]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - tools/testing/selftests/bpf/test_verifier.c
projects / mirror_ubuntu-hirsute-kernel.git / blob
? search:


b03ecfd7185bbce689bb29bd122365461394bbbc
[mirror_ubuntu-hirsute-kernel.git] / tools / testing / selftests / bpf / test_verifier.c
1 /*
2 * Testsuite for eBPF verifier
3 *
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 *
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
9 */
10
11 #include <endian.h>
12 #include <asm/types.h>
13 #include <linux/types.h>
14 #include <stdint.h>
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <unistd.h>
18 #include <errno.h>
19 #include <string.h>
20 #include <stddef.h>
21 #include <stdbool.h>
22 #include <sched.h>
23
24 #include <sys/capability.h>
25 #include <sys/resource.h>
26
27 #include <linux/unistd.h>
28 #include <linux/filter.h>
29 #include <linux/bpf_perf_event.h>
30 #include <linux/bpf.h>
31
32 #include <bpf/bpf.h>
33
34 #ifdef HAVE_GENHDR
35 # include "autoconf.h"
36 #else
37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
39 # endif
40 #endif
41
42 #include "../../../include/linux/filter.h"
43
44 #ifndef ARRAY_SIZE
45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
46 #endif
47
48 #define MAX_INSNS 512
49 #define MAX_FIXUPS 8
50 #define MAX_NR_MAPS 4
51
52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
53 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
54
55 struct bpf_test {
56 const char *descr;
57 struct bpf_insn insns[MAX_INSNS];
58 int fixup_map1[MAX_FIXUPS];
59 int fixup_map2[MAX_FIXUPS];
60 int fixup_prog[MAX_FIXUPS];
61 int fixup_map_in_map[MAX_FIXUPS];
62 const char *errstr;
63 const char *errstr_unpriv;
64 enum {
65 UNDEF,
66 ACCEPT,
67 REJECT
68 } result, result_unpriv;
69 enum bpf_prog_type prog_type;
70 uint8_t flags;
71 };
72
73 /* Note we want this to be 64 bit aligned so that the end of our array is
74 * actually the end of the structure.
75 */
76 #define MAX_ENTRIES 11
77
78 struct test_val {
79 unsigned int index;
80 int foo[MAX_ENTRIES];
81 };
82
83 static struct bpf_test tests[] = {
84 {
85 "add+sub+mul",
86 .insns = {
87 BPF_MOV64_IMM(BPF_REG_1, 1),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
89 BPF_MOV64_IMM(BPF_REG_2, 3),
90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
94 BPF_EXIT_INSN(),
95 },
96 .result = ACCEPT,
97 },
98 {
99 "unreachable",
100 .insns = {
101 BPF_EXIT_INSN(),
102 BPF_EXIT_INSN(),
103 },
104 .errstr = "unreachable",
105 .result = REJECT,
106 },
107 {
108 "unreachable2",
109 .insns = {
110 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
111 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
112 BPF_EXIT_INSN(),
113 },
114 .errstr = "unreachable",
115 .result = REJECT,
116 },
117 {
118 "out of range jump",
119 .insns = {
120 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
121 BPF_EXIT_INSN(),
122 },
123 .errstr = "jump out of range",
124 .result = REJECT,
125 },
126 {
127 "out of range jump2",
128 .insns = {
129 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
130 BPF_EXIT_INSN(),
131 },
132 .errstr = "jump out of range",
133 .result = REJECT,
134 },
135 {
136 "test1 ld_imm64",
137 .insns = {
138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 0),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_LD_IMM64(BPF_REG_0, 1),
143 BPF_MOV64_IMM(BPF_REG_0, 2),
144 BPF_EXIT_INSN(),
145 },
146 .errstr = "invalid BPF_LD_IMM insn",
147 .errstr_unpriv = "R1 pointer comparison",
148 .result = REJECT,
149 },
150 {
151 "test2 ld_imm64",
152 .insns = {
153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 0),
156 BPF_LD_IMM64(BPF_REG_0, 1),
157 BPF_LD_IMM64(BPF_REG_0, 1),
158 BPF_EXIT_INSN(),
159 },
160 .errstr = "invalid BPF_LD_IMM insn",
161 .errstr_unpriv = "R1 pointer comparison",
162 .result = REJECT,
163 },
164 {
165 "test3 ld_imm64",
166 .insns = {
167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 0),
171 BPF_LD_IMM64(BPF_REG_0, 1),
172 BPF_LD_IMM64(BPF_REG_0, 1),
173 BPF_EXIT_INSN(),
174 },
175 .errstr = "invalid bpf_ld_imm64 insn",
176 .result = REJECT,
177 },
178 {
179 "test4 ld_imm64",
180 .insns = {
181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
182 BPF_EXIT_INSN(),
183 },
184 .errstr = "invalid bpf_ld_imm64 insn",
185 .result = REJECT,
186 },
187 {
188 "test5 ld_imm64",
189 .insns = {
190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
191 },
192 .errstr = "invalid bpf_ld_imm64 insn",
193 .result = REJECT,
194 },
195 {
196 "test6 ld_imm64",
197 .insns = {
198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
199 BPF_RAW_INSN(0, 0, 0, 0, 0),
200 BPF_EXIT_INSN(),
201 },
202 .result = ACCEPT,
203 },
204 {
205 "test7 ld_imm64",
206 .insns = {
207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
208 BPF_RAW_INSN(0, 0, 0, 0, 1),
209 BPF_EXIT_INSN(),
210 },
211 .result = ACCEPT,
212 },
213 {
214 "test8 ld_imm64",
215 .insns = {
216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
217 BPF_RAW_INSN(0, 0, 0, 0, 1),
218 BPF_EXIT_INSN(),
219 },
220 .errstr = "uses reserved fields",
221 .result = REJECT,
222 },
223 {
224 "test9 ld_imm64",
225 .insns = {
226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
227 BPF_RAW_INSN(0, 0, 0, 1, 1),
228 BPF_EXIT_INSN(),
229 },
230 .errstr = "invalid bpf_ld_imm64 insn",
231 .result = REJECT,
232 },
233 {
234 "test10 ld_imm64",
235 .insns = {
236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
238 BPF_EXIT_INSN(),
239 },
240 .errstr = "invalid bpf_ld_imm64 insn",
241 .result = REJECT,
242 },
243 {
244 "test11 ld_imm64",
245 .insns = {
246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
248 BPF_EXIT_INSN(),
249 },
250 .errstr = "invalid bpf_ld_imm64 insn",
251 .result = REJECT,
252 },
253 {
254 "test12 ld_imm64",
255 .insns = {
256 BPF_MOV64_IMM(BPF_REG_1, 0),
257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
258 BPF_RAW_INSN(0, 0, 0, 0, 1),
259 BPF_EXIT_INSN(),
260 },
261 .errstr = "not pointing to valid bpf_map",
262 .result = REJECT,
263 },
264 {
265 "test13 ld_imm64",
266 .insns = {
267 BPF_MOV64_IMM(BPF_REG_1, 0),
268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
270 BPF_EXIT_INSN(),
271 },
272 .errstr = "invalid bpf_ld_imm64 insn",
273 .result = REJECT,
274 },
275 {
276 "no bpf_exit",
277 .insns = {
278 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
279 },
280 .errstr = "jump out of range",
281 .result = REJECT,
282 },
283 {
284 "loop (back-edge)",
285 .insns = {
286 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
287 BPF_EXIT_INSN(),
288 },
289 .errstr = "back-edge",
290 .result = REJECT,
291 },
292 {
293 "loop2 (back-edge)",
294 .insns = {
295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
298 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
299 BPF_EXIT_INSN(),
300 },
301 .errstr = "back-edge",
302 .result = REJECT,
303 },
304 {
305 "conditional loop",
306 .insns = {
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
311 BPF_EXIT_INSN(),
312 },
313 .errstr = "back-edge",
314 .result = REJECT,
315 },
316 {
317 "read uninitialized register",
318 .insns = {
319 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
320 BPF_EXIT_INSN(),
321 },
322 .errstr = "R2 !read_ok",
323 .result = REJECT,
324 },
325 {
326 "read invalid register",
327 .insns = {
328 BPF_MOV64_REG(BPF_REG_0, -1),
329 BPF_EXIT_INSN(),
330 },
331 .errstr = "R15 is invalid",
332 .result = REJECT,
333 },
334 {
335 "program doesn't init R0 before exit",
336 .insns = {
337 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
338 BPF_EXIT_INSN(),
339 },
340 .errstr = "R0 !read_ok",
341 .result = REJECT,
342 },
343 {
344 "program doesn't init R0 before exit in all branches",
345 .insns = {
346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
347 BPF_MOV64_IMM(BPF_REG_0, 1),
348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
349 BPF_EXIT_INSN(),
350 },
351 .errstr = "R0 !read_ok",
352 .errstr_unpriv = "R1 pointer comparison",
353 .result = REJECT,
354 },
355 {
356 "stack out of bounds",
357 .insns = {
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
359 BPF_EXIT_INSN(),
360 },
361 .errstr = "invalid stack",
362 .result = REJECT,
363 },
364 {
365 "invalid call insn1",
366 .insns = {
367 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
368 BPF_EXIT_INSN(),
369 },
370 .errstr = "BPF_CALL uses reserved",
371 .result = REJECT,
372 },
373 {
374 "invalid call insn2",
375 .insns = {
376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
377 BPF_EXIT_INSN(),
378 },
379 .errstr = "BPF_CALL uses reserved",
380 .result = REJECT,
381 },
382 {
383 "invalid function call",
384 .insns = {
385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
386 BPF_EXIT_INSN(),
387 },
388 .errstr = "invalid func unknown#1234567",
389 .result = REJECT,
390 },
391 {
392 "uninitialized stack1",
393 .insns = {
394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
396 BPF_LD_MAP_FD(BPF_REG_1, 0),
397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
398 BPF_FUNC_map_lookup_elem),
399 BPF_EXIT_INSN(),
400 },
401 .fixup_map1 = { 2 },
402 .errstr = "invalid indirect read from stack",
403 .result = REJECT,
404 },
405 {
406 "uninitialized stack2",
407 .insns = {
408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
410 BPF_EXIT_INSN(),
411 },
412 .errstr = "invalid read from stack",
413 .result = REJECT,
414 },
415 {
416 "invalid fp arithmetic",
417 /* If this gets ever changed, make sure JITs can deal with it. */
418 .insns = {
419 BPF_MOV64_IMM(BPF_REG_0, 0),
420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
421 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
423 BPF_EXIT_INSN(),
424 },
425 .errstr_unpriv = "R1 subtraction from stack pointer",
426 .result_unpriv = REJECT,
