1112 offsetof(struct __sk_buff, remote_ip6[0])),
1113 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1114 offsetof(struct __sk_buff, remote_ip6[1])),
1115 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1116 offsetof(struct __sk_buff, remote_ip6[2])),
1117 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1118 offsetof(struct __sk_buff, remote_ip6[3])),
1119 BPF_EXIT_INSN(),
1120 },
1121 .result = ACCEPT,
1122 .prog_type = BPF_PROG_TYPE_SK_SKB,
1123 },
1124 {
1125 "valid access __sk_buff local_ip6",
1126 .insns = {
1127 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1128 offsetof(struct __sk_buff, local_ip6[0])),
1129 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1130 offsetof(struct __sk_buff, local_ip6[1])),
1131 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1132 offsetof(struct __sk_buff, local_ip6[2])),
1133 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1134 offsetof(struct __sk_buff, local_ip6[3])),
1135 BPF_EXIT_INSN(),
1136 },
1137 .result = ACCEPT,
1138 .prog_type = BPF_PROG_TYPE_SK_SKB,
1139 },
1140 {
1141 "valid access __sk_buff remote_port",
1142 .insns = {
1143 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1144 offsetof(struct __sk_buff, remote_port)),
1145 BPF_EXIT_INSN(),
1146 },
1147 .result = ACCEPT,
1148 .prog_type = BPF_PROG_TYPE_SK_SKB,
1149 },
1150 {
1151 "valid access __sk_buff remote_port",
1152 .insns = {
1153 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1154 offsetof(struct __sk_buff, local_port)),
1155 BPF_EXIT_INSN(),
1156 },
1157 .result = ACCEPT,
1158 .prog_type = BPF_PROG_TYPE_SK_SKB,
1159 },
ed85054d
JF		 1160 {
1161 "invalid access of tc_classid for SK_SKB",
1162 .insns = {
1163 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1164 offsetof(struct __sk_buff, tc_classid)),
1165 BPF_EXIT_INSN(),
1166 },
1167 .result = REJECT,
1168 .prog_type = BPF_PROG_TYPE_SK_SKB,
1169 .errstr = "invalid bpf_context access",
1170 },
1171 {
f7e9cb1e
JF		 1172 "invalid access of skb->mark for SK_SKB",
1173 .insns = {
1174 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1175 offsetof(struct __sk_buff, mark)),
1176 BPF_EXIT_INSN(),
1177 },
1178 .result = REJECT,
1179 .prog_type = BPF_PROG_TYPE_SK_SKB,
1180 .errstr = "invalid bpf_context access",
1181 },
1182 {
1183 "check skb->mark is not writeable by SK_SKB",
ed85054d
JF		 1184 .insns = {
1185 BPF_MOV64_IMM(BPF_REG_0, 0),
1186 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1187 offsetof(struct __sk_buff, mark)),
1188 BPF_EXIT_INSN(),
1189 },
f7e9cb1e 1190 .result = REJECT,
ed85054d 1191 .prog_type = BPF_PROG_TYPE_SK_SKB,
f7e9cb1e 1192 .errstr = "invalid bpf_context access",
ed85054d
JF		 1193 },
1194 {
1195 "check skb->tc_index is writeable by SK_SKB",
1196 .insns = {
1197 BPF_MOV64_IMM(BPF_REG_0, 0),
1198 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1199 offsetof(struct __sk_buff, tc_index)),
1200 BPF_EXIT_INSN(),
1201 },
1202 .result = ACCEPT,
1203 .prog_type = BPF_PROG_TYPE_SK_SKB,
1204 },
1205 {
1206 "check skb->priority is writeable by SK_SKB",
1207 .insns = {
1208 BPF_MOV64_IMM(BPF_REG_0, 0),
1209 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1210 offsetof(struct __sk_buff, priority)),
1211 BPF_EXIT_INSN(),
1212 },
1213 .result = ACCEPT,
1214 .prog_type = BPF_PROG_TYPE_SK_SKB,
1215 },
1216 {
1217 "direct packet read for SK_SKB",
1218 .insns = {
1219 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1220 offsetof(struct __sk_buff, data)),
1221 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1222 offsetof(struct __sk_buff, data_end)),
1223 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1225 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1226 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1227 BPF_MOV64_IMM(BPF_REG_0, 0),
1228 BPF_EXIT_INSN(),
1229 },
1230 .result = ACCEPT,
1231 .prog_type = BPF_PROG_TYPE_SK_SKB,
1232 },
1233 {
1234 "direct packet write for SK_SKB",
1235 .insns = {
1236 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1237 offsetof(struct __sk_buff, data)),
1238 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1239 offsetof(struct __sk_buff, data_end)),
1240 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1242 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1243 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1244 BPF_MOV64_IMM(BPF_REG_0, 0),
1245 BPF_EXIT_INSN(),
1246 },
1247 .result = ACCEPT,
1248 .prog_type = BPF_PROG_TYPE_SK_SKB,
1249 },
1250 {
1251 "overlapping checks for direct packet access SK_SKB",
1252 .insns = {
1253 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1254 offsetof(struct __sk_buff, data)),
1255 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1256 offsetof(struct __sk_buff, data_end)),
1257 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1259 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1260 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1262 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1263 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1264 BPF_MOV64_IMM(BPF_REG_0, 0),
1265 BPF_EXIT_INSN(),
1266 },
1267 .result = ACCEPT,
1268 .prog_type = BPF_PROG_TYPE_SK_SKB,
1269 },
d691f9e8
AS		 1270 {
1271 "check skb->mark is not writeable by sockets",
1272 .insns = {
1273 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1274 offsetof(struct __sk_buff, mark)),
1275 BPF_EXIT_INSN(),
1276 },
1277 .errstr = "invalid bpf_context access",
bf508877 1278 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 1279 .result = REJECT,
1280 },
1281 {
1282 "check skb->tc_index is not writeable by sockets",
1283 .insns = {
1284 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1285 offsetof(struct __sk_buff, tc_index)),
1286 BPF_EXIT_INSN(),
1287 },
1288 .errstr = "invalid bpf_context access",
bf508877 1289 .errstr_unpriv = "R1 leaks addr",
d691f9e8
AS		 1290 .result = REJECT,
1291 },
1292 {
62c7989b 1293 "check cb access: byte",
d691f9e8 1294 .insns = {
62c7989b
DB		 1295 BPF_MOV64_IMM(BPF_REG_0, 0),
1296 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1297 offsetof(struct __sk_buff, cb[0])),
1298 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1299 offsetof(struct __sk_buff, cb[0]) + 1),
1300 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1301 offsetof(struct __sk_buff, cb[0]) + 2),
1302 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1303 offsetof(struct __sk_buff, cb[0]) + 3),
1304 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1305 offsetof(struct __sk_buff, cb[1])),
1306 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1307 offsetof(struct __sk_buff, cb[1]) + 1),
1308 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1309 offsetof(struct __sk_buff, cb[1]) + 2),
1310 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1311 offsetof(struct __sk_buff, cb[1]) + 3),
1312 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1313 offsetof(struct __sk_buff, cb[2])),
1314 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1315 offsetof(struct __sk_buff, cb[2]) + 1),
1316 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1317 offsetof(struct __sk_buff, cb[2]) + 2),
1318 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1319 offsetof(struct __sk_buff, cb[2]) + 3),
1320 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1321 offsetof(struct __sk_buff, cb[3])),
1322 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1323 offsetof(struct __sk_buff, cb[3]) + 1),
1324 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1325 offsetof(struct __sk_buff, cb[3]) + 2),
1326 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1327 offsetof(struct __sk_buff, cb[3]) + 3),
1328 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1329 offsetof(struct __sk_buff, cb[4])),
1330 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1331 offsetof(struct __sk_buff, cb[4]) + 1),
1332 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1333 offsetof(struct __sk_buff, cb[4]) + 2),
1334 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1335 offsetof(struct __sk_buff, cb[4]) + 3),
1336 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1337 offsetof(struct __sk_buff, cb[0])),
1338 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1339 offsetof(struct __sk_buff, cb[0]) + 1),
1340 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1341 offsetof(struct __sk_buff, cb[0]) + 2),
1342 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1343 offsetof(struct __sk_buff, cb[0]) + 3),
1344 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, cb[1])),
1346 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1347 offsetof(struct __sk_buff, cb[1]) + 1),
1348 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1349 offsetof(struct __sk_buff, cb[1]) + 2),
1350 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, cb[1]) + 3),
1352 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1353 offsetof(struct __sk_buff, cb[2])),
1354 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1355 offsetof(struct __sk_buff, cb[2]) + 1),
1356 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1357 offsetof(struct __sk_buff, cb[2]) + 2),
1358 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1359 offsetof(struct __sk_buff, cb[2]) + 3),
1360 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1361 offsetof(struct __sk_buff, cb[3])),
1362 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1363 offsetof(struct __sk_buff, cb[3]) + 1),
1364 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1365 offsetof(struct __sk_buff, cb[3]) + 2),
1366 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1367 offsetof(struct __sk_buff, cb[3]) + 3),
1368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, cb[4])),
1370 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, cb[4]) + 1),
1372 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1373 offsetof(struct __sk_buff, cb[4]) + 2),
1374 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1375 offsetof(struct __sk_buff, cb[4]) + 3),
1376 BPF_EXIT_INSN(),
1377 },
1378 .result = ACCEPT,
1379 },
1380 {
31fd8581 1381 "__sk_buff->hash, offset 0, byte store not permitted",
62c7989b
DB		 1382 .insns = {
1383 BPF_MOV64_IMM(BPF_REG_0, 0),
1384 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 1385 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 1386 BPF_EXIT_INSN(),
1387 },
1388 .errstr = "invalid bpf_context access",
1389 .result = REJECT,
1390 },
1391 {
31fd8581 1392 "__sk_buff->tc_index, offset 3, byte store not permitted",
62c7989b
DB		 1393 .insns = {
1394 BPF_MOV64_IMM(BPF_REG_0, 0),
1395 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
31fd8581 1396 offsetof(struct __sk_buff, tc_index) + 3),
62c7989b
DB		 1397 BPF_EXIT_INSN(),
1398 },
1399 .errstr = "invalid bpf_context access",
1400 .result = REJECT,
1401 },
18f3d6be
YS		 1402 {
1403 "check skb->hash byte load permitted",
1404 .insns = {
1405 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1406#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1407 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1408 offsetof(struct __sk_buff, hash)),
1409#else
1410 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1411 offsetof(struct __sk_buff, hash) + 3),
1412#endif
1413 BPF_EXIT_INSN(),
1414 },
1415 .result = ACCEPT,
1416 },
1417 {
1418 "check skb->hash byte load not permitted 1",
1419 .insns = {
1420 BPF_MOV64_IMM(BPF_REG_0, 0),
1421 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1422 offsetof(struct __sk_buff, hash) + 1),
1423 BPF_EXIT_INSN(),
1424 },
1425 .errstr = "invalid bpf_context access",
1426 .result = REJECT,
1427 },
1428 {
1429 "check skb->hash byte load not permitted 2",
1430 .insns = {
1431 BPF_MOV64_IMM(BPF_REG_0, 0),
1432 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1433 offsetof(struct __sk_buff, hash) + 2),
1434 BPF_EXIT_INSN(),
1435 },
1436 .errstr = "invalid bpf_context access",
1437 .result = REJECT,
1438 },
1439 {
1440 "check skb->hash byte load not permitted 3",
1441 .insns = {
1442 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1443#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1444 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1445 offsetof(struct __sk_buff, hash) + 3),
1446#else
1447 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1448 offsetof(struct __sk_buff, hash)),
1449#endif
1450 BPF_EXIT_INSN(),
1451 },
1452 .errstr = "invalid bpf_context access",
1453 .result = REJECT,
1454 },
62c7989b
DB		 1455 {
1456 "check cb access: byte, wrong type",
1457 .insns = {
1458 BPF_MOV64_IMM(BPF_REG_0, 0),
1459 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1460 offsetof(struct __sk_buff, cb[0])),
1461 BPF_EXIT_INSN(),
1462 },
1463 .errstr = "invalid bpf_context access",
1464 .result = REJECT,
1465 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1466 },
1467 {
1468 "check cb access: half",
1469 .insns = {
1470 BPF_MOV64_IMM(BPF_REG_0, 0),
1471 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1472 offsetof(struct __sk_buff, cb[0])),
1473 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1474 offsetof(struct __sk_buff, cb[0]) + 2),
1475 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1476 offsetof(struct __sk_buff, cb[1])),
1477 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1478 offsetof(struct __sk_buff, cb[1]) + 2),
1479 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1480 offsetof(struct __sk_buff, cb[2])),
1481 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1482 offsetof(struct __sk_buff, cb[2]) + 2),
1483 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1484 offsetof(struct __sk_buff, cb[3])),
1485 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1486 offsetof(struct __sk_buff, cb[3]) + 2),
1487 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1488 offsetof(struct __sk_buff, cb[4])),
1489 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1490 offsetof(struct __sk_buff, cb[4]) + 2),
1491 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1492 offsetof(struct __sk_buff, cb[0])),
1493 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1494 offsetof(struct __sk_buff, cb[0]) + 2),
1495 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1496 offsetof(struct __sk_buff, cb[1])),
1497 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1498 offsetof(struct __sk_buff, cb[1]) + 2),
1499 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1500 offsetof(struct __sk_buff, cb[2])),
1501 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1502 offsetof(struct __sk_buff, cb[2]) + 2),
1503 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, cb[3])),
1505 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1506 offsetof(struct __sk_buff, cb[3]) + 2),
1507 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1508 offsetof(struct __sk_buff, cb[4])),
1509 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1510 offsetof(struct __sk_buff, cb[4]) + 2),
1511 BPF_EXIT_INSN(),
1512 },
1513 .result = ACCEPT,
1514 },
1515 {
1516 "check cb access: half, unaligned",
1517 .insns = {
1518 BPF_MOV64_IMM(BPF_REG_0, 0),
1519 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1520 offsetof(struct __sk_buff, cb[0]) + 1),
1521 BPF_EXIT_INSN(),
1522 },
f65b1849 1523 .errstr = "misaligned context access",
62c7989b 1524 .result = REJECT,
f65b1849 1525 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1526 },
1527 {
31fd8581 1528 "check __sk_buff->hash, offset 0, half store not permitted",
62c7989b
DB		 1529 .insns = {
1530 BPF_MOV64_IMM(BPF_REG_0, 0),
1531 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 1532 offsetof(struct __sk_buff, hash)),
62c7989b
DB		 1533 BPF_EXIT_INSN(),
1534 },
1535 .errstr = "invalid bpf_context access",
1536 .result = REJECT,
1537 },
1538 {
31fd8581 1539 "check __sk_buff->tc_index, offset 2, half store not permitted",
62c7989b
DB		 1540 .insns = {
1541 BPF_MOV64_IMM(BPF_REG_0, 0),
1542 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
31fd8581 1543 offsetof(struct __sk_buff, tc_index) + 2),
62c7989b
DB		 1544 BPF_EXIT_INSN(),
1545 },
1546 .errstr = "invalid bpf_context access",
1547 .result = REJECT,
1548 },
18f3d6be
YS		 1549 {
1550 "check skb->hash half load permitted",
1551 .insns = {
1552 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1553#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1554 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1555 offsetof(struct __sk_buff, hash)),
1556#else
1557 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1558 offsetof(struct __sk_buff, hash) + 2),
1559#endif
1560 BPF_EXIT_INSN(),
1561 },
1562 .result = ACCEPT,
1563 },
1564 {
1565 "check skb->hash half load not permitted",
1566 .insns = {
1567 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 1568#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 1569 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, hash) + 2),
1571#else
1572 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1573 offsetof(struct __sk_buff, hash)),
1574#endif
1575 BPF_EXIT_INSN(),
1576 },
1577 .errstr = "invalid bpf_context access",
1578 .result = REJECT,
1579 },
62c7989b
DB		 1580 {
1581 "check cb access: half, wrong type",
1582 .insns = {
1583 BPF_MOV64_IMM(BPF_REG_0, 0),
1584 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1585 offsetof(struct __sk_buff, cb[0])),
1586 BPF_EXIT_INSN(),
1587 },
1588 .errstr = "invalid bpf_context access",
1589 .result = REJECT,
1590 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1591 },
1592 {
1593 "check cb access: word",
1594 .insns = {
1595 BPF_MOV64_IMM(BPF_REG_0, 0),
1596 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1597 offsetof(struct __sk_buff, cb[0])),
1598 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1599 offsetof(struct __sk_buff, cb[1])),
1600 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1601 offsetof(struct __sk_buff, cb[2])),
1602 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1603 offsetof(struct __sk_buff, cb[3])),
1604 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605 offsetof(struct __sk_buff, cb[4])),
1606 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1607 offsetof(struct __sk_buff, cb[0])),
1608 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1609 offsetof(struct __sk_buff, cb[1])),
1610 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1611 offsetof(struct __sk_buff, cb[2])),
1612 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1613 offsetof(struct __sk_buff, cb[3])),
1614 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1615 offsetof(struct __sk_buff, cb[4])),
1616 BPF_EXIT_INSN(),
1617 },
1618 .result = ACCEPT,
1619 },
1620 {
1621 "check cb access: word, unaligned 1",
1622 .insns = {
1623 BPF_MOV64_IMM(BPF_REG_0, 0),
1624 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1625 offsetof(struct __sk_buff, cb[0]) + 2),
1626 BPF_EXIT_INSN(),
1627 },
f65b1849 1628 .errstr = "misaligned context access",
62c7989b 1629 .result = REJECT,
f65b1849 1630 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1631 },
1632 {
1633 "check cb access: word, unaligned 2",
1634 .insns = {
1635 BPF_MOV64_IMM(BPF_REG_0, 0),
1636 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1637 offsetof(struct __sk_buff, cb[4]) + 1),
1638 BPF_EXIT_INSN(),
1639 },
f65b1849 1640 .errstr = "misaligned context access",
62c7989b 1641 .result = REJECT,
f65b1849 1642 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1643 },
1644 {
1645 "check cb access: word, unaligned 3",
1646 .insns = {
1647 BPF_MOV64_IMM(BPF_REG_0, 0),
1648 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1649 offsetof(struct __sk_buff, cb[4]) + 2),
1650 BPF_EXIT_INSN(),
1651 },
f65b1849 1652 .errstr = "misaligned context access",
62c7989b 1653 .result = REJECT,
f65b1849 1654 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1655 },
1656 {
1657 "check cb access: word, unaligned 4",
1658 .insns = {
1659 BPF_MOV64_IMM(BPF_REG_0, 0),
1660 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1661 offsetof(struct __sk_buff, cb[4]) + 3),
1662 BPF_EXIT_INSN(),
1663 },
f65b1849 1664 .errstr = "misaligned context access",
62c7989b 1665 .result = REJECT,
f65b1849 1666 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1667 },
1668 {
1669 "check cb access: double",
1670 .insns = {
1671 BPF_MOV64_IMM(BPF_REG_0, 0),
1672 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1673 offsetof(struct __sk_buff, cb[0])),
1674 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1675 offsetof(struct __sk_buff, cb[2])),
1676 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1677 offsetof(struct __sk_buff, cb[0])),
1678 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1679 offsetof(struct __sk_buff, cb[2])),
1680 BPF_EXIT_INSN(),
1681 },
1682 .result = ACCEPT,
1683 },
1684 {
1685 "check cb access: double, unaligned 1",
1686 .insns = {
1687 BPF_MOV64_IMM(BPF_REG_0, 0),
1688 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1689 offsetof(struct __sk_buff, cb[1])),
1690 BPF_EXIT_INSN(),
1691 },
f65b1849 1692 .errstr = "misaligned context access",
62c7989b 1693 .result = REJECT,
f65b1849 1694 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1695 },
1696 {
1697 "check cb access: double, unaligned 2",
1698 .insns = {
1699 BPF_MOV64_IMM(BPF_REG_0, 0),
1700 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1701 offsetof(struct __sk_buff, cb[3])),
1702 BPF_EXIT_INSN(),
1703 },
f65b1849 1704 .errstr = "misaligned context access",
62c7989b 1705 .result = REJECT,
f65b1849 1706 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
62c7989b
DB		 1707 },
1708 {
1709 "check cb access: double, oob 1",
1710 .insns = {
1711 BPF_MOV64_IMM(BPF_REG_0, 0),
1712 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1713 offsetof(struct __sk_buff, cb[4])),
1714 BPF_EXIT_INSN(),
1715 },
1716 .errstr = "invalid bpf_context access",
1717 .result = REJECT,
1718 },
1719 {
1720 "check cb access: double, oob 2",
62c7989b
DB		 1721 .insns = {
1722 BPF_MOV64_IMM(BPF_REG_0, 0),
1723 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1724 offsetof(struct __sk_buff, cb[4])),
1725 BPF_EXIT_INSN(),
1726 },
1727 .errstr = "invalid bpf_context access",
1728 .result = REJECT,
1729 },
1730 {
31fd8581 1731 "check __sk_buff->ifindex dw store not permitted",
62c7989b
DB		 1732 .insns = {
1733 BPF_MOV64_IMM(BPF_REG_0, 0),
31fd8581
YS		 1734 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1735 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 1736 BPF_EXIT_INSN(),
1737 },
1738 .errstr = "invalid bpf_context access",
1739 .result = REJECT,
1740 },
1741 {
31fd8581 1742 "check __sk_buff->ifindex dw load not permitted",
62c7989b
DB		 1743 .insns = {
1744 BPF_MOV64_IMM(BPF_REG_0, 0),
1745 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
31fd8581 1746 offsetof(struct __sk_buff, ifindex)),
62c7989b
DB		 1747 BPF_EXIT_INSN(),
1748 },
1749 .errstr = "invalid bpf_context access",
1750 .result = REJECT,
1751 },
1752 {
1753 "check cb access: double, wrong type",
1754 .insns = {
1755 BPF_MOV64_IMM(BPF_REG_0, 0),
1756 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
d691f9e8
AS		 1757 offsetof(struct __sk_buff, cb[0])),
1758 BPF_EXIT_INSN(),
1759 },
1760 .errstr = "invalid bpf_context access",
1761 .result = REJECT,
62c7989b 1762 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
d691f9e8
AS		 1763 },
1764 {
1765 "check out of range skb->cb access",
1766 .insns = {
1767 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
bf508877 1768 offsetof(struct __sk_buff, cb[0]) + 256),
d691f9e8
AS		 1769 BPF_EXIT_INSN(),
1770 },
1771 .errstr = "invalid bpf_context access",
bf508877 1772 .errstr_unpriv = "",
d691f9e8
AS		 1773 .result = REJECT,
1774 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1775 },
1776 {
1777 "write skb fields from socket prog",
1778 .insns = {
1779 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1780 offsetof(struct __sk_buff, cb[4])),
1781 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1782 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1783 offsetof(struct __sk_buff, mark)),
1784 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1785 offsetof(struct __sk_buff, tc_index)),
1786 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1787 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1788 offsetof(struct __sk_buff, cb[0])),
1789 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1790 offsetof(struct __sk_buff, cb[2])),
1791 BPF_EXIT_INSN(),
1792 },
1793 .result = ACCEPT,
bf508877
AS		 1794 .errstr_unpriv = "R1 leaks addr",
1795 .result_unpriv = REJECT,
d691f9e8
AS		 1796 },
1797 {
1798 "write skb fields from tc_cls_act prog",
1799 .insns = {
1800 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1801 offsetof(struct __sk_buff, cb[0])),
1802 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1803 offsetof(struct __sk_buff, mark)),
1804 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1805 offsetof(struct __sk_buff, tc_index)),
1806 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1807 offsetof(struct __sk_buff, tc_index)),
1808 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1809 offsetof(struct __sk_buff, cb[3])),
1810 BPF_EXIT_INSN(),
1811 },
bf508877
AS		 1812 .errstr_unpriv = "",
1813 .result_unpriv = REJECT,
d691f9e8
AS		 1814 .result = ACCEPT,
1815 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1816 },
24b4d2ab
AG		 1817 {
1818 "PTR_TO_STACK store/load",
1819 .insns = {
1820 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1822 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1823 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1824 BPF_EXIT_INSN(),
1825 },
1826 .result = ACCEPT,
1827 },
1828 {
1829 "PTR_TO_STACK store/load - bad alignment on off",
1830 .insns = {
1831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1833 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1834 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1835 BPF_EXIT_INSN(),
1836 },
1837 .result = REJECT,
f65b1849 1838 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
24b4d2ab
AG		 1839 },
1840 {
1841 "PTR_TO_STACK store/load - bad alignment on reg",
1842 .insns = {
1843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1845 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1846 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1847 BPF_EXIT_INSN(),
1848 },
1849 .result = REJECT,
f65b1849 1850 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
24b4d2ab
AG		 1851 },
1852 {
1853 "PTR_TO_STACK store/load - out of bounds low",
1854 .insns = {
1855 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1857 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1858 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1859 BPF_EXIT_INSN(),
1860 },
1861 .result = REJECT,
1862 .errstr = "invalid stack off=-79992 size=8",
a3f6c1f4 1863 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
24b4d2ab
AG		 1864 },
1865 {
1866 "PTR_TO_STACK store/load - out of bounds high",
1867 .insns = {
1868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1870 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1871 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1872 BPF_EXIT_INSN(),
1873 },
1874 .result = REJECT,
1875 .errstr = "invalid stack off=0 size=8",
1876 },
bf508877
AS		 1877 {
1878 "unpriv: return pointer",
1879 .insns = {
1880 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1881 BPF_EXIT_INSN(),
1882 },
1883 .result = ACCEPT,
1884 .result_unpriv = REJECT,
1885 .errstr_unpriv = "R0 leaks addr",
1886 },
1887 {
1888 "unpriv: add const to pointer",
1889 .insns = {
1890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1891 BPF_MOV64_IMM(BPF_REG_0, 0),
1892 BPF_EXIT_INSN(),
1893 },
1894 .result = ACCEPT,
bf508877
AS		 1895 },
1896 {
1897 "unpriv: add pointer to pointer",
1898 .insns = {
1899 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1900 BPF_MOV64_IMM(BPF_REG_0, 0),
1901 BPF_EXIT_INSN(),
1902 },
82abbf8d
AS		 1903 .result = REJECT,
1904 .errstr = "R1 pointer += pointer",
bf508877
AS		 1905 },
1906 {
1907 "unpriv: neg pointer",
1908 .insns = {
1909 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1910 BPF_MOV64_IMM(BPF_REG_0, 0),
1911 BPF_EXIT_INSN(),
1912 },
1913 .result = ACCEPT,
1914 .result_unpriv = REJECT,
1915 .errstr_unpriv = "R1 pointer arithmetic",
1916 },
1917 {
1918 "unpriv: cmp pointer with const",
1919 .insns = {
1920 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1921 BPF_MOV64_IMM(BPF_REG_0, 0),
1922 BPF_EXIT_INSN(),
1923 },
1924 .result = ACCEPT,
1925 .result_unpriv = REJECT,
1926 .errstr_unpriv = "R1 pointer comparison",
1927 },
1928 {
1929 "unpriv: cmp pointer with pointer",
1930 .insns = {
1931 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1932 BPF_MOV64_IMM(BPF_REG_0, 0),
1933 BPF_EXIT_INSN(),
1934 },
1935 .result = ACCEPT,
1936 .result_unpriv = REJECT,
1937 .errstr_unpriv = "R10 pointer comparison",
1938 },
1939 {
1940 "unpriv: check that printk is disallowed",
1941 .insns = {
1942 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1943 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1945 BPF_MOV64_IMM(BPF_REG_2, 8),
1946 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
5aa5bd14
DB		 1947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1948 BPF_FUNC_trace_printk),
bf508877
AS		 1949 BPF_MOV64_IMM(BPF_REG_0, 0),
1950 BPF_EXIT_INSN(),
1951 },
0eb6984f 1952 .errstr_unpriv = "unknown func bpf_trace_printk#6",
bf508877
AS		 1953 .result_unpriv = REJECT,
1954 .result = ACCEPT,
1955 },
1956 {
1957 "unpriv: pass pointer to helper function",
1958 .insns = {
1959 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1960 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1962 BPF_LD_MAP_FD(BPF_REG_1, 0),
1963 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1964 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
5aa5bd14
DB		 1965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1966 BPF_FUNC_map_update_elem),
bf508877
AS		 1967 BPF_MOV64_IMM(BPF_REG_0, 0),
1968 BPF_EXIT_INSN(),
1969 },
5aa5bd14 1970 .fixup_map1 = { 3 },
bf508877
AS		 1971 .errstr_unpriv = "R4 leaks addr",
1972 .result_unpriv = REJECT,
1973 .result = ACCEPT,
1974 },
1975 {
1976 "unpriv: indirectly pass pointer on stack to helper function",
1977 .insns = {
1978 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1979 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1981 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 1982 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1983 BPF_FUNC_map_lookup_elem),
bf508877
AS		 1984 BPF_MOV64_IMM(BPF_REG_0, 0),
1985 BPF_EXIT_INSN(),
1986 },
5aa5bd14 1987 .fixup_map1 = { 3 },
bf508877
AS		 1988 .errstr = "invalid indirect read from stack off -8+0 size 8",
1989 .result = REJECT,
1990 },
1991 {
1992 "unpriv: mangle pointer on stack 1",
1993 .insns = {
1994 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1995 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1996 BPF_MOV64_IMM(BPF_REG_0, 0),
1997 BPF_EXIT_INSN(),
1998 },
1999 .errstr_unpriv = "attempt to corrupt spilled",
2000 .result_unpriv = REJECT,
2001 .result = ACCEPT,
2002 },
2003 {
2004 "unpriv: mangle pointer on stack 2",
2005 .insns = {
2006 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2007 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2008 BPF_MOV64_IMM(BPF_REG_0, 0),
2009 BPF_EXIT_INSN(),
2010 },
2011 .errstr_unpriv = "attempt to corrupt spilled",
2012 .result_unpriv = REJECT,
2013 .result = ACCEPT,
2014 },
2015 {
2016 "unpriv: read pointer from stack in small chunks",
2017 .insns = {
2018 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2019 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2020 BPF_MOV64_IMM(BPF_REG_0, 0),
2021 BPF_EXIT_INSN(),
2022 },
2023 .errstr = "invalid size",
2024 .result = REJECT,
2025 },
2026 {
2027 "unpriv: write pointer into ctx",
2028 .insns = {
2029 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2030 BPF_MOV64_IMM(BPF_REG_0, 0),
2031 BPF_EXIT_INSN(),
2032 },
2033 .errstr_unpriv = "R1 leaks addr",
2034 .result_unpriv = REJECT,
2035 .errstr = "invalid bpf_context access",
2036 .result = REJECT,
2037 },
1a776b9c
DB		 2038 {
2039 "unpriv: spill/fill of ctx",
2040 .insns = {
2041 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2043 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2044 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2045 BPF_MOV64_IMM(BPF_REG_0, 0),
2046 BPF_EXIT_INSN(),
2047 },
2048 .result = ACCEPT,
2049 },
2050 {
2051 "unpriv: spill/fill of ctx 2",
2052 .insns = {
2053 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2055 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2056 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2058 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2059 BPF_EXIT_INSN(),
2060 },
2061 .result = ACCEPT,
2062 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2063 },
2064 {
2065 "unpriv: spill/fill of ctx 3",
2066 .insns = {
2067 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2068 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2069 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2070 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2071 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2072 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2073 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2074 BPF_EXIT_INSN(),
2075 },
2076 .result = REJECT,
2077 .errstr = "R1 type=fp expected=ctx",
2078 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2079 },
2080 {
2081 "unpriv: spill/fill of ctx 4",
2082 .insns = {
2083 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2085 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2086 BPF_MOV64_IMM(BPF_REG_0, 1),
5aa5bd14
DB		 2087 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2088 BPF_REG_0, -8, 0),
1a776b9c 2089 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
5aa5bd14
DB		 2090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2091 BPF_FUNC_get_hash_recalc),
1a776b9c
DB		 2092 BPF_EXIT_INSN(),
2093 },
2094 .result = REJECT,
2095 .errstr = "R1 type=inv expected=ctx",
2096 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2097 },
2098 {
2099 "unpriv: spill/fill of different pointers stx",
2100 .insns = {
2101 BPF_MOV64_IMM(BPF_REG_3, 42),
2102 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2104 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2107 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2108 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2109 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2110 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2111 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2112 offsetof(struct __sk_buff, mark)),
2113 BPF_MOV64_IMM(BPF_REG_0, 0),
2114 BPF_EXIT_INSN(),
2115 },
2116 .result = REJECT,
2117 .errstr = "same insn cannot be used with different pointers",
2118 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2119 },
2120 {
2121 "unpriv: spill/fill of different pointers ldx",
2122 .insns = {
2123 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2125 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2126 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2128 -(__s32)offsetof(struct bpf_perf_event_data,
2129 sample_period) - 8),
2130 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2131 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2132 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2133 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2134 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2135 offsetof(struct bpf_perf_event_data,
2136 sample_period)),
2137 BPF_MOV64_IMM(BPF_REG_0, 0),
2138 BPF_EXIT_INSN(),
2139 },
2140 .result = REJECT,
2141 .errstr = "same insn cannot be used with different pointers",
2142 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2143 },
bf508877
AS		 2144 {
2145 "unpriv: write pointer into map elem value",
2146 .insns = {
2147 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2150 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 2151 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2152 BPF_FUNC_map_lookup_elem),
bf508877
AS		 2153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2154 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2155 BPF_EXIT_INSN(),
2156 },
5aa5bd14 2157 .fixup_map1 = { 3 },
bf508877
AS		 2158 .errstr_unpriv = "R0 leaks addr",
2159 .result_unpriv = REJECT,
2160 .result = ACCEPT,
2161 },
2162 {
2163 "unpriv: partial copy of pointer",
2164 .insns = {
2165 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2166 BPF_MOV64_IMM(BPF_REG_0, 0),
2167 BPF_EXIT_INSN(),
2168 },
2169 .errstr_unpriv = "R10 partial copy",
2170 .result_unpriv = REJECT,
2171 .result = ACCEPT,
2172 },
2173 {
2174 "unpriv: pass pointer to tail_call",
2175 .insns = {
2176 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2177 BPF_LD_MAP_FD(BPF_REG_2, 0),
5aa5bd14
DB		 2178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2179 BPF_FUNC_tail_call),
bf508877
AS		 2180 BPF_MOV64_IMM(BPF_REG_0, 0),
2181 BPF_EXIT_INSN(),
2182 },
5aa5bd14 2183 .fixup_prog = { 1 },
bf508877
AS		 2184 .errstr_unpriv = "R3 leaks addr into helper",
2185 .result_unpriv = REJECT,
2186 .result = ACCEPT,
2187 },
2188 {
2189 "unpriv: cmp map pointer with zero",
2190 .insns = {
2191 BPF_MOV64_IMM(BPF_REG_1, 0),
2192 BPF_LD_MAP_FD(BPF_REG_1, 0),
2193 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2194 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 BPF_EXIT_INSN(),
2196 },
5aa5bd14 2197 .fixup_map1 = { 1 },
bf508877
AS		 2198 .errstr_unpriv = "R1 pointer comparison",
2199 .result_unpriv = REJECT,
2200 .result = ACCEPT,
2201 },
2202 {
2203 "unpriv: write into frame pointer",
2204 .insns = {