427 .errstr = "R1 invalid mem access",
428 .result = REJECT,
429 },
430 {
431 "non-invalid fp arithmetic",
432 .insns = {
433 BPF_MOV64_IMM(BPF_REG_0, 0),
434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
435 BPF_EXIT_INSN(),
436 },
437 .result = ACCEPT,
438 },
439 {
440 "invalid argument register",
441 .insns = {
442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
443 BPF_FUNC_get_cgroup_classid),
444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
445 BPF_FUNC_get_cgroup_classid),
446 BPF_EXIT_INSN(),
447 },
448 .errstr = "R1 !read_ok",
449 .result = REJECT,
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
451 },
452 {
453 "non-invalid argument register",
454 .insns = {
455 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
457 BPF_FUNC_get_cgroup_classid),
458 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
460 BPF_FUNC_get_cgroup_classid),
461 BPF_EXIT_INSN(),
462 },
463 .result = ACCEPT,
464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
465 },
466 {
467 "check valid spill/fill",
468 .insns = {
469 /* spill R1(ctx) into stack */
470 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
471 /* fill it back into R2 */
472 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
473 /* should be able to access R0 = *(R2 + 8) */
474 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
476 BPF_EXIT_INSN(),
477 },
478 .errstr_unpriv = "R0 leaks addr",
479 .result = ACCEPT,
480 .result_unpriv = REJECT,
481 },
482 {
483 "check valid spill/fill, skb mark",
484 .insns = {
485 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
489 offsetof(struct __sk_buff, mark)),
490 BPF_EXIT_INSN(),
491 },
492 .result = ACCEPT,
493 .result_unpriv = ACCEPT,
494 },
495 {
496 "check corrupted spill/fill",
497 .insns = {
498 /* spill R1(ctx) into stack */
499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
500 /* mess up with R1 pointer on stack */
501 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
502 /* fill back into R0 should fail */
503 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
504 BPF_EXIT_INSN(),
505 },
506 .errstr_unpriv = "attempt to corrupt spilled",
507 .errstr = "corrupted spill",
508 .result = REJECT,
509 },
510 {
511 "invalid src register in STX",
512 .insns = {
513 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
514 BPF_EXIT_INSN(),
515 },
516 .errstr = "R15 is invalid",
517 .result = REJECT,
518 },
519 {
520 "invalid dst register in STX",
521 .insns = {
522 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
523 BPF_EXIT_INSN(),
524 },
525 .errstr = "R14 is invalid",
526 .result = REJECT,
527 },
528 {
529 "invalid dst register in ST",
530 .insns = {
531 BPF_ST_MEM(BPF_B, 14, -1, -1),
532 BPF_EXIT_INSN(),
533 },
534 .errstr = "R14 is invalid",
535 .result = REJECT,
536 },
537 {
538 "invalid src register in LDX",
539 .insns = {
540 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
541 BPF_EXIT_INSN(),
542 },
543 .errstr = "R12 is invalid",
544 .result = REJECT,
545 },
546 {
547 "invalid dst register in LDX",
548 .insns = {
549 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
550 BPF_EXIT_INSN(),
551 },
552 .errstr = "R11 is invalid",
553 .result = REJECT,
554 },
555 {
556 "junk insn",
557 .insns = {
558 BPF_RAW_INSN(0, 0, 0, 0, 0),
559 BPF_EXIT_INSN(),
560 },
561 .errstr = "invalid BPF_LD_IMM",
562 .result = REJECT,
563 },
564 {
565 "junk insn2",
566 .insns = {
567 BPF_RAW_INSN(1, 0, 0, 0, 0),
568 BPF_EXIT_INSN(),
569 },
570 .errstr = "BPF_LDX uses reserved fields",
571 .result = REJECT,
572 },
573 {
574 "junk insn3",
575 .insns = {
576 BPF_RAW_INSN(-1, 0, 0, 0, 0),
577 BPF_EXIT_INSN(),
578 },
579 .errstr = "invalid BPF_ALU opcode f0",
580 .result = REJECT,
581 },
582 {
583 "junk insn4",
584 .insns = {
585 BPF_RAW_INSN(-1, -1, -1, -1, -1),
586 BPF_EXIT_INSN(),
587 },
588 .errstr = "invalid BPF_ALU opcode f0",
589 .result = REJECT,
590 },
591 {
592 "junk insn5",
593 .insns = {
594 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
595 BPF_EXIT_INSN(),
596 },
597 .errstr = "BPF_ALU uses reserved fields",
598 .result = REJECT,
599 },
600 {
601 "misaligned read from stack",
602 .insns = {
603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
604 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
605 BPF_EXIT_INSN(),
606 },
607 .errstr = "misaligned stack access",
608 .result = REJECT,
609 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
610 },
611 {
612 "invalid map_fd for function call",
613 .insns = {
614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
615 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
617 BPF_LD_MAP_FD(BPF_REG_1, 0),
618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
619 BPF_FUNC_map_delete_elem),
620 BPF_EXIT_INSN(),
621 },
622 .errstr = "fd 0 is not pointing to valid bpf_map",
623 .result = REJECT,
624 },
625 {
626 "don't check return value before access",
627 .insns = {
628 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
629 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
631 BPF_LD_MAP_FD(BPF_REG_1, 0),
632 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
633 BPF_FUNC_map_lookup_elem),
634 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
635 BPF_EXIT_INSN(),
636 },
637 .fixup_map1 = { 3 },
638 .errstr = "R0 invalid mem access 'map_value_or_null'",
639 .result = REJECT,
640 },
641 {
642 "access memory with incorrect alignment",
643 .insns = {
644 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
647 BPF_LD_MAP_FD(BPF_REG_1, 0),
648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
649 BPF_FUNC_map_lookup_elem),
650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
651 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
652 BPF_EXIT_INSN(),
653 },
654 .fixup_map1 = { 3 },
655 .errstr = "misaligned value access",
656 .result = REJECT,
657 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
658 },
659 {
660 "sometimes access memory with incorrect alignment",
661 .insns = {
662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
665 BPF_LD_MAP_FD(BPF_REG_1, 0),
666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
667 BPF_FUNC_map_lookup_elem),
668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
669 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
670 BPF_EXIT_INSN(),
671 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
672 BPF_EXIT_INSN(),
673 },
674 .fixup_map1 = { 3 },
675 .errstr = "R0 invalid mem access",
676 .errstr_unpriv = "R0 leaks addr",
677 .result = REJECT,
678 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
679 },
680 {
681 "jump test 1",
682 .insns = {
683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
684 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
694 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
695 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
696 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
697 BPF_MOV64_IMM(BPF_REG_0, 0),
698 BPF_EXIT_INSN(),
699 },
700 .errstr_unpriv = "R1 pointer comparison",
701 .result_unpriv = REJECT,
702 .result = ACCEPT,
703 },
704 {
705 "jump test 2",
706 .insns = {
707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
709 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
710 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
712 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
713 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
715 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
716 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
718 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
719 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
721 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
722 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
723 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
724 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
725 BPF_MOV64_IMM(BPF_REG_0, 0),
726 BPF_EXIT_INSN(),
727 },
728 .errstr_unpriv = "R1 pointer comparison",
729 .result_unpriv = REJECT,
730 .result = ACCEPT,
731 },
732 {
733 "jump test 3",
734 .insns = {
735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
739 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
743 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
747 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
751 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
755 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
757 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
759 BPF_LD_MAP_FD(BPF_REG_1, 0),
760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
761 BPF_FUNC_map_delete_elem),
762 BPF_EXIT_INSN(),
763 },
764 .fixup_map1 = { 24 },
765 .errstr_unpriv = "R1 pointer comparison",
766 .result_unpriv = REJECT,
767 .result = ACCEPT,
768 },
769 {
770 "jump test 4",
771 .insns = {
772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
812 BPF_MOV64_IMM(BPF_REG_0, 0),
813 BPF_EXIT_INSN(),
814 },
815 .errstr_unpriv = "R1 pointer comparison",
816 .result_unpriv = REJECT,
817 .result = ACCEPT,
818 },
819 {
820 "jump test 5",
821 .insns = {
822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
823 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
824 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
825 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
826 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
828 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
829 BPF_MOV64_IMM(BPF_REG_0, 0),
830 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
831 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
832 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
834 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
835 BPF_MOV64_IMM(BPF_REG_0, 0),
836 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