2205 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2206 BPF_MOV64_IMM(BPF_REG_0, 0),
2207 BPF_EXIT_INSN(),
2208 },
2209 .errstr = "frame pointer is read only",
2210 .result = REJECT,
2211 },
1a776b9c
DB		 2212 {
2213 "unpriv: spill/fill frame pointer",
2214 .insns = {
2215 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2217 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2218 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2219 BPF_MOV64_IMM(BPF_REG_0, 0),
2220 BPF_EXIT_INSN(),
2221 },
2222 .errstr = "frame pointer is read only",
2223 .result = REJECT,
2224 },
bf508877
AS		 2225 {
2226 "unpriv: cmp of frame pointer",
2227 .insns = {
2228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2229 BPF_MOV64_IMM(BPF_REG_0, 0),
2230 BPF_EXIT_INSN(),
2231 },
2232 .errstr_unpriv = "R10 pointer comparison",
2233 .result_unpriv = REJECT,
2234 .result = ACCEPT,
2235 },
728a853a
DB		 2236 {
2237 "unpriv: adding of fp",
2238 .insns = {
2239 BPF_MOV64_IMM(BPF_REG_0, 0),
2240 BPF_MOV64_IMM(BPF_REG_1, 0),
2241 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2242 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2243 BPF_EXIT_INSN(),
2244 },
a3f6c1f4
DB		 2245 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2246 .result_unpriv = REJECT,
f65b1849 2247 .result = ACCEPT,
728a853a 2248 },
bf508877
AS		 2249 {
2250 "unpriv: cmp of stack pointer",
2251 .insns = {
2252 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2255 BPF_MOV64_IMM(BPF_REG_0, 0),
2256 BPF_EXIT_INSN(),
2257 },
2258 .errstr_unpriv = "R2 pointer comparison",
2259 .result_unpriv = REJECT,
2260 .result = ACCEPT,
2261 },
4d6e9773
DB		 2262 {
2263 "runtime/jit: pass negative index to tail_call",
2264 .insns = {
2265 BPF_MOV64_IMM(BPF_REG_3, -1),
2266 BPF_LD_MAP_FD(BPF_REG_2, 0),
2267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2268 BPF_FUNC_tail_call),
2269 BPF_MOV64_IMM(BPF_REG_0, 0),
2270 BPF_EXIT_INSN(),
2271 },
2272 .fixup_prog = { 1 },
2273 .result = ACCEPT,
2274 },
2275 {
2276 "runtime/jit: pass > 32bit index to tail_call",
2277 .insns = {
2278 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2279 BPF_LD_MAP_FD(BPF_REG_2, 0),
2280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2281 BPF_FUNC_tail_call),
2282 BPF_MOV64_IMM(BPF_REG_0, 0),
2283 BPF_EXIT_INSN(),
2284 },
2285 .fixup_prog = { 2 },
2286 .result = ACCEPT,
2287 },
a3f6c1f4
DB		 2288 {
2289 "PTR_TO_STACK check high 1",
2290 .insns = {
2291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
2293 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2294 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2295 BPF_EXIT_INSN(),
2296 },
2297 .result = ACCEPT,
2298 },
2299 {
2300 "PTR_TO_STACK check high 2",
2301 .insns = {
2302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2303 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
2304 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
2305 BPF_EXIT_INSN(),
2306 },
2307 .result = ACCEPT,
2308 },
2309 {
2310 "PTR_TO_STACK check high 3",
2311 .insns = {
2312 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
2314 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
2315 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
2316 BPF_EXIT_INSN(),
2317 },
2318 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2319 .result_unpriv = REJECT,
2320 .result = ACCEPT,
2321 },
2322 {
2323 "PTR_TO_STACK check high 4",
2324 .insns = {
2325 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
2327 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2328 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2329 BPF_EXIT_INSN(),
2330 },
2331 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2332 .errstr = "invalid stack off=0 size=1",
2333 .result = REJECT,
2334 },
2335 {
2336 "PTR_TO_STACK check high 5",
2337 .insns = {
2338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
2340 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2341 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2342 BPF_EXIT_INSN(),
2343 },
2344 .result = REJECT,
2345 .errstr = "invalid stack off",
2346 },
2347 {
2348 "PTR_TO_STACK check high 6",
2349 .insns = {
2350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
2352 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
2353 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
2354 BPF_EXIT_INSN(),
2355 },
2356 .result = REJECT,
2357 .errstr = "invalid stack off",
2358 },
2359 {
2360 "PTR_TO_STACK check high 7",
2361 .insns = {
2362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
2364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
2365 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
2366 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
2367 BPF_EXIT_INSN(),
2368 },
2369 .result = REJECT,
2370 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2371 .errstr = "fp pointer offset",
2372 },
2373 {
2374 "PTR_TO_STACK check low 1",
2375 .insns = {
2376 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
2378 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2379 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2380 BPF_EXIT_INSN(),
2381 },
2382 .result = ACCEPT,
2383 },
2384 {
2385 "PTR_TO_STACK check low 2",
2386 .insns = {
2387 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
2389 BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
2390 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
2391 BPF_EXIT_INSN(),
2392 },
2393 .result_unpriv = REJECT,
2394 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2395 .result = ACCEPT,
2396 },
2397 {
2398 "PTR_TO_STACK check low 3",
2399 .insns = {
2400 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
2402 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2403 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2404 BPF_EXIT_INSN(),
2405 },
2406 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2407 .errstr = "invalid stack off=-513 size=1",
2408 .result = REJECT,
2409 },
2410 {
2411 "PTR_TO_STACK check low 4",
2412 .insns = {
2413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
2415 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2416 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2417 BPF_EXIT_INSN(),
2418 },
2419 .result = REJECT,
2420 .errstr = "math between fp pointer",
2421 },
2422 {
2423 "PTR_TO_STACK check low 5",
2424 .insns = {
2425 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
2427 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2428 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2429 BPF_EXIT_INSN(),
2430 },
2431 .result = REJECT,
2432 .errstr = "invalid stack off",
2433 },
2434 {
2435 "PTR_TO_STACK check low 6",
2436 .insns = {
2437 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
2439 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
2440 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
2441 BPF_EXIT_INSN(),
2442 },
2443 .result = REJECT,
2444 .errstr = "invalid stack off",
2445 },
2446 {
2447 "PTR_TO_STACK check low 7",
2448 .insns = {
2449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
2451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
2452 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
2453 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
2454 BPF_EXIT_INSN(),
2455 },
2456 .result = REJECT,
2457 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2458 .errstr = "fp pointer offset",
2459 },
2460 {
2461 "PTR_TO_STACK mixed reg/k, 1",
2462 .insns = {
2463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
2465 BPF_MOV64_IMM(BPF_REG_2, -3),
2466 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
2467 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2468 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2469 BPF_EXIT_INSN(),
2470 },
2471 .result = ACCEPT,
2472 },
2473 {
2474 "PTR_TO_STACK mixed reg/k, 2",
2475 .insns = {
2476 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2477 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
2478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
2480 BPF_MOV64_IMM(BPF_REG_2, -3),
2481 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
2482 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2483 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
2484 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
2485 BPF_EXIT_INSN(),
2486 },
2487 .result = ACCEPT,
2488 },
2489 {
2490 "PTR_TO_STACK mixed reg/k, 3",
2491 .insns = {
2492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
2494 BPF_MOV64_IMM(BPF_REG_2, -3),
2495 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
2496 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2498 BPF_EXIT_INSN(),
2499 },
2500 .result = ACCEPT,
2501 },
2502 {
2503 "PTR_TO_STACK reg",
2504 .insns = {
2505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2506 BPF_MOV64_IMM(BPF_REG_2, -3),
2507 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
2508 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
2509 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
2510 BPF_EXIT_INSN(),
2511 },
2512 .result_unpriv = REJECT,
2513 .errstr_unpriv = "invalid stack off=0 size=1",
2514 .result = ACCEPT,
2515 },
bf508877 2516 {
332270fd 2517 "stack pointer arithmetic",
bf508877 2518 .insns = {
332270fd
YS		 2519 BPF_MOV64_IMM(BPF_REG_1, 4),
2520 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2521 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2524 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2525 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2526 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2529 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
bf508877
AS		 2530 BPF_MOV64_IMM(BPF_REG_0, 0),
2531 BPF_EXIT_INSN(),
2532 },
bf508877
AS		 2533 .result = ACCEPT,
2534 },
3f2050e2
DB		 2535 {
2536 "raw_stack: no skb_load_bytes",
2537 .insns = {
2538 BPF_MOV64_IMM(BPF_REG_2, 4),
2539 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2541 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2542 BPF_MOV64_IMM(BPF_REG_4, 8),
2543 /* Call to skb_load_bytes() omitted. */
2544 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2545 BPF_EXIT_INSN(),
2546 },
2547 .result = REJECT,
2548 .errstr = "invalid read from stack off -8+0 size 8",
2549 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2550 },
7d95b0ab
DB		 2551 {
2552 "raw_stack: skb_load_bytes, negative len",
2553 .insns = {
2554 BPF_MOV64_IMM(BPF_REG_2, 4),
2555 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2557 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2558 BPF_MOV64_IMM(BPF_REG_4, -8),
5aa5bd14
DB		 2559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2560 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2561 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2562 BPF_EXIT_INSN(),
2563 },
2564 .result = REJECT,
f65b1849 2565 .errstr = "R4 min value is negative",
7d95b0ab
DB		 2566 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2567 },
2568 {
2569 "raw_stack: skb_load_bytes, negative len 2",
2570 .insns = {
2571 BPF_MOV64_IMM(BPF_REG_2, 4),
2572 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2574 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2575 BPF_MOV64_IMM(BPF_REG_4, ~0),
5aa5bd14
DB		 2576 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2577 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2578 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2579 BPF_EXIT_INSN(),
2580 },
2581 .result = REJECT,
f65b1849 2582 .errstr = "R4 min value is negative",
7d95b0ab
DB		 2583 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2584 },
2585 {
2586 "raw_stack: skb_load_bytes, zero len",
2587 .insns = {
2588 BPF_MOV64_IMM(BPF_REG_2, 4),
2589 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2591 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2592 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2594 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 2595 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2596 BPF_EXIT_INSN(),
2597 },
2598 .result = REJECT,
2599 .errstr = "invalid stack type R3",
2600 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2601 },
3f2050e2
DB		 2602 {
2603 "raw_stack: skb_load_bytes, no init",
2604 .insns = {
2605 BPF_MOV64_IMM(BPF_REG_2, 4),
2606 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2608 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2609 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2610 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2611 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2612 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2613 BPF_EXIT_INSN(),
2614 },
2615 .result = ACCEPT,
2616 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2617 },
2618 {
2619 "raw_stack: skb_load_bytes, init",
2620 .insns = {
2621 BPF_MOV64_IMM(BPF_REG_2, 4),
2622 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2624 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2625 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2626 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2627 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2628 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2629 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2630 BPF_EXIT_INSN(),
2631 },
2632 .result = ACCEPT,
2633 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2634 },
2635 {
2636 "raw_stack: skb_load_bytes, spilled regs around bounds",
2637 .insns = {
2638 BPF_MOV64_IMM(BPF_REG_2, 4),
2639 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2641 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2642 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2643 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2644 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2646 BPF_FUNC_skb_load_bytes),
2647 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2648 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3f2050e2
DB		 2649 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2650 offsetof(struct __sk_buff, mark)),
2651 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2652 offsetof(struct __sk_buff, priority)),
2653 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2654 BPF_EXIT_INSN(),
2655 },
2656 .result = ACCEPT,
2657 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2658 },
2659 {
2660 "raw_stack: skb_load_bytes, spilled regs corruption",
2661 .insns = {
2662 BPF_MOV64_IMM(BPF_REG_2, 4),
2663 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
5aa5bd14 2665 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3f2050e2
DB		 2666 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2667 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2669 BPF_FUNC_skb_load_bytes),
2670 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3f2050e2
DB		 2671 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2672 offsetof(struct __sk_buff, mark)),
2673 BPF_EXIT_INSN(),
2674 },
2675 .result = REJECT,
2676 .errstr = "R0 invalid mem access 'inv'",
2677 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 },
2679 {
2680 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2681 .insns = {
2682 BPF_MOV64_IMM(BPF_REG_2, 4),
2683 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2685 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2686 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2687 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2688 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2689 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2690 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2691 BPF_FUNC_skb_load_bytes),
2692 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2693 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2694 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 2695 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2696 offsetof(struct __sk_buff, mark)),
2697 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2698 offsetof(struct __sk_buff, priority)),
2699 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2700 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2701 offsetof(struct __sk_buff, pkt_type)),
2702 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2703 BPF_EXIT_INSN(),
2704 },
2705 .result = REJECT,
2706 .errstr = "R3 invalid mem access 'inv'",
2707 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2708 },
2709 {
2710 "raw_stack: skb_load_bytes, spilled regs + data",
2711 .insns = {
2712 BPF_MOV64_IMM(BPF_REG_2, 4),
2713 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
5aa5bd14
DB		 2715 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2716 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2717 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3f2050e2
DB		 2718 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2719 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2720 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2721 BPF_FUNC_skb_load_bytes),
2722 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2724 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3f2050e2
DB		 2725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2726 offsetof(struct __sk_buff, mark)),
2727 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2728 offsetof(struct __sk_buff, priority)),
2729 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2730 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2731 BPF_EXIT_INSN(),
2732 },
2733 .result = ACCEPT,
2734 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2735 },
2736 {
2737 "raw_stack: skb_load_bytes, invalid access 1",
2738 .insns = {
2739 BPF_MOV64_IMM(BPF_REG_2, 4),
2740 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2741 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2742 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2743 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2744 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2745 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2746 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2747 BPF_EXIT_INSN(),
2748 },
2749 .result = REJECT,
2750 .errstr = "invalid stack type R3 off=-513 access_size=8",
2751 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2752 },
2753 {
2754 "raw_stack: skb_load_bytes, invalid access 2",
2755 .insns = {
2756 BPF_MOV64_IMM(BPF_REG_2, 4),
2757 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2759 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2760 BPF_MOV64_IMM(BPF_REG_4, 8),
5aa5bd14
DB		 2761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2762 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2763 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2764 BPF_EXIT_INSN(),
2765 },
2766 .result = REJECT,
2767 .errstr = "invalid stack type R3 off=-1 access_size=8",
2768 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2769 },
2770 {
2771 "raw_stack: skb_load_bytes, invalid access 3",
2772 .insns = {
2773 BPF_MOV64_IMM(BPF_REG_2, 4),
2774 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2776 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2777 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
5aa5bd14
DB		 2778 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2779 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2780 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2781 BPF_EXIT_INSN(),
2782 },
2783 .result = REJECT,
f65b1849 2784 .errstr = "R4 min value is negative",
3f2050e2
DB		 2785 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2786 },
2787 {
2788 "raw_stack: skb_load_bytes, invalid access 4",
2789 .insns = {
2790 BPF_MOV64_IMM(BPF_REG_2, 4),
2791 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2793 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2794 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 2795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2796 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2797 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2798 BPF_EXIT_INSN(),
2799 },
2800 .result = REJECT,
f65b1849 2801 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3f2050e2
DB		 2802 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2803 },
2804 {
2805 "raw_stack: skb_load_bytes, invalid access 5",
2806 .insns = {
2807 BPF_MOV64_IMM(BPF_REG_2, 4),
2808 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2810 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2811 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
5aa5bd14
DB		 2812 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2813 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2814 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2815 BPF_EXIT_INSN(),
2816 },
2817 .result = REJECT,
f65b1849 2818 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3f2050e2
DB		 2819 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2820 },
2821 {
2822 "raw_stack: skb_load_bytes, invalid access 6",
2823 .insns = {
2824 BPF_MOV64_IMM(BPF_REG_2, 4),
2825 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2827 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2828 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 2829 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2830 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2831 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2832 BPF_EXIT_INSN(),
2833 },
2834 .result = REJECT,
2835 .errstr = "invalid stack type R3 off=-512 access_size=0",
2836 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2837 },
2838 {
2839 "raw_stack: skb_load_bytes, large access",
2840 .insns = {
2841 BPF_MOV64_IMM(BPF_REG_2, 4),
2842 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2844 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2845 BPF_MOV64_IMM(BPF_REG_4, 512),
5aa5bd14
DB		 2846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2847 BPF_FUNC_skb_load_bytes),
3f2050e2
DB		 2848 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2849 BPF_EXIT_INSN(),
2850 },
2851 .result = ACCEPT,
2852 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2853 },
f37a8cb8
DB		 2854 {
2855 "context stores via ST",
2856 .insns = {
2857 BPF_MOV64_IMM(BPF_REG_0, 0),
2858 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
2859 BPF_EXIT_INSN(),
2860 },
2861 .errstr = "BPF_ST stores into R1 context is not allowed",
2862 .result = REJECT,
2863 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2864 },
2865 {
2866 "context stores via XADD",
2867 .insns = {
2868 BPF_MOV64_IMM(BPF_REG_0, 0),
2869 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
2870 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
2871 BPF_EXIT_INSN(),
2872 },
2873 .errstr = "BPF_XADD stores into R1 context is not allowed",
2874 .result = REJECT,
2875 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2876 },
883e44e4 2877 {
1633ac0a 2878 "direct packet access: test1",
883e44e4
AS		 2879 .insns = {
2880 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2881 offsetof(struct __sk_buff, data)),
2882 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2883 offsetof(struct __sk_buff, data_end)),
2884 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2886 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2887 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2888 BPF_MOV64_IMM(BPF_REG_0, 0),
2889 BPF_EXIT_INSN(),
2890 },
2891 .result = ACCEPT,
2892 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2893 },
2894 {
1633ac0a 2895 "direct packet access: test2",
883e44e4
AS		 2896 .insns = {
2897 BPF_MOV64_IMM(BPF_REG_0, 1),
2898 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2899 offsetof(struct __sk_buff, data_end)),
2900 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2901 offsetof(struct __sk_buff, data)),
2902 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2904 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2905 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2906 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2907 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2908 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2909 offsetof(struct __sk_buff, data)),
2910 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
82abbf8d
AS		 2911 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2912 offsetof(struct __sk_buff, len)),
1f9ab38f
EC		 2913 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2914 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
883e44e4
AS		 2915 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2916 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2918 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2919 offsetof(struct __sk_buff, data_end)),
2920 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2921 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2922 BPF_MOV64_IMM(BPF_REG_0, 0),
2923 BPF_EXIT_INSN(),
2924 },
2925 .result = ACCEPT,
2926 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2927 },
2928 {
1633ac0a 2929 "direct packet access: test3",
883e44e4
AS		 2930 .insns = {
2931 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2932 offsetof(struct __sk_buff, data)),
2933 BPF_MOV64_IMM(BPF_REG_0, 0),
2934 BPF_EXIT_INSN(),
2935 },
2936 .errstr = "invalid bpf_context access off=76",
2937 .result = REJECT,
2938 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2939 },
2940 {
7d95b0ab 2941 "direct packet access: test4 (write)",
883e44e4
AS		 2942 .insns = {
2943 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2944 offsetof(struct __sk_buff, data)),
2945 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2946 offsetof(struct __sk_buff, data_end)),
2947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2949 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2950 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2951 BPF_MOV64_IMM(BPF_REG_0, 0),
2952 BPF_EXIT_INSN(),
2953 },
7d95b0ab 2954 .result = ACCEPT,
883e44e4
AS		 2955 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2956 },
2d2be8ca
DB		 2957 {
2958 "direct packet access: test5 (pkt_end >= reg, good access)",
2959 .insns = {
2960 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2961 offsetof(struct __sk_buff, data)),
2962 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2963 offsetof(struct __sk_buff, data_end)),
2964 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2966 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2967 BPF_MOV64_IMM(BPF_REG_0, 1),
2968 BPF_EXIT_INSN(),
2969 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2970 BPF_MOV64_IMM(BPF_REG_0, 0),
2971 BPF_EXIT_INSN(),
2972 },
2973 .result = ACCEPT,
2974 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2975 },
2976 {
2977 "direct packet access: test6 (pkt_end >= reg, bad access)",
2978 .insns = {
2979 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2980 offsetof(struct __sk_buff, data)),
2981 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2982 offsetof(struct __sk_buff, data_end)),
2983 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2985 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2986 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2987 BPF_MOV64_IMM(BPF_REG_0, 1),
2988 BPF_EXIT_INSN(),
2989 BPF_MOV64_IMM(BPF_REG_0, 0),
2990 BPF_EXIT_INSN(),
2991 },
2992 .errstr = "invalid access to packet",
2993 .result = REJECT,
2994 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2995 },
2996 {
2997 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2998 .insns = {
2999 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3000 offsetof(struct __sk_buff, data)),
3001 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3002 offsetof(struct __sk_buff, data_end)),
3003 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3005 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3006 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3007 BPF_MOV64_IMM(BPF_REG_0, 1),
3008 BPF_EXIT_INSN(),
3009 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3010 BPF_MOV64_IMM(BPF_REG_0, 0),
3011 BPF_EXIT_INSN(),
3012 },
3013 .errstr = "invalid access to packet",
3014 .result = REJECT,
3015 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3016 },
3017 {
3018 "direct packet access: test8 (double test, variant 1)",
3019 .insns = {
3020 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3021 offsetof(struct __sk_buff, data)),
3022 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3023 offsetof(struct __sk_buff, data_end)),
3024 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3026 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3027 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3028 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3029 BPF_MOV64_IMM(BPF_REG_0, 1),
3030 BPF_EXIT_INSN(),
3031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3032 BPF_MOV64_IMM(BPF_REG_0, 0),
3033 BPF_EXIT_INSN(),
3034 },
3035 .result = ACCEPT,
3036 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3037 },
3038 {
3039 "direct packet access: test9 (double test, variant 2)",
3040 .insns = {
3041 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3042 offsetof(struct __sk_buff, data)),
3043 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3044 offsetof(struct __sk_buff, data_end)),
3045 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3047 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3048 BPF_MOV64_IMM(BPF_REG_0, 1),
3049 BPF_EXIT_INSN(),
3050 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3051 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3052 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3053 BPF_MOV64_IMM(BPF_REG_0, 0),
3054 BPF_EXIT_INSN(),
3055 },
3056 .result = ACCEPT,
3057 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3058 },
7d95b0ab
DB		 3059 {
3060 "direct packet access: test10 (write invalid)",
3061 .insns = {
3062 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3063 offsetof(struct __sk_buff, data)),
3064 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3065 offsetof(struct __sk_buff, data_end)),
3066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3068 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3069 BPF_MOV64_IMM(BPF_REG_0, 0),
3070 BPF_EXIT_INSN(),
3071 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3072 BPF_MOV64_IMM(BPF_REG_0, 0),
3073 BPF_EXIT_INSN(),
3074 },
3075 .errstr = "invalid access to packet",
3076 .result = REJECT,
3077 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3078 },
3fadc801
DB		 3079 {
3080 "direct packet access: test11 (shift, good access)",
3081 .insns = {
3082 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3083 offsetof(struct __sk_buff, data)),
3084 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3085 offsetof(struct __sk_buff, data_end)),
3086 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3088 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3089 BPF_MOV64_IMM(BPF_REG_3, 144),
3090 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3091 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3092 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3093 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3094 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3095 BPF_MOV64_IMM(BPF_REG_0, 1),
3096 BPF_EXIT_INSN(),
3097 BPF_MOV64_IMM(BPF_REG_0, 0),
3098 BPF_EXIT_INSN(),
3099 },
3100 .result = ACCEPT,
3101 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3102 },
3103 {
3104 "direct packet access: test12 (and, good access)",
3105 .insns = {
3106 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3107 offsetof(struct __sk_buff, data)),
3108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3109 offsetof(struct __sk_buff, data_end)),
3110 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3112 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3113 BPF_MOV64_IMM(BPF_REG_3, 144),
3114 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3116 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3117 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3118 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3119 BPF_MOV64_IMM(BPF_REG_0, 1),
3120 BPF_EXIT_INSN(),
3121 BPF_MOV64_IMM(BPF_REG_0, 0),
3122 BPF_EXIT_INSN(),
3123 },
3124 .result = ACCEPT,
3125 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3126 },
3127 {
3128 "direct packet access: test13 (branches, good access)",
3129 .insns = {
3130 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3131 offsetof(struct __sk_buff, data)),
3132 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3133 offsetof(struct __sk_buff, data_end)),
3134 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3136 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3138 offsetof(struct __sk_buff, mark)),
3139 BPF_MOV64_IMM(BPF_REG_4, 1),
3140 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3141 BPF_MOV64_IMM(BPF_REG_3, 14),
3142 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3143 BPF_MOV64_IMM(BPF_REG_3, 24),
3144 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3145 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3146 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3147 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3148 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3149 BPF_MOV64_IMM(BPF_REG_0, 1),
3150 BPF_EXIT_INSN(),
3151 BPF_MOV64_IMM(BPF_REG_0, 0),
3152 BPF_EXIT_INSN(),
3153 },
3154 .result = ACCEPT,
3155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3156 },
63dfef75
WT		 3157 {
3158 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3159 .insns = {
3160 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3161 offsetof(struct __sk_buff, data)),
3162 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3163 offsetof(struct __sk_buff, data_end)),
3164 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3166 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3167 BPF_MOV64_IMM(BPF_REG_5, 12),
3168 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3169 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3170 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3171 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3172 BPF_MOV64_IMM(BPF_REG_0, 1),
3173 BPF_EXIT_INSN(),
3174 BPF_MOV64_IMM(BPF_REG_0, 0),
3175 BPF_EXIT_INSN(),
3176 },
3177 .result = ACCEPT,
3178 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3179 },
02ea80b1
DB		 3180 {
3181 "direct packet access: test15 (spill with xadd)",
3182 .insns = {
3183 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3184 offsetof(struct __sk_buff, data)),
3185 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3186 offsetof(struct __sk_buff, data_end)),
3187 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3189 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3190 BPF_MOV64_IMM(BPF_REG_5, 4096),
3191 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3193 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3194 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3195 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3196 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3197 BPF_MOV64_IMM(BPF_REG_0, 0),
3198 BPF_EXIT_INSN(),
3199 },
3200 .errstr = "R2 invalid mem access 'inv'",
3201 .result = REJECT,
3202 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3203 },
728a853a
DB		 3204 {
3205 "direct packet access: test16 (arith on data_end)",
3206 .insns = {
3207 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3208 offsetof(struct __sk_buff, data)),
3209 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3210 offsetof(struct __sk_buff, data_end)),
3211 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3213 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3214 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3215 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3216 BPF_MOV64_IMM(BPF_REG_0, 0),
3217 BPF_EXIT_INSN(),
3218 },
82abbf8d 3219 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
728a853a
DB		 3220 .result = REJECT,
3221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3222 },
614d0d77
DB		 3223 {
3224 "direct packet access: test17 (pruning, alignment)",
3225 .insns = {
3226 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3227 offsetof(struct __sk_buff, data)),
3228 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3229 offsetof(struct __sk_buff, data_end)),
3230 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3231 offsetof(struct __sk_buff, mark)),
3232 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3234 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3235 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3236 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3237 BPF_MOV64_IMM(BPF_REG_0, 0),
3238 BPF_EXIT_INSN(),
3239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3240 BPF_JMP_A(-6),
3241 },
f65b1849 3242 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
614d0d77
DB		 3243 .result = REJECT,
3244 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3245 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3246 },
6d191ed4
DB		 3247 {
3248 "direct packet access: test18 (imm += pkt_ptr, 1)",
3249 .insns = {
3250 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3251 offsetof(struct __sk_buff, data)),
3252 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3253 offsetof(struct __sk_buff, data_end)),
3254 BPF_MOV64_IMM(BPF_REG_0, 8),
3255 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3256 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3257 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3258 BPF_MOV64_IMM(BPF_REG_0, 0),
3259 BPF_EXIT_INSN(),
3260 },
3261 .result = ACCEPT,
3262 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3263 },
3264 {
3265 "direct packet access: test19 (imm += pkt_ptr, 2)",
3266 .insns = {