837 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
838 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
840 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
841 BPF_MOV64_IMM(BPF_REG_0, 0),
842 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
843 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
844 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
846 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
847 BPF_MOV64_IMM(BPF_REG_0, 0),
848 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
849 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
850 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
851 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
852 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
853 BPF_MOV64_IMM(BPF_REG_0, 0),
854 BPF_EXIT_INSN(),
855 },
856 .errstr_unpriv = "R1 pointer comparison",
857 .result_unpriv = REJECT,
858 .result = ACCEPT,
859 },
860 {
861 "access skb fields ok",
862 .insns = {
863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
864 offsetof(struct __sk_buff, len)),
865 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
867 offsetof(struct __sk_buff, mark)),
868 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
870 offsetof(struct __sk_buff, pkt_type)),
871 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
872 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
873 offsetof(struct __sk_buff, queue_mapping)),
874 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
875 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
876 offsetof(struct __sk_buff, protocol)),
877 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
879 offsetof(struct __sk_buff, vlan_present)),
880 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
882 offsetof(struct __sk_buff, vlan_tci)),
883 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
885 offsetof(struct __sk_buff, napi_id)),
886 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
887 BPF_EXIT_INSN(),
888 },
889 .result = ACCEPT,
890 },
891 {
892 "access skb fields bad1",
893 .insns = {
894 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
895 BPF_EXIT_INSN(),
896 },
897 .errstr = "invalid bpf_context access",
898 .result = REJECT,
899 },
900 {
901 "access skb fields bad2",
902 .insns = {
903 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
904 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
907 BPF_LD_MAP_FD(BPF_REG_1, 0),
908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
909 BPF_FUNC_map_lookup_elem),
910 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
911 BPF_EXIT_INSN(),
912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
913 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
914 offsetof(struct __sk_buff, pkt_type)),
915 BPF_EXIT_INSN(),
916 },
917 .fixup_map1 = { 4 },
918 .errstr = "different pointers",
919 .errstr_unpriv = "R1 pointer comparison",
920 .result = REJECT,
921 },
922 {
923 "access skb fields bad3",
924 .insns = {
925 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
926 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
927 offsetof(struct __sk_buff, pkt_type)),
928 BPF_EXIT_INSN(),
929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
932 BPF_LD_MAP_FD(BPF_REG_1, 0),
933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
934 BPF_FUNC_map_lookup_elem),
935 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
936 BPF_EXIT_INSN(),
937 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
938 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
939 },
940 .fixup_map1 = { 6 },
941 .errstr = "different pointers",
942 .errstr_unpriv = "R1 pointer comparison",
943 .result = REJECT,
944 },
945 {
946 "access skb fields bad4",
947 .insns = {
948 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
949 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
950 offsetof(struct __sk_buff, len)),
951 BPF_MOV64_IMM(BPF_REG_0, 0),
952 BPF_EXIT_INSN(),
953 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
956 BPF_LD_MAP_FD(BPF_REG_1, 0),
957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
958 BPF_FUNC_map_lookup_elem),
959 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
960 BPF_EXIT_INSN(),
961 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
962 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
963 },
964 .fixup_map1 = { 7 },
965 .errstr = "different pointers",
966 .errstr_unpriv = "R1 pointer comparison",
967 .result = REJECT,
968 },
969 {
970 "invalid access __sk_buff family",
971 .insns = {
972 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
973 offsetof(struct __sk_buff, family)),
974 BPF_EXIT_INSN(),
975 },
976 .errstr = "invalid bpf_context access",
977 .result = REJECT,
978 },
979 {
980 "invalid access __sk_buff remote_ip4",
981 .insns = {
982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
983 offsetof(struct __sk_buff, remote_ip4)),
984 BPF_EXIT_INSN(),
985 },
986 .errstr = "invalid bpf_context access",
987 .result = REJECT,
988 },
989 {
990 "invalid access __sk_buff local_ip4",
991 .insns = {
992 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
993 offsetof(struct __sk_buff, local_ip4)),
994 BPF_EXIT_INSN(),
995 },
996 .errstr = "invalid bpf_context access",
997 .result = REJECT,
998 },
999 {
1000 "invalid access __sk_buff remote_ip6",
1001 .insns = {
1002 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1003 offsetof(struct __sk_buff, remote_ip6)),
1004 BPF_EXIT_INSN(),
1005 },
1006 .errstr = "invalid bpf_context access",
1007 .result = REJECT,
1008 },
1009 {
1010 "invalid access __sk_buff local_ip6",
1011 .insns = {
1012 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1013 offsetof(struct __sk_buff, local_ip6)),
1014 BPF_EXIT_INSN(),
1015 },
1016 .errstr = "invalid bpf_context access",
1017 .result = REJECT,
1018 },
1019 {
1020 "invalid access __sk_buff remote_port",
1021 .insns = {
1022 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1023 offsetof(struct __sk_buff, remote_port)),
1024 BPF_EXIT_INSN(),
1025 },
1026 .errstr = "invalid bpf_context access",
1027 .result = REJECT,
1028 },
1029 {
1030 "invalid access __sk_buff remote_port",
1031 .insns = {
1032 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1033 offsetof(struct __sk_buff, local_port)),
1034 BPF_EXIT_INSN(),
1035 },
1036 .errstr = "invalid bpf_context access",
1037 .result = REJECT,
1038 },
1039 {
1040 "valid access __sk_buff family",
1041 .insns = {
1042 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1043 offsetof(struct __sk_buff, family)),
1044 BPF_EXIT_INSN(),
1045 },
1046 .result = ACCEPT,
1047 .prog_type = BPF_PROG_TYPE_SK_SKB,
1048 },
1049 {
1050 "valid access __sk_buff remote_ip4",
1051 .insns = {
1052 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1053 offsetof(struct __sk_buff, remote_ip4)),
1054 BPF_EXIT_INSN(),
1055 },
1056 .result = ACCEPT,
1057 .prog_type = BPF_PROG_TYPE_SK_SKB,
1058 },
1059 {
1060 "valid access __sk_buff local_ip4",
1061 .insns = {
1062 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1063 offsetof(struct __sk_buff, local_ip4)),
1064 BPF_EXIT_INSN(),
1065 },
1066 .result = ACCEPT,
1067 .prog_type = BPF_PROG_TYPE_SK_SKB,
1068 },
1069 {
1070 "valid access __sk_buff remote_ip6",
1071 .insns = {
1072 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1073 offsetof(struct __sk_buff, remote_ip6[0])),
1074 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1075 offsetof(struct __sk_buff, remote_ip6[1])),
1076 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1077 offsetof(struct __sk_buff, remote_ip6[2])),
1078 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1079 offsetof(struct __sk_buff, remote_ip6[3])),
1080 BPF_EXIT_INSN(),
1081 },
1082 .result = ACCEPT,
1083 .prog_type = BPF_PROG_TYPE_SK_SKB,
1084 },
1085 {
1086 "valid access __sk_buff local_ip6",
1087 .insns = {
1088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1089 offsetof(struct __sk_buff, local_ip6[0])),
1090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1091 offsetof(struct __sk_buff, local_ip6[1])),
1092 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1093 offsetof(struct __sk_buff, local_ip6[2])),
1094 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1095 offsetof(struct __sk_buff, local_ip6[3])),
1096 BPF_EXIT_INSN(),
1097 },
1098 .result = ACCEPT,
1099 .prog_type = BPF_PROG_TYPE_SK_SKB,
1100 },
1101 {
1102 "valid access __sk_buff remote_port",
1103 .insns = {
1104 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1105 offsetof(struct __sk_buff, remote_port)),
1106 BPF_EXIT_INSN(),
1107 },
1108 .result = ACCEPT,
1109 .prog_type = BPF_PROG_TYPE_SK_SKB,
1110 },
1111 {
1112 "valid access __sk_buff remote_port",
1113 .insns = {
1114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1115 offsetof(struct __sk_buff, local_port)),
1116 BPF_EXIT_INSN(),
1117 },
1118 .result = ACCEPT,
1119 .prog_type = BPF_PROG_TYPE_SK_SKB,
1120 },
1121 {
1122 "invalid access of tc_classid for SK_SKB",
1123 .insns = {
1124 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1125 offsetof(struct __sk_buff, tc_classid)),
1126 BPF_EXIT_INSN(),
1127 },
1128 .result = REJECT,
1129 .prog_type = BPF_PROG_TYPE_SK_SKB,
1130 .errstr = "invalid bpf_context access",
1131 },
1132 {
1133 "invalid access of skb->mark for SK_SKB",
1134 .insns = {
1135 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1136 offsetof(struct __sk_buff, mark)),
1137 BPF_EXIT_INSN(),
1138 },
1139 .result = REJECT,
1140 .prog_type = BPF_PROG_TYPE_SK_SKB,
1141 .errstr = "invalid bpf_context access",
1142 },
1143 {
1144 "check skb->mark is not writeable by SK_SKB",
1145 .insns = {
1146 BPF_MOV64_IMM(BPF_REG_0, 0),
1147 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1148 offsetof(struct __sk_buff, mark)),
1149 BPF_EXIT_INSN(),
1150 },
1151 .result = REJECT,
1152 .prog_type = BPF_PROG_TYPE_SK_SKB,
1153 .errstr = "invalid bpf_context access",
1154 },
1155 {
1156 "check skb->tc_index is writeable by SK_SKB",
1157 .insns = {
1158 BPF_MOV64_IMM(BPF_REG_0, 0),
1159 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1160 offsetof(struct __sk_buff, tc_index)),
1161 BPF_EXIT_INSN(),
1162 },
1163 .result = ACCEPT,
1164 .prog_type = BPF_PROG_TYPE_SK_SKB,
1165 },
1166 {
1167 "check skb->priority is writeable by SK_SKB",
1168 .insns = {
1169 BPF_MOV64_IMM(BPF_REG_0, 0),
1170 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1171 offsetof(struct __sk_buff, priority)),
1172 BPF_EXIT_INSN(),
1173 },
1174 .result = ACCEPT,
1175 .prog_type = BPF_PROG_TYPE_SK_SKB,
1176 },
1177 {
1178 "direct packet read for SK_SKB",
1179 .insns = {
1180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1181 offsetof(struct __sk_buff, data)),
1182 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1183 offsetof(struct __sk_buff, data_end)),
1184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1186 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1188 BPF_MOV64_IMM(BPF_REG_0, 0),
1189 BPF_EXIT_INSN(),
1190 },
1191 .result = ACCEPT,
1192 .prog_type = BPF_PROG_TYPE_SK_SKB,
1193 },
1194 {
1195 "direct packet write for SK_SKB",
1196 .insns = {
1197 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1198 offsetof(struct __sk_buff, data)),
1199 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1200 offsetof(struct __sk_buff, data_end)),
1201 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1203 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1204 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1205 BPF_MOV64_IMM(BPF_REG_0, 0),
1206 BPF_EXIT_INSN(),
1207 },
1208 .result = ACCEPT,
1209 .prog_type = BPF_PROG_TYPE_SK_SKB,
1210 },
1211 {
1212 "overlapping checks for direct packet access SK_SKB",
1213 .insns = {
1214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1215 offsetof(struct __sk_buff, data)),
1216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1217 offsetof(struct __sk_buff, data_end)),
1218 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1220 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1223 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1225 BPF_MOV64_IMM(BPF_REG_0, 0),
1226 BPF_EXIT_INSN(),
1227 },
1228 .result = ACCEPT,
1229 .prog_type = BPF_PROG_TYPE_SK_SKB,
1230 },
1231 {
1232 "check skb->mark is not writeable by sockets",
1233 .insns = {
1234 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1235 offsetof(struct __sk_buff, mark)),
1236 BPF_EXIT_INSN(),
1237 },
1238 .errstr = "invalid bpf_context access",
1239 .errstr_unpriv = "R1 leaks addr",
1240 .result = REJECT,
1241 },
1242 {
1243 "check skb->tc_index is not writeable by sockets",
1244 .insns = {
1245 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1246 offsetof(struct __sk_buff, tc_index)),
1247 BPF_EXIT_INSN(),
1248 },
1249 .errstr = "invalid bpf_context access",
1250 .errstr_unpriv = "R1 leaks addr",
1251 .result = REJECT,
1252 },
1253 {
1254 "check cb access: byte",
1255 .insns = {
1256 BPF_MOV64_IMM(BPF_REG_0, 0),
1257 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1258 offsetof(struct __sk_buff, cb[0])),
1259 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1260 offsetof(struct __sk_buff, cb[0]) + 1),
1261 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1262 offsetof(struct __sk_buff, cb[0]) + 2),
1263 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1264 offsetof(struct __sk_buff, cb[0]) + 3),
1265 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1266 offsetof(struct __sk_buff, cb[1])),
1267 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1268 offsetof(struct __sk_buff, cb[1]) + 1),
1269 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1270 offsetof(struct __sk_buff, cb[1]) + 2),
1271 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1272 offsetof(struct __sk_buff, cb[1]) + 3),
1273 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1274 offsetof(struct __sk_buff, cb[2])),
1275 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1276 offsetof(struct __sk_buff, cb[2]) + 1),
1277 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1278 offsetof(struct __sk_buff, cb[2]) + 2),
1279 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1280 offsetof(struct __sk_buff, cb[2]) + 3),
1281 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1282 offsetof(struct __sk_buff, cb[3])),
1283 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1284 offsetof(struct __sk_buff, cb[3]) + 1),
1285 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1286 offsetof(struct __sk_buff, cb[3]) + 2),
1287 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1288 offsetof(struct __sk_buff, cb[3]) + 3),
1289 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1290 offsetof(struct __sk_buff, cb[4])),
1291 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1292 offsetof(struct __sk_buff, cb[4]) + 1),
1293 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1294 offsetof(struct __sk_buff, cb[4]) + 2),
1295 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1296 offsetof(struct __sk_buff, cb[4]) + 3),
1297 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1298 offsetof(struct __sk_buff, cb[0])),
1299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1300 offsetof(struct __sk_buff, cb[0]) + 1),
1301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1302 offsetof(struct __sk_buff, cb[0]) + 2),
1303 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1304 offsetof(struct __sk_buff, cb[0]) + 3),
1305 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1306 offsetof(struct __sk_buff, cb[1])),
1307 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1308 offsetof(struct __sk_buff, cb[1]) + 1),
1309 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1310 offsetof(struct __sk_buff, cb[1]) + 2),
1311 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1312 offsetof(struct __sk_buff, cb[1]) + 3),
1313 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1314 offsetof(struct __sk_buff, cb[2])),
1315 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1316 offsetof(struct __sk_buff, cb[2]) + 1),
1317 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1318 offsetof(struct __sk_buff, cb[2]) + 2),
1319 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1320 offsetof(struct __sk_buff, cb[2]) + 3),
1321 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1322 offsetof(struct __sk_buff, cb[3])),
1323 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, cb[3]) + 1),
1325 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1326 offsetof(struct __sk_buff, cb[3]) + 2),
1327 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1328 offsetof(struct __sk_buff, cb[3]) + 3),
1329 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, cb[4])),
1331 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1332 offsetof(struct __sk_buff, cb[4]) + 1),
1333 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1334 offsetof(struct __sk_buff, cb[4]) + 2),
1335 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, cb[4]) + 3),
1337 BPF_EXIT_INSN(),
1338 },
1339 .result = ACCEPT,
1340 },
1341 {
1342 "__sk_buff->hash, offset 0, byte store not permitted",
1343 .insns = {
1344 BPF_MOV64_IMM(BPF_REG_0, 0),
1345 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1346 offsetof(struct __sk_buff, hash)),
1347 BPF_EXIT_INSN(),
1348 },
1349 .errstr = "invalid bpf_context access",
1350 .result = REJECT,
1351 },
1352 {
1353 "__sk_buff->tc_index, offset 3, byte store not permitted",
1354 .insns = {
1355 BPF_MOV64_IMM(BPF_REG_0, 0),
1356 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1357 offsetof(struct __sk_buff, tc_index) + 3),
1358 BPF_EXIT_INSN(),
1359 },
1360 .errstr = "invalid bpf_context access",
1361 .result = REJECT,
1362 },
1363 {
1364 "check skb->hash byte load permitted",
1365 .insns = {
1366 BPF_MOV64_IMM(BPF_REG_0, 0),
1367 #if __BYTE_ORDER == __LITTLE_ENDIAN
1368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, hash)),
1370 #else
1371 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1372 offsetof(struct __sk_buff, hash) + 3),
1373 #endif
1374 BPF_EXIT_INSN(),
1375 },
1376 .result = ACCEPT,
1377 },
1378 {
1379 "check skb->hash byte load not permitted 1",
1380 .insns = {
1381 BPF_MOV64_IMM(BPF_REG_0, 0),
1382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1383 offsetof(struct __sk_buff, hash) + 1),
1384 BPF_EXIT_INSN(),
1385 },
1386 .errstr = "invalid bpf_context access",
1387 .result = REJECT,
1388 },
1389 {
1390 "check skb->hash byte load not permitted 2",
1391 .insns = {
1392 BPF_MOV64_IMM(BPF_REG_0, 0),
1393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1394 offsetof(struct __sk_buff, hash) + 2),
1395 BPF_EXIT_INSN(),
1396 },
1397 .errstr = "invalid bpf_context access",
1398 .result = REJECT,
1399 },
1400 {
1401 "check skb->hash byte load not permitted 3",
1402 .insns = {
1403 BPF_MOV64_IMM(BPF_REG_0, 0),
1404 #if __BYTE_ORDER == __LITTLE_ENDIAN
1405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1406 offsetof(struct __sk_buff, hash) + 3),
1407 #else
1408 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1409 offsetof(struct __sk_buff, hash)),
1410 #endif
1411 BPF_EXIT_INSN(),
1412 },
1413 .errstr = "invalid bpf_context access",
1414 .result = REJECT,
1415 },
1416 {
1417 "check cb access: byte, wrong type",
1418 .insns = {
1419 BPF_MOV64_IMM(BPF_REG_0, 0),
1420 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1421 offsetof(struct __sk_buff, cb[0])),
1422 BPF_EXIT_INSN(),
1423 },
1424 .errstr = "invalid bpf_context access",