3267 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3268 offsetof(struct __sk_buff, data)),
3269 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3270 offsetof(struct __sk_buff, data_end)),
3271 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3273 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3274 BPF_MOV64_IMM(BPF_REG_4, 4),
3275 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3276 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3277 BPF_MOV64_IMM(BPF_REG_0, 0),
3278 BPF_EXIT_INSN(),
3279 },
3280 .result = ACCEPT,
3281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3282 },
3283 {
3284 "direct packet access: test20 (x += pkt_ptr, 1)",
3285 .insns = {
3286 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3287 offsetof(struct __sk_buff, data)),
3288 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3289 offsetof(struct __sk_buff, data_end)),
3290 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3291 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3292 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1f9ab38f 3293 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
6d191ed4
DB		 3294 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3295 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3296 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
1f9ab38f 3297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
6d191ed4
DB		 3298 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3299 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3300 BPF_MOV64_IMM(BPF_REG_0, 0),
3301 BPF_EXIT_INSN(),
3302 },
3303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3304 .result = ACCEPT,
3305 },
3306 {
3307 "direct packet access: test21 (x += pkt_ptr, 2)",
3308 .insns = {
3309 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3310 offsetof(struct __sk_buff, data)),
3311 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3312 offsetof(struct __sk_buff, data_end)),
3313 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3315 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3316 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3318 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1f9ab38f 3319 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
6d191ed4
DB		 3320 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3321 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
1f9ab38f 3322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
6d191ed4
DB		 3323 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3324 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3325 BPF_MOV64_IMM(BPF_REG_0, 0),
3326 BPF_EXIT_INSN(),
3327 },
3328 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3329 .result = ACCEPT,
3330 },
3331 {
3332 "direct packet access: test22 (x += pkt_ptr, 3)",
3333 .insns = {
3334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3335 offsetof(struct __sk_buff, data)),
3336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3337 offsetof(struct __sk_buff, data_end)),
3338 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3340 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3341 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3342 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3343 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3344 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3345 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3346 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3347 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1f9ab38f 3348 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
6d191ed4
DB		 3349 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3350 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3352 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3353 BPF_MOV64_IMM(BPF_REG_2, 1),
3354 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3355 BPF_MOV64_IMM(BPF_REG_0, 0),
3356 BPF_EXIT_INSN(),
3357 },
3358 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3359 .result = ACCEPT,
3360 },
3361 {
3362 "direct packet access: test23 (x += pkt_ptr, 4)",
3363 .insns = {
3364 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3365 offsetof(struct __sk_buff, data)),
3366 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3367 offsetof(struct __sk_buff, data_end)),
3368 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3369 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3370 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3371 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3372 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3373 BPF_MOV64_IMM(BPF_REG_0, 31),
3374 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3375 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3376 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3378 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3379 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3380 BPF_MOV64_IMM(BPF_REG_0, 0),
3381 BPF_EXIT_INSN(),
3382 },
3383 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3384 .result = REJECT,
f65b1849 3385 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
6d191ed4
DB		 3386 },
3387 {
3388 "direct packet access: test24 (x += pkt_ptr, 5)",
3389 .insns = {
3390 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3391 offsetof(struct __sk_buff, data)),
3392 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3393 offsetof(struct __sk_buff, data_end)),
3394 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3395 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3396 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3397 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3398 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3399 BPF_MOV64_IMM(BPF_REG_0, 64),
3400 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3401 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3402 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
1f9ab38f 3403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
6d191ed4
DB		 3404 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3405 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3406 BPF_MOV64_IMM(BPF_REG_0, 0),
3407 BPF_EXIT_INSN(),
3408 },
3409 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3410 .result = ACCEPT,
3411 },
31e482bf
DB		 3412 {
3413 "direct packet access: test25 (marking on <, good access)",
3414 .insns = {
3415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3416 offsetof(struct __sk_buff, data)),
3417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3418 offsetof(struct __sk_buff, data_end)),
3419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3421 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3422 BPF_MOV64_IMM(BPF_REG_0, 0),
3423 BPF_EXIT_INSN(),
3424 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3425 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3426 },
3427 .result = ACCEPT,
3428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3429 },
3430 {
3431 "direct packet access: test26 (marking on <, bad access)",
3432 .insns = {
3433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3434 offsetof(struct __sk_buff, data)),
3435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3436 offsetof(struct __sk_buff, data_end)),
3437 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3439 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3440 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3441 BPF_MOV64_IMM(BPF_REG_0, 0),
3442 BPF_EXIT_INSN(),
3443 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3444 },
3445 .result = REJECT,
3446 .errstr = "invalid access to packet",
3447 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3448 },
3449 {
3450 "direct packet access: test27 (marking on <=, good access)",
3451 .insns = {
3452 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3453 offsetof(struct __sk_buff, data)),
3454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3455 offsetof(struct __sk_buff, data_end)),
3456 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3458 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3459 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3460 BPF_MOV64_IMM(BPF_REG_0, 1),
3461 BPF_EXIT_INSN(),
3462 },
3463 .result = ACCEPT,
3464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3465 },
3466 {
3467 "direct packet access: test28 (marking on <=, bad access)",
3468 .insns = {
3469 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3470 offsetof(struct __sk_buff, data)),
3471 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3472 offsetof(struct __sk_buff, data_end)),
3473 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3475 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3476 BPF_MOV64_IMM(BPF_REG_0, 1),
3477 BPF_EXIT_INSN(),
3478 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3479 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3480 },
3481 .result = REJECT,
3482 .errstr = "invalid access to packet",
3483 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3484 },
1633ac0a
AY		 3485 {
3486 "helper access to packet: test1, valid packet_ptr range",
3487 .insns = {
3488 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3489 offsetof(struct xdp_md, data)),
3490 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3491 offsetof(struct xdp_md, data_end)),
3492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3494 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3495 BPF_LD_MAP_FD(BPF_REG_1, 0),
3496 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3497 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 3498 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3499 BPF_FUNC_map_update_elem),
1633ac0a
AY		 3500 BPF_MOV64_IMM(BPF_REG_0, 0),
3501 BPF_EXIT_INSN(),
3502 },
5aa5bd14 3503 .fixup_map1 = { 5 },
1633ac0a
AY		 3504 .result_unpriv = ACCEPT,
3505 .result = ACCEPT,
3506 .prog_type = BPF_PROG_TYPE_XDP,
3507 },
3508 {
3509 "helper access to packet: test2, unchecked packet_ptr",
3510 .insns = {
3511 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3512 offsetof(struct xdp_md, data)),
3513 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3515 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3516 BPF_MOV64_IMM(BPF_REG_0, 0),
3517 BPF_EXIT_INSN(),
3518 },
5aa5bd14 3519 .fixup_map1 = { 1 },
1633ac0a
AY		 3520 .result = REJECT,
3521 .errstr = "invalid access to packet",
3522 .prog_type = BPF_PROG_TYPE_XDP,
3523 },
3524 {
3525 "helper access to packet: test3, variable add",
3526 .insns = {
3527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3528 offsetof(struct xdp_md, data)),
3529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3530 offsetof(struct xdp_md, data_end)),
3531 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3533 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3534 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3535 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3536 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3537 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3539 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3540 BPF_LD_MAP_FD(BPF_REG_1, 0),
3541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 3542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3543 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3544 BPF_MOV64_IMM(BPF_REG_0, 0),
3545 BPF_EXIT_INSN(),
3546 },
5aa5bd14 3547 .fixup_map1 = { 11 },
1633ac0a
AY		 3548 .result = ACCEPT,
3549 .prog_type = BPF_PROG_TYPE_XDP,
3550 },
3551 {
3552 "helper access to packet: test4, packet_ptr with bad range",
3553 .insns = {
3554 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3555 offsetof(struct xdp_md, data)),
3556 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3557 offsetof(struct xdp_md, data_end)),
3558 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3560 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3561 BPF_MOV64_IMM(BPF_REG_0, 0),
3562 BPF_EXIT_INSN(),
3563 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3564 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3565 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3566 BPF_MOV64_IMM(BPF_REG_0, 0),
3567 BPF_EXIT_INSN(),
3568 },
5aa5bd14 3569 .fixup_map1 = { 7 },
1633ac0a
AY		 3570 .result = REJECT,
3571 .errstr = "invalid access to packet",
3572 .prog_type = BPF_PROG_TYPE_XDP,
3573 },
3574 {
3575 "helper access to packet: test5, packet_ptr with too short range",
3576 .insns = {
3577 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3578 offsetof(struct xdp_md, data)),
3579 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3580 offsetof(struct xdp_md, data_end)),
3581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3582 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3584 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3585 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3586 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3587 BPF_FUNC_map_lookup_elem),
1633ac0a
AY		 3588 BPF_MOV64_IMM(BPF_REG_0, 0),
3589 BPF_EXIT_INSN(),
3590 },
5aa5bd14 3591 .fixup_map1 = { 6 },
1633ac0a
AY		 3592 .result = REJECT,
3593 .errstr = "invalid access to packet",
3594 .prog_type = BPF_PROG_TYPE_XDP,
3595 },
7d95b0ab
DB		 3596 {
3597 "helper access to packet: test6, cls valid packet_ptr range",
3598 .insns = {
3599 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3600 offsetof(struct __sk_buff, data)),
3601 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3602 offsetof(struct __sk_buff, data_end)),
3603 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3605 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3606 BPF_LD_MAP_FD(BPF_REG_1, 0),
3607 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3608 BPF_MOV64_IMM(BPF_REG_4, 0),
5aa5bd14
DB		 3609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3610 BPF_FUNC_map_update_elem),
7d95b0ab
DB		 3611 BPF_MOV64_IMM(BPF_REG_0, 0),
3612 BPF_EXIT_INSN(),
3613 },
5aa5bd14 3614 .fixup_map1 = { 5 },
7d95b0ab
DB		 3615 .result = ACCEPT,
3616 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3617 },
3618 {
3619 "helper access to packet: test7, cls unchecked packet_ptr",
3620 .insns = {
3621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3622 offsetof(struct __sk_buff, data)),
3623 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3625 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3626 BPF_MOV64_IMM(BPF_REG_0, 0),
3627 BPF_EXIT_INSN(),
3628 },
5aa5bd14 3629 .fixup_map1 = { 1 },
7d95b0ab
DB		 3630 .result = REJECT,
3631 .errstr = "invalid access to packet",
3632 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3633 },
3634 {
3635 "helper access to packet: test8, cls variable add",
3636 .insns = {
3637 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3638 offsetof(struct __sk_buff, data)),
3639 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3640 offsetof(struct __sk_buff, data_end)),
3641 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3643 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3644 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3645 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3646 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3647 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3649 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3650 BPF_LD_MAP_FD(BPF_REG_1, 0),
3651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
5aa5bd14
DB		 3652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3653 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3654 BPF_MOV64_IMM(BPF_REG_0, 0),
3655 BPF_EXIT_INSN(),
3656 },
5aa5bd14 3657 .fixup_map1 = { 11 },
7d95b0ab
DB		 3658 .result = ACCEPT,
3659 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3660 },
3661 {
3662 "helper access to packet: test9, cls packet_ptr with bad range",
3663 .insns = {
3664 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3665 offsetof(struct __sk_buff, data)),
3666 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3667 offsetof(struct __sk_buff, data_end)),
3668 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3670 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3671 BPF_MOV64_IMM(BPF_REG_0, 0),
3672 BPF_EXIT_INSN(),
3673 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3674 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3675 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3676 BPF_MOV64_IMM(BPF_REG_0, 0),
3677 BPF_EXIT_INSN(),
3678 },
5aa5bd14 3679 .fixup_map1 = { 7 },
7d95b0ab
DB		 3680 .result = REJECT,
3681 .errstr = "invalid access to packet",
3682 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3683 },
3684 {
3685 "helper access to packet: test10, cls packet_ptr with too short range",
3686 .insns = {
3687 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3688 offsetof(struct __sk_buff, data)),
3689 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3690 offsetof(struct __sk_buff, data_end)),
3691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3692 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3694 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3695 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3697 BPF_FUNC_map_lookup_elem),
7d95b0ab
DB		 3698 BPF_MOV64_IMM(BPF_REG_0, 0),
3699 BPF_EXIT_INSN(),
3700 },
5aa5bd14 3701 .fixup_map1 = { 6 },
7d95b0ab
DB		 3702 .result = REJECT,
3703 .errstr = "invalid access to packet",
3704 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3705 },
3706 {
3707 "helper access to packet: test11, cls unsuitable helper 1",
3708 .insns = {
3709 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3710 offsetof(struct __sk_buff, data)),
3711 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3712 offsetof(struct __sk_buff, data_end)),
3713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3714 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3716 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3717 BPF_MOV64_IMM(BPF_REG_2, 0),
3718 BPF_MOV64_IMM(BPF_REG_4, 42),
3719 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3720 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3721 BPF_FUNC_skb_store_bytes),
7d95b0ab
DB		 3722 BPF_MOV64_IMM(BPF_REG_0, 0),
3723 BPF_EXIT_INSN(),
3724 },
3725 .result = REJECT,
3726 .errstr = "helper access to the packet",
3727 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3728 },
3729 {
3730 "helper access to packet: test12, cls unsuitable helper 2",
3731 .insns = {
3732 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3733 offsetof(struct __sk_buff, data)),
3734 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3735 offsetof(struct __sk_buff, data_end)),
3736 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3738 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3739 BPF_MOV64_IMM(BPF_REG_2, 0),
3740 BPF_MOV64_IMM(BPF_REG_4, 4),
5aa5bd14
DB		 3741 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3742 BPF_FUNC_skb_load_bytes),
7d95b0ab
DB		 3743 BPF_MOV64_IMM(BPF_REG_0, 0),
3744 BPF_EXIT_INSN(),
3745 },
3746 .result = REJECT,
3747 .errstr = "helper access to the packet",
3748 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3749 },
3750 {
3751 "helper access to packet: test13, cls helper ok",
3752 .insns = {
3753 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3754 offsetof(struct __sk_buff, data)),
3755 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3756 offsetof(struct __sk_buff, data_end)),
3757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3758 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3760 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3761 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3762 BPF_MOV64_IMM(BPF_REG_2, 4),
3763 BPF_MOV64_IMM(BPF_REG_3, 0),
3764 BPF_MOV64_IMM(BPF_REG_4, 0),
3765 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3766 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3767 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3768 BPF_MOV64_IMM(BPF_REG_0, 0),
3769 BPF_EXIT_INSN(),
3770 },
3771 .result = ACCEPT,
3772 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3773 },
3774 {
f65b1849 3775 "helper access to packet: test14, cls helper ok sub",
7d95b0ab
DB		 3776 .insns = {
3777 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3778 offsetof(struct __sk_buff, data)),
3779 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3780 offsetof(struct __sk_buff, data_end)),
3781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3784 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3785 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3786 BPF_MOV64_IMM(BPF_REG_2, 4),
3787 BPF_MOV64_IMM(BPF_REG_3, 0),
3788 BPF_MOV64_IMM(BPF_REG_4, 0),
3789 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3791 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3792 BPF_MOV64_IMM(BPF_REG_0, 0),
3793 BPF_EXIT_INSN(),
3794 },
f65b1849
EC		 3795 .result = ACCEPT,
3796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3797 },
3798 {
3799 "helper access to packet: test15, cls helper fail sub",
3800 .insns = {
3801 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3802 offsetof(struct __sk_buff, data)),
3803 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3804 offsetof(struct __sk_buff, data_end)),
3805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3806 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3808 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3809 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3810 BPF_MOV64_IMM(BPF_REG_2, 4),
3811 BPF_MOV64_IMM(BPF_REG_3, 0),
3812 BPF_MOV64_IMM(BPF_REG_4, 0),
3813 BPF_MOV64_IMM(BPF_REG_5, 0),
3814 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3815 BPF_FUNC_csum_diff),
3816 BPF_MOV64_IMM(BPF_REG_0, 0),
3817 BPF_EXIT_INSN(),
3818 },
7d95b0ab 3819 .result = REJECT,
f65b1849 3820 .errstr = "invalid access to packet",
7d95b0ab
DB		 3821 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3822 },
3823 {
f65b1849 3824 "helper access to packet: test16, cls helper fail range 1",
7d95b0ab
DB		 3825 .insns = {
3826 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3827 offsetof(struct __sk_buff, data)),
3828 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3829 offsetof(struct __sk_buff, data_end)),
3830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3833 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3834 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3835 BPF_MOV64_IMM(BPF_REG_2, 8),
3836 BPF_MOV64_IMM(BPF_REG_3, 0),
3837 BPF_MOV64_IMM(BPF_REG_4, 0),
3838 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3840 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3841 BPF_MOV64_IMM(BPF_REG_0, 0),
3842 BPF_EXIT_INSN(),
3843 },
3844 .result = REJECT,
3845 .errstr = "invalid access to packet",
3846 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3847 },
3848 {
f65b1849 3849 "helper access to packet: test17, cls helper fail range 2",
7d95b0ab
DB		 3850 .insns = {
3851 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3852 offsetof(struct __sk_buff, data)),
3853 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3854 offsetof(struct __sk_buff, data_end)),
3855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3856 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3858 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3859 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3860 BPF_MOV64_IMM(BPF_REG_2, -9),
3861 BPF_MOV64_IMM(BPF_REG_3, 0),
3862 BPF_MOV64_IMM(BPF_REG_4, 0),
3863 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3864 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3865 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3866 BPF_MOV64_IMM(BPF_REG_0, 0),
3867 BPF_EXIT_INSN(),
3868 },
3869 .result = REJECT,
f65b1849 3870 .errstr = "R2 min value is negative",
7d95b0ab
DB		 3871 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3872 },
3873 {
f65b1849 3874 "helper access to packet: test18, cls helper fail range 3",
7d95b0ab
DB		 3875 .insns = {
3876 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3877 offsetof(struct __sk_buff, data)),
3878 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3879 offsetof(struct __sk_buff, data_end)),
3880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3881 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3883 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3885 BPF_MOV64_IMM(BPF_REG_2, ~0),
3886 BPF_MOV64_IMM(BPF_REG_3, 0),
3887 BPF_MOV64_IMM(BPF_REG_4, 0),
3888 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3890 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3891 BPF_MOV64_IMM(BPF_REG_0, 0),
3892 BPF_EXIT_INSN(),
3893 },
3894 .result = REJECT,
f65b1849 3895 .errstr = "R2 min value is negative",
7d95b0ab
DB		 3896 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3897 },
3898 {
b6ff6391 3899 "helper access to packet: test19, cls helper range zero",
7d95b0ab
DB		 3900 .insns = {
3901 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3902 offsetof(struct __sk_buff, data)),
3903 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3904 offsetof(struct __sk_buff, data_end)),
3905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3908 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3910 BPF_MOV64_IMM(BPF_REG_2, 0),
3911 BPF_MOV64_IMM(BPF_REG_3, 0),
3912 BPF_MOV64_IMM(BPF_REG_4, 0),
3913 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3915 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3916 BPF_MOV64_IMM(BPF_REG_0, 0),
3917 BPF_EXIT_INSN(),
3918 },
b6ff6391 3919 .result = ACCEPT,
7d95b0ab
DB		 3920 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3921 },
3922 {
f65b1849 3923 "helper access to packet: test20, pkt end as input",
7d95b0ab
DB		 3924 .insns = {
3925 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3926 offsetof(struct __sk_buff, data)),
3927 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3928 offsetof(struct __sk_buff, data_end)),
3929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3930 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3932 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3934 BPF_MOV64_IMM(BPF_REG_2, 4),
3935 BPF_MOV64_IMM(BPF_REG_3, 0),
3936 BPF_MOV64_IMM(BPF_REG_4, 0),
3937 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3938 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3939 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3940 BPF_MOV64_IMM(BPF_REG_0, 0),
3941 BPF_EXIT_INSN(),
3942 },
3943 .result = REJECT,
3944 .errstr = "R1 type=pkt_end expected=fp",
3945 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3946 },
3947 {
f65b1849 3948 "helper access to packet: test21, wrong reg",
7d95b0ab
DB		 3949 .insns = {
3950 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3951 offsetof(struct __sk_buff, data)),
3952 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3953 offsetof(struct __sk_buff, data_end)),
3954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3955 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3956 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3957 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3958 BPF_MOV64_IMM(BPF_REG_2, 4),
3959 BPF_MOV64_IMM(BPF_REG_3, 0),
3960 BPF_MOV64_IMM(BPF_REG_4, 0),
3961 BPF_MOV64_IMM(BPF_REG_5, 0),
5aa5bd14
DB		 3962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3963 BPF_FUNC_csum_diff),
7d95b0ab
DB		 3964 BPF_MOV64_IMM(BPF_REG_0, 0),
3965 BPF_EXIT_INSN(),
3966 },
3967 .result = REJECT,
3968 .errstr = "invalid access to packet",
3969 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3970 },
48461135
JB		 3971 {
3972 "valid map access into an array with a constant",
3973 .insns = {
3974 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3977 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3979 BPF_FUNC_map_lookup_elem),
48461135 3980 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5aa5bd14
DB		 3981 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3982 offsetof(struct test_val, foo)),
48461135
JB		 3983 BPF_EXIT_INSN(),
3984 },
5aa5bd14 3985 .fixup_map2 = { 3 },
48461135
JB		 3986 .errstr_unpriv = "R0 leaks addr",
3987 .result_unpriv = REJECT,
3988 .result = ACCEPT,
3989 },
3990 {
3991 "valid map access into an array with a register",
3992 .insns = {
3993 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3996 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 3997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3998 BPF_FUNC_map_lookup_elem),
48461135
JB		 3999 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4000 BPF_MOV64_IMM(BPF_REG_1, 4),
4001 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4002 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4003 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4004 offsetof(struct test_val, foo)),
48461135
JB		 4005 BPF_EXIT_INSN(),
4006 },
5aa5bd14 4007 .fixup_map2 = { 3 },
f65b1849 4008 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 4009 .result_unpriv = REJECT,
4010 .result = ACCEPT,
02ea80b1 4011 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4012 },
4013 {
4014 "valid map access into an array with a variable",
4015 .insns = {
4016 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4017 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4018 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4019 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4021 BPF_FUNC_map_lookup_elem),
48461135
JB		 4022 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4023 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4024 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4025 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4026 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4027 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4028 offsetof(struct test_val, foo)),
48461135
JB		 4029 BPF_EXIT_INSN(),
4030 },
5aa5bd14 4031 .fixup_map2 = { 3 },
f65b1849 4032 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 4033 .result_unpriv = REJECT,
4034 .result = ACCEPT,
02ea80b1 4035 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4036 },
4037 {
4038 "valid map access into an array with a signed variable",
4039 .insns = {
4040 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4041 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4043 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4044 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4045 BPF_FUNC_map_lookup_elem),
48461135
JB		 4046 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4047 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4048 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4049 BPF_MOV32_IMM(BPF_REG_1, 0),
4050 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4051 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4052 BPF_MOV32_IMM(BPF_REG_1, 0),
4053 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4054 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4055 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4056 offsetof(struct test_val, foo)),
48461135
JB		 4057 BPF_EXIT_INSN(),
4058 },
5aa5bd14 4059 .fixup_map2 = { 3 },
f65b1849 4060 .errstr_unpriv = "R0 leaks addr",
48461135
JB		 4061 .result_unpriv = REJECT,
4062 .result = ACCEPT,
02ea80b1 4063 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4064 },
4065 {
4066 "invalid map access into an array with a constant",
4067 .insns = {
4068 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4069 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4071 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4072 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4073 BPF_FUNC_map_lookup_elem),
48461135
JB		 4074 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4075 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4076 offsetof(struct test_val, foo)),
4077 BPF_EXIT_INSN(),
4078 },
5aa5bd14 4079 .fixup_map2 = { 3 },
48461135
JB		 4080 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4081 .result = REJECT,
4082 },
4083 {
4084 "invalid map access into an array with a register",
4085 .insns = {
4086 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4089 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4091 BPF_FUNC_map_lookup_elem),
48461135
JB		 4092 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4093 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4094 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4095 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4096 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4097 offsetof(struct test_val, foo)),
48461135
JB		 4098 BPF_EXIT_INSN(),
4099 },
5aa5bd14 4100 .fixup_map2 = { 3 },
48461135
JB		 4101 .errstr = "R0 min value is outside of the array range",
4102 .result = REJECT,
02ea80b1 4103 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4104 },
4105 {
4106 "invalid map access into an array with a variable",
4107 .insns = {
4108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4111 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4113 BPF_FUNC_map_lookup_elem),
48461135
JB		 4114 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4115 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4116 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4117 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4118 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4119 offsetof(struct test_val, foo)),
48461135
JB		 4120 BPF_EXIT_INSN(),
4121 },
5aa5bd14 4122 .fixup_map2 = { 3 },
f65b1849 4123 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
48461135 4124 .result = REJECT,
02ea80b1 4125 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4126 },
4127 {
4128 "invalid map access into an array with no floor check",
4129 .insns = {
4130 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4131 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4133 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4135 BPF_FUNC_map_lookup_elem),
48461135 4136 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
f65b1849 4137 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
48461135
JB		 4138 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4139 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4140 BPF_MOV32_IMM(BPF_REG_1, 0),
4141 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4142 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4143 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4144 offsetof(struct test_val, foo)),
48461135
JB		 4145 BPF_EXIT_INSN(),
4146 },
5aa5bd14 4147 .fixup_map2 = { 3 },
f65b1849
EC		 4148 .errstr_unpriv = "R0 leaks addr",
4149 .errstr = "R0 unbounded memory access",
5aa5bd14 4150 .result_unpriv = REJECT,
48461135 4151 .result = REJECT,
02ea80b1 4152 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4153 },
4154 {
4155 "invalid map access into an array with a invalid max check",
4156 .insns = {
4157 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4160 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4162 BPF_FUNC_map_lookup_elem),
48461135
JB		 4163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4164 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4165 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4166 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4167 BPF_MOV32_IMM(BPF_REG_1, 0),
4168 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4169 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5aa5bd14
DB		 4170 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4171 offsetof(struct test_val, foo)),
48461135
JB		 4172 BPF_EXIT_INSN(),
4173 },
5aa5bd14 4174 .fixup_map2 = { 3 },
f65b1849 4175 .errstr_unpriv = "R0 leaks addr",
48461135 4176 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
5aa5bd14 4177 .result_unpriv = REJECT,
48461135 4178 .result = REJECT,
02ea80b1 4179 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135
JB		 4180 },
4181 {
4182 "invalid map access into an array with a invalid max check",
4183 .insns = {
4184 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4185 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4187 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4189 BPF_FUNC_map_lookup_elem),
48461135
JB		 4190 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4191 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4192 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4195 BPF_LD_MAP_FD(BPF_REG_1, 0),
5aa5bd14
DB		 4196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4197 BPF_FUNC_map_lookup_elem),
48461135
JB		 4198 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4199 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5aa5bd14
DB		 4200 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4201 offsetof(struct test_val, foo)),
48461135
JB		 4202 BPF_EXIT_INSN(),
4203 },
5aa5bd14 4204 .fixup_map2 = { 3, 11 },
82abbf8d 4205 .errstr = "R0 pointer += pointer",
48461135 4206 .result = REJECT,
02ea80b1 4207 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
48461135 4208 },
57a09bf0
TG		 4209 {
4210 "multiple registers share map_lookup_elem result",
4211 .insns = {
4212 BPF_MOV64_IMM(BPF_REG_1, 10),
4213 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4214 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4216 BPF_LD_MAP_FD(BPF_REG_1, 0),
4217 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4218 BPF_FUNC_map_lookup_elem),
4219 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4221 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4222 BPF_EXIT_INSN(),
4223 },
4224 .fixup_map1 = { 4 },
4225 .result = ACCEPT,
4226 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4227 },
614d0d77
DB		 4228 {
4229 "alu ops on ptr_to_map_value_or_null, 1",
4230 .insns = {
4231 BPF_MOV64_IMM(BPF_REG_1, 10),