1425 .result = REJECT,
1426 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1427 },
1428 {
1429 "check cb access: half",
1430 .insns = {
1431 BPF_MOV64_IMM(BPF_REG_0, 0),
1432 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1433 offsetof(struct __sk_buff, cb[0])),
1434 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1435 offsetof(struct __sk_buff, cb[0]) + 2),
1436 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1437 offsetof(struct __sk_buff, cb[1])),
1438 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1439 offsetof(struct __sk_buff, cb[1]) + 2),
1440 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1441 offsetof(struct __sk_buff, cb[2])),
1442 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1443 offsetof(struct __sk_buff, cb[2]) + 2),
1444 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1445 offsetof(struct __sk_buff, cb[3])),
1446 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1447 offsetof(struct __sk_buff, cb[3]) + 2),
1448 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1449 offsetof(struct __sk_buff, cb[4])),
1450 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1451 offsetof(struct __sk_buff, cb[4]) + 2),
1452 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1453 offsetof(struct __sk_buff, cb[0])),
1454 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1455 offsetof(struct __sk_buff, cb[0]) + 2),
1456 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1457 offsetof(struct __sk_buff, cb[1])),
1458 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1459 offsetof(struct __sk_buff, cb[1]) + 2),
1460 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1461 offsetof(struct __sk_buff, cb[2])),
1462 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1463 offsetof(struct __sk_buff, cb[2]) + 2),
1464 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1465 offsetof(struct __sk_buff, cb[3])),
1466 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1467 offsetof(struct __sk_buff, cb[3]) + 2),
1468 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1469 offsetof(struct __sk_buff, cb[4])),
1470 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1471 offsetof(struct __sk_buff, cb[4]) + 2),
1472 BPF_EXIT_INSN(),
1473 },
1474 .result = ACCEPT,
1475 },
1476 {
1477 "check cb access: half, unaligned",
1478 .insns = {
1479 BPF_MOV64_IMM(BPF_REG_0, 0),
1480 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1481 offsetof(struct __sk_buff, cb[0]) + 1),
1482 BPF_EXIT_INSN(),
1483 },
1484 .errstr = "misaligned context access",
1485 .result = REJECT,
1486 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1487 },
1488 {
1489 "check __sk_buff->hash, offset 0, half store not permitted",
1490 .insns = {
1491 BPF_MOV64_IMM(BPF_REG_0, 0),
1492 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1493 offsetof(struct __sk_buff, hash)),
1494 BPF_EXIT_INSN(),
1495 },
1496 .errstr = "invalid bpf_context access",
1497 .result = REJECT,
1498 },
1499 {
1500 "check __sk_buff->tc_index, offset 2, half store not permitted",
1501 .insns = {
1502 BPF_MOV64_IMM(BPF_REG_0, 0),
1503 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1504 offsetof(struct __sk_buff, tc_index) + 2),
1505 BPF_EXIT_INSN(),
1506 },
1507 .errstr = "invalid bpf_context access",
1508 .result = REJECT,
1509 },
1510 {
1511 "check skb->hash half load permitted",
1512 .insns = {
1513 BPF_MOV64_IMM(BPF_REG_0, 0),
1514 #if __BYTE_ORDER == __LITTLE_ENDIAN
1515 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1516 offsetof(struct __sk_buff, hash)),
1517 #else
1518 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1519 offsetof(struct __sk_buff, hash) + 2),
1520 #endif
1521 BPF_EXIT_INSN(),
1522 },
1523 .result = ACCEPT,
1524 },
1525 {
1526 "check skb->hash half load not permitted",
1527 .insns = {
1528 BPF_MOV64_IMM(BPF_REG_0, 0),
1529 #if __BYTE_ORDER == __LITTLE_ENDIAN
1530 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1531 offsetof(struct __sk_buff, hash) + 2),
1532 #else
1533 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, hash)),
1535 #endif
1536 BPF_EXIT_INSN(),
1537 },
1538 .errstr = "invalid bpf_context access",
1539 .result = REJECT,
1540 },
1541 {
1542 "check cb access: half, wrong type",
1543 .insns = {
1544 BPF_MOV64_IMM(BPF_REG_0, 0),
1545 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1546 offsetof(struct __sk_buff, cb[0])),
1547 BPF_EXIT_INSN(),
1548 },
1549 .errstr = "invalid bpf_context access",
1550 .result = REJECT,
1551 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1552 },
1553 {
1554 "check cb access: word",
1555 .insns = {
1556 BPF_MOV64_IMM(BPF_REG_0, 0),
1557 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1558 offsetof(struct __sk_buff, cb[0])),
1559 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1560 offsetof(struct __sk_buff, cb[1])),
1561 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1562 offsetof(struct __sk_buff, cb[2])),
1563 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1564 offsetof(struct __sk_buff, cb[3])),
1565 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1566 offsetof(struct __sk_buff, cb[4])),
1567 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1568 offsetof(struct __sk_buff, cb[0])),
1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, cb[1])),
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, cb[2])),
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, cb[3])),
1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 offsetof(struct __sk_buff, cb[4])),
1577 BPF_EXIT_INSN(),
1578 },
1579 .result = ACCEPT,
1580 },
1581 {
1582 "check cb access: word, unaligned 1",
1583 .insns = {
1584 BPF_MOV64_IMM(BPF_REG_0, 0),
1585 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1586 offsetof(struct __sk_buff, cb[0]) + 2),
1587 BPF_EXIT_INSN(),
1588 },
1589 .errstr = "misaligned context access",
1590 .result = REJECT,
1591 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1592 },
1593 {
1594 "check cb access: word, unaligned 2",
1595 .insns = {
1596 BPF_MOV64_IMM(BPF_REG_0, 0),
1597 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1598 offsetof(struct __sk_buff, cb[4]) + 1),
1599 BPF_EXIT_INSN(),
1600 },
1601 .errstr = "misaligned context access",
1602 .result = REJECT,
1603 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1604 },
1605 {
1606 "check cb access: word, unaligned 3",
1607 .insns = {
1608 BPF_MOV64_IMM(BPF_REG_0, 0),
1609 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1610 offsetof(struct __sk_buff, cb[4]) + 2),
1611 BPF_EXIT_INSN(),
1612 },
1613 .errstr = "misaligned context access",
1614 .result = REJECT,
1615 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1616 },
1617 {
1618 "check cb access: word, unaligned 4",
1619 .insns = {
1620 BPF_MOV64_IMM(BPF_REG_0, 0),
1621 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1622 offsetof(struct __sk_buff, cb[4]) + 3),
1623 BPF_EXIT_INSN(),
1624 },
1625 .errstr = "misaligned context access",
1626 .result = REJECT,
1627 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1628 },
1629 {
1630 "check cb access: double",
1631 .insns = {
1632 BPF_MOV64_IMM(BPF_REG_0, 0),
1633 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1634 offsetof(struct __sk_buff, cb[0])),
1635 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1636 offsetof(struct __sk_buff, cb[2])),
1637 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1638 offsetof(struct __sk_buff, cb[0])),
1639 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1640 offsetof(struct __sk_buff, cb[2])),
1641 BPF_EXIT_INSN(),
1642 },
1643 .result = ACCEPT,
1644 },
1645 {
1646 "check cb access: double, unaligned 1",
1647 .insns = {
1648 BPF_MOV64_IMM(BPF_REG_0, 0),
1649 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1650 offsetof(struct __sk_buff, cb[1])),
1651 BPF_EXIT_INSN(),
1652 },
1653 .errstr = "misaligned context access",
1654 .result = REJECT,
1655 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1656 },
1657 {
1658 "check cb access: double, unaligned 2",
1659 .insns = {
1660 BPF_MOV64_IMM(BPF_REG_0, 0),
1661 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1662 offsetof(struct __sk_buff, cb[3])),
1663 BPF_EXIT_INSN(),
1664 },
1665 .errstr = "misaligned context access",
1666 .result = REJECT,
1667 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1668 },
1669 {
1670 "check cb access: double, oob 1",
1671 .insns = {
1672 BPF_MOV64_IMM(BPF_REG_0, 0),
1673 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1674 offsetof(struct __sk_buff, cb[4])),
1675 BPF_EXIT_INSN(),
1676 },
1677 .errstr = "invalid bpf_context access",
1678 .result = REJECT,
1679 },
1680 {
1681 "check cb access: double, oob 2",
1682 .insns = {
1683 BPF_MOV64_IMM(BPF_REG_0, 0),
1684 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1685 offsetof(struct __sk_buff, cb[4])),
1686 BPF_EXIT_INSN(),
1687 },
1688 .errstr = "invalid bpf_context access",
1689 .result = REJECT,
1690 },
1691 {
1692 "check __sk_buff->ifindex dw store not permitted",
1693 .insns = {
1694 BPF_MOV64_IMM(BPF_REG_0, 0),
1695 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1696 offsetof(struct __sk_buff, ifindex)),
1697 BPF_EXIT_INSN(),
1698 },
1699 .errstr = "invalid bpf_context access",
1700 .result = REJECT,
1701 },
1702 {
1703 "check __sk_buff->ifindex dw load not permitted",
1704 .insns = {
1705 BPF_MOV64_IMM(BPF_REG_0, 0),
1706 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1707 offsetof(struct __sk_buff, ifindex)),
1708 BPF_EXIT_INSN(),
1709 },
1710 .errstr = "invalid bpf_context access",
1711 .result = REJECT,
1712 },
1713 {
1714 "check cb access: double, wrong type",
1715 .insns = {
1716 BPF_MOV64_IMM(BPF_REG_0, 0),