4232 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4233 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4235 BPF_LD_MAP_FD(BPF_REG_1, 0),
4236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4237 BPF_FUNC_map_lookup_elem),
4238 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4242 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4243 BPF_EXIT_INSN(),
4244 },
4245 .fixup_map1 = { 4 },
82abbf8d 4246 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
614d0d77
DB		 4247 .result = REJECT,
4248 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4249 },
4250 {
4251 "alu ops on ptr_to_map_value_or_null, 2",
4252 .insns = {
4253 BPF_MOV64_IMM(BPF_REG_1, 10),
4254 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4257 BPF_LD_MAP_FD(BPF_REG_1, 0),
4258 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4259 BPF_FUNC_map_lookup_elem),
4260 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4261 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4263 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4264 BPF_EXIT_INSN(),
4265 },
4266 .fixup_map1 = { 4 },
82abbf8d 4267 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
614d0d77
DB		 4268 .result = REJECT,
4269 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4270 },
4271 {
4272 "alu ops on ptr_to_map_value_or_null, 3",
4273 .insns = {
4274 BPF_MOV64_IMM(BPF_REG_1, 10),
4275 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4276 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4278 BPF_LD_MAP_FD(BPF_REG_1, 0),
4279 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4280 BPF_FUNC_map_lookup_elem),
4281 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4282 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4284 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4285 BPF_EXIT_INSN(),
4286 },
4287 .fixup_map1 = { 4 },
82abbf8d 4288 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
614d0d77
DB		 4289 .result = REJECT,
4290 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4291 },
57a09bf0
TG		 4292 {
4293 "invalid memory access with multiple map_lookup_elem calls",
4294 .insns = {
4295 BPF_MOV64_IMM(BPF_REG_1, 10),
4296 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4297 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4299 BPF_LD_MAP_FD(BPF_REG_1, 0),
4300 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4301 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4303 BPF_FUNC_map_lookup_elem),
4304 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4308 BPF_FUNC_map_lookup_elem),
4309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4310 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4311 BPF_EXIT_INSN(),
4312 },
4313 .fixup_map1 = { 4 },
4314 .result = REJECT,
4315 .errstr = "R4 !read_ok",
4316 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4317 },
4318 {
4319 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4320 .insns = {
4321 BPF_MOV64_IMM(BPF_REG_1, 10),
4322 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4325 BPF_LD_MAP_FD(BPF_REG_1, 0),
4326 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4327 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4329 BPF_FUNC_map_lookup_elem),
4330 BPF_MOV64_IMM(BPF_REG_2, 10),
4331 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4332 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4335 BPF_FUNC_map_lookup_elem),
4336 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4338 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4339 BPF_EXIT_INSN(),
4340 },
4341 .fixup_map1 = { 4 },
4342 .result = ACCEPT,
4343 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4344 },
e9548901
JB		 4345 {
4346 "invalid map access from else condition",
4347 .insns = {
4348 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4351 BPF_LD_MAP_FD(BPF_REG_1, 0),
4352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4353 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4354 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4355 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4357 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4358 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4359 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4360 BPF_EXIT_INSN(),
4361 },
4362 .fixup_map2 = { 3 },
f65b1849 4363 .errstr = "R0 unbounded memory access",
e9548901 4364 .result = REJECT,
f65b1849 4365 .errstr_unpriv = "R0 leaks addr",
e9548901 4366 .result_unpriv = REJECT,
02ea80b1 4367 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
e9548901 4368 },
3c839744
GB		 4369 {
4370 "constant register |= constant should keep constant type",
4371 .insns = {
4372 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4374 BPF_MOV64_IMM(BPF_REG_2, 34),
4375 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4376 BPF_MOV64_IMM(BPF_REG_3, 0),
4377 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4378 BPF_EXIT_INSN(),
4379 },
4380 .result = ACCEPT,
4381 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4382 },
4383 {
4384 "constant register |= constant should not bypass stack boundary checks",
4385 .insns = {
4386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4388 BPF_MOV64_IMM(BPF_REG_2, 34),
4389 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4390 BPF_MOV64_IMM(BPF_REG_3, 0),
4391 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4392 BPF_EXIT_INSN(),
4393 },
4394 .errstr = "invalid stack type R1 off=-48 access_size=58",
4395 .result = REJECT,
4396 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4397 },
4398 {
4399 "constant register |= constant register should keep constant type",
4400 .insns = {
4401 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4403 BPF_MOV64_IMM(BPF_REG_2, 34),
4404 BPF_MOV64_IMM(BPF_REG_4, 13),
4405 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4406 BPF_MOV64_IMM(BPF_REG_3, 0),
4407 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4408 BPF_EXIT_INSN(),
4409 },
4410 .result = ACCEPT,
4411 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4412 },
4413 {
4414 "constant register |= constant register should not bypass stack boundary checks",
4415 .insns = {
4416 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4418 BPF_MOV64_IMM(BPF_REG_2, 34),
4419 BPF_MOV64_IMM(BPF_REG_4, 24),
4420 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4421 BPF_MOV64_IMM(BPF_REG_3, 0),
4422 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4423 BPF_EXIT_INSN(),
4424 },
4425 .errstr = "invalid stack type R1 off=-48 access_size=58",
4426 .result = REJECT,
4427 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4428 },
3f731d89
TG		 4429 {
4430 "invalid direct packet write for LWT_IN",
4431 .insns = {
4432 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4433 offsetof(struct __sk_buff, data)),
4434 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4435 offsetof(struct __sk_buff, data_end)),
4436 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4438 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4439 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4440 BPF_MOV64_IMM(BPF_REG_0, 0),
4441 BPF_EXIT_INSN(),
4442 },
4443 .errstr = "cannot write into packet",
4444 .result = REJECT,
4445 .prog_type = BPF_PROG_TYPE_LWT_IN,
4446 },
4447 {
4448 "invalid direct packet write for LWT_OUT",
4449 .insns = {
4450 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4451 offsetof(struct __sk_buff, data)),
4452 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4453 offsetof(struct __sk_buff, data_end)),
4454 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4456 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4457 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4458 BPF_MOV64_IMM(BPF_REG_0, 0),
4459 BPF_EXIT_INSN(),
4460 },
4461 .errstr = "cannot write into packet",
4462 .result = REJECT,
4463 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4464 },
4465 {
4466 "direct packet write for LWT_XMIT",
4467 .insns = {
4468 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4469 offsetof(struct __sk_buff, data)),
4470 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4471 offsetof(struct __sk_buff, data_end)),
4472 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4474 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4475 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4476 BPF_MOV64_IMM(BPF_REG_0, 0),
4477 BPF_EXIT_INSN(),
4478 },
4479 .result = ACCEPT,
4480 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4481 },
4482 {
4483 "direct packet read for LWT_IN",
4484 .insns = {
4485 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4486 offsetof(struct __sk_buff, data)),
4487 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4488 offsetof(struct __sk_buff, data_end)),
4489 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4491 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4492 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4493 BPF_MOV64_IMM(BPF_REG_0, 0),
4494 BPF_EXIT_INSN(),
4495 },
4496 .result = ACCEPT,
4497 .prog_type = BPF_PROG_TYPE_LWT_IN,
4498 },
4499 {
4500 "direct packet read for LWT_OUT",
4501 .insns = {
4502 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4503 offsetof(struct __sk_buff, data)),
4504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4505 offsetof(struct __sk_buff, data_end)),
4506 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4508 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4509 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4510 BPF_MOV64_IMM(BPF_REG_0, 0),
4511 BPF_EXIT_INSN(),
4512 },
4513 .result = ACCEPT,
4514 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4515 },
4516 {
4517 "direct packet read for LWT_XMIT",
4518 .insns = {
4519 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4520 offsetof(struct __sk_buff, data)),
4521 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4522 offsetof(struct __sk_buff, data_end)),
4523 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4525 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4526 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4527 BPF_MOV64_IMM(BPF_REG_0, 0),
4528 BPF_EXIT_INSN(),
4529 },
4530 .result = ACCEPT,
4531 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4532 },
b1977682
AS		 4533 {
4534 "overlapping checks for direct packet access",
4535 .insns = {
4536 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4537 offsetof(struct __sk_buff, data)),
4538 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4539 offsetof(struct __sk_buff, data_end)),
4540 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4542 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4543 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4545 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4546 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4547 BPF_MOV64_IMM(BPF_REG_0, 0),
4548 BPF_EXIT_INSN(),
3f731d89
TG		 4549 },
4550 .result = ACCEPT,
4551 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4552 },
4553 {
4554 "invalid access of tc_classid for LWT_IN",
4555 .insns = {
4556 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4557 offsetof(struct __sk_buff, tc_classid)),
4558 BPF_EXIT_INSN(),
4559 },
4560 .result = REJECT,
4561 .errstr = "invalid bpf_context access",
4562 },
4563 {
4564 "invalid access of tc_classid for LWT_OUT",
4565 .insns = {
4566 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4567 offsetof(struct __sk_buff, tc_classid)),
4568 BPF_EXIT_INSN(),
4569 },
4570 .result = REJECT,
4571 .errstr = "invalid bpf_context access",
4572 },
4573 {
4574 "invalid access of tc_classid for LWT_XMIT",
4575 .insns = {
4576 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4577 offsetof(struct __sk_buff, tc_classid)),
4578 BPF_EXIT_INSN(),
4579 },
4580 .result = REJECT,
4581 .errstr = "invalid bpf_context access",
4582 },
6bdf6abc
DB		 4583 {
4584 "leak pointer into ctx 1",
4585 .insns = {
4586 BPF_MOV64_IMM(BPF_REG_0, 0),
4587 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4588 offsetof(struct __sk_buff, cb[0])),
4589 BPF_LD_MAP_FD(BPF_REG_2, 0),
4590 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4591 offsetof(struct __sk_buff, cb[0])),
4592 BPF_EXIT_INSN(),
4593 },
4594 .fixup_map1 = { 2 },
4595 .errstr_unpriv = "R2 leaks addr into mem",
4596 .result_unpriv = REJECT,
f37a8cb8
DB		 4597 .result = REJECT,
4598 .errstr = "BPF_XADD stores into R1 context is not allowed",
6bdf6abc
DB		 4599 },
4600 {
4601 "leak pointer into ctx 2",
4602 .insns = {
4603 BPF_MOV64_IMM(BPF_REG_0, 0),
4604 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4605 offsetof(struct __sk_buff, cb[0])),
4606 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4607 offsetof(struct __sk_buff, cb[0])),
4608 BPF_EXIT_INSN(),
4609 },
4610 .errstr_unpriv = "R10 leaks addr into mem",
4611 .result_unpriv = REJECT,
f37a8cb8
DB		 4612 .result = REJECT,
4613 .errstr = "BPF_XADD stores into R1 context is not allowed",
6bdf6abc
DB		 4614 },
4615 {
4616 "leak pointer into ctx 3",
4617 .insns = {
4618 BPF_MOV64_IMM(BPF_REG_0, 0),
4619 BPF_LD_MAP_FD(BPF_REG_2, 0),
4620 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4621 offsetof(struct __sk_buff, cb[0])),
4622 BPF_EXIT_INSN(),
4623 },
4624 .fixup_map1 = { 1 },
4625 .errstr_unpriv = "R2 leaks addr into ctx",
4626 .result_unpriv = REJECT,
4627 .result = ACCEPT,
4628 },
4629 {
4630 "leak pointer into map val",
4631 .insns = {
4632 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4633 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4636 BPF_LD_MAP_FD(BPF_REG_1, 0),
4637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4638 BPF_FUNC_map_lookup_elem),
4639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4640 BPF_MOV64_IMM(BPF_REG_3, 0),
4641 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4642 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4643 BPF_MOV64_IMM(BPF_REG_0, 0),
4644 BPF_EXIT_INSN(),
4645 },
4646 .fixup_map1 = { 4 },
4647 .errstr_unpriv = "R6 leaks addr into mem",
4648 .result_unpriv = REJECT,
4649 .result = ACCEPT,
4650 },
5722569b
GB		 4651 {
4652 "helper access to map: full range",
4653 .insns = {
4654 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4656 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4657 BPF_LD_MAP_FD(BPF_REG_1, 0),
4658 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4659 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4660 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4661 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4662 BPF_MOV64_IMM(BPF_REG_3, 0),
4663 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4664 BPF_EXIT_INSN(),
4665 },
4666 .fixup_map2 = { 3 },
4667 .result = ACCEPT,
4668 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4669 },
4670 {
4671 "helper access to map: partial range",
4672 .insns = {
4673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4675 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4676 BPF_LD_MAP_FD(BPF_REG_1, 0),
4677 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4680 BPF_MOV64_IMM(BPF_REG_2, 8),
4681 BPF_MOV64_IMM(BPF_REG_3, 0),
4682 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4683 BPF_EXIT_INSN(),
4684 },
4685 .fixup_map2 = { 3 },
4686 .result = ACCEPT,
4687 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4688 },
4689 {
4690 "helper access to map: empty range",
4691 .insns = {
4692 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4694 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4695 BPF_LD_MAP_FD(BPF_REG_1, 0),
4696 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3
YS		 4697 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4698 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4699 BPF_MOV64_IMM(BPF_REG_2, 0),
4700 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 4701 BPF_EXIT_INSN(),
4702 },
4703 .fixup_map2 = { 3 },
4704 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4705 .result = REJECT,
4706 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4707 },
4708 {
4709 "helper access to map: out-of-bound range",
4710 .insns = {
4711 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4713 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4714 BPF_LD_MAP_FD(BPF_REG_1, 0),
4715 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4718 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4719 BPF_MOV64_IMM(BPF_REG_3, 0),
4720 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4721 BPF_EXIT_INSN(),
4722 },
4723 .fixup_map2 = { 3 },
4724 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4725 .result = REJECT,
4726 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4727 },
4728 {
4729 "helper access to map: negative range",
4730 .insns = {
4731 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4733 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4734 BPF_LD_MAP_FD(BPF_REG_1, 0),
4735 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4737 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4738 BPF_MOV64_IMM(BPF_REG_2, -8),
4739 BPF_MOV64_IMM(BPF_REG_3, 0),
4740 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4741 BPF_EXIT_INSN(),
4742 },
4743 .fixup_map2 = { 3 },
f65b1849 4744 .errstr = "R2 min value is negative",
5722569b
GB		 4745 .result = REJECT,
4746 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4747 },
4748 {
4749 "helper access to adjusted map (via const imm): full range",
4750 .insns = {
4751 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4753 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4754 BPF_LD_MAP_FD(BPF_REG_1, 0),
4755 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4757 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4759 offsetof(struct test_val, foo)),
4760 BPF_MOV64_IMM(BPF_REG_2,
4761 sizeof(struct test_val) -
4762 offsetof(struct test_val, foo)),
4763 BPF_MOV64_IMM(BPF_REG_3, 0),
4764 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4765 BPF_EXIT_INSN(),
4766 },
4767 .fixup_map2 = { 3 },
4768 .result = ACCEPT,
4769 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4770 },
4771 {
4772 "helper access to adjusted map (via const imm): partial range",
4773 .insns = {
4774 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4776 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4777 BPF_LD_MAP_FD(BPF_REG_1, 0),
4778 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4780 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4782 offsetof(struct test_val, foo)),
4783 BPF_MOV64_IMM(BPF_REG_2, 8),
4784 BPF_MOV64_IMM(BPF_REG_3, 0),
4785 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4786 BPF_EXIT_INSN(),
4787 },
4788 .fixup_map2 = { 3 },
4789 .result = ACCEPT,
4790 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4791 },
4792 {
4793 "helper access to adjusted map (via const imm): empty range",
4794 .insns = {
4795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4797 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4798 BPF_LD_MAP_FD(BPF_REG_1, 0),
4799 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 4800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5722569b
GB		 4801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4803 offsetof(struct test_val, foo)),
f1a8b8e3
YS		 4804 BPF_MOV64_IMM(BPF_REG_2, 0),
4805 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 4806 BPF_EXIT_INSN(),
4807 },
4808 .fixup_map2 = { 3 },
f65b1849 4809 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5722569b
GB		 4810 .result = REJECT,
4811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4812 },
4813 {
4814 "helper access to adjusted map (via const imm): out-of-bound range",
4815 .insns = {
4816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4818 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4819 BPF_LD_MAP_FD(BPF_REG_1, 0),
4820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4824 offsetof(struct test_val, foo)),
4825 BPF_MOV64_IMM(BPF_REG_2,
4826 sizeof(struct test_val) -
4827 offsetof(struct test_val, foo) + 8),
4828 BPF_MOV64_IMM(BPF_REG_3, 0),
4829 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4830 BPF_EXIT_INSN(),
4831 },
4832 .fixup_map2 = { 3 },
4833 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4834 .result = REJECT,
4835 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4836 },
4837 {
4838 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4839 .insns = {
4840 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4842 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4843 BPF_LD_MAP_FD(BPF_REG_1, 0),
4844 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4845 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4848 offsetof(struct test_val, foo)),
4849 BPF_MOV64_IMM(BPF_REG_2, -8),
4850 BPF_MOV64_IMM(BPF_REG_3, 0),
4851 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4852 BPF_EXIT_INSN(),
4853 },
4854 .fixup_map2 = { 3 },
f65b1849 4855 .errstr = "R2 min value is negative",
5722569b
GB		 4856 .result = REJECT,
4857 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4858 },
4859 {
4860 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4861 .insns = {
4862 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4863 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4864 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4865 BPF_LD_MAP_FD(BPF_REG_1, 0),
4866 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4867 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4870 offsetof(struct test_val, foo)),
4871 BPF_MOV64_IMM(BPF_REG_2, -1),
4872 BPF_MOV64_IMM(BPF_REG_3, 0),
4873 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4874 BPF_EXIT_INSN(),
4875 },
4876 .fixup_map2 = { 3 },
f65b1849 4877 .errstr = "R2 min value is negative",
5722569b
GB		 4878 .result = REJECT,
4879 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4880 },
4881 {
4882 "helper access to adjusted map (via const reg): full range",
4883 .insns = {
4884 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4886 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4887 BPF_LD_MAP_FD(BPF_REG_1, 0),
4888 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4889 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4891 BPF_MOV64_IMM(BPF_REG_3,
4892 offsetof(struct test_val, foo)),
4893 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4894 BPF_MOV64_IMM(BPF_REG_2,
4895 sizeof(struct test_val) -
4896 offsetof(struct test_val, foo)),
4897 BPF_MOV64_IMM(BPF_REG_3, 0),
4898 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4899 BPF_EXIT_INSN(),
4900 },
4901 .fixup_map2 = { 3 },
4902 .result = ACCEPT,
4903 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4904 },
4905 {
4906 "helper access to adjusted map (via const reg): partial range",
4907 .insns = {
4908 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4910 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4911 BPF_LD_MAP_FD(BPF_REG_1, 0),
4912 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4913 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4914 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4915 BPF_MOV64_IMM(BPF_REG_3,
4916 offsetof(struct test_val, foo)),
4917 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4918 BPF_MOV64_IMM(BPF_REG_2, 8),
4919 BPF_MOV64_IMM(BPF_REG_3, 0),
4920 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4921 BPF_EXIT_INSN(),
4922 },
4923 .fixup_map2 = { 3 },
4924 .result = ACCEPT,
4925 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4926 },
4927 {
4928 "helper access to adjusted map (via const reg): empty range",
4929 .insns = {
4930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4932 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4933 BPF_LD_MAP_FD(BPF_REG_1, 0),
4934 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 4935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5722569b
GB		 4936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4937 BPF_MOV64_IMM(BPF_REG_3, 0),
4938 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f1a8b8e3
YS		 4939 BPF_MOV64_IMM(BPF_REG_2, 0),
4940 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 4941 BPF_EXIT_INSN(),
4942 },
4943 .fixup_map2 = { 3 },
f1a8b8e3 4944 .errstr = "R1 min value is outside of the array range",
5722569b
GB		 4945 .result = REJECT,
4946 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4947 },
4948 {
4949 "helper access to adjusted map (via const reg): out-of-bound range",
4950 .insns = {
4951 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4953 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4954 BPF_LD_MAP_FD(BPF_REG_1, 0),
4955 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4956 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4958 BPF_MOV64_IMM(BPF_REG_3,
4959 offsetof(struct test_val, foo)),
4960 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4961 BPF_MOV64_IMM(BPF_REG_2,
4962 sizeof(struct test_val) -
4963 offsetof(struct test_val, foo) + 8),
4964 BPF_MOV64_IMM(BPF_REG_3, 0),
4965 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4966 BPF_EXIT_INSN(),
4967 },
4968 .fixup_map2 = { 3 },
4969 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4970 .result = REJECT,
4971 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4972 },
4973 {
4974 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4975 .insns = {
4976 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4978 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4979 BPF_LD_MAP_FD(BPF_REG_1, 0),
4980 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4981 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4982 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4983 BPF_MOV64_IMM(BPF_REG_3,
4984 offsetof(struct test_val, foo)),
4985 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4986 BPF_MOV64_IMM(BPF_REG_2, -8),
4987 BPF_MOV64_IMM(BPF_REG_3, 0),
4988 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4989 BPF_EXIT_INSN(),
4990 },
4991 .fixup_map2 = { 3 },
f65b1849 4992 .errstr = "R2 min value is negative",
5722569b
GB		 4993 .result = REJECT,
4994 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4995 },
4996 {
4997 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4998 .insns = {
4999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5001 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5002 BPF_LD_MAP_FD(BPF_REG_1, 0),
5003 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5005 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5006 BPF_MOV64_IMM(BPF_REG_3,
5007 offsetof(struct test_val, foo)),
5008 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5009 BPF_MOV64_IMM(BPF_REG_2, -1),
5010 BPF_MOV64_IMM(BPF_REG_3, 0),
5011 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5012 BPF_EXIT_INSN(),
5013 },
5014 .fixup_map2 = { 3 },
f65b1849 5015 .errstr = "R2 min value is negative",
5722569b
GB		 5016 .result = REJECT,
5017 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5018 },
5019 {
5020 "helper access to adjusted map (via variable): full range",
5021 .insns = {
5022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5024 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5025 BPF_LD_MAP_FD(BPF_REG_1, 0),
5026 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5027 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5028 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5029 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5030 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5031 offsetof(struct test_val, foo), 4),
5032 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5033 BPF_MOV64_IMM(BPF_REG_2,
5034 sizeof(struct test_val) -
5035 offsetof(struct test_val, foo)),
5036 BPF_MOV64_IMM(BPF_REG_3, 0),
5037 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5038 BPF_EXIT_INSN(),
5039 },
5040 .fixup_map2 = { 3 },
5041 .result = ACCEPT,
5042 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5043 },
5044 {
5045 "helper access to adjusted map (via variable): partial range",
5046 .insns = {
5047 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5049 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5050 BPF_LD_MAP_FD(BPF_REG_1, 0),
5051 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5052 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5053 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5054 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5055 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5056 offsetof(struct test_val, foo), 4),
5057 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5058 BPF_MOV64_IMM(BPF_REG_2, 8),
5059 BPF_MOV64_IMM(BPF_REG_3, 0),
5060 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5061 BPF_EXIT_INSN(),
5062 },
5063 .fixup_map2 = { 3 },
5064 .result = ACCEPT,
5065 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5066 },
5067 {
5068 "helper access to adjusted map (via variable): empty range",
5069 .insns = {
5070 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5072 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5073 BPF_LD_MAP_FD(BPF_REG_1, 0),
5074 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
f1a8b8e3 5075 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5722569b
GB		 5076 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5077 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5078 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
f1a8b8e3 5079 offsetof(struct test_val, foo), 3),
5722569b 5080 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f1a8b8e3
YS		 5081 BPF_MOV64_IMM(BPF_REG_2, 0),
5082 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5722569b
GB		 5083 BPF_EXIT_INSN(),
5084 },
5085 .fixup_map2 = { 3 },
f1a8b8e3 5086 .errstr = "R1 min value is outside of the array range",
5722569b
GB		 5087 .result = REJECT,
5088 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5089 },
5090 {
5091 "helper access to adjusted map (via variable): no max check",
5092 .insns = {
5093 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5095 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5096 BPF_LD_MAP_FD(BPF_REG_1, 0),
5097 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5098 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5099 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5100 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5101 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
f65b1849 5102 BPF_MOV64_IMM(BPF_REG_2, 1),
5722569b
GB		 5103 BPF_MOV64_IMM(BPF_REG_3, 0),
5104 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5105 BPF_EXIT_INSN(),
5106 },
5107 .fixup_map2 = { 3 },
f65b1849 5108 .errstr = "R1 unbounded memory access",
5722569b
GB		 5109 .result = REJECT,
5110 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5111 },
5112 {
5113 "helper access to adjusted map (via variable): wrong max check",
5114 .insns = {
5115 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5117 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5118 BPF_LD_MAP_FD(BPF_REG_1, 0),
5119 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5120 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5122 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5123 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5124 offsetof(struct test_val, foo), 4),
5125 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5126 BPF_MOV64_IMM(BPF_REG_2,
5127 sizeof(struct test_val) -
5128 offsetof(struct test_val, foo) + 1),
5129 BPF_MOV64_IMM(BPF_REG_3, 0),
5130 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5131 BPF_EXIT_INSN(),
5132 },
5133 .fixup_map2 = { 3 },
5134 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5135 .result = REJECT,
5136 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5137 },
31e482bf
DB		 5138 {
5139 "helper access to map: bounds check using <, good access",
5140 .insns = {
5141 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5143 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5144 BPF_LD_MAP_FD(BPF_REG_1, 0),
5145 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5146 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5148 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5149 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5150 BPF_MOV64_IMM(BPF_REG_0, 0),
5151 BPF_EXIT_INSN(),
5152 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5153 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5154 BPF_MOV64_IMM(BPF_REG_0, 0),
5155 BPF_EXIT_INSN(),
5156 },
5157 .fixup_map2 = { 3 },
5158 .result = ACCEPT,
5159 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5160 },
5161 {
5162 "helper access to map: bounds check using <, bad access",
5163 .insns = {
5164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5166 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5167 BPF_LD_MAP_FD(BPF_REG_1, 0),
5168 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5171 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5172 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5173 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5174 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5175 BPF_MOV64_IMM(BPF_REG_0, 0),
5176 BPF_EXIT_INSN(),
5177 BPF_MOV64_IMM(BPF_REG_0, 0),
5178 BPF_EXIT_INSN(),
5179 },
5180 .fixup_map2 = { 3 },
5181 .result = REJECT,
5182 .errstr = "R1 unbounded memory access",
5183 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5184 },
5185 {
5186 "helper access to map: bounds check using <=, good access",
5187 .insns = {
5188 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5190 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5191 BPF_LD_MAP_FD(BPF_REG_1, 0),
5192 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5193 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5194 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5195 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5196 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5197 BPF_MOV64_IMM(BPF_REG_0, 0),
5198 BPF_EXIT_INSN(),
5199 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5200 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5201 BPF_MOV64_IMM(BPF_REG_0, 0),
5202 BPF_EXIT_INSN(),
5203 },
5204 .fixup_map2 = { 3 },
5205 .result = ACCEPT,
5206 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5207 },
5208 {
5209 "helper access to map: bounds check using <=, bad access",
5210 .insns = {
5211 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5213 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5214 BPF_LD_MAP_FD(BPF_REG_1, 0),
5215 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5216 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5217 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5218 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5219 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5220 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5221 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5222 BPF_MOV64_IMM(BPF_REG_0, 0),
5223 BPF_EXIT_INSN(),
5224 BPF_MOV64_IMM(BPF_REG_0, 0),
5225 BPF_EXIT_INSN(),
5226 },
5227 .fixup_map2 = { 3 },
5228 .result = REJECT,
5229 .errstr = "R1 unbounded memory access",
5230 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5231 },
5232 {
5233 "helper access to map: bounds check using s<, good access",
5234 .insns = {
5235 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5237 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5238 BPF_LD_MAP_FD(BPF_REG_1, 0),
5239 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5241 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5242 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5243 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5244 BPF_MOV64_IMM(BPF_REG_0, 0),
5245 BPF_EXIT_INSN(),
5246 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5247 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5248 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5249 BPF_MOV64_IMM(BPF_REG_0, 0),
5250 BPF_EXIT_INSN(),
5251 },
5252 .fixup_map2 = { 3 },
5253 .result = ACCEPT,
5254 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5255 },
5256 {
5257 "helper access to map: bounds check using s<, good access 2",
5258 .insns = {
5259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5261 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5262 BPF_LD_MAP_FD(BPF_REG_1, 0),
5263 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5266 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5267 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5268 BPF_MOV64_IMM(BPF_REG_0, 0),
5269 BPF_EXIT_INSN(),
5270 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5271 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5272 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5273 BPF_MOV64_IMM(BPF_REG_0, 0),
5274 BPF_EXIT_INSN(),
5275 },
5276 .fixup_map2 = { 3 },
5277 .result = ACCEPT,
5278 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5279 },
5280 {
5281 "helper access to map: bounds check using s<, bad access",
5282 .insns = {
5283 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5285 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5286 BPF_LD_MAP_FD(BPF_REG_1, 0),
5287 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5288 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5290 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5291 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5292 BPF_MOV64_IMM(BPF_REG_0, 0),
5293 BPF_EXIT_INSN(),
5294 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5295 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5296 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5297 BPF_MOV64_IMM(BPF_REG_0, 0),
5298 BPF_EXIT_INSN(),
5299 },
5300 .fixup_map2 = { 3 },
5301 .result = REJECT,
5302 .errstr = "R1 min value is negative",
5303 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5304 },
5305 {
5306 "helper access to map: bounds check using s<=, good access",
5307 .insns = {
5308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5310 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5311 BPF_LD_MAP_FD(BPF_REG_1, 0),
5312 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5313 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5314 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5315 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5316 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5317 BPF_MOV64_IMM(BPF_REG_0, 0),
5318 BPF_EXIT_INSN(),
5319 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5320 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5321 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5322 BPF_MOV64_IMM(BPF_REG_0, 0),
5323 BPF_EXIT_INSN(),
5324 },
5325 .fixup_map2 = { 3 },
5326 .result = ACCEPT,
5327 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5328 },
5329 {
5330 "helper access to map: bounds check using s<=, good access 2",
5331 .insns = {
5332 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5334 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5335 BPF_LD_MAP_FD(BPF_REG_1, 0),
5336 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5339 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5340 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5341 BPF_MOV64_IMM(BPF_REG_0, 0),
5342 BPF_EXIT_INSN(),
5343 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5344 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5345 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5346 BPF_MOV64_IMM(BPF_REG_0, 0),
5347 BPF_EXIT_INSN(),
5348 },
5349 .fixup_map2 = { 3 },
5350 .result = ACCEPT,
5351 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5352 },
5353 {
5354 "helper access to map: bounds check using s<=, bad access",
5355 .insns = {
5356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5358 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5359 BPF_LD_MAP_FD(BPF_REG_1, 0),
5360 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5361 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5363 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5364 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5365 BPF_MOV64_IMM(BPF_REG_0, 0),
5366 BPF_EXIT_INSN(),
5367 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5368 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5369 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5370 BPF_MOV64_IMM(BPF_REG_0, 0),
5371 BPF_EXIT_INSN(),
5372 },
5373 .fixup_map2 = { 3 },
5374 .result = REJECT,
5375 .errstr = "R1 min value is negative",
5376 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5377 },
f0318d01
GB		 5378 {
5379 "map element value is preserved across register spilling",
5380 .insns = {
5381 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5383 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5384 BPF_LD_MAP_FD(BPF_REG_1, 0),
5385 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5386 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5387 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5388 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5390 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5391 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5392 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5393 BPF_EXIT_INSN(),
5394 },
5395 .fixup_map2 = { 3 },
5396 .errstr_unpriv = "R0 leaks addr",
5397 .result = ACCEPT,
5398 .result_unpriv = REJECT,
5399 },
5400 {
02ea80b1
DB		 5401 "map element value or null is marked on register spilling",
5402 .insns = {
5403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5405 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5406 BPF_LD_MAP_FD(BPF_REG_1, 0),
5407 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5410 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5411 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5412 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5413 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5414 BPF_EXIT_INSN(),
5415 },
5416 .fixup_map2 = { 3 },
5417 .errstr_unpriv = "R0 leaks addr",
5418 .result = ACCEPT,
5419 .result_unpriv = REJECT,
5420 },
5421 {
5422 "map element value store of cleared call register",
5423 .insns = {
5424 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5426 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5427 BPF_LD_MAP_FD(BPF_REG_1, 0),
5428 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5429 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5430 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5431 BPF_EXIT_INSN(),
5432 },
5433 .fixup_map2 = { 3 },
5434 .errstr_unpriv = "R1 !read_ok",
5435 .errstr = "R1 !read_ok",
5436 .result = REJECT,
5437 .result_unpriv = REJECT,
5438 },
5439 {
5440 "map element value with unaligned store",
5441 .insns = {
5442 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5444 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5445 BPF_LD_MAP_FD(BPF_REG_1, 0),
5446 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5447 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5449 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5450 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5451 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5452 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5453 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5454 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5455 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5457 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5458 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5459 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5460 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5462 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5463 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5464 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5465 BPF_EXIT_INSN(),
5466 },
5467 .fixup_map2 = { 3 },
f65b1849 5468 .errstr_unpriv = "R0 leaks addr",
02ea80b1
DB		 5469 .result = ACCEPT,
5470 .result_unpriv = REJECT,
5471 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5472 },
5473 {
5474 "map element value with unaligned load",
5475 .insns = {
5476 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5478 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5479 BPF_LD_MAP_FD(BPF_REG_1, 0),
5480 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5481 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5482 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5483 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5485 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5486 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5487 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5488 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5489 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5491 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5492 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5493 BPF_EXIT_INSN(),
5494 },
5495 .fixup_map2 = { 3 },
f65b1849 5496 .errstr_unpriv = "R0 leaks addr",
02ea80b1
DB		 5497 .result = ACCEPT,
5498 .result_unpriv = REJECT,
5499 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5500 },
5501 {
5502 "map element value illegal alu op, 1",
5503 .insns = {
5504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5506 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5507 BPF_LD_MAP_FD(BPF_REG_1, 0),
5508 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5510 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5511 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5512 BPF_EXIT_INSN(),
5513 },
5514 .fixup_map2 = { 3 },
82abbf8d 5515 .errstr = "R0 bitwise operator &= on pointer",
02ea80b1 5516 .result = REJECT,
02ea80b1
DB		 5517 },
5518 {
5519 "map element value illegal alu op, 2",
5520 .insns = {
5521 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5523 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5524 BPF_LD_MAP_FD(BPF_REG_1, 0),
5525 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5526 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5527 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5528 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5529 BPF_EXIT_INSN(),
5530 },
5531 .fixup_map2 = { 3 },
82abbf8d 5532 .errstr = "R0 32-bit pointer arithmetic prohibited",
02ea80b1 5533 .result = REJECT,
02ea80b1
DB		 5534 },
5535 {
5536 "map element value illegal alu op, 3",
5537 .insns = {
5538 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5540 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5541 BPF_LD_MAP_FD(BPF_REG_1, 0),
5542 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5544 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5545 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5546 BPF_EXIT_INSN(),
5547 },
5548 .fixup_map2 = { 3 },
82abbf8d 5549 .errstr = "R0 pointer arithmetic with /= operator",
02ea80b1 5550 .result = REJECT,
02ea80b1
DB		 5551 },
5552 {
5553 "map element value illegal alu op, 4",
5554 .insns = {
5555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5557 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5558 BPF_LD_MAP_FD(BPF_REG_1, 0),
5559 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5561 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5562 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5563 BPF_EXIT_INSN(),
5564 },
5565 .fixup_map2 = { 3 },
5566 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5567 .errstr = "invalid mem access 'inv'",
5568 .result = REJECT,
5569 .result_unpriv = REJECT,
5570 },
5571 {
5572 "map element value illegal alu op, 5",
5573 .insns = {
5574 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5576 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5577 BPF_LD_MAP_FD(BPF_REG_1, 0),
5578 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5580 BPF_MOV64_IMM(BPF_REG_3, 4096),
5581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5583 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5584 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5585 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5586 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5587 BPF_EXIT_INSN(),
5588 },
5589 .fixup_map2 = { 3 },
02ea80b1
DB		 5590 .errstr = "R0 invalid mem access 'inv'",
5591 .result = REJECT,
02ea80b1
DB		 5592 },
5593 {
5594 "map element value is preserved across register spilling",
f0318d01
GB		 5595 .insns = {
5596 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5598 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5599 BPF_LD_MAP_FD(BPF_REG_1, 0),
5600 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5601 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5603 offsetof(struct test_val, foo)),
5604 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5605 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5607 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5608 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5609 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5610 BPF_EXIT_INSN(),
5611 },
5612 .fixup_map2 = { 3 },
f65b1849 5613 .errstr_unpriv = "R0 leaks addr",
f0318d01
GB		 5614 .result = ACCEPT,
5615 .result_unpriv = REJECT,
02ea80b1 5616 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
f0318d01 5617 },
06c1c049
GB		 5618 {
5619 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5620 .insns = {
5621 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5623 BPF_MOV64_IMM(BPF_REG_0, 0),
5624 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5625 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5626 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5627 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5628 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5629 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5630 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5631 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5632 BPF_MOV64_IMM(BPF_REG_2, 16),
5633 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5634 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5635 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5636 BPF_MOV64_IMM(BPF_REG_4, 0),
5637 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5638 BPF_MOV64_IMM(BPF_REG_3, 0),
5639 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5640 BPF_MOV64_IMM(BPF_REG_0, 0),
5641 BPF_EXIT_INSN(),
5642 },
5643 .result = ACCEPT,
5644 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5645 },
5646 {
5647 "helper access to variable memory: stack, bitwise AND, zero included",
5648 .insns = {
5649 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5651 BPF_MOV64_IMM(BPF_REG_2, 16),
5652 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5653 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5654 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5655 BPF_MOV64_IMM(BPF_REG_3, 0),
5656 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5657 BPF_EXIT_INSN(),
5658 },
b6ff6391 5659 .errstr = "invalid indirect read from stack off -64+0 size 64",
06c1c049
GB		 5660 .result = REJECT,
5661 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5662 },
5663 {
5664 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5665 .insns = {
5666 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5668 BPF_MOV64_IMM(BPF_REG_2, 16),
5669 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5670 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5671 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5672 BPF_MOV64_IMM(BPF_REG_4, 0),
5673 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5674 BPF_MOV64_IMM(BPF_REG_3, 0),
5675 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5676 BPF_MOV64_IMM(BPF_REG_0, 0),
5677 BPF_EXIT_INSN(),
5678 },
5679 .errstr = "invalid stack type R1 off=-64 access_size=65",
5680 .result = REJECT,
5681 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5682 },
5683 {
5684 "helper access to variable memory: stack, JMP, correct bounds",
5685 .insns = {
5686 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5688 BPF_MOV64_IMM(BPF_REG_0, 0),
5689 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5690 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5691 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5692 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5693 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5694 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5695 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5696 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5697 BPF_MOV64_IMM(BPF_REG_2, 16),
5698 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5699 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5700 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5701 BPF_MOV64_IMM(BPF_REG_4, 0),
5702 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5703 BPF_MOV64_IMM(BPF_REG_3, 0),
5704 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5705 BPF_MOV64_IMM(BPF_REG_0, 0),
5706 BPF_EXIT_INSN(),
5707 },
5708 .result = ACCEPT,
5709 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5710 },
5711 {
5712 "helper access to variable memory: stack, JMP (signed), correct bounds",
5713 .insns = {
5714 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5716 BPF_MOV64_IMM(BPF_REG_0, 0),
5717 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5718 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5719 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5720 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5721 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5722 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5723 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5724 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5725 BPF_MOV64_IMM(BPF_REG_2, 16),
5726 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5727 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5728 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5729 BPF_MOV64_IMM(BPF_REG_4, 0),
5730 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5731 BPF_MOV64_IMM(BPF_REG_3, 0),
5732 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5733 BPF_MOV64_IMM(BPF_REG_0, 0),
5734 BPF_EXIT_INSN(),
5735 },
5736 .result = ACCEPT,
5737 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5738 },
5739 {
5740 "helper access to variable memory: stack, JMP, bounds + offset",
5741 .insns = {
5742 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5744 BPF_MOV64_IMM(BPF_REG_2, 16),
5745 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5746 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5747 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5748 BPF_MOV64_IMM(BPF_REG_4, 0),
5749 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5751 BPF_MOV64_IMM(BPF_REG_3, 0),
5752 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5753 BPF_MOV64_IMM(BPF_REG_0, 0),
5754 BPF_EXIT_INSN(),
5755 },
5756 .errstr = "invalid stack type R1 off=-64 access_size=65",
5757 .result = REJECT,
5758 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5759 },
5760 {
5761 "helper access to variable memory: stack, JMP, wrong max",
5762 .insns = {
5763 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5765 BPF_MOV64_IMM(BPF_REG_2, 16),
5766 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5767 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5768 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5769 BPF_MOV64_IMM(BPF_REG_4, 0),
5770 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5771 BPF_MOV64_IMM(BPF_REG_3, 0),
5772 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5773 BPF_MOV64_IMM(BPF_REG_0, 0),
5774 BPF_EXIT_INSN(),
5775 },
5776 .errstr = "invalid stack type R1 off=-64 access_size=65",
5777 .result = REJECT,
5778 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5779 },
5780 {
5781 "helper access to variable memory: stack, JMP, no max check",
5782 .insns = {
5783 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5785 BPF_MOV64_IMM(BPF_REG_2, 16),
5786 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5787 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5788 BPF_MOV64_IMM(BPF_REG_4, 0),
5789 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5790 BPF_MOV64_IMM(BPF_REG_3, 0),
5791 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5792 BPF_MOV64_IMM(BPF_REG_0, 0),
5793 BPF_EXIT_INSN(),
5794 },
f65b1849
EC		 5795 /* because max wasn't checked, signed min is negative */
5796 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
06c1c049
GB		 5797 .result = REJECT,
5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5799 },
5800 {
5801 "helper access to variable memory: stack, JMP, no min check",
5802 .insns = {
5803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5805 BPF_MOV64_IMM(BPF_REG_2, 16),
5806 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5807 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5808 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5809 BPF_MOV64_IMM(BPF_REG_3, 0),
5810 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5811 BPF_MOV64_IMM(BPF_REG_0, 0),
5812 BPF_EXIT_INSN(),
5813 },
b6ff6391 5814 .errstr = "invalid indirect read from stack off -64+0 size 64",
06c1c049
GB		 5815 .result = REJECT,
5816 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5817 },
5818 {
5819 "helper access to variable memory: stack, JMP (signed), no min check",
5820 .insns = {
5821 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5822 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5823 BPF_MOV64_IMM(BPF_REG_2, 16),
5824 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5825 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5826 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5827 BPF_MOV64_IMM(BPF_REG_3, 0),
5828 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5829 BPF_MOV64_IMM(BPF_REG_0, 0),
5830 BPF_EXIT_INSN(),
5831 },
5832 .errstr = "R2 min value is negative",
5833 .result = REJECT,
5834 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5835 },
5836 {
5837 "helper access to variable memory: map, JMP, correct bounds",
5838 .insns = {
5839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5841 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5842 BPF_LD_MAP_FD(BPF_REG_1, 0),
5843 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5845 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5846 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5847 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5848 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5849 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5850 sizeof(struct test_val), 4),
5851 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5852 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5853 BPF_MOV64_IMM(BPF_REG_3, 0),
5854 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5855 BPF_MOV64_IMM(BPF_REG_0, 0),
5856 BPF_EXIT_INSN(),
5857 },
5858 .fixup_map2 = { 3 },
5859 .result = ACCEPT,
5860 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5861 },
5862 {
5863 "helper access to variable memory: map, JMP, wrong max",
5864 .insns = {
5865 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5867 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5868 BPF_LD_MAP_FD(BPF_REG_1, 0),
5869 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5870 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5872 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5873 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5874 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5875 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5876 sizeof(struct test_val) + 1, 4),
5877 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5878 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5879 BPF_MOV64_IMM(BPF_REG_3, 0),
5880 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5881 BPF_MOV64_IMM(BPF_REG_0, 0),
5882 BPF_EXIT_INSN(),
5883 },
5884 .fixup_map2 = { 3 },
5885 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5886 .result = REJECT,
5887 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5888 },
5889 {
5890 "helper access to variable memory: map adjusted, JMP, correct bounds",
5891 .insns = {
5892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5894 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5895 BPF_LD_MAP_FD(BPF_REG_1, 0),
5896 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5897 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5898 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5900 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5901 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5902 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5903 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5904 sizeof(struct test_val) - 20, 4),
5905 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5906 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5907 BPF_MOV64_IMM(BPF_REG_3, 0),
5908 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5909 BPF_MOV64_IMM(BPF_REG_0, 0),
5910 BPF_EXIT_INSN(),
5911 },
5912 .fixup_map2 = { 3 },
5913 .result = ACCEPT,
5914 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5915 },
5916 {
5917 "helper access to variable memory: map adjusted, JMP, wrong max",
5918 .insns = {
5919 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5921 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5922 BPF_LD_MAP_FD(BPF_REG_1, 0),
5923 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5924 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5925 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5927 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5928 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5929 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5930 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5931 sizeof(struct test_val) - 19, 4),
5932 BPF_MOV64_IMM(BPF_REG_4, 0),
a1502132 5933 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
06c1c049
GB		 5934 BPF_MOV64_IMM(BPF_REG_3, 0),
5935 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5936 BPF_MOV64_IMM(BPF_REG_0, 0),
5937 BPF_EXIT_INSN(),
5938 },
5939 .fixup_map2 = { 3 },
5940 .errstr = "R1 min value is outside of the array range",
5941 .result = REJECT,
5942 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5943 },
f65b1849 5944 {
db1ac496 5945 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
f65b1849
EC		 5946 .insns = {
5947 BPF_MOV64_IMM(BPF_REG_1, 0),
5948 BPF_MOV64_IMM(BPF_REG_2, 0),
5949 BPF_MOV64_IMM(BPF_REG_3, 0),
5950 BPF_MOV64_IMM(BPF_REG_4, 0),
5951 BPF_MOV64_IMM(BPF_REG_5, 0),
5952 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5953 BPF_EXIT_INSN(),
5954 },
5955 .result = ACCEPT,
5956 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5957 },
06c1c049 5958 {
db1ac496 5959 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
06c1c049
GB		 5960 .insns = {
5961 BPF_MOV64_IMM(BPF_REG_1, 0),
5962 BPF_MOV64_IMM(BPF_REG_2, 0),
3fadc801
DB		 5963 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5964 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 5965 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5966 BPF_MOV64_IMM(BPF_REG_3, 0),
5967 BPF_MOV64_IMM(BPF_REG_4, 0),
5968 BPF_MOV64_IMM(BPF_REG_5, 0),
5969 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5970 BPF_EXIT_INSN(),
5971 },
f65b1849 5972 .errstr = "R1 type=inv expected=fp",
06c1c049
GB		 5973 .result = REJECT,
5974 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5975 },
5976 {
db1ac496 5977 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
06c1c049
GB		 5978 .insns = {
5979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5981 BPF_MOV64_IMM(BPF_REG_2, 0),
5982 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5983 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5984 BPF_MOV64_IMM(BPF_REG_3, 0),
5985 BPF_MOV64_IMM(BPF_REG_4, 0),
5986 BPF_MOV64_IMM(BPF_REG_5, 0),
5987 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5988 BPF_EXIT_INSN(),
5989 },
b6ff6391
YS		 5990 .result = ACCEPT,
5991 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5992 },
5993 {
db1ac496 5994 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 5995 .insns = {
5996 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5997 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5999 BPF_LD_MAP_FD(BPF_REG_1, 0),
6000 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6001 BPF_FUNC_map_lookup_elem),
6002 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6003 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6004 BPF_MOV64_IMM(BPF_REG_2, 0),
6005 BPF_MOV64_IMM(BPF_REG_3, 0),
6006 BPF_MOV64_IMM(BPF_REG_4, 0),
6007 BPF_MOV64_IMM(BPF_REG_5, 0),
6008 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6009 BPF_EXIT_INSN(),
6010 },
6011 .fixup_map1 = { 3 },
6012 .result = ACCEPT,
6013 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6014 },
6015 {
db1ac496 6016 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 6017 .insns = {
6018 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6021 BPF_LD_MAP_FD(BPF_REG_1, 0),
6022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6023 BPF_FUNC_map_lookup_elem),
6024 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6025 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6026 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6029 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6030 BPF_MOV64_IMM(BPF_REG_3, 0),
6031 BPF_MOV64_IMM(BPF_REG_4, 0),
6032 BPF_MOV64_IMM(BPF_REG_5, 0),
6033 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6034 BPF_EXIT_INSN(),
6035 },
6036 .fixup_map1 = { 3 },
6037 .result = ACCEPT,
6038 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6039 },
6040 {
db1ac496 6041 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 6042 .insns = {
6043 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6044 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6046 BPF_LD_MAP_FD(BPF_REG_1, 0),
6047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6048 BPF_FUNC_map_lookup_elem),
6049 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6050 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6051 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6052 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6053 BPF_MOV64_IMM(BPF_REG_3, 0),
6054 BPF_MOV64_IMM(BPF_REG_4, 0),
6055 BPF_MOV64_IMM(BPF_REG_5, 0),
6056 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6057 BPF_EXIT_INSN(),
6058 },
6059 .fixup_map1 = { 3 },
6060 .result = ACCEPT,
6061 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6062 },
6063 {
db1ac496 6064 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
b6ff6391
YS		 6065 .insns = {
6066 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6067 offsetof(struct __sk_buff, data)),
6068 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6069 offsetof(struct __sk_buff, data_end)),
6070 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6072 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6073 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6074 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6075 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6076 BPF_MOV64_IMM(BPF_REG_3, 0),
6077 BPF_MOV64_IMM(BPF_REG_4, 0),
6078 BPF_MOV64_IMM(BPF_REG_5, 0),
6079 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6080 BPF_EXIT_INSN(),
6081 },
6082 .result = ACCEPT,
06c1c049
GB		 6083 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6084 },
db1ac496
GB		 6085 {
6086 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6087 .insns = {
6088 BPF_MOV64_IMM(BPF_REG_1, 0),
6089 BPF_MOV64_IMM(BPF_REG_2, 0),
6090 BPF_MOV64_IMM(BPF_REG_3, 0),
6091 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6092 BPF_EXIT_INSN(),
6093 },
6094 .errstr = "R1 type=inv expected=fp",
6095 .result = REJECT,
6096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6097 },
6098 {
6099 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6100 .insns = {
6101 BPF_MOV64_IMM(BPF_REG_1, 0),
6102 BPF_MOV64_IMM(BPF_REG_2, 1),
6103 BPF_MOV64_IMM(BPF_REG_3, 0),
6104 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6105 BPF_EXIT_INSN(),
6106 },
6107 .errstr = "R1 type=inv expected=fp",
6108 .result = REJECT,
6109 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6110 },
6111 {
6112 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6113 .insns = {
6114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6116 BPF_MOV64_IMM(BPF_REG_2, 0),
6117 BPF_MOV64_IMM(BPF_REG_3, 0),
6118 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6119 BPF_EXIT_INSN(),
6120 },
6121 .result = ACCEPT,
6122 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6123 },
6124 {
6125 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6126 .insns = {
6127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6130 BPF_LD_MAP_FD(BPF_REG_1, 0),
6131 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6132 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6134 BPF_MOV64_IMM(BPF_REG_2, 0),
6135 BPF_MOV64_IMM(BPF_REG_3, 0),
6136 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6137 BPF_EXIT_INSN(),
6138 },
6139 .fixup_map1 = { 3 },
6140 .result = ACCEPT,
6141 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6142 },
6143 {
6144 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6145 .insns = {
6146 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6147 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6149 BPF_LD_MAP_FD(BPF_REG_1, 0),
6150 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6152 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6153 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6154 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6155 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6156 BPF_MOV64_IMM(BPF_REG_3, 0),
6157 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6158 BPF_EXIT_INSN(),
6159 },
6160 .fixup_map1 = { 3 },
6161 .result = ACCEPT,
6162 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6163 },
6164 {
6165 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6166 .insns = {
6167 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6170 BPF_LD_MAP_FD(BPF_REG_1, 0),
6171 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6174 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6175 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6176 BPF_MOV64_IMM(BPF_REG_3, 0),
6177 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6178 BPF_EXIT_INSN(),
6179 },
6180 .fixup_map1 = { 3 },
6181 .result = ACCEPT,
6182 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6183 },
06c1c049
GB		 6184 {
6185 "helper access to variable memory: 8 bytes leak",
6186 .insns = {
6187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6189 BPF_MOV64_IMM(BPF_REG_0, 0),
6190 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6191 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6192 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6193 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6194 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6195 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6196 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6197 BPF_MOV64_IMM(BPF_REG_2, 0),
3fadc801
DB		 6198 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6199 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
06c1c049
GB		 6200 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6201 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6202 BPF_MOV64_IMM(BPF_REG_3, 0),
6203 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6204 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6205 BPF_EXIT_INSN(),
6206 },
6207 .errstr = "invalid indirect read from stack off -64+32 size 64",
6208 .result = REJECT,
6209 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6210 },
6211 {
6212 "helper access to variable memory: 8 bytes no leak (init memory)",
6213 .insns = {
6214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6215 BPF_MOV64_IMM(BPF_REG_0, 0),
6216 BPF_MOV64_IMM(BPF_REG_0, 0),
6217 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6218 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6219 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6220 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6221 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6222 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6223 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6224 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6226 BPF_MOV64_IMM(BPF_REG_2, 0),
6227 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6229 BPF_MOV64_IMM(BPF_REG_3, 0),
6230 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6231 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6232 BPF_EXIT_INSN(),
6233 },
6234 .result = ACCEPT,
6235 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6236 },
29200c19
JB		 6237 {
6238 "invalid and of negative number",
6239 .insns = {
6240 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6241 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6243 BPF_LD_MAP_FD(BPF_REG_1, 0),
6244 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6245 BPF_FUNC_map_lookup_elem),
6246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
f65b1849 6247 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
29200c19
JB		 6248 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6249 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6250 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6251 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6252 offsetof(struct test_val, foo)),
6253 BPF_EXIT_INSN(),
6254 },
6255 .fixup_map2 = { 3 },
f65b1849 6256 .errstr = "R0 max value is outside of the array range",
29200c19 6257 .result = REJECT,
02ea80b1 6258 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
29200c19
JB		 6259 },
6260 {
6261 "invalid range check",
6262 .insns = {
6263 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6264 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6266 BPF_LD_MAP_FD(BPF_REG_1, 0),
6267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6268 BPF_FUNC_map_lookup_elem),
6269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6270 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6271 BPF_MOV64_IMM(BPF_REG_9, 1),
6272 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6273 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6274 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6275 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6276 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6277 BPF_MOV32_IMM(BPF_REG_3, 1),
6278 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6279 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6280 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6281 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6282 BPF_MOV64_REG(BPF_REG_0, 0),
6283 BPF_EXIT_INSN(),
6284 },
6285 .fixup_map2 = { 3 },
f65b1849 6286 .errstr = "R0 max value is outside of the array range",
29200c19 6287 .result = REJECT,
02ea80b1 6288 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
fb30d4b7
MKL		 6289 },
6290 {
6291 "map in map access",
6292 .insns = {
6293 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6296 BPF_LD_MAP_FD(BPF_REG_1, 0),
6297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6298 BPF_FUNC_map_lookup_elem),
6299 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6300 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6301 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6304 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6305 BPF_FUNC_map_lookup_elem),