1717 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1718 offsetof(struct __sk_buff, cb[0])),
1719 BPF_EXIT_INSN(),
1720 },
1721 .errstr = "invalid bpf_context access",
1722 .result = REJECT,
1723 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1724 },
1725 {
1726 "check out of range skb->cb access",
1727 .insns = {
1728 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1729 offsetof(struct __sk_buff, cb[0]) + 256),
1730 BPF_EXIT_INSN(),
1731 },
1732 .errstr = "invalid bpf_context access",
1733 .errstr_unpriv = "",
1734 .result = REJECT,
1735 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1736 },
1737 {
1738 "write skb fields from socket prog",
1739 .insns = {
1740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1741 offsetof(struct __sk_buff, cb[4])),
1742 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct __sk_buff, mark)),
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct __sk_buff, tc_index)),
1747 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1748 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1749 offsetof(struct __sk_buff, cb[0])),
1750 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1751 offsetof(struct __sk_buff, cb[2])),
1752 BPF_EXIT_INSN(),
1753 },
1754 .result = ACCEPT,
1755 .errstr_unpriv = "R1 leaks addr",
1756 .result_unpriv = REJECT,
1757 },
1758 {
1759 "write skb fields from tc_cls_act prog",
1760 .insns = {
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct __sk_buff, cb[0])),
1763 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1764 offsetof(struct __sk_buff, mark)),
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct __sk_buff, tc_index)),
1767 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1768 offsetof(struct __sk_buff, tc_index)),
1769 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1770 offsetof(struct __sk_buff, cb[3])),
1771 BPF_EXIT_INSN(),
1772 },
1773 .errstr_unpriv = "",
1774 .result_unpriv = REJECT,
1775 .result = ACCEPT,
1776 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1777 },
1778 {
1779 "PTR_TO_STACK store/load",
1780 .insns = {
1781 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1783 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1784 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1785 BPF_EXIT_INSN(),
1786 },
1787 .result = ACCEPT,
1788 },
1789 {
1790 "PTR_TO_STACK store/load - bad alignment on off",
1791 .insns = {
1792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1794 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1795 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1796 BPF_EXIT_INSN(),
1797 },
1798 .result = REJECT,
1799 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
1800 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1801 },
1802 {
1803 "PTR_TO_STACK store/load - bad alignment on reg",
1804 .insns = {
1805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1807 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1809 BPF_EXIT_INSN(),
1810 },
1811 .result = REJECT,
1812 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
1813 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1814 },
1815 {
1816 "PTR_TO_STACK store/load - out of bounds low",
1817 .insns = {
1818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1820 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1821 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1822 BPF_EXIT_INSN(),
1823 },
1824 .result = REJECT,
1825 .errstr = "invalid stack off=-79992 size=8",
1826 },
1827 {
1828 "PTR_TO_STACK store/load - out of bounds high",
1829 .insns = {
1830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1832 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1833 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1834 BPF_EXIT_INSN(),
1835 },
1836 .result = REJECT,
1837 .errstr = "invalid stack off=0 size=8",
1838 },
1839 {
1840 "unpriv: return pointer",
1841 .insns = {
1842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1843 BPF_EXIT_INSN(),
1844 },
1845 .result = ACCEPT,
1846 .result_unpriv = REJECT,
1847 .errstr_unpriv = "R0 leaks addr",
1848 },
1849 {
1850 "unpriv: add const to pointer",
1851 .insns = {
1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1853 BPF_MOV64_IMM(BPF_REG_0, 0),
1854 BPF_EXIT_INSN(),
1855 },
1856 .result = ACCEPT,
1857 },
1858 {
1859 "unpriv: add pointer to pointer",
1860 .insns = {
1861 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1862 BPF_MOV64_IMM(BPF_REG_0, 0),
1863 BPF_EXIT_INSN(),
1864 },
1865 .result = ACCEPT,
1866 .result_unpriv = REJECT,
1867 .errstr_unpriv = "R1 pointer += pointer",
1868 },
1869 {
1870 "unpriv: neg pointer",
1871 .insns = {
1872 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1873 BPF_MOV64_IMM(BPF_REG_0, 0),
1874 BPF_EXIT_INSN(),
1875 },
1876 .result = ACCEPT,
1877 .result_unpriv = REJECT,
1878 .errstr_unpriv = "R1 pointer arithmetic",
1879 },
1880 {
1881 "unpriv: cmp pointer with const",
1882 .insns = {
1883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1884 BPF_MOV64_IMM(BPF_REG_0, 0),
1885 BPF_EXIT_INSN(),
1886 },
1887 .result = ACCEPT,
1888 .result_unpriv = REJECT,
1889 .errstr_unpriv = "R1 pointer comparison",
1890 },
1891 {
1892 "unpriv: cmp pointer with pointer",
1893 .insns = {
1894 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1895 BPF_MOV64_IMM(BPF_REG_0, 0),
1896 BPF_EXIT_INSN(),
1897 },
1898 .result = ACCEPT,
1899 .result_unpriv = REJECT,
1900 .errstr_unpriv = "R10 pointer comparison",
1901 },
1902 {
1903 "unpriv: check that printk is disallowed",
1904 .insns = {
1905 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1908 BPF_MOV64_IMM(BPF_REG_2, 8),
1909 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1911 BPF_FUNC_trace_printk),
1912 BPF_MOV64_IMM(BPF_REG_0, 0),
1913 BPF_EXIT_INSN(),
1914 },
1915 .errstr_unpriv = "unknown func bpf_trace_printk#6",
1916 .result_unpriv = REJECT,
1917 .result = ACCEPT,
1918 },
1919 {
1920 "unpriv: pass pointer to helper function",
1921 .insns = {
1922 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1925 BPF_LD_MAP_FD(BPF_REG_1, 0),
1926 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1927 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1928 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1929 BPF_FUNC_map_update_elem),
1930 BPF_MOV64_IMM(BPF_REG_0, 0),
1931 BPF_EXIT_INSN(),
1932 },
1933 .fixup_map1 = { 3 },
1934 .errstr_unpriv = "R4 leaks addr",
1935 .result_unpriv = REJECT,
1936 .result = ACCEPT,
1937 },
1938 {
1939 "unpriv: indirectly pass pointer on stack to helper function",
1940 .insns = {
1941 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1944 BPF_LD_MAP_FD(BPF_REG_1, 0),
1945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1946 BPF_FUNC_map_lookup_elem),
1947 BPF_MOV64_IMM(BPF_REG_0, 0),
1948 BPF_EXIT_INSN(),
1949 },
1950 .fixup_map1 = { 3 },
1951 .errstr = "invalid indirect read from stack off -8+0 size 8",
1952 .result = REJECT,
1953 },
1954 {
1955 "unpriv: mangle pointer on stack 1",
1956 .insns = {
1957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1958 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1959 BPF_MOV64_IMM(BPF_REG_0, 0),
1960 BPF_EXIT_INSN(),
1961 },
1962 .errstr_unpriv = "attempt to corrupt spilled",
1963 .result_unpriv = REJECT,
1964 .result = ACCEPT,
1965 },
1966 {
1967 "unpriv: mangle pointer on stack 2",
1968 .insns = {
1969 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1970 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1971 BPF_MOV64_IMM(BPF_REG_0, 0),
1972 BPF_EXIT_INSN(),
1973 },
1974 .errstr_unpriv = "attempt to corrupt spilled",
1975 .result_unpriv = REJECT,
1976 .result = ACCEPT,
1977 },
1978 {
1979 "unpriv: read pointer from stack in small chunks",
1980 .insns = {
1981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1983 BPF_MOV64_IMM(BPF_REG_0, 0),
1984 BPF_EXIT_INSN(),
1985 },
1986 .errstr = "invalid size",
1987 .result = REJECT,
1988 },
1989 {
1990 "unpriv: write pointer into ctx",
1991 .insns = {
1992 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1993 BPF_MOV64_IMM(BPF_REG_0, 0),
1994 BPF_EXIT_INSN(),
1995 },
1996 .errstr_unpriv = "R1 leaks addr",
1997 .result_unpriv = REJECT,
1998 .errstr = "invalid bpf_context access",
1999 .result = REJECT,
2000 },
2001 {
2002 "unpriv: spill/fill of ctx",
2003 .insns = {
2004 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2006 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2007 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2008 BPF_MOV64_IMM(BPF_REG_0, 0),
2009 BPF_EXIT_INSN(),
2010 },
2011 .result = ACCEPT,
2012 },
2013 {
2014 "unpriv: spill/fill of ctx 2",
2015 .insns = {
2016 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2018 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2019 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2021 BPF_FUNC_get_hash_recalc),
2022 BPF_EXIT_INSN(),
2023 },
2024 .result = ACCEPT,
2025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2026 },
2027 {
2028 "unpriv: spill/fill of ctx 3",
2029 .insns = {
2030 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2032 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2033 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2034 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2035 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2036 BPF_FUNC_get_hash_recalc),
2037 BPF_EXIT_INSN(),
2038 },
2039 .result = REJECT,
2040 .errstr = "R1 type=fp expected=ctx",
2041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2042 },
2043 {
2044 "unpriv: spill/fill of ctx 4",
2045 .insns = {
2046 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2048 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2049 BPF_MOV64_IMM(BPF_REG_0, 1),
2050 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2051 BPF_REG_0, -8, 0),