37639e9d 6306 BPF_MOV64_IMM(BPF_REG_0, 0),
fb30d4b7
MKL		 6307 BPF_EXIT_INSN(),
6308 },
6309 .fixup_map_in_map = { 3 },
6310 .result = ACCEPT,
6311 },
6312 {
6313 "invalid inner map pointer",
6314 .insns = {
6315 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6316 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6318 BPF_LD_MAP_FD(BPF_REG_1, 0),
6319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6320 BPF_FUNC_map_lookup_elem),
6321 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6322 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6325 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6327 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6328 BPF_FUNC_map_lookup_elem),
37639e9d 6329 BPF_MOV64_IMM(BPF_REG_0, 0),
fb30d4b7
MKL		 6330 BPF_EXIT_INSN(),
6331 },
6332 .fixup_map_in_map = { 3 },
82abbf8d 6333 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
fb30d4b7
MKL		 6334 .result = REJECT,
6335 },
6336 {
6337 "forgot null checking on the inner map pointer",
6338 .insns = {
6339 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6342 BPF_LD_MAP_FD(BPF_REG_1, 0),
6343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6344 BPF_FUNC_map_lookup_elem),
6345 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6346 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6348 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6349 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6350 BPF_FUNC_map_lookup_elem),
37639e9d 6351 BPF_MOV64_IMM(BPF_REG_0, 0),
fb30d4b7
MKL		 6352 BPF_EXIT_INSN(),
6353 },
6354 .fixup_map_in_map = { 3 },
6355 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6356 .result = REJECT,
614d0d77
DB		 6357 },
6358 {
6359 "ld_abs: check calling conv, r1",
6360 .insns = {
6361 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6362 BPF_MOV64_IMM(BPF_REG_1, 0),
6363 BPF_LD_ABS(BPF_W, -0x200000),
6364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6365 BPF_EXIT_INSN(),
6366 },
6367 .errstr = "R1 !read_ok",
6368 .result = REJECT,
6369 },
6370 {
6371 "ld_abs: check calling conv, r2",
6372 .insns = {
6373 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6374 BPF_MOV64_IMM(BPF_REG_2, 0),
6375 BPF_LD_ABS(BPF_W, -0x200000),
6376 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6377 BPF_EXIT_INSN(),
6378 },
6379 .errstr = "R2 !read_ok",
6380 .result = REJECT,
6381 },
6382 {
6383 "ld_abs: check calling conv, r3",
6384 .insns = {
6385 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6386 BPF_MOV64_IMM(BPF_REG_3, 0),
6387 BPF_LD_ABS(BPF_W, -0x200000),
6388 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6389 BPF_EXIT_INSN(),
6390 },
6391 .errstr = "R3 !read_ok",
6392 .result = REJECT,
6393 },
6394 {
6395 "ld_abs: check calling conv, r4",
6396 .insns = {
6397 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6398 BPF_MOV64_IMM(BPF_REG_4, 0),
6399 BPF_LD_ABS(BPF_W, -0x200000),
6400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6401 BPF_EXIT_INSN(),
6402 },
6403 .errstr = "R4 !read_ok",
6404 .result = REJECT,
6405 },
6406 {
6407 "ld_abs: check calling conv, r5",
6408 .insns = {
6409 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6410 BPF_MOV64_IMM(BPF_REG_5, 0),
6411 BPF_LD_ABS(BPF_W, -0x200000),
6412 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6413 BPF_EXIT_INSN(),
6414 },
6415 .errstr = "R5 !read_ok",
6416 .result = REJECT,
6417 },
6418 {
6419 "ld_abs: check calling conv, r7",
6420 .insns = {
6421 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6422 BPF_MOV64_IMM(BPF_REG_7, 0),
6423 BPF_LD_ABS(BPF_W, -0x200000),
6424 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6425 BPF_EXIT_INSN(),
6426 },
6427 .result = ACCEPT,
87ab8194
DB		 6428 },
6429 {
6430 "ld_abs: tests on r6 and skb data reload helper",
6431 .insns = {
6432 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6433 BPF_LD_ABS(BPF_B, 0),
6434 BPF_LD_ABS(BPF_H, 0),
6435 BPF_LD_ABS(BPF_W, 0),
6436 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6437 BPF_MOV64_IMM(BPF_REG_6, 0),
6438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6439 BPF_MOV64_IMM(BPF_REG_2, 1),
6440 BPF_MOV64_IMM(BPF_REG_3, 2),
6441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6442 BPF_FUNC_skb_vlan_push),
6443 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6444 BPF_LD_ABS(BPF_B, 0),
6445 BPF_LD_ABS(BPF_H, 0),
6446 BPF_LD_ABS(BPF_W, 0),
6447 BPF_MOV64_IMM(BPF_REG_0, 42),
6448 BPF_EXIT_INSN(),
6449 },
6450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6451 .result = ACCEPT,
614d0d77
DB		 6452 },
6453 {
6454 "ld_ind: check calling conv, r1",
6455 .insns = {
6456 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6457 BPF_MOV64_IMM(BPF_REG_1, 1),
6458 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6459 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6460 BPF_EXIT_INSN(),
6461 },
6462 .errstr = "R1 !read_ok",
6463 .result = REJECT,
6464 },
6465 {
6466 "ld_ind: check calling conv, r2",
6467 .insns = {
6468 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6469 BPF_MOV64_IMM(BPF_REG_2, 1),
6470 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6471 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6472 BPF_EXIT_INSN(),
6473 },
6474 .errstr = "R2 !read_ok",
6475 .result = REJECT,
6476 },
6477 {
6478 "ld_ind: check calling conv, r3",
6479 .insns = {
6480 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6481 BPF_MOV64_IMM(BPF_REG_3, 1),
6482 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6483 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6484 BPF_EXIT_INSN(),
6485 },
6486 .errstr = "R3 !read_ok",
6487 .result = REJECT,
6488 },
6489 {
6490 "ld_ind: check calling conv, r4",
6491 .insns = {
6492 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6493 BPF_MOV64_IMM(BPF_REG_4, 1),
6494 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6495 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6496 BPF_EXIT_INSN(),
6497 },
6498 .errstr = "R4 !read_ok",
6499 .result = REJECT,
6500 },
6501 {
6502 "ld_ind: check calling conv, r5",
6503 .insns = {
6504 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6505 BPF_MOV64_IMM(BPF_REG_5, 1),
6506 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6507 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6508 BPF_EXIT_INSN(),
6509 },
6510 .errstr = "R5 !read_ok",
6511 .result = REJECT,
6512 },
6513 {
6514 "ld_ind: check calling conv, r7",
6515 .insns = {
6516 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6517 BPF_MOV64_IMM(BPF_REG_7, 1),
6518 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6519 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6520 BPF_EXIT_INSN(),
6521 },
6522 .result = ACCEPT,
6523 },
18f3d6be
YS		 6524 {
6525 "check bpf_perf_event_data->sample_period byte load permitted",
6526 .insns = {
6527 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6528#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6529 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6530 offsetof(struct bpf_perf_event_data, sample_period)),
6531#else
6532 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6533 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6534#endif
6535 BPF_EXIT_INSN(),
6536 },
6537 .result = ACCEPT,
6538 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6539 },
6540 {
6541 "check bpf_perf_event_data->sample_period half load permitted",
6542 .insns = {
6543 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6544#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6545 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6546 offsetof(struct bpf_perf_event_data, sample_period)),
6547#else
6548 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6549 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6550#endif
6551 BPF_EXIT_INSN(),
6552 },
6553 .result = ACCEPT,
6554 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6555 },
6556 {
6557 "check bpf_perf_event_data->sample_period word load permitted",
6558 .insns = {
6559 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6560#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6561 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6562 offsetof(struct bpf_perf_event_data, sample_period)),
6563#else
6564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6565 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6566#endif
6567 BPF_EXIT_INSN(),
6568 },
6569 .result = ACCEPT,
6570 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6571 },
6572 {
6573 "check bpf_perf_event_data->sample_period dword load permitted",
6574 .insns = {
6575 BPF_MOV64_IMM(BPF_REG_0, 0),
6576 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6577 offsetof(struct bpf_perf_event_data, sample_period)),
6578 BPF_EXIT_INSN(),
6579 },
6580 .result = ACCEPT,
6581 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6582 },
6583 {
6584 "check skb->data half load not permitted",
6585 .insns = {
6586 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6587#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6588 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6589 offsetof(struct __sk_buff, data)),
6590#else
6591 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6592 offsetof(struct __sk_buff, data) + 2),
6593#endif
6594 BPF_EXIT_INSN(),
6595 },
6596 .result = REJECT,
6597 .errstr = "invalid bpf_context access",
6598 },
6599 {
6600 "check skb->tc_classid half load not permitted for lwt prog",
6601 .insns = {
6602 BPF_MOV64_IMM(BPF_REG_0, 0),
2c460621 6603#if __BYTE_ORDER == __LITTLE_ENDIAN
18f3d6be
YS		 6604 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6605 offsetof(struct __sk_buff, tc_classid)),
6606#else
6607 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6608 offsetof(struct __sk_buff, tc_classid) + 2),
6609#endif
6610 BPF_EXIT_INSN(),
6611 },
6612 .result = REJECT,
6613 .errstr = "invalid bpf_context access",
6614 .prog_type = BPF_PROG_TYPE_LWT_IN,
6615 },
b712296a
EC		 6616 {
6617 "bounds checks mixing signed and unsigned, positive bounds",
6618 .insns = {
6619 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6620 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6622 BPF_LD_MAP_FD(BPF_REG_1, 0),
6623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6624 BPF_FUNC_map_lookup_elem),
6625 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6627 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6628 BPF_MOV64_IMM(BPF_REG_2, 2),
6629 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6630 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6631 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6632 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6633 BPF_MOV64_IMM(BPF_REG_0, 0),
6634 BPF_EXIT_INSN(),
6635 },
6636 .fixup_map1 = { 3 },
2255f8d5 6637 .errstr = "unbounded min value",
a3f6c1f4 6638 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
b712296a 6639 .result = REJECT,
b712296a
EC		 6640 },
6641 {
6642 "bounds checks mixing signed and unsigned",
6643 .insns = {
6644 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6647 BPF_LD_MAP_FD(BPF_REG_1, 0),
6648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6649 BPF_FUNC_map_lookup_elem),
6650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6651 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6652 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6653 BPF_MOV64_IMM(BPF_REG_2, -1),
6654 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6655 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6656 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6657 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6658 BPF_MOV64_IMM(BPF_REG_0, 0),
6659 BPF_EXIT_INSN(),
6660 },
6661 .fixup_map1 = { 3 },
2255f8d5 6662 .errstr = "unbounded min value",
a3f6c1f4 6663 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
b712296a 6664 .result = REJECT,
b712296a 6665 },
86412502
DB		 6666 {
6667 "bounds checks mixing signed and unsigned, variant 2",
6668 .insns = {
6669 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6670 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6672 BPF_LD_MAP_FD(BPF_REG_1, 0),
6673 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6674 BPF_FUNC_map_lookup_elem),
6675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6677 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6678 BPF_MOV64_IMM(BPF_REG_2, -1),
6679 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6680 BPF_MOV64_IMM(BPF_REG_8, 0),
6681 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6682 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6683 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6684 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6685 BPF_MOV64_IMM(BPF_REG_0, 0),
6686 BPF_EXIT_INSN(),
6687 },
6688 .fixup_map1 = { 3 },
2255f8d5 6689 .errstr = "unbounded min value",
a3f6c1f4 6690 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
86412502 6691 .result = REJECT,
86412502
DB		 6692 },
6693 {
6694 "bounds checks mixing signed and unsigned, variant 3",
6695 .insns = {
6696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6699 BPF_LD_MAP_FD(BPF_REG_1, 0),
6700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6701 BPF_FUNC_map_lookup_elem),
6702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6703 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6704 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6705 BPF_MOV64_IMM(BPF_REG_2, -1),
6706 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6707 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6708 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6710 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6711 BPF_MOV64_IMM(BPF_REG_0, 0),
6712 BPF_EXIT_INSN(),
6713 },
6714 .fixup_map1 = { 3 },
2255f8d5 6715 .errstr = "unbounded min value",
a3f6c1f4 6716 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
86412502 6717 .result = REJECT,
86412502
DB		 6718 },
6719 {
6720 "bounds checks mixing signed and unsigned, variant 4",
6721 .insns = {
6722 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6725 BPF_LD_MAP_FD(BPF_REG_1, 0),
6726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6727 BPF_FUNC_map_lookup_elem),
6728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6729 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6730 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6731 BPF_MOV64_IMM(BPF_REG_2, 1),
6732 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6733 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6734 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6735 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6736 BPF_MOV64_IMM(BPF_REG_0, 0),
6737 BPF_EXIT_INSN(),
6738 },
6739 .fixup_map1 = { 3 },
f65b1849 6740 .result = ACCEPT,
86412502
DB		 6741 },
6742 {
6743 "bounds checks mixing signed and unsigned, variant 5",
6744 .insns = {
6745 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6746 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6748 BPF_LD_MAP_FD(BPF_REG_1, 0),
6749 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6750 BPF_FUNC_map_lookup_elem),
6751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6752 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6753 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6754 BPF_MOV64_IMM(BPF_REG_2, -1),
6755 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6756 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6758 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6759 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6760 BPF_MOV64_IMM(BPF_REG_0, 0),
6761 BPF_EXIT_INSN(),
6762 },
6763 .fixup_map1 = { 3 },
2255f8d5 6764 .errstr = "unbounded min value",
a3f6c1f4 6765 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
86412502 6766 .result = REJECT,
86412502
DB		 6767 },
6768 {
6769 "bounds checks mixing signed and unsigned, variant 6",
6770 .insns = {
6771 BPF_MOV64_IMM(BPF_REG_2, 0),
6772 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6774 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6775 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6776 BPF_MOV64_IMM(BPF_REG_6, -1),
6777 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6778 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6780 BPF_MOV64_IMM(BPF_REG_5, 0),
6781 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6782 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6783 BPF_FUNC_skb_load_bytes),
6784 BPF_MOV64_IMM(BPF_REG_0, 0),
6785 BPF_EXIT_INSN(),
6786 },
86412502
DB		 6787 .errstr = "R4 min value is negative, either use unsigned",
6788 .result = REJECT,
86412502
DB		 6789 },
6790 {
6791 "bounds checks mixing signed and unsigned, variant 7",
6792 .insns = {
6793 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6794 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6795 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6796 BPF_LD_MAP_FD(BPF_REG_1, 0),
6797 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6798 BPF_FUNC_map_lookup_elem),
6799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6800 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6801 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6802 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6803 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6804 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6805 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6806 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6807 BPF_MOV64_IMM(BPF_REG_0, 0),
6808 BPF_EXIT_INSN(),
6809 },
6810 .fixup_map1 = { 3 },
f65b1849 6811 .result = ACCEPT,
86412502
DB		 6812 },
6813 {
6814 "bounds checks mixing signed and unsigned, variant 8",
86412502
DB		 6815 .insns = {
6816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6819 BPF_LD_MAP_FD(BPF_REG_1, 0),
6820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6821 BPF_FUNC_map_lookup_elem),
6822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6823 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6824 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6825 BPF_MOV64_IMM(BPF_REG_2, -1),
6826 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6827 BPF_MOV64_IMM(BPF_REG_0, 0),
6828 BPF_EXIT_INSN(),
6829 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6830 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6831 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6832 BPF_MOV64_IMM(BPF_REG_0, 0),
6833 BPF_EXIT_INSN(),
6834 },
6835 .fixup_map1 = { 3 },
2255f8d5 6836 .errstr = "unbounded min value",
a3f6c1f4 6837 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
86412502 6838 .result = REJECT,
86412502
DB		 6839 },
6840 {
f65b1849 6841 "bounds checks mixing signed and unsigned, variant 9",
86412502
DB		 6842 .insns = {
6843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6846 BPF_LD_MAP_FD(BPF_REG_1, 0),
6847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6848 BPF_FUNC_map_lookup_elem),
6849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6850 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6851 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6852 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6853 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6854 BPF_MOV64_IMM(BPF_REG_0, 0),
6855 BPF_EXIT_INSN(),
6856 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6857 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6858 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6859 BPF_MOV64_IMM(BPF_REG_0, 0),
6860 BPF_EXIT_INSN(),
6861 },
6862 .fixup_map1 = { 3 },
f65b1849 6863 .result = ACCEPT,
86412502
DB		 6864 },
6865 {
f65b1849 6866 "bounds checks mixing signed and unsigned, variant 10",
86412502
DB		 6867 .insns = {
6868 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6869 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6871 BPF_LD_MAP_FD(BPF_REG_1, 0),
6872 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6873 BPF_FUNC_map_lookup_elem),
6874 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6875 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6876 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6877 BPF_MOV64_IMM(BPF_REG_2, 0),
6878 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6879 BPF_MOV64_IMM(BPF_REG_0, 0),
6880 BPF_EXIT_INSN(),
6881 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6883 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6884 BPF_MOV64_IMM(BPF_REG_0, 0),
6885 BPF_EXIT_INSN(),
6886 },
6887 .fixup_map1 = { 3 },
2255f8d5 6888 .errstr = "unbounded min value",
a3f6c1f4 6889 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
86412502 6890 .result = REJECT,
86412502
DB		 6891 },
6892 {
f65b1849 6893 "bounds checks mixing signed and unsigned, variant 11",
86412502
DB		 6894 .insns = {
6895 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6896 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6898 BPF_LD_MAP_FD(BPF_REG_1, 0),
6899 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6900 BPF_FUNC_map_lookup_elem),
6901 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6902 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6903 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6904 BPF_MOV64_IMM(BPF_REG_2, -1),
6905 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6906 /* Dead branch. */
6907 BPF_MOV64_IMM(BPF_REG_0, 0),
6908 BPF_EXIT_INSN(),
6909 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6910 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6911 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6912 BPF_MOV64_IMM(BPF_REG_0, 0),
6913 BPF_EXIT_INSN(),
6914 },
6915 .fixup_map1 = { 3 },
2255f8d5 6916 .errstr = "unbounded min value",
a3f6c1f4 6917 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
86412502 6918 .result = REJECT,
86412502
DB		 6919 },
6920 {
f65b1849 6921 "bounds checks mixing signed and unsigned, variant 12",
86412502
DB		 6922 .insns = {
6923 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6924 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6926 BPF_LD_MAP_FD(BPF_REG_1, 0),
6927 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6928 BPF_FUNC_map_lookup_elem),
6929 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6930 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6931 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6932 BPF_MOV64_IMM(BPF_REG_2, -6),
6933 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6934 BPF_MOV64_IMM(BPF_REG_0, 0),
6935 BPF_EXIT_INSN(),
6936 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6937 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6938 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6939 BPF_MOV64_IMM(BPF_REG_0, 0),
6940 BPF_EXIT_INSN(),
6941 },
6942 .fixup_map1 = { 3 },
2255f8d5 6943 .errstr = "unbounded min value",
a3f6c1f4 6944 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
86412502 6945 .result = REJECT,
86412502
DB		 6946 },
6947 {
f65b1849 6948 "bounds checks mixing signed and unsigned, variant 13",
86412502
DB		 6949 .insns = {
6950 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6951 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6953 BPF_LD_MAP_FD(BPF_REG_1, 0),
6954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6955 BPF_FUNC_map_lookup_elem),
6956 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6957 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6958 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6959 BPF_MOV64_IMM(BPF_REG_2, 2),
6960 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6961 BPF_MOV64_IMM(BPF_REG_7, 1),
6962 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6963 BPF_MOV64_IMM(BPF_REG_0, 0),
6964 BPF_EXIT_INSN(),
6965 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6966 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6967 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6968 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6969 BPF_MOV64_IMM(BPF_REG_0, 0),
6970 BPF_EXIT_INSN(),
6971 },
6972 .fixup_map1 = { 3 },
2255f8d5 6973 .errstr = "unbounded min value",
a3f6c1f4 6974 .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
86412502 6975 .result = REJECT,
86412502
DB		 6976 },
6977 {
f65b1849 6978 "bounds checks mixing signed and unsigned, variant 14",
86412502
DB		 6979 .insns = {
6980 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6981 offsetof(struct __sk_buff, mark)),
6982 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6985 BPF_LD_MAP_FD(BPF_REG_1, 0),
6986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6987 BPF_FUNC_map_lookup_elem),
6988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6989 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6990 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6991 BPF_MOV64_IMM(BPF_REG_2, -1),
6992 BPF_MOV64_IMM(BPF_REG_8, 2),
6993 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6994 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6995 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6996 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6997 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6998 BPF_MOV64_IMM(BPF_REG_0, 0),
6999 BPF_EXIT_INSN(),
7000 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7001 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7002 },
7003 .fixup_map1 = { 4 },
6f16101e 7004 .errstr = "R0 invalid mem access 'inv'",
a3f6c1f4 7005 .errstr_unpriv = "R0 invalid mem access 'inv'",
86412502 7006 .result = REJECT,
86412502
DB		 7007 },
7008 {
f65b1849 7009 "bounds checks mixing signed and unsigned, variant 15",
86412502
DB		 7010 .insns = {
7011 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7014 BPF_LD_MAP_FD(BPF_REG_1, 0),
7015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7016 BPF_FUNC_map_lookup_elem),
7017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7018 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7019 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7020 BPF_MOV64_IMM(BPF_REG_2, -6),
7021 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7022 BPF_MOV64_IMM(BPF_REG_0, 0),
7023 BPF_EXIT_INSN(),
7024 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7025 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7026 BPF_MOV64_IMM(BPF_REG_0, 0),
7027 BPF_EXIT_INSN(),
7028 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7029 BPF_MOV64_IMM(BPF_REG_0, 0),
7030 BPF_EXIT_INSN(),
7031 },
7032 .fixup_map1 = { 3 },
2255f8d5 7033 .errstr = "unbounded min value",
a3f6c1f4 7034 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
86412502
DB		 7035 .result = REJECT,
7036 .result_unpriv = REJECT,
7037 },
545722cb 7038 {
f65b1849 7039 "subtraction bounds (map value) variant 1",
545722cb
EC		 7040 .insns = {
7041 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7042 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7044 BPF_LD_MAP_FD(BPF_REG_1, 0),
7045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7046 BPF_FUNC_map_lookup_elem),
7047 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7048 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7049 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7050 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7051 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7052 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7053 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7054 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7056 BPF_EXIT_INSN(),
7057 BPF_MOV64_IMM(BPF_REG_0, 0),
7058 BPF_EXIT_INSN(),
7059 },
7060 .fixup_map1 = { 3 },
f65b1849
EC		 7061 .errstr = "R0 max value is outside of the array range",
7062 .result = REJECT,
7063 },
7064 {
7065 "subtraction bounds (map value) variant 2",
7066 .insns = {
7067 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7068 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7070 BPF_LD_MAP_FD(BPF_REG_1, 0),
7071 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7072 BPF_FUNC_map_lookup_elem),
7073 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7074 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7075 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7076 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7077 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7078 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7079 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7080 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7081 BPF_EXIT_INSN(),
7082 BPF_MOV64_IMM(BPF_REG_0, 0),
7083 BPF_EXIT_INSN(),
7084 },
7085 .fixup_map1 = { 3 },
545722cb 7086 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
a3f6c1f4 7087 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
545722cb 7088 .result = REJECT,
545722cb 7089 },
a3f6c1f4
DB		 7090 {
7091 "check subtraction on pointers for unpriv",
7092 .insns = {
7093 BPF_MOV64_IMM(BPF_REG_0, 0),
7094 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
7095 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
7096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
7097 BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9),
7098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7099 BPF_FUNC_map_lookup_elem),
7100 BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP),
7101 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0),
7102 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
7103 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
7104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
7105 BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0),
7106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7107 BPF_FUNC_map_lookup_elem),
7108 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7109 BPF_EXIT_INSN(),
7110 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
7111 BPF_MOV64_IMM(BPF_REG_0, 0),
7112 BPF_EXIT_INSN(),
7113 },
7114 .fixup_map1 = { 1, 9 },
7115 .result = ACCEPT,
7116 .result_unpriv = REJECT,
7117 .errstr_unpriv = "R9 pointer -= pointer prohibited",
7118 },
2255f8d5
JH		 7119 {
7120 "bounds check based on zero-extended MOV",
7121 .insns = {
7122 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7123 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7125 BPF_LD_MAP_FD(BPF_REG_1, 0),
7126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7127 BPF_FUNC_map_lookup_elem),
7128 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7129 /* r2 = 0x0000'0000'ffff'ffff */
7130 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7131 /* r2 = 0 */
7132 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7133 /* no-op */
7134 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7135 /* access at offset 0 */
7136 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7137 /* exit */
7138 BPF_MOV64_IMM(BPF_REG_0, 0),
7139 BPF_EXIT_INSN(),
7140 },
7141 .fixup_map1 = { 3 },
7142 .result = ACCEPT
7143 },
7144 {
7145 "bounds check based on sign-extended MOV. test1",
7146 .insns = {
7147 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7150 BPF_LD_MAP_FD(BPF_REG_1, 0),
7151 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7152 BPF_FUNC_map_lookup_elem),
7153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7154 /* r2 = 0xffff'ffff'ffff'ffff */
7155 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7156 /* r2 = 0xffff'ffff */
7157 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7158 /* r0 = <oob pointer> */
7159 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7160 /* access to OOB pointer */
7161 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7162 /* exit */
7163 BPF_MOV64_IMM(BPF_REG_0, 0),
7164 BPF_EXIT_INSN(),
7165 },
7166 .fixup_map1 = { 3 },
7167 .errstr = "map_value pointer and 4294967295",
7168 .result = REJECT
7169 },
7170 {
7171 "bounds check based on sign-extended MOV. test2",
7172 .insns = {
7173 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7174 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7176 BPF_LD_MAP_FD(BPF_REG_1, 0),
7177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7178 BPF_FUNC_map_lookup_elem),
7179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7180 /* r2 = 0xffff'ffff'ffff'ffff */
7181 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7182 /* r2 = 0xfff'ffff */
7183 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7184 /* r0 = <oob pointer> */
7185 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7186 /* access to OOB pointer */
7187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7188 /* exit */
7189 BPF_MOV64_IMM(BPF_REG_0, 0),
7190 BPF_EXIT_INSN(),
7191 },
7192 .fixup_map1 = { 3 },
7193 .errstr = "R0 min value is outside of the array range",
7194 .result = REJECT
7195 },
7196 {
7197 "bounds check based on reg_off + var_off + insn_off. test1",
7198 .insns = {
7199 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7200 offsetof(struct __sk_buff, mark)),
7201 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7202 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7204 BPF_LD_MAP_FD(BPF_REG_1, 0),
7205 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7206 BPF_FUNC_map_lookup_elem),
7207 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7208 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7210 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7212 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7213 BPF_MOV64_IMM(BPF_REG_0, 0),
7214 BPF_EXIT_INSN(),
7215 },
7216 .fixup_map1 = { 4 },
7217 .errstr = "value_size=8 off=1073741825",
7218 .result = REJECT,
7219 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7220 },
7221 {
7222 "bounds check based on reg_off + var_off + insn_off. test2",
7223 .insns = {
7224 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7225 offsetof(struct __sk_buff, mark)),
7226 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7227 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7229 BPF_LD_MAP_FD(BPF_REG_1, 0),
7230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7231 BPF_FUNC_map_lookup_elem),
7232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7233 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7235 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7237 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7238 BPF_MOV64_IMM(BPF_REG_0, 0),
7239 BPF_EXIT_INSN(),
7240 },
7241 .fixup_map1 = { 4 },
7242 .errstr = "value 1073741823",
7243 .result = REJECT,
7244 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7245 },
7246 {
7247 "bounds check after truncation of non-boundary-crossing range",
7248 .insns = {
7249 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7252 BPF_LD_MAP_FD(BPF_REG_1, 0),
7253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7254 BPF_FUNC_map_lookup_elem),
7255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7256 /* r1 = [0x00, 0xff] */
7257 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7258 BPF_MOV64_IMM(BPF_REG_2, 1),
7259 /* r2 = 0x10'0000'0000 */
7260 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7261 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7262 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7263 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7265 /* r1 = [0x00, 0xff] */
7266 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7267 /* r1 = 0 */
7268 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7269 /* no-op */
7270 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7271 /* access at offset 0 */
7272 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7273 /* exit */
7274 BPF_MOV64_IMM(BPF_REG_0, 0),
7275 BPF_EXIT_INSN(),
7276 },
7277 .fixup_map1 = { 3 },
7278 .result = ACCEPT
7279 },
7280 {
7281 "bounds check after truncation of boundary-crossing range (1)",
7282 .insns = {
7283 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7284 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7286 BPF_LD_MAP_FD(BPF_REG_1, 0),
7287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7288 BPF_FUNC_map_lookup_elem),
7289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7290 /* r1 = [0x00, 0xff] */
7291 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7293 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7295 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7296 * [0x0000'0000, 0x0000'007f]
7297 */
7298 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7299 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7300 /* r1 = [0x00, 0xff] or
7301 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7302 */
7303 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7304 /* r1 = 0 or
7305 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7306 */
7307 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7308 /* no-op or OOB pointer computation */
7309 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7310 /* potentially OOB access */
7311 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7312 /* exit */
7313 BPF_MOV64_IMM(BPF_REG_0, 0),
7314 BPF_EXIT_INSN(),
7315 },
7316 .fixup_map1 = { 3 },
7317 /* not actually fully unbounded, but the bound is very high */
7318 .errstr = "R0 unbounded memory access",
7319 .result = REJECT
7320 },
7321 {
7322 "bounds check after truncation of boundary-crossing range (2)",
7323 .insns = {
7324 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7327 BPF_LD_MAP_FD(BPF_REG_1, 0),
7328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7329 BPF_FUNC_map_lookup_elem),
7330 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7331 /* r1 = [0x00, 0xff] */
7332 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7334 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7336 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7337 * [0x0000'0000, 0x0000'007f]
7338 * difference to previous test: truncation via MOV32
7339 * instead of ALU32.
7340 */
7341 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7342 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7343 /* r1 = [0x00, 0xff] or
7344 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7345 */
7346 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7347 /* r1 = 0 or
7348 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7349 */
7350 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7351 /* no-op or OOB pointer computation */
7352 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7353 /* potentially OOB access */
7354 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7355 /* exit */
7356 BPF_MOV64_IMM(BPF_REG_0, 0),
7357 BPF_EXIT_INSN(),
7358 },
7359 .fixup_map1 = { 3 },
7360 /* not actually fully unbounded, but the bound is very high */
7361 .errstr = "R0 unbounded memory access",
7362 .result = REJECT
7363 },
7364 {
7365 "bounds check after wrapping 32-bit addition",
7366 .insns = {
7367 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7368 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7370 BPF_LD_MAP_FD(BPF_REG_1, 0),
7371 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7372 BPF_FUNC_map_lookup_elem),
7373 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7374 /* r1 = 0x7fff'ffff */
7375 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7376 /* r1 = 0xffff'fffe */
7377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7378 /* r1 = 0 */
7379 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7380 /* no-op */
7381 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7382 /* access at offset 0 */
7383 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7384 /* exit */
7385 BPF_MOV64_IMM(BPF_REG_0, 0),
7386 BPF_EXIT_INSN(),
7387 },
7388 .fixup_map1 = { 3 },
7389 .result = ACCEPT
7390 },
7391 {
7392 "bounds check after shift with oversized count operand",
7393 .insns = {
7394 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7397 BPF_LD_MAP_FD(BPF_REG_1, 0),
7398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7399 BPF_FUNC_map_lookup_elem),
7400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7401 BPF_MOV64_IMM(BPF_REG_2, 32),
7402 BPF_MOV64_IMM(BPF_REG_1, 1),
7403 /* r1 = (u32)1 << (u32)32 = ? */
7404 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7405 /* r1 = [0x0000, 0xffff] */
7406 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7407 /* computes unknown pointer, potentially OOB */
7408 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7409 /* potentially OOB access */
7410 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7411 /* exit */
7412 BPF_MOV64_IMM(BPF_REG_0, 0),
7413 BPF_EXIT_INSN(),
7414 },
7415 .fixup_map1 = { 3 },
7416 .errstr = "R0 max value is outside of the array range",
7417 .result = REJECT
7418 },
7419 {
7420 "bounds check after right shift of maybe-negative number",
7421 .insns = {
7422 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7425 BPF_LD_MAP_FD(BPF_REG_1, 0),
7426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7427 BPF_FUNC_map_lookup_elem),
7428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7429 /* r1 = [0x00, 0xff] */
7430 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7431 /* r1 = [-0x01, 0xfe] */
7432 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7433 /* r1 = 0 or 0xff'ffff'ffff'ffff */
7434 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7435 /* r1 = 0 or 0xffff'ffff'ffff */
7436 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7437 /* computes unknown pointer, potentially OOB */
7438 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7439 /* potentially OOB access */
7440 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7441 /* exit */
7442 BPF_MOV64_IMM(BPF_REG_0, 0),
7443 BPF_EXIT_INSN(),
7444 },
7445 .fixup_map1 = { 3 },
7446 .errstr = "R0 unbounded memory access",
7447 .result = REJECT
7448 },
a3f6c1f4
DB		 7449 {
7450 "bounds check after 32-bit right shift with 64-bit input",
7451 .insns = {
7452 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7453 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7455 BPF_LD_MAP_FD(BPF_REG_1, 0),
7456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7457 BPF_FUNC_map_lookup_elem),
7458 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7459 /* r1 = 2 */
7460 BPF_MOV64_IMM(BPF_REG_1, 2),
7461 /* r1 = 1<<32 */
7462 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31),
7463 /* r1 = 0 (NOT 2!) */
7464 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
7465 /* r1 = 0xffff'fffe (NOT 0!) */
7466 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
7467 /* computes OOB pointer */
7468 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7469 /* OOB access */
7470 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7471 /* exit */
7472 BPF_MOV64_IMM(BPF_REG_0, 0),
7473 BPF_EXIT_INSN(),
7474 },
7475 .fixup_map1 = { 3 },
7476 .errstr = "R0 invalid mem access",
7477 .result = REJECT,
7478 },
2255f8d5
JH		 7479 {
7480 "bounds check map access with off+size signed 32bit overflow. test1",
7481 .insns = {
7482 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7483 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7485 BPF_LD_MAP_FD(BPF_REG_1, 0),
7486 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7487 BPF_FUNC_map_lookup_elem),
7488 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7489 BPF_EXIT_INSN(),
7490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7491 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7492 BPF_JMP_A(0),
7493 BPF_EXIT_INSN(),
7494 },
7495 .fixup_map1 = { 3 },
7496 .errstr = "map_value pointer and 2147483646",
7497 .result = REJECT
7498 },
7499 {
7500 "bounds check map access with off+size signed 32bit overflow. test2",
7501 .insns = {
7502 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7505 BPF_LD_MAP_FD(BPF_REG_1, 0),
7506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7507 BPF_FUNC_map_lookup_elem),
7508 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7509 BPF_EXIT_INSN(),
7510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7513 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7514 BPF_JMP_A(0),
7515 BPF_EXIT_INSN(),
7516 },
7517 .fixup_map1 = { 3 },
7518 .errstr = "pointer offset 1073741822",
a3f6c1f4 7519 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
2255f8d5
JH		 7520 .result = REJECT
7521 },
7522 {
7523 "bounds check map access with off+size signed 32bit overflow. test3",
7524 .insns = {
7525 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7526 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7528 BPF_LD_MAP_FD(BPF_REG_1, 0),
7529 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7530 BPF_FUNC_map_lookup_elem),
7531 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7532 BPF_EXIT_INSN(),
7533 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7534 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7535 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7536 BPF_JMP_A(0),
7537 BPF_EXIT_INSN(),
7538 },
7539 .fixup_map1 = { 3 },
7540 .errstr = "pointer offset -1073741822",
a3f6c1f4 7541 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
2255f8d5
JH		 7542 .result = REJECT
7543 },
7544 {
7545 "bounds check map access with off+size signed 32bit overflow. test4",
7546 .insns = {
7547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7550 BPF_LD_MAP_FD(BPF_REG_1, 0),
7551 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7552 BPF_FUNC_map_lookup_elem),
7553 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7554 BPF_EXIT_INSN(),
7555 BPF_MOV64_IMM(BPF_REG_1, 1000000),
7556 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
7557 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7558 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7559 BPF_JMP_A(0),
7560 BPF_EXIT_INSN(),
7561 },
7562 .fixup_map1 = { 3 },
7563 .errstr = "map_value pointer and 1000000000000",
7564 .result = REJECT
7565 },
7566 {
7567 "pointer/scalar confusion in state equality check (way 1)",
7568 .insns = {
7569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7570 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7572 BPF_LD_MAP_FD(BPF_REG_1, 0),
7573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7574 BPF_FUNC_map_lookup_elem),
7575 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7576 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7577 BPF_JMP_A(1),
7578 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7579 BPF_JMP_A(0),
7580 BPF_EXIT_INSN(),
7581 },
7582 .fixup_map1 = { 3 },
7583 .result = ACCEPT,
7584 .result_unpriv = REJECT,
7585 .errstr_unpriv = "R0 leaks addr as return value"
7586 },
7587 {
7588 "pointer/scalar confusion in state equality check (way 2)",
7589 .insns = {
7590 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7593 BPF_LD_MAP_FD(BPF_REG_1, 0),
7594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7595 BPF_FUNC_map_lookup_elem),
7596 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
7597 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7598 BPF_JMP_A(1),
7599 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7600 BPF_EXIT_INSN(),
7601 },
7602 .fixup_map1 = { 3 },
7603 .result = ACCEPT,
7604 .result_unpriv = REJECT,
7605 .errstr_unpriv = "R0 leaks addr as return value"
7606 },
69c4e8ad
EC		 7607 {
7608 "variable-offset ctx access",
7609 .insns = {
7610 /* Get an unknown value */
7611 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7612 /* Make it small and 4-byte aligned */
7613 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7614 /* add it to skb. We now have either &skb->len or
7615 * &skb->pkt_type, but we don't know which
7616 */
7617 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7618 /* dereference it */
7619 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7620 BPF_EXIT_INSN(),
7621 },
7622 .errstr = "variable ctx access var_off=(0x0; 0x4)",
7623 .result = REJECT,
7624 .prog_type = BPF_PROG_TYPE_LWT_IN,
7625 },
7626 {
7627 "variable-offset stack access",
7628 .insns = {
7629 /* Fill the top 8 bytes of the stack */
7630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7631 /* Get an unknown value */
7632 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7633 /* Make it small and 4-byte aligned */
7634 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7635 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7636 /* add it to fp. We now have either fp-4 or fp-8, but
7637 * we don't know which
7638 */
7639 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7640 /* dereference it */
7641 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
7642 BPF_EXIT_INSN(),
7643 },
7644 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
7645 .result = REJECT,
7646 .prog_type = BPF_PROG_TYPE_LWT_IN,
7647 },
2255f8d5
JH		 7648 {
7649 "indirect variable-offset stack access",
7650 .insns = {
7651 /* Fill the top 8 bytes of the stack */
7652 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7653 /* Get an unknown value */
7654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7655 /* Make it small and 4-byte aligned */
7656 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7657 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7658 /* add it to fp. We now have either fp-4 or fp-8, but
7659 * we don't know which
7660 */
7661 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7662 /* dereference it indirectly */
7663 BPF_LD_MAP_FD(BPF_REG_1, 0),
7664 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7665 BPF_FUNC_map_lookup_elem),
7666 BPF_MOV64_IMM(BPF_REG_0, 0),
7667 BPF_EXIT_INSN(),
7668 },
7669 .fixup_map1 = { 5 },
7670 .errstr = "variable stack read R2",
7671 .result = REJECT,
7672 .prog_type = BPF_PROG_TYPE_LWT_IN,
7673 },
7674 {
7675 "direct stack access with 32-bit wraparound. test1",
7676 .insns = {
7677 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7680 BPF_MOV32_IMM(BPF_REG_0, 0),
7681 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7682 BPF_EXIT_INSN()
7683 },
7684 .errstr = "fp pointer and 2147483647",
7685 .result = REJECT
7686 },
7687 {
7688 "direct stack access with 32-bit wraparound. test2",
7689 .insns = {
7690 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7693 BPF_MOV32_IMM(BPF_REG_0, 0),
7694 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7695 BPF_EXIT_INSN()
7696 },
7697 .errstr = "fp pointer and 1073741823",
7698 .result = REJECT
7699 },
7700 {
7701 "direct stack access with 32-bit wraparound. test3",
7702 .insns = {
7703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7706 BPF_MOV32_IMM(BPF_REG_0, 0),
7707 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7708 BPF_EXIT_INSN()
7709 },
7710 .errstr = "fp pointer offset 1073741822",
a3f6c1f4 7711 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2255f8d5
JH		 7712 .result = REJECT
7713 },
d893dc26
EC		 7714 {
7715 "liveness pruning and write screening",
7716 .insns = {
7717 /* Get an unknown value */
7718 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7719 /* branch conditions teach us nothing about R2 */
7720 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7721 BPF_MOV64_IMM(BPF_REG_0, 0),
7722 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7723 BPF_MOV64_IMM(BPF_REG_0, 0),
7724 BPF_EXIT_INSN(),
7725 },
7726 .errstr = "R0 !read_ok",
7727 .result = REJECT,
7728 .prog_type = BPF_PROG_TYPE_LWT_IN,
7729 },
df20cb7e
AS		 7730 {
7731 "varlen_map_value_access pruning",
7732 .insns = {
7733 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7734 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7736 BPF_LD_MAP_FD(BPF_REG_1, 0),
7737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7738 BPF_FUNC_map_lookup_elem),
7739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7740 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7741 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
7742 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
7743 BPF_MOV32_IMM(BPF_REG_1, 0),
7744 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
7745 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7746 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
7747 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7748 offsetof(struct test_val, foo)),
7749 BPF_EXIT_INSN(),
7750 },
7751 .fixup_map2 = { 3 },
7752 .errstr_unpriv = "R0 leaks addr",
7753 .errstr = "R0 unbounded memory access",
7754 .result_unpriv = REJECT,
7755 .result = REJECT,
7756 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7757 },
e67b8a68
EC		 7758 {
7759 "invalid 64-bit BPF_END",
7760 .insns = {
7761 BPF_MOV32_IMM(BPF_REG_0, 0),
7762 {
7763 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
7764 .dst_reg = BPF_REG_0,
7765 .src_reg = 0,
7766 .off = 0,
7767 .imm = 32,
7768 },
7769 BPF_EXIT_INSN(),
7770 },
7771 .errstr = "BPF_END uses reserved fields",
7772 .result = REJECT,
7773 },
22c88526
DB		 7774 {
7775 "meta access, test1",
7776 .insns = {
7777 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7778 offsetof(struct xdp_md, data_meta)),
7779 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7780 offsetof(struct xdp_md, data)),
7781 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7783 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7784 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7785 BPF_MOV64_IMM(BPF_REG_0, 0),
7786 BPF_EXIT_INSN(),
7787 },
7788 .result = ACCEPT,
7789 .prog_type = BPF_PROG_TYPE_XDP,
7790 },
7791 {
7792 "meta access, test2",
7793 .insns = {
7794 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7795 offsetof(struct xdp_md, data_meta)),
7796 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7797 offsetof(struct xdp_md, data)),
7798 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7799 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
7800 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7802 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7803 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7804 BPF_MOV64_IMM(BPF_REG_0, 0),
7805 BPF_EXIT_INSN(),
7806 },
7807 .result = REJECT,
7808 .errstr = "invalid access to packet, off=-8",
7809 .prog_type = BPF_PROG_TYPE_XDP,
7810 },
7811 {
7812 "meta access, test3",
7813 .insns = {
7814 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7815 offsetof(struct xdp_md, data_meta)),
7816 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7817 offsetof(struct xdp_md, data_end)),
7818 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7820 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7821 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7822 BPF_MOV64_IMM(BPF_REG_0, 0),
7823 BPF_EXIT_INSN(),
7824 },
7825 .result = REJECT,
7826 .errstr = "invalid access to packet",
7827 .prog_type = BPF_PROG_TYPE_XDP,
7828 },
7829 {
7830 "meta access, test4",
7831 .insns = {
7832 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7833 offsetof(struct xdp_md, data_meta)),
7834 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7835 offsetof(struct xdp_md, data_end)),
7836 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7837 offsetof(struct xdp_md, data)),
7838 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7840 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7841 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7842 BPF_MOV64_IMM(BPF_REG_0, 0),
7843 BPF_EXIT_INSN(),
7844 },
7845 .result = REJECT,
7846 .errstr = "invalid access to packet",
7847 .prog_type = BPF_PROG_TYPE_XDP,
7848 },
7849 {
7850 "meta access, test5",
7851 .insns = {
7852 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7853 offsetof(struct xdp_md, data_meta)),
7854 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7855 offsetof(struct xdp_md, data)),
7856 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7858 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
7859 BPF_MOV64_IMM(BPF_REG_2, -8),
7860 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7861 BPF_FUNC_xdp_adjust_meta),
7862 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7863 BPF_MOV64_IMM(BPF_REG_0, 0),
7864 BPF_EXIT_INSN(),
7865 },
7866 .result = REJECT,
7867 .errstr = "R3 !read_ok",
7868 .prog_type = BPF_PROG_TYPE_XDP,
7869 },
7870 {
7871 "meta access, test6",
7872 .insns = {
7873 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7874 offsetof(struct xdp_md, data_meta)),
7875 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7876 offsetof(struct xdp_md, data)),
7877 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7879 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7881 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
7882 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7883 BPF_MOV64_IMM(BPF_REG_0, 0),
7884 BPF_EXIT_INSN(),
7885 },
7886 .result = REJECT,
7887 .errstr = "invalid access to packet",
7888 .prog_type = BPF_PROG_TYPE_XDP,
7889 },
7890 {
7891 "meta access, test7",
7892 .insns = {
7893 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7894 offsetof(struct xdp_md, data_meta)),
7895 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7896 offsetof(struct xdp_md, data)),
7897 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7899 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7901 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7902 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7903 BPF_MOV64_IMM(BPF_REG_0, 0),
7904 BPF_EXIT_INSN(),
7905 },
7906 .result = ACCEPT,
7907 .prog_type = BPF_PROG_TYPE_XDP,
7908 },
7909 {
7910 "meta access, test8",
7911 .insns = {
7912 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7913 offsetof(struct xdp_md, data_meta)),
7914 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7915 offsetof(struct xdp_md, data)),
7916 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7918 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7919 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7920 BPF_MOV64_IMM(BPF_REG_0, 0),
7921 BPF_EXIT_INSN(),
7922 },
7923 .result = ACCEPT,
7924 .prog_type = BPF_PROG_TYPE_XDP,
7925 },
7926 {
7927 "meta access, test9",
7928 .insns = {
7929 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7930 offsetof(struct xdp_md, data_meta)),
7931 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7932 offsetof(struct xdp_md, data)),
7933 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7936 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7938 BPF_MOV64_IMM(BPF_REG_0, 0),
7939 BPF_EXIT_INSN(),
7940 },
7941 .result = REJECT,
7942 .errstr = "invalid access to packet",
7943 .prog_type = BPF_PROG_TYPE_XDP,
7944 },
7945 {
7946 "meta access, test10",
7947 .insns = {
7948 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7949 offsetof(struct xdp_md, data_meta)),
7950 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7951 offsetof(struct xdp_md, data)),
7952 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7953 offsetof(struct xdp_md, data_end)),
7954 BPF_MOV64_IMM(BPF_REG_5, 42),
7955 BPF_MOV64_IMM(BPF_REG_6, 24),
7956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7957 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7958 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7959 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7960 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
7961 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7962 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7964 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
7965 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
7966 BPF_MOV64_IMM(BPF_REG_0, 0),
7967 BPF_EXIT_INSN(),
7968 },
7969 .result = REJECT,
7970 .errstr = "invalid access to packet",
7971 .prog_type = BPF_PROG_TYPE_XDP,
7972 },
7973 {
7974 "meta access, test11",
7975 .insns = {
7976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7977 offsetof(struct xdp_md, data_meta)),
7978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7979 offsetof(struct xdp_md, data)),
7980 BPF_MOV64_IMM(BPF_REG_5, 42),
7981 BPF_MOV64_IMM(BPF_REG_6, 24),
7982 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7983 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7984 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7985 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7986 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
7987 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7988 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7990 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
7991 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
7992 BPF_MOV64_IMM(BPF_REG_0, 0),
7993 BPF_EXIT_INSN(),
7994 },
7995 .result = ACCEPT,
7996 .prog_type = BPF_PROG_TYPE_XDP,
7997 },
7998 {
7999 "meta access, test12",
8000 .insns = {
8001 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8002 offsetof(struct xdp_md, data_meta)),
8003 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8004 offsetof(struct xdp_md, data)),
8005 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8006 offsetof(struct xdp_md, data_end)),
8007 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8009 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8010 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8011 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8013 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8014 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8015 BPF_MOV64_IMM(BPF_REG_0, 0),
8016 BPF_EXIT_INSN(),
8017 },
8018 .result = ACCEPT,
8019 .prog_type = BPF_PROG_TYPE_XDP,
8020 },
28e33f9d
JK		 8021 {
8022 "arithmetic ops make PTR_TO_CTX unusable",
8023 .insns = {
8024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8025 offsetof(struct __sk_buff, data) -
8026 offsetof(struct __sk_buff, mark)),
8027 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8028 offsetof(struct __sk_buff, mark)),
8029 BPF_EXIT_INSN(),
8030 },
173abb86 8031 .errstr = "dereference of modified ctx ptr",
28e33f9d
JK		 8032 .result = REJECT,
8033 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8034 },
82abbf8d
AS		 8035 {
8036 "pkt_end - pkt_start is allowed",
8037 .insns = {
8038 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8039 offsetof(struct __sk_buff, data_end)),
8040 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8041 offsetof(struct __sk_buff, data)),
8042 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8043 BPF_EXIT_INSN(),
8044 },
8045 .result = ACCEPT,
8046 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8047 },
b37242c7
DB		 8048 {
8049 "XDP pkt read, pkt_end mangling, bad access 1",
8050 .insns = {
8051 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8052 offsetof(struct xdp_md, data)),
8053 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8054 offsetof(struct xdp_md, data_end)),
8055 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8058 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8059 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8060 BPF_MOV64_IMM(BPF_REG_0, 0),
8061 BPF_EXIT_INSN(),
8062 },
82abbf8d 8063 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
b37242c7
DB		 8064 .result = REJECT,
8065 .prog_type = BPF_PROG_TYPE_XDP,
8066 },
8067 {
8068 "XDP pkt read, pkt_end mangling, bad access 2",
8069 .insns = {
8070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8071 offsetof(struct xdp_md, data)),
8072 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8073 offsetof(struct xdp_md, data_end)),
8074 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8076 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8077 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8078 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8079 BPF_MOV64_IMM(BPF_REG_0, 0),
8080 BPF_EXIT_INSN(),
8081 },
82abbf8d 8082 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
b37242c7
DB		 8083 .result = REJECT,
8084 .prog_type = BPF_PROG_TYPE_XDP,
8085 },
8086 {
8087 "XDP pkt read, pkt_data' > pkt_end, good access",
8088 .insns = {
8089 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8090 offsetof(struct xdp_md, data)),
8091 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8092 offsetof(struct xdp_md, data_end)),
8093 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8095 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8096 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8097 BPF_MOV64_IMM(BPF_REG_0, 0),
8098 BPF_EXIT_INSN(),
8099 },
8100 .result = ACCEPT,
8101 .prog_type = BPF_PROG_TYPE_XDP,
8102 },
8103 {
8104 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8105 .insns = {
8106 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8107 offsetof(struct xdp_md, data)),
8108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8109 offsetof(struct xdp_md, data_end)),
8110 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8112 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8113 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8114 BPF_MOV64_IMM(BPF_REG_0, 0),
8115 BPF_EXIT_INSN(),
8116 },
8117 .errstr = "R1 offset is outside of the packet",
8118 .result = REJECT,
8119 .prog_type = BPF_PROG_TYPE_XDP,
8120 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8121 },
8122 {
8123 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8124 .insns = {
8125 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8126 offsetof(struct xdp_md, data)),
8127 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8128 offsetof(struct xdp_md, data_end)),
8129 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8131 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8132 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8133 BPF_MOV64_IMM(BPF_REG_0, 0),
8134 BPF_EXIT_INSN(),
8135 },
8136 .errstr = "R1 offset is outside of the packet",
8137 .result = REJECT,
8138 .prog_type = BPF_PROG_TYPE_XDP,
8139 },
8140 {
8141 "XDP pkt read, pkt_end > pkt_data', good access",
8142 .insns = {
8143 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8144 offsetof(struct xdp_md, data)),
8145 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8146 offsetof(struct xdp_md, data_end)),
8147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8149 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8150 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8151 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8152 BPF_MOV64_IMM(BPF_REG_0, 0),
8153 BPF_EXIT_INSN(),
8154 },
8155 .result = ACCEPT,
8156 .prog_type = BPF_PROG_TYPE_XDP,
8157 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8158 },
8159 {
8160 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8161 .insns = {
8162 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8163 offsetof(struct xdp_md, data)),
8164 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8165 offsetof(struct xdp_md, data_end)),
8166 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8168 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8169 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8170 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8171 BPF_MOV64_IMM(BPF_REG_0, 0),
8172 BPF_EXIT_INSN(),
8173 },
8174 .errstr = "R1 offset is outside of the packet",
8175 .result = REJECT,
8176 .prog_type = BPF_PROG_TYPE_XDP,
8177 },
8178 {
8179 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8180 .insns = {
8181 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8182 offsetof(struct xdp_md, data)),
8183 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8184 offsetof(struct xdp_md, data_end)),
8185 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8187 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8188 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8189 BPF_MOV64_IMM(BPF_REG_0, 0),
8190 BPF_EXIT_INSN(),
8191 },
8192 .errstr = "R1 offset is outside of the packet",
8193 .result = REJECT,
8194 .prog_type = BPF_PROG_TYPE_XDP,
8195 },
8196 {
8197 "XDP pkt read, pkt_data' < pkt_end, good access",
8198 .insns = {
8199 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8200 offsetof(struct xdp_md, data)),
8201 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8202 offsetof(struct xdp_md, data_end)),
8203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8205 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8206 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8207 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8208 BPF_MOV64_IMM(BPF_REG_0, 0),
8209 BPF_EXIT_INSN(),
8210 },
8211 .result = ACCEPT,
8212 .prog_type = BPF_PROG_TYPE_XDP,
8213 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8214 },
8215 {
8216 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8217 .insns = {
8218 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8219 offsetof(struct xdp_md, data)),
8220 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8221 offsetof(struct xdp_md, data_end)),
8222 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8224 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8225 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8226 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8227 BPF_MOV64_IMM(BPF_REG_0, 0),
8228 BPF_EXIT_INSN(),
8229 },
8230 .errstr = "R1 offset is outside of the packet",
8231 .result = REJECT,
8232 .prog_type = BPF_PROG_TYPE_XDP,
8233 },
8234 {
8235 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
8236 .insns = {
8237 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8238 offsetof(struct xdp_md, data)),
8239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8240 offsetof(struct xdp_md, data_end)),
8241 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8243 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8244 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8245 BPF_MOV64_IMM(BPF_REG_0, 0),
8246 BPF_EXIT_INSN(),
8247 },
8248 .errstr = "R1 offset is outside of the packet",
8249 .result = REJECT,
8250 .prog_type = BPF_PROG_TYPE_XDP,
8251 },
8252 {
8253 "XDP pkt read, pkt_end < pkt_data', good access",
8254 .insns = {
8255 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8256 offsetof(struct xdp_md, data)),
8257 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8258 offsetof(struct xdp_md, data_end)),
8259 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8261 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8262 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8263 BPF_MOV64_IMM(BPF_REG_0, 0),
8264 BPF_EXIT_INSN(),
8265 },
8266 .result = ACCEPT,
8267 .prog_type = BPF_PROG_TYPE_XDP,
8268 },
8269 {
8270 "XDP pkt read, pkt_end < pkt_data', bad access 1",
8271 .insns = {
8272 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8273 offsetof(struct xdp_md, data)),
8274 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8275 offsetof(struct xdp_md, data_end)),
8276 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8278 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8279 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8280 BPF_MOV64_IMM(BPF_REG_0, 0),
8281 BPF_EXIT_INSN(),
8282 },
8283 .errstr = "R1 offset is outside of the packet",
8284 .result = REJECT,
8285 .prog_type = BPF_PROG_TYPE_XDP,
8286 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8287 },
8288 {
8289 "XDP pkt read, pkt_end < pkt_data', bad access 2",
8290 .insns = {
8291 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8292 offsetof(struct xdp_md, data)),
8293 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8294 offsetof(struct xdp_md, data_end)),
8295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8296 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8297 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8298 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8299 BPF_MOV64_IMM(BPF_REG_0, 0),
8300 BPF_EXIT_INSN(),
8301 },
8302 .errstr = "R1 offset is outside of the packet",
8303 .result = REJECT,
8304 .prog_type = BPF_PROG_TYPE_XDP,
8305 },
8306 {
8307 "XDP pkt read, pkt_data' >= pkt_end, good access",
8308 .insns = {
8309 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8310 offsetof(struct xdp_md, data)),
8311 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8312 offsetof(struct xdp_md, data_end)),
8313 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8315 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8316 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8317 BPF_MOV64_IMM(BPF_REG_0, 0),
8318 BPF_EXIT_INSN(),
8319 },
8320 .result = ACCEPT,
8321 .prog_type = BPF_PROG_TYPE_XDP,
8322 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8323 },
8324 {
8325 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8326 .insns = {
8327 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8328 offsetof(struct xdp_md, data)),
8329 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8330 offsetof(struct xdp_md, data_end)),
8331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8333 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8335 BPF_MOV64_IMM(BPF_REG_0, 0),
8336 BPF_EXIT_INSN(),
8337 },
8338 .errstr = "R1 offset is outside of the packet",
8339 .result = REJECT,
8340 .prog_type = BPF_PROG_TYPE_XDP,
8341 },
8342 {
8343 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8344 .insns = {
8345 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8346 offsetof(struct xdp_md, data)),
8347 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8348 offsetof(struct xdp_md, data_end)),
8349 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8351 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8352 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8353 BPF_MOV64_IMM(BPF_REG_0, 0),
8354 BPF_EXIT_INSN(),
8355 },
8356 .errstr = "R1 offset is outside of the packet",
8357 .result = REJECT,
8358 .prog_type = BPF_PROG_TYPE_XDP,
8359 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8360 },
8361 {
8362 "XDP pkt read, pkt_end >= pkt_data', good access",
8363 .insns = {
8364 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8365 offsetof(struct xdp_md, data)),
8366 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8367 offsetof(struct xdp_md, data_end)),
8368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8370 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8371 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8372 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8373 BPF_MOV64_IMM(BPF_REG_0, 0),
8374 BPF_EXIT_INSN(),
8375 },
8376 .result = ACCEPT,
8377 .prog_type = BPF_PROG_TYPE_XDP,
8378 },
8379 {
8380 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
8381 .insns = {
8382 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8383 offsetof(struct xdp_md, data)),
8384 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8385 offsetof(struct xdp_md, data_end)),
8386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8388 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8389 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8390 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8391 BPF_MOV64_IMM(BPF_REG_0, 0),
8392 BPF_EXIT_INSN(),
8393 },
8394 .errstr = "R1 offset is outside of the packet",
8395 .result = REJECT,
8396 .prog_type = BPF_PROG_TYPE_XDP,
8397 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8398 },
8399 {
8400 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
8401 .insns = {
8402 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8403 offsetof(struct xdp_md, data)),
8404 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8405 offsetof(struct xdp_md, data_end)),
8406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8408 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8410 BPF_MOV64_IMM(BPF_REG_0, 0),
8411 BPF_EXIT_INSN(),
8412 },
8413 .errstr = "R1 offset is outside of the packet",
8414 .result = REJECT,
8415 .prog_type = BPF_PROG_TYPE_XDP,
8416 },
8417 {
8418 "XDP pkt read, pkt_data' <= pkt_end, good access",
8419 .insns = {
8420 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8421 offsetof(struct xdp_md, data)),
8422 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8423 offsetof(struct xdp_md, data_end)),
8424 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8426 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8427 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8428 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8429 BPF_MOV64_IMM(BPF_REG_0, 0),
8430 BPF_EXIT_INSN(),
8431 },
8432 .result = ACCEPT,
8433 .prog_type = BPF_PROG_TYPE_XDP,
8434 },
8435 {
8436 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8437 .insns = {
8438 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8439 offsetof(struct xdp_md, data)),
8440 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8441 offsetof(struct xdp_md, data_end)),
8442 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8444 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8445 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8447 BPF_MOV64_IMM(BPF_REG_0, 0),
8448 BPF_EXIT_INSN(),
8449 },
8450 .errstr = "R1 offset is outside of the packet",
8451 .result = REJECT,
8452 .prog_type = BPF_PROG_TYPE_XDP,
8453 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8454 },
8455 {
8456 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8457 .insns = {
8458 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8459 offsetof(struct xdp_md, data)),
8460 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8461 offsetof(struct xdp_md, data_end)),
8462 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8464 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8465 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8466 BPF_MOV64_IMM(BPF_REG_0, 0),
8467 BPF_EXIT_INSN(),
8468 },
8469 .errstr = "R1 offset is outside of the packet",
8470 .result = REJECT,
8471 .prog_type = BPF_PROG_TYPE_XDP,
8472 },
8473 {
8474 "XDP pkt read, pkt_end <= pkt_data', good access",
8475 .insns = {
8476 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8477 offsetof(struct xdp_md, data)),
8478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8479 offsetof(struct xdp_md, data_end)),
8480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8482 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8483 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8484 BPF_MOV64_IMM(BPF_REG_0, 0),
8485 BPF_EXIT_INSN(),
8486 },
8487 .result = ACCEPT,
8488 .prog_type = BPF_PROG_TYPE_XDP,
8489 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8490 },
8491 {
8492 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
8493 .insns = {
8494 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8495 offsetof(struct xdp_md, data)),
8496 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8497 offsetof(struct xdp_md, data_end)),
8498 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8500 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8501 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8502 BPF_MOV64_IMM(BPF_REG_0, 0),
8503 BPF_EXIT_INSN(),
8504 },
8505 .errstr = "R1 offset is outside of the packet",
8506 .result = REJECT,
8507 .prog_type = BPF_PROG_TYPE_XDP,
8508 },
8509 {
8510 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
8511 .insns = {
8512 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8513 offsetof(struct xdp_md, data)),
8514 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8515 offsetof(struct xdp_md, data_end)),
8516 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8518 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8519 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8520 BPF_MOV64_IMM(BPF_REG_0, 0),
8521 BPF_EXIT_INSN(),
8522 },
8523 .errstr = "R1 offset is outside of the packet",
8524 .result = REJECT,
8525 .prog_type = BPF_PROG_TYPE_XDP,
8526 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8527 },
634eab11
DB		 8528 {
8529 "XDP pkt read, pkt_meta' > pkt_data, good access",
8530 .insns = {
8531 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8532 offsetof(struct xdp_md, data_meta)),
8533 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8534 offsetof(struct xdp_md, data)),
8535 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8537 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8538 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8539 BPF_MOV64_IMM(BPF_REG_0, 0),
8540 BPF_EXIT_INSN(),
8541 },
8542 .result = ACCEPT,
8543 .prog_type = BPF_PROG_TYPE_XDP,
8544 },
8545 {
8546 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
8547 .insns = {
8548 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8549 offsetof(struct xdp_md, data_meta)),
8550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8551 offsetof(struct xdp_md, data)),
8552 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8554 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8555 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8556 BPF_MOV64_IMM(BPF_REG_0, 0),
8557 BPF_EXIT_INSN(),
8558 },
8559 .errstr = "R1 offset is outside of the packet",
8560 .result = REJECT,
8561 .prog_type = BPF_PROG_TYPE_XDP,
8562 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8563 },
8564 {
8565 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
8566 .insns = {
8567 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8568 offsetof(struct xdp_md, data_meta)),
8569 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8570 offsetof(struct xdp_md, data)),
8571 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8572 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8573 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8574 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8575 BPF_MOV64_IMM(BPF_REG_0, 0),
8576 BPF_EXIT_INSN(),
8577 },
8578 .errstr = "R1 offset is outside of the packet",
8579 .result = REJECT,
8580 .prog_type = BPF_PROG_TYPE_XDP,
8581 },
8582 {
8583 "XDP pkt read, pkt_data > pkt_meta', good access",
8584 .insns = {
8585 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8586 offsetof(struct xdp_md, data_meta)),
8587 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8588 offsetof(struct xdp_md, data)),