2052 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2053 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2054 BPF_FUNC_get_hash_recalc),
2055 BPF_EXIT_INSN(),
2056 },
2057 .result = REJECT,
2058 .errstr = "R1 type=inv expected=ctx",
2059 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2060 },
2061 {
2062 "unpriv: spill/fill of different pointers stx",
2063 .insns = {
2064 BPF_MOV64_IMM(BPF_REG_3, 42),
2065 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2067 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2068 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2070 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2071 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2072 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2073 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2074 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2075 offsetof(struct __sk_buff, mark)),
2076 BPF_MOV64_IMM(BPF_REG_0, 0),
2077 BPF_EXIT_INSN(),
2078 },
2079 .result = REJECT,
2080 .errstr = "same insn cannot be used with different pointers",
2081 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2082 },
2083 {
2084 "unpriv: spill/fill of different pointers ldx",
2085 .insns = {
2086 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2091 -(__s32)offsetof(struct bpf_perf_event_data,
2092 sample_period) - 8),
2093 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2094 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2095 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2096 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2097 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2098 offsetof(struct bpf_perf_event_data,
2099 sample_period)),
2100 BPF_MOV64_IMM(BPF_REG_0, 0),
2101 BPF_EXIT_INSN(),
2102 },
2103 .result = REJECT,
2104 .errstr = "same insn cannot be used with different pointers",
2105 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2106 },
2107 {
2108 "unpriv: write pointer into map elem value",
2109 .insns = {
2110 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2111 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2113 BPF_LD_MAP_FD(BPF_REG_1, 0),
2114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2115 BPF_FUNC_map_lookup_elem),
2116 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2117 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2118 BPF_EXIT_INSN(),
2119 },
2120 .fixup_map1 = { 3 },
2121 .errstr_unpriv = "R0 leaks addr",
2122 .result_unpriv = REJECT,
2123 .result = ACCEPT,
2124 },
2125 {
2126 "unpriv: partial copy of pointer",
2127 .insns = {
2128 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2130 BPF_EXIT_INSN(),
2131 },
2132 .errstr_unpriv = "R10 partial copy",
2133 .result_unpriv = REJECT,
2134 .result = ACCEPT,
2135 },
2136 {
2137 "unpriv: pass pointer to tail_call",
2138 .insns = {
2139 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2140 BPF_LD_MAP_FD(BPF_REG_2, 0),
2141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2142 BPF_FUNC_tail_call),
2143 BPF_MOV64_IMM(BPF_REG_0, 0),
2144 BPF_EXIT_INSN(),
2145 },
2146 .fixup_prog = { 1 },
2147 .errstr_unpriv = "R3 leaks addr into helper",
2148 .result_unpriv = REJECT,
2149 .result = ACCEPT,
2150 },
2151 {
2152 "unpriv: cmp map pointer with zero",
2153 .insns = {
2154 BPF_MOV64_IMM(BPF_REG_1, 0),
2155 BPF_LD_MAP_FD(BPF_REG_1, 0),
2156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2157 BPF_MOV64_IMM(BPF_REG_0, 0),
2158 BPF_EXIT_INSN(),
2159 },
2160 .fixup_map1 = { 1 },
2161 .errstr_unpriv = "R1 pointer comparison",
2162 .result_unpriv = REJECT,
2163 .result = ACCEPT,
2164 },
2165 {
2166 "unpriv: write into frame pointer",
2167 .insns = {
2168 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2169 BPF_MOV64_IMM(BPF_REG_0, 0),
2170 BPF_EXIT_INSN(),
2171 },
2172 .errstr = "frame pointer is read only",
2173 .result = REJECT,
2174 },
2175 {
2176 "unpriv: spill/fill frame pointer",
2177 .insns = {
2178 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2180 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2181 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2183 BPF_EXIT_INSN(),
2184 },
2185 .errstr = "frame pointer is read only",
2186 .result = REJECT,
2187 },
2188 {
2189 "unpriv: cmp of frame pointer",
2190 .insns = {
2191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2192 BPF_MOV64_IMM(BPF_REG_0, 0),
2193 BPF_EXIT_INSN(),
2194 },
2195 .errstr_unpriv = "R10 pointer comparison",
2196 .result_unpriv = REJECT,
2197 .result = ACCEPT,
2198 },
2199 {
2200 "unpriv: adding of fp",
2201 .insns = {
2202 BPF_MOV64_IMM(BPF_REG_0, 0),
2203 BPF_MOV64_IMM(BPF_REG_1, 0),
2204 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2205 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2206 BPF_EXIT_INSN(),
2207 },
2208 .result = ACCEPT,
2209 },
2210 {
2211 "unpriv: cmp of stack pointer",
2212 .insns = {
2213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2216 BPF_MOV64_IMM(BPF_REG_0, 0),
2217 BPF_EXIT_INSN(),
2218 },
2219 .errstr_unpriv = "R2 pointer comparison",
2220 .result_unpriv = REJECT,
2221 .result = ACCEPT,
2222 },
2223 {
2224 "stack pointer arithmetic",
2225 .insns = {
2226 BPF_MOV64_IMM(BPF_REG_1, 4),
2227 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2228 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2232 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2233 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2234 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2236 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2237 BPF_MOV64_IMM(BPF_REG_0, 0),
2238 BPF_EXIT_INSN(),
2239 },
2240 .result = ACCEPT,
2241 },
2242 {
2243 "raw_stack: no skb_load_bytes",
2244 .insns = {
2245 BPF_MOV64_IMM(BPF_REG_2, 4),
2246 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2248 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2249 BPF_MOV64_IMM(BPF_REG_4, 8),
2250 /* Call to skb_load_bytes() omitted. */
2251 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2252 BPF_EXIT_INSN(),
2253 },
2254 .result = REJECT,
2255 .errstr = "invalid read from stack off -8+0 size 8",
2256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2257 },
2258 {
2259 "raw_stack: skb_load_bytes, negative len",
2260 .insns = {
2261 BPF_MOV64_IMM(BPF_REG_2, 4),
2262 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2264 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2265 BPF_MOV64_IMM(BPF_REG_4, -8),
2266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2267 BPF_FUNC_skb_load_bytes),
2268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2269 BPF_EXIT_INSN(),
2270 },
2271 .result = REJECT,
2272 .errstr = "R4 min value is negative",
2273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2274 },
2275 {
2276 "raw_stack: skb_load_bytes, negative len 2",
2277 .insns = {
2278 BPF_MOV64_IMM(BPF_REG_2, 4),
2279 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2282 BPF_MOV64_IMM(BPF_REG_4, ~0),
2283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2284 BPF_FUNC_skb_load_bytes),
2285 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2286 BPF_EXIT_INSN(),
2287 },
2288 .result = REJECT,
2289 .errstr = "R4 min value is negative",
2290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2291 },
2292 {
2293 "raw_stack: skb_load_bytes, zero len",
2294 .insns = {
2295 BPF_MOV64_IMM(BPF_REG_2, 4),
2296 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2298 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2299 BPF_MOV64_IMM(BPF_REG_4, 0),
2300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2301 BPF_FUNC_skb_load_bytes),
2302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2303 BPF_EXIT_INSN(),
2304 },
2305 .result = REJECT,
2306 .errstr = "invalid stack type R3",
2307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2308 },
2309 {
2310 "raw_stack: skb_load_bytes, no init",
2311 .insns = {
2312 BPF_MOV64_IMM(BPF_REG_2, 4),
2313 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2315 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2316 BPF_MOV64_IMM(BPF_REG_4, 8),
2317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2318 BPF_FUNC_skb_load_bytes),
2319 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2320 BPF_EXIT_INSN(),
2321 },
2322 .result = ACCEPT,
2323 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2324 },
2325 {
2326 "raw_stack: skb_load_bytes, init",
2327 .insns = {
2328 BPF_MOV64_IMM(BPF_REG_2, 4),
2329 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2331 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2332 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2333 BPF_MOV64_IMM(BPF_REG_4, 8),
2334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2335 BPF_FUNC_skb_load_bytes),
2336 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2337 BPF_EXIT_INSN(),
2338 },
2339 .result = ACCEPT,
2340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2341 },
2342 {
2343 "raw_stack: skb_load_bytes, spilled regs around bounds",
2344 .insns = {
2345 BPF_MOV64_IMM(BPF_REG_2, 4),
2346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2348 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2349 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2351 BPF_MOV64_IMM(BPF_REG_4, 8),
2352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2353 BPF_FUNC_skb_load_bytes),
2354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2355 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2357 offsetof(struct __sk_buff, mark)),
2358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2359 offsetof(struct __sk_buff, priority)),
2360 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2361 BPF_EXIT_INSN(),
2362 },
2363 .result = ACCEPT,