8589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8591 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8592 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8593 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8594 BPF_MOV64_IMM(BPF_REG_0, 0),
8595 BPF_EXIT_INSN(),
8596 },
8597 .result = ACCEPT,
8598 .prog_type = BPF_PROG_TYPE_XDP,
8599 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8600 },
8601 {
8602 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
8603 .insns = {
8604 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8605 offsetof(struct xdp_md, data_meta)),
8606 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8607 offsetof(struct xdp_md, data)),
8608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8610 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8611 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8612 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8613 BPF_MOV64_IMM(BPF_REG_0, 0),
8614 BPF_EXIT_INSN(),
8615 },
8616 .errstr = "R1 offset is outside of the packet",
8617 .result = REJECT,
8618 .prog_type = BPF_PROG_TYPE_XDP,
8619 },
8620 {
8621 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
8622 .insns = {
8623 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8624 offsetof(struct xdp_md, data_meta)),
8625 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8626 offsetof(struct xdp_md, data)),
8627 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8629 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8630 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8631 BPF_MOV64_IMM(BPF_REG_0, 0),
8632 BPF_EXIT_INSN(),
8633 },
8634 .errstr = "R1 offset is outside of the packet",
8635 .result = REJECT,
8636 .prog_type = BPF_PROG_TYPE_XDP,
8637 },
8638 {
8639 "XDP pkt read, pkt_meta' < pkt_data, good access",
8640 .insns = {
8641 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8642 offsetof(struct xdp_md, data_meta)),
8643 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8644 offsetof(struct xdp_md, data)),
8645 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8647 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8648 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8649 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8650 BPF_MOV64_IMM(BPF_REG_0, 0),
8651 BPF_EXIT_INSN(),
8652 },
8653 .result = ACCEPT,
8654 .prog_type = BPF_PROG_TYPE_XDP,
8655 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8656 },
8657 {
8658 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
8659 .insns = {
8660 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8661 offsetof(struct xdp_md, data_meta)),
8662 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8663 offsetof(struct xdp_md, data)),
8664 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8666 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8667 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8668 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8669 BPF_MOV64_IMM(BPF_REG_0, 0),
8670 BPF_EXIT_INSN(),
8671 },
8672 .errstr = "R1 offset is outside of the packet",
8673 .result = REJECT,
8674 .prog_type = BPF_PROG_TYPE_XDP,
8675 },
8676 {
8677 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
8678 .insns = {
8679 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8680 offsetof(struct xdp_md, data_meta)),
8681 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8682 offsetof(struct xdp_md, data)),
8683 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8685 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8686 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8687 BPF_MOV64_IMM(BPF_REG_0, 0),
8688 BPF_EXIT_INSN(),
8689 },
8690 .errstr = "R1 offset is outside of the packet",
8691 .result = REJECT,
8692 .prog_type = BPF_PROG_TYPE_XDP,
8693 },
8694 {
8695 "XDP pkt read, pkt_data < pkt_meta', good access",
8696 .insns = {
8697 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8698 offsetof(struct xdp_md, data_meta)),
8699 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8700 offsetof(struct xdp_md, data)),
8701 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8703 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8704 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8705 BPF_MOV64_IMM(BPF_REG_0, 0),
8706 BPF_EXIT_INSN(),
8707 },
8708 .result = ACCEPT,
8709 .prog_type = BPF_PROG_TYPE_XDP,
8710 },
8711 {
8712 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
8713 .insns = {
8714 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8715 offsetof(struct xdp_md, data_meta)),
8716 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8717 offsetof(struct xdp_md, data)),
8718 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8720 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8721 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8722 BPF_MOV64_IMM(BPF_REG_0, 0),
8723 BPF_EXIT_INSN(),
8724 },
8725 .errstr = "R1 offset is outside of the packet",
8726 .result = REJECT,
8727 .prog_type = BPF_PROG_TYPE_XDP,
8728 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8729 },
8730 {
8731 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
8732 .insns = {
8733 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8734 offsetof(struct xdp_md, data_meta)),
8735 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8736 offsetof(struct xdp_md, data)),
8737 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8739 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8740 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8741 BPF_MOV64_IMM(BPF_REG_0, 0),
8742 BPF_EXIT_INSN(),
8743 },
8744 .errstr = "R1 offset is outside of the packet",
8745 .result = REJECT,
8746 .prog_type = BPF_PROG_TYPE_XDP,
8747 },
8748 {
8749 "XDP pkt read, pkt_meta' >= pkt_data, good access",
8750 .insns = {
8751 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8752 offsetof(struct xdp_md, data_meta)),
8753 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8754 offsetof(struct xdp_md, data)),
8755 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8757 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8758 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8759 BPF_MOV64_IMM(BPF_REG_0, 0),
8760 BPF_EXIT_INSN(),
8761 },
8762 .result = ACCEPT,
8763 .prog_type = BPF_PROG_TYPE_XDP,
8764 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8765 },
8766 {
8767 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
8768 .insns = {
8769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8770 offsetof(struct xdp_md, data_meta)),
8771 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8772 offsetof(struct xdp_md, data)),
8773 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8775 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8776 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8777 BPF_MOV64_IMM(BPF_REG_0, 0),
8778 BPF_EXIT_INSN(),
8779 },
8780 .errstr = "R1 offset is outside of the packet",
8781 .result = REJECT,
8782 .prog_type = BPF_PROG_TYPE_XDP,
8783 },
8784 {
8785 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
8786 .insns = {
8787 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8788 offsetof(struct xdp_md, data_meta)),
8789 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8790 offsetof(struct xdp_md, data)),
8791 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8793 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8794 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8795 BPF_MOV64_IMM(BPF_REG_0, 0),
8796 BPF_EXIT_INSN(),
8797 },
8798 .errstr = "R1 offset is outside of the packet",
8799 .result = REJECT,
8800 .prog_type = BPF_PROG_TYPE_XDP,
8801 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8802 },
8803 {
8804 "XDP pkt read, pkt_data >= pkt_meta', good access",
8805 .insns = {
8806 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8807 offsetof(struct xdp_md, data_meta)),
8808 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8809 offsetof(struct xdp_md, data)),
8810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8812 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8813 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8814 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8815 BPF_MOV64_IMM(BPF_REG_0, 0),
8816 BPF_EXIT_INSN(),
8817 },
8818 .result = ACCEPT,
8819 .prog_type = BPF_PROG_TYPE_XDP,
8820 },
8821 {
8822 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
8823 .insns = {
8824 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8825 offsetof(struct xdp_md, data_meta)),
8826 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8827 offsetof(struct xdp_md, data)),
8828 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8830 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8831 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8832 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8833 BPF_MOV64_IMM(BPF_REG_0, 0),
8834 BPF_EXIT_INSN(),
8835 },
8836 .errstr = "R1 offset is outside of the packet",
8837 .result = REJECT,
8838 .prog_type = BPF_PROG_TYPE_XDP,
8839 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8840 },
8841 {
8842 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
8843 .insns = {
8844 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8845 offsetof(struct xdp_md, data_meta)),
8846 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8847 offsetof(struct xdp_md, data)),
8848 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8849 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8850 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8851 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8852 BPF_MOV64_IMM(BPF_REG_0, 0),
8853 BPF_EXIT_INSN(),
8854 },
8855 .errstr = "R1 offset is outside of the packet",
8856 .result = REJECT,
8857 .prog_type = BPF_PROG_TYPE_XDP,
8858 },
8859 {
8860 "XDP pkt read, pkt_meta' <= pkt_data, good access",
8861 .insns = {
8862 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8863 offsetof(struct xdp_md, data_meta)),
8864 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8865 offsetof(struct xdp_md, data)),
8866 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8867 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8868 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8869 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8870 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8871 BPF_MOV64_IMM(BPF_REG_0, 0),
8872 BPF_EXIT_INSN(),
8873 },
8874 .result = ACCEPT,
8875 .prog_type = BPF_PROG_TYPE_XDP,
8876 },
8877 {
8878 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
8879 .insns = {
8880 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8881 offsetof(struct xdp_md, data_meta)),
8882 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8883 offsetof(struct xdp_md, data)),
8884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8886 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8887 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8888 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8889 BPF_MOV64_IMM(BPF_REG_0, 0),
8890 BPF_EXIT_INSN(),
8891 },
8892 .errstr = "R1 offset is outside of the packet",
8893 .result = REJECT,
8894 .prog_type = BPF_PROG_TYPE_XDP,
8895 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8896 },
8897 {
8898 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
8899 .insns = {
8900 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8901 offsetof(struct xdp_md, data_meta)),
8902 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8903 offsetof(struct xdp_md, data)),
8904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8906 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8907 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8908 BPF_MOV64_IMM(BPF_REG_0, 0),
8909 BPF_EXIT_INSN(),
8910 },
8911 .errstr = "R1 offset is outside of the packet",
8912 .result = REJECT,
8913 .prog_type = BPF_PROG_TYPE_XDP,
8914 },
8915 {
8916 "XDP pkt read, pkt_data <= pkt_meta', good access",
8917 .insns = {
8918 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8919 offsetof(struct xdp_md, data_meta)),
8920 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8921 offsetof(struct xdp_md, data)),
8922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8924 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8925 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8926 BPF_MOV64_IMM(BPF_REG_0, 0),
8927 BPF_EXIT_INSN(),
8928 },
8929 .result = ACCEPT,
8930 .prog_type = BPF_PROG_TYPE_XDP,
8931 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8932 },
8933 {
8934 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
8935 .insns = {
8936 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8937 offsetof(struct xdp_md, data_meta)),
8938 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8939 offsetof(struct xdp_md, data)),
8940 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8942 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8943 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8944 BPF_MOV64_IMM(BPF_REG_0, 0),
8945 BPF_EXIT_INSN(),
8946 },
8947 .errstr = "R1 offset is outside of the packet",
8948 .result = REJECT,
8949 .prog_type = BPF_PROG_TYPE_XDP,
8950 },
8951 {
8952 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
8953 .insns = {
8954 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8955 offsetof(struct xdp_md, data_meta)),
8956 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8957 offsetof(struct xdp_md, data)),
8958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8960 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8961 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8962 BPF_MOV64_IMM(BPF_REG_0, 0),
8963 BPF_EXIT_INSN(),
8964 },
8965 .errstr = "R1 offset is outside of the packet",
8966 .result = REJECT,
8967 .prog_type = BPF_PROG_TYPE_XDP,
8968 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8969 },
6f16101e
DB		 8970 {
8971 "check deducing bounds from const, 1",
8972 .insns = {
8973 BPF_MOV64_IMM(BPF_REG_0, 1),
8974 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
8975 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
8976 BPF_EXIT_INSN(),
8977 },
8978 .result = REJECT,
8979 .errstr = "R0 tried to subtract pointer from scalar",
8980 },
8981 {
8982 "check deducing bounds from const, 2",
8983 .insns = {
8984 BPF_MOV64_IMM(BPF_REG_0, 1),
8985 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
8986 BPF_EXIT_INSN(),
8987 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
8988 BPF_EXIT_INSN(),
8989 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
8990 BPF_EXIT_INSN(),
8991 },
8992 .result = ACCEPT,
8993 },
8994 {
8995 "check deducing bounds from const, 3",
8996 .insns = {
8997 BPF_MOV64_IMM(BPF_REG_0, 0),
8998 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
8999 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9000 BPF_EXIT_INSN(),
9001 },
9002 .result = REJECT,
9003 .errstr = "R0 tried to subtract pointer from scalar",
9004 },
9005 {
9006 "check deducing bounds from const, 4",
9007 .insns = {
9008 BPF_MOV64_IMM(BPF_REG_0, 0),
9009 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9010 BPF_EXIT_INSN(),
9011 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9012 BPF_EXIT_INSN(),
9013 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9014 BPF_EXIT_INSN(),
9015 },
9016 .result = ACCEPT,
9017 },
9018 {
9019 "check deducing bounds from const, 5",
9020 .insns = {
9021 BPF_MOV64_IMM(BPF_REG_0, 0),
9022 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9023 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9024 BPF_EXIT_INSN(),
9025 },
9026 .result = REJECT,
9027 .errstr = "R0 tried to subtract pointer from scalar",
9028 },
9029 {
9030 "check deducing bounds from const, 6",
9031 .insns = {
9032 BPF_MOV64_IMM(BPF_REG_0, 0),
9033 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9034 BPF_EXIT_INSN(),
9035 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9036 BPF_EXIT_INSN(),
9037 },
9038 .result = REJECT,
9039 .errstr = "R0 tried to subtract pointer from scalar",
9040 },
9041 {
9042 "check deducing bounds from const, 7",
9043 .insns = {
9044 BPF_MOV64_IMM(BPF_REG_0, ~0),
9045 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9046 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9047 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9048 offsetof(struct __sk_buff, mark)),
9049 BPF_EXIT_INSN(),
9050 },
9051 .result = REJECT,
9052 .errstr = "dereference of modified ctx ptr",
9053 },
9054 {
9055 "check deducing bounds from const, 8",
9056 .insns = {
9057 BPF_MOV64_IMM(BPF_REG_0, ~0),
9058 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9059 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9060 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9061 offsetof(struct __sk_buff, mark)),
9062 BPF_EXIT_INSN(),
9063 },
9064 .result = REJECT,
9065 .errstr = "dereference of modified ctx ptr",
9066 },
9067 {
9068 "check deducing bounds from const, 9",
9069 .insns = {
9070 BPF_MOV64_IMM(BPF_REG_0, 0),
9071 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9072 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9073 BPF_EXIT_INSN(),
9074 },
9075 .result = REJECT,
9076 .errstr = "R0 tried to subtract pointer from scalar",
9077 },
9078 {
9079 "check deducing bounds from const, 10",
9080 .insns = {
9081 BPF_MOV64_IMM(BPF_REG_0, 0),
9082 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9083 /* Marks reg as unknown. */
9084 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9085 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9086 BPF_EXIT_INSN(),
9087 },
9088 .result = REJECT,
9089 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9090 },
b06723da
DB		 9091 {
9092 "bpf_exit with invalid return code. test1",
9093 .insns = {
9094 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9095 BPF_EXIT_INSN(),
9096 },
9097 .errstr = "R0 has value (0x0; 0xffffffff)",
9098 .result = REJECT,
9099 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9100 },
9101 {
9102 "bpf_exit with invalid return code. test2",
9103 .insns = {
9104 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9105 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9106 BPF_EXIT_INSN(),
9107 },
9108 .result = ACCEPT,
9109 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9110 },
9111 {
9112 "bpf_exit with invalid return code. test3",
9113 .insns = {
9114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9115 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9116 BPF_EXIT_INSN(),
9117 },
9118 .errstr = "R0 has value (0x0; 0x3)",
9119 .result = REJECT,
9120 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9121 },
9122 {
9123 "bpf_exit with invalid return code. test4",
9124 .insns = {
9125 BPF_MOV64_IMM(BPF_REG_0, 1),
9126 BPF_EXIT_INSN(),
9127 },
9128 .result = ACCEPT,
9129 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9130 },
9131 {
9132 "bpf_exit with invalid return code. test5",
9133 .insns = {
9134 BPF_MOV64_IMM(BPF_REG_0, 2),
9135 BPF_EXIT_INSN(),
9136 },
9137 .errstr = "R0 has value (0x2; 0x0)",
9138 .result = REJECT,
9139 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9140 },
9141 {
9142 "bpf_exit with invalid return code. test6",
9143 .insns = {
9144 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9145 BPF_EXIT_INSN(),
9146 },
9147 .errstr = "R0 is not a known value (ctx)",
9148 .result = REJECT,
9149 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9150 },
9151 {
9152 "bpf_exit with invalid return code. test7",
9153 .insns = {
9154 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9155 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9156 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9157 BPF_EXIT_INSN(),
9158 },
9159 .errstr = "R0 has unknown scalar value",
9160 .result = REJECT,
9161 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9162 },
57b4a36e
DB		 9163 {
9164 "xadd/w check unaligned stack",
9165 .insns = {
9166 BPF_MOV64_IMM(BPF_REG_0, 1),
9167 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
9168 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
9169 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
9170 BPF_EXIT_INSN(),
9171 },
9172 .result = REJECT,
9173 .errstr = "misaligned stack access off",
9174 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9175 },
9176 {
9177 "xadd/w check unaligned map",
9178 .insns = {
9179 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9180 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9182 BPF_LD_MAP_FD(BPF_REG_1, 0),
9183 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9184 BPF_FUNC_map_lookup_elem),
9185 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9186 BPF_EXIT_INSN(),
9187 BPF_MOV64_IMM(BPF_REG_1, 1),
9188 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
9189 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
9190 BPF_EXIT_INSN(),
9191 },
9192 .fixup_map1 = { 3 },
9193 .result = REJECT,
9194 .errstr = "misaligned value access off",
9195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9196 },
9197 {
9198 "xadd/w check unaligned pkt",
9199 .insns = {
9200 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9201 offsetof(struct xdp_md, data)),
9202 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9203 offsetof(struct xdp_md, data_end)),
9204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9206 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
9207 BPF_MOV64_IMM(BPF_REG_0, 99),
9208 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
9209 BPF_MOV64_IMM(BPF_REG_0, 1),
9210 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
9211 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
9212 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
9213 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
9214 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
9215 BPF_EXIT_INSN(),
9216 },
9217 .result = REJECT,
9218 .errstr = "BPF_XADD stores into R2 packet",
9219 .prog_type = BPF_PROG_TYPE_XDP,
9220 },
173abb86
DB		 9221 {
9222 "pass unmodified ctx pointer to helper",
9223 .insns = {
9224 BPF_MOV64_IMM(BPF_REG_2, 0),
9225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9226 BPF_FUNC_csum_update),
9227 BPF_MOV64_IMM(BPF_REG_0, 0),
9228 BPF_EXIT_INSN(),
9229 },
9230 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9231 .result = ACCEPT,
9232 },
9233 {
9234 "pass modified ctx pointer to helper, 1",
9235 .insns = {
9236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
9237 BPF_MOV64_IMM(BPF_REG_2, 0),
9238 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9239 BPF_FUNC_csum_update),
9240 BPF_MOV64_IMM(BPF_REG_0, 0),
9241 BPF_EXIT_INSN(),
9242 },
9243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9244 .result = REJECT,
9245 .errstr = "dereference of modified ctx ptr",
9246 },
9247 {
9248 "pass modified ctx pointer to helper, 2",
9249 .insns = {
9250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
9251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9252 BPF_FUNC_get_socket_cookie),
9253 BPF_MOV64_IMM(BPF_REG_0, 0),
9254 BPF_EXIT_INSN(),
9255 },
9256 .result_unpriv = REJECT,
9257 .result = REJECT,
9258 .errstr_unpriv = "dereference of modified ctx ptr",
9259 .errstr = "dereference of modified ctx ptr",
9260 },
9261 {
9262 "pass modified ctx pointer to helper, 3",
9263 .insns = {
9264 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
9265 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
9266 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
9267 BPF_MOV64_IMM(BPF_REG_2, 0),
9268 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9269 BPF_FUNC_csum_update),
9270 BPF_MOV64_IMM(BPF_REG_0, 0),
9271 BPF_EXIT_INSN(),
9272 },
9273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9274 .result = REJECT,
9275 .errstr = "variable ctx access var_off=(0x0; 0x4)",
9276 },
a3f6c1f4
DB		 9277 {
9278 "masking, test out of bounds 1",
9279 .insns = {
9280 BPF_MOV32_IMM(BPF_REG_1, 5),
9281 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
9282 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9283 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9284 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9285 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9286 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9287 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9288 BPF_EXIT_INSN(),
9289 },
9290 .result = ACCEPT,
9291 },
9292 {
9293 "masking, test out of bounds 2",
9294 .insns = {
9295 BPF_MOV32_IMM(BPF_REG_1, 1),
9296 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
9297 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9298 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9299 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9300 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9301 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9302 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9303 BPF_EXIT_INSN(),
9304 },
9305 .result = ACCEPT,
9306 },
9307 {
9308 "masking, test out of bounds 3",
9309 .insns = {
9310 BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
9311 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
9312 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9313 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9314 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9315 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9316 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9317 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9318 BPF_EXIT_INSN(),
9319 },
9320 .result = ACCEPT,
9321 },
9322 {
9323 "masking, test out of bounds 4",
9324 .insns = {
9325 BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
9326 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
9327 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9328 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9329 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9330 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9331 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9332 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9333 BPF_EXIT_INSN(),
9334 },
9335 .result = ACCEPT,
9336 },
9337 {
9338 "masking, test out of bounds 5",
9339 .insns = {
9340 BPF_MOV32_IMM(BPF_REG_1, -1),
9341 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
9342 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9343 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9344 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9345 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9346 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9347 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9348 BPF_EXIT_INSN(),
9349 },
9350 .result = ACCEPT,
9351 },
9352 {
9353 "masking, test out of bounds 6",
9354 .insns = {
9355 BPF_MOV32_IMM(BPF_REG_1, -1),
9356 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
9357 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9358 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9359 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9360 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9361 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9362 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9363 BPF_EXIT_INSN(),
9364 },
9365 .result = ACCEPT,
9366 },
9367 {
9368 "masking, test out of bounds 7",
9369 .insns = {
9370 BPF_MOV64_IMM(BPF_REG_1, 5),
9371 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
9372 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9373 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9374 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9375 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9376 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9377 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9378 BPF_EXIT_INSN(),
9379 },
9380 .result = ACCEPT,
9381 },
9382 {
9383 "masking, test out of bounds 8",
9384 .insns = {
9385 BPF_MOV64_IMM(BPF_REG_1, 1),
9386 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
9387 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9388 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9389 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9390 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9391 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9392 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9393 BPF_EXIT_INSN(),
9394 },
9395 .result = ACCEPT,
9396 },
9397 {
9398 "masking, test out of bounds 9",
9399 .insns = {
9400 BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
9401 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
9402 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9403 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9404 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9405 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9406 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9407 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9408 BPF_EXIT_INSN(),
9409 },
9410 .result = ACCEPT,
9411 },
9412 {
9413 "masking, test out of bounds 10",
9414 .insns = {
9415 BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
9416 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
9417 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9418 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9419 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9420 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9421 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9422 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9423 BPF_EXIT_INSN(),
9424 },
9425 .result = ACCEPT,
9426 },
9427 {
9428 "masking, test out of bounds 11",
9429 .insns = {
9430 BPF_MOV64_IMM(BPF_REG_1, -1),
9431 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
9432 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9433 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9434 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9435 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9436 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9437 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9438 BPF_EXIT_INSN(),
9439 },
9440 .result = ACCEPT,
9441 },
9442 {
9443 "masking, test out of bounds 12",
9444 .insns = {
9445 BPF_MOV64_IMM(BPF_REG_1, -1),
9446 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
9447 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9448 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9449 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9450 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9451 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9452 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9453 BPF_EXIT_INSN(),
9454 },
9455 .result = ACCEPT,
9456 },
9457 {
9458 "masking, test in bounds 1",
9459 .insns = {
9460 BPF_MOV32_IMM(BPF_REG_1, 4),
9461 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
9462 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9463 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9464 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9465 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9466 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9467 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9468 BPF_EXIT_INSN(),
9469 },
9470 .result = ACCEPT,
9471 },
9472 {
9473 "masking, test in bounds 2",
9474 .insns = {
9475 BPF_MOV32_IMM(BPF_REG_1, 0),
9476 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
9477 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9478 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9479 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9480 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9481 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9482 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9483 BPF_EXIT_INSN(),
9484 },
9485 .result = ACCEPT,
9486 },
9487 {
9488 "masking, test in bounds 3",
9489 .insns = {
9490 BPF_MOV32_IMM(BPF_REG_1, 0xfffffffe),
9491 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
9492 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9493 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9494 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9495 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9496 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9498 BPF_EXIT_INSN(),
9499 },
9500 .result = ACCEPT,
9501 },
9502 {
9503 "masking, test in bounds 4",
9504 .insns = {
9505 BPF_MOV32_IMM(BPF_REG_1, 0xabcde),
9506 BPF_MOV32_IMM(BPF_REG_2, 0xabcdef - 1),
9507 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9508 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9509 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9510 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9511 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9512 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9513 BPF_EXIT_INSN(),
9514 },
9515 .result = ACCEPT,
9516 },
9517 {
9518 "masking, test in bounds 5",
9519 .insns = {
9520 BPF_MOV32_IMM(BPF_REG_1, 0),
9521 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
9522 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9523 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9524 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9525 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9526 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9527 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9528 BPF_EXIT_INSN(),
9529 },
9530 .result = ACCEPT,
9531 },
9532 {
9533 "masking, test in bounds 6",
9534 .insns = {
9535 BPF_MOV32_IMM(BPF_REG_1, 46),
9536 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
9537 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
9538 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
9539 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9540 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9541 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9542 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9543 BPF_EXIT_INSN(),
9544 },
9545 .result = ACCEPT,
9546 },
9547 {
9548 "masking, test in bounds 7",
9549 .insns = {
9550 BPF_MOV64_IMM(BPF_REG_3, -46),
9551 BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
9552 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
9553 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
9554 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
9555 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9556 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9557 BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
9558 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9559 BPF_EXIT_INSN(),
9560 },
9561 .result = ACCEPT,
9562 },
9563 {
9564 "masking, test in bounds 8",
9565 .insns = {
9566 BPF_MOV64_IMM(BPF_REG_3, -47),
9567 BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
9568 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
9569 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
9570 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
9571 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
9572 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
9573 BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
9574 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9575 BPF_EXIT_INSN(),
9576 },
9577 .result = ACCEPT,
9578 },
3c731eba
AS		 9579};
9580
5aa5bd14 9581static int probe_filter_length(const struct bpf_insn *fp)
3c731eba 9582{
5aa5bd14 9583 int len;
3c731eba
AS		 9584
9585 for (len = MAX_INSNS - 1; len > 0; --len)
9586 if (fp[len].code != 0 || fp[len].imm != 0)
9587 break;
3c731eba
AS		 9588 return len + 1;
9589}
9590
5aa5bd14 9591static int create_map(uint32_t size_value, uint32_t max_elem)
3c731eba 9592{
5aa5bd14 9593 int fd;
3c731eba 9594
f4874d01 9595 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
5aa5bd14
DB		 9596 size_value, max_elem, BPF_F_NO_PREALLOC);
9597 if (fd < 0)
9598 printf("Failed to create hash map '%s'!\n", strerror(errno));
bf508877 9599
5aa5bd14 9600 return fd;
bf508877
AS		 9601}
9602
9603static int create_prog_array(void)
9604{
5aa5bd14 9605 int fd;
bf508877 9606
f4874d01 9607 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
5aa5bd14
DB		 9608 sizeof(int), 4, 0);
9609 if (fd < 0)
9610 printf("Failed to create prog array '%s'!\n", strerror(errno));
3c731eba 9611
5aa5bd14 9612 return fd;
3c731eba
AS		 9613}
9614
fb30d4b7
MKL		 9615static int create_map_in_map(void)
9616{
9617 int inner_map_fd, outer_map_fd;
9618
9619 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
9620 sizeof(int), 1, 0);
9621 if (inner_map_fd < 0) {
9622 printf("Failed to create array '%s'!\n", strerror(errno));
9623 return inner_map_fd;
9624 }
9625
88cda1c9 9626 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
fb30d4b7
MKL		 9627 sizeof(int), inner_map_fd, 1, 0);
9628 if (outer_map_fd < 0)
9629 printf("Failed to create array of maps '%s'!\n",
9630 strerror(errno));
9631
9632 close(inner_map_fd);
9633
9634 return outer_map_fd;
9635}
9636
5aa5bd14
DB		 9637static char bpf_vlog[32768];
9638
9639static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
fb30d4b7 9640 int *map_fds)
3c731eba 9641{
5aa5bd14
DB		 9642 int *fixup_map1 = test->fixup_map1;
9643 int *fixup_map2 = test->fixup_map2;
9644 int *fixup_prog = test->fixup_prog;
fb30d4b7 9645 int *fixup_map_in_map = test->fixup_map_in_map;
3c731eba 9646
5aa5bd14
DB		 9647 /* Allocating HTs with 1 elem is fine here, since we only test
9648 * for verifier and not do a runtime lookup, so the only thing
9649 * that really matters is value size in this case.
9650 */
9651 if (*fixup_map1) {
fb30d4b7 9652 map_fds[0] = create_map(sizeof(long long), 1);
5aa5bd14 9653 do {
fb30d4b7 9654 prog[*fixup_map1].imm = map_fds[0];
5aa5bd14
DB		 9655 fixup_map1++;
9656 } while (*fixup_map1);
9657 }
3c731eba 9658
5aa5bd14 9659 if (*fixup_map2) {
fb30d4b7 9660 map_fds[1] = create_map(sizeof(struct test_val), 1);
5aa5bd14 9661 do {
fb30d4b7 9662 prog[*fixup_map2].imm = map_fds[1];
5aa5bd14
DB		 9663 fixup_map2++;
9664 } while (*fixup_map2);
9665 }
3c731eba 9666
5aa5bd14 9667 if (*fixup_prog) {
fb30d4b7 9668 map_fds[2] = create_prog_array();
5aa5bd14 9669 do {
fb30d4b7 9670 prog[*fixup_prog].imm = map_fds[2];
5aa5bd14
DB		 9671 fixup_prog++;
9672 } while (*fixup_prog);
9673 }
fb30d4b7
MKL		 9674
9675 if (*fixup_map_in_map) {
9676 map_fds[3] = create_map_in_map();
9677 do {
9678 prog[*fixup_map_in_map].imm = map_fds[3];
9679 fixup_map_in_map++;
9680 } while (*fixup_map_in_map);
9681 }
5aa5bd14 9682}
bf508877 9683
5aa5bd14
DB		 9684static void do_test_single(struct bpf_test *test, bool unpriv,
9685 int *passes, int *errors)
9686{
02ea80b1 9687 int fd_prog, expected_ret, reject_from_alignment;
5aa5bd14
DB		 9688 struct bpf_insn *prog = test->insns;
9689 int prog_len = probe_filter_length(prog);
9690 int prog_type = test->prog_type;
fb30d4b7 9691 int map_fds[MAX_NR_MAPS];
5aa5bd14 9692 const char *expected_err;
fb30d4b7
MKL		 9693 int i;
9694
9695 for (i = 0; i < MAX_NR_MAPS; i++)
9696 map_fds[i] = -1;
48461135 9697
fb30d4b7 9698 do_test_fixup(test, prog, map_fds);
3c731eba 9699
614d0d77
DB		 9700 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
9701 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
d6554904 9702 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
3c731eba 9703
5aa5bd14
DB		 9704 expected_ret = unpriv && test->result_unpriv != UNDEF ?
9705 test->result_unpriv : test->result;
9706 expected_err = unpriv && test->errstr_unpriv ?
9707 test->errstr_unpriv : test->errstr;
02ea80b1
DB		 9708
9709 reject_from_alignment = fd_prog < 0 &&
9710 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
c8ef19bc 9711 strstr(bpf_vlog, "misaligned");
02ea80b1
DB		 9712#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
9713 if (reject_from_alignment) {
9714 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
9715 strerror(errno));
9716 goto fail_log;
9717 }
9718#endif
5aa5bd14 9719 if (expected_ret == ACCEPT) {
02ea80b1 9720 if (fd_prog < 0 && !reject_from_alignment) {
5aa5bd14
DB		 9721 printf("FAIL\nFailed to load prog '%s'!\n",
9722 strerror(errno));
9723 goto fail_log;
9724 }
9725 } else {
9726 if (fd_prog >= 0) {
9727 printf("FAIL\nUnexpected success to load!\n");
9728 goto fail_log;
9729 }
02ea80b1 9730 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
5aa5bd14
DB		 9731 printf("FAIL\nUnexpected error message!\n");
9732 goto fail_log;
9733 }
9734 }
bf508877 9735
5aa5bd14 9736 (*passes)++;
02ea80b1
DB		 9737 printf("OK%s\n", reject_from_alignment ?
9738 " (NOTE: reject due to unknown alignment)" : "");
5aa5bd14
DB		 9739close_fds:
9740 close(fd_prog);
fb30d4b7
MKL		 9741 for (i = 0; i < MAX_NR_MAPS; i++)
9742 close(map_fds[i]);
5aa5bd14
DB		 9743 sched_yield();
9744 return;
9745fail_log:
9746 (*errors)++;
9747 printf("%s", bpf_vlog);
9748 goto close_fds;
9749}
bf508877 9750
d02d8986
MS		 9751static bool is_admin(void)
9752{
9753 cap_t caps;
9754 cap_flag_value_t sysadmin = CAP_CLEAR;
9755 const cap_value_t cap_val = CAP_SYS_ADMIN;
9756
1da8ac7c 9757#ifdef CAP_IS_SUPPORTED
d02d8986
MS		 9758 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
9759 perror("cap_get_flag");
9760 return false;
9761 }
1da8ac7c 9762#endif
d02d8986
MS		 9763 caps = cap_get_proc();
9764 if (!caps) {
9765 perror("cap_get_proc");
9766 return false;
9767 }
9768 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
9769 perror("cap_get_flag");
9770 if (cap_free(caps))
9771 perror("cap_free");
9772 return (sysadmin == CAP_SET);
9773}
9774
9775static int set_admin(bool admin)
9776{
9777 cap_t caps;
9778 const cap_value_t cap_val = CAP_SYS_ADMIN;
9779 int ret = -1;
9780
9781 caps = cap_get_proc();
9782 if (!caps) {
9783 perror("cap_get_proc");
9784 return -1;
9785 }
9786 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
9787 admin ? CAP_SET : CAP_CLEAR)) {
9788 perror("cap_set_flag");
9789 goto out;
9790 }
9791 if (cap_set_proc(caps)) {
9792 perror("cap_set_proc");
9793 goto out;
9794 }
9795 ret = 0;
9796out:
9797 if (cap_free(caps))
9798 perror("cap_free");
9799 return ret;
9800}
9801
5aa5bd14
DB		 9802static int do_test(bool unpriv, unsigned int from, unsigned int to)
9803{
9804 int i, passes = 0, errors = 0;
3c731eba 9805
5aa5bd14
DB		 9806 for (i = from; i < to; i++) {
9807 struct bpf_test *test = &tests[i];
3c731eba 9808
5aa5bd14
DB		 9809 /* Program types that are not supported by non-root we
9810 * skip right away.
9811 */
d02d8986
MS		 9812 if (!test->prog_type) {
9813 if (!unpriv)
9814 set_admin(false);
9815 printf("#%d/u %s ", i, test->descr);
9816 do_test_single(test, true, &passes, &errors);
9817 if (!unpriv)
9818 set_admin(true);
9819 }
5aa5bd14 9820
d02d8986
MS		 9821 if (!unpriv) {
9822 printf("#%d/p %s ", i, test->descr);
9823 do_test_single(test, false, &passes, &errors);
9824 }
3c731eba
AS		 9825 }
9826
5aa5bd14 9827 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
efe5f9c0 9828 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
3c731eba
AS		 9829}
9830
5aa5bd14 9831int main(int argc, char **argv)
3c731eba 9832{
5aa5bd14
DB		 9833 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
9834 struct rlimit rlim = { 1 << 20, 1 << 20 };
9835 unsigned int from = 0, to = ARRAY_SIZE(tests);
d02d8986 9836 bool unpriv = !is_admin();
5aa5bd14
DB		 9837
9838 if (argc == 3) {
9839 unsigned int l = atoi(argv[argc - 2]);
9840 unsigned int u = atoi(argv[argc - 1]);
9841
9842 if (l < to && u < to) {
9843 from = l;
9844 to = u + 1;
9845 }
9846 } else if (argc == 2) {
9847 unsigned int t = atoi(argv[argc - 1]);
9848
9849 if (t < to) {
9850 from = t;
9851 to = t + 1;
9852 }
9853 }
bf508877 9854
5aa5bd14
DB		 9855 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
9856 return do_test(unpriv, from, to);
3c731eba 9857}
ubuntu-bionic-kernel mirror