2364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2365 },
2366 {
2367 "raw_stack: skb_load_bytes, spilled regs corruption",
2368 .insns = {
2369 BPF_MOV64_IMM(BPF_REG_2, 4),
2370 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2372 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2373 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2374 BPF_MOV64_IMM(BPF_REG_4, 8),
2375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2376 BPF_FUNC_skb_load_bytes),
2377 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2379 offsetof(struct __sk_buff, mark)),
2380 BPF_EXIT_INSN(),
2381 },
2382 .result = REJECT,
2383 .errstr = "R0 invalid mem access 'inv'",
2384 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2385 },
2386 {
2387 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2388 .insns = {
2389 BPF_MOV64_IMM(BPF_REG_2, 4),
2390 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2392 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2393 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2394 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2395 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2396 BPF_MOV64_IMM(BPF_REG_4, 8),
2397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2398 BPF_FUNC_skb_load_bytes),
2399 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2400 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2401 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2402 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2403 offsetof(struct __sk_buff, mark)),
2404 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2405 offsetof(struct __sk_buff, priority)),
2406 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2408 offsetof(struct __sk_buff, pkt_type)),
2409 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2410 BPF_EXIT_INSN(),
2411 },
2412 .result = REJECT,
2413 .errstr = "R3 invalid mem access 'inv'",
2414 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2415 },
2416 {
2417 "raw_stack: skb_load_bytes, spilled regs + data",
2418 .insns = {
2419 BPF_MOV64_IMM(BPF_REG_2, 4),
2420 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2422 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2423 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2424 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2425 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2426 BPF_MOV64_IMM(BPF_REG_4, 8),
2427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2428 BPF_FUNC_skb_load_bytes),
2429 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2430 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2431 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2432 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2433 offsetof(struct __sk_buff, mark)),
2434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2435 offsetof(struct __sk_buff, priority)),
2436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2438 BPF_EXIT_INSN(),
2439 },
2440 .result = ACCEPT,
2441 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2442 },
2443 {
2444 "raw_stack: skb_load_bytes, invalid access 1",
2445 .insns = {
2446 BPF_MOV64_IMM(BPF_REG_2, 4),
2447 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2449 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2450 BPF_MOV64_IMM(BPF_REG_4, 8),
2451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2452 BPF_FUNC_skb_load_bytes),
2453 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2454 BPF_EXIT_INSN(),
2455 },
2456 .result = REJECT,
2457 .errstr = "invalid stack type R3 off=-513 access_size=8",
2458 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2459 },
2460 {
2461 "raw_stack: skb_load_bytes, invalid access 2",
2462 .insns = {
2463 BPF_MOV64_IMM(BPF_REG_2, 4),
2464 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2466 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2467 BPF_MOV64_IMM(BPF_REG_4, 8),
2468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2469 BPF_FUNC_skb_load_bytes),
2470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2471 BPF_EXIT_INSN(),
2472 },
2473 .result = REJECT,
2474 .errstr = "invalid stack type R3 off=-1 access_size=8",
2475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2476 },
2477 {
2478 "raw_stack: skb_load_bytes, invalid access 3",
2479 .insns = {
2480 BPF_MOV64_IMM(BPF_REG_2, 4),
2481 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2483 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2484 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2485 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2486 BPF_FUNC_skb_load_bytes),
2487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2488 BPF_EXIT_INSN(),
2489 },
2490 .result = REJECT,
2491 .errstr = "R4 min value is negative",
2492 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2493 },
2494 {
2495 "raw_stack: skb_load_bytes, invalid access 4",
2496 .insns = {
2497 BPF_MOV64_IMM(BPF_REG_2, 4),
2498 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2500 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2501 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2503 BPF_FUNC_skb_load_bytes),
2504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2505 BPF_EXIT_INSN(),
2506 },
2507 .result = REJECT,
2508 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2509 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2510 },
2511 {
2512 "raw_stack: skb_load_bytes, invalid access 5",
2513 .insns = {
2514 BPF_MOV64_IMM(BPF_REG_2, 4),
2515 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2517 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2518 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2520 BPF_FUNC_skb_load_bytes),
2521 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2522 BPF_EXIT_INSN(),
2523 },
2524 .result = REJECT,
2525 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2526 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2527 },
2528 {
2529 "raw_stack: skb_load_bytes, invalid access 6",
2530 .insns = {
2531 BPF_MOV64_IMM(BPF_REG_2, 4),
2532 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2534 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2535 BPF_MOV64_IMM(BPF_REG_4, 0),
2536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2537 BPF_FUNC_skb_load_bytes),
2538 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2539 BPF_EXIT_INSN(),
2540 },
2541 .result = REJECT,
2542 .errstr = "invalid stack type R3 off=-512 access_size=0",
2543 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2544 },
2545 {
2546 "raw_stack: skb_load_bytes, large access",
2547 .insns = {
2548 BPF_MOV64_IMM(BPF_REG_2, 4),
2549 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2551 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2552 BPF_MOV64_IMM(BPF_REG_4, 512),
2553 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554 BPF_FUNC_skb_load_bytes),
2555 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2556 BPF_EXIT_INSN(),
2557 },
2558 .result = ACCEPT,
2559 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2560 },
2561 {
2562 "direct packet access: test1",
2563 .insns = {
2564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2565 offsetof(struct __sk_buff, data)),
2566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2567 offsetof(struct __sk_buff, data_end)),
2568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2572 BPF_MOV64_IMM(BPF_REG_0, 0),
2573 BPF_EXIT_INSN(),
2574 },
2575 .result = ACCEPT,
2576 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2577 },
2578 {
2579 "direct packet access: test2",
2580 .insns = {
2581 BPF_MOV64_IMM(BPF_REG_0, 1),
2582 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2583 offsetof(struct __sk_buff, data_end)),
2584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2585 offsetof(struct __sk_buff, data)),
2586 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2588 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2589 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2590 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2591 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2592 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2593 offsetof(struct __sk_buff, data)),
2594 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2595 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2596 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2597 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
2598 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2601 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2602 offsetof(struct __sk_buff, data_end)),
2603 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2604 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2605 BPF_MOV64_IMM(BPF_REG_0, 0),
2606 BPF_EXIT_INSN(),
2607 },
2608 .result = ACCEPT,
2609 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2610 },
2611 {
2612 "direct packet access: test3",
2613 .insns = {
2614 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2615 offsetof(struct __sk_buff, data)),
2616 BPF_MOV64_IMM(BPF_REG_0, 0),
2617 BPF_EXIT_INSN(),
2618 },
2619 .errstr = "invalid bpf_context access off=76",
2620 .result = REJECT,
2621 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2622 },
2623 {
2624 "direct packet access: test4 (write)",
2625 .insns = {
2626 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2627 offsetof(struct __sk_buff, data)),
2628 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2629 offsetof(struct __sk_buff, data_end)),
2630 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2632 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2633 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2634 BPF_MOV64_IMM(BPF_REG_0, 0),
2635 BPF_EXIT_INSN(),
2636 },
2637 .result = ACCEPT,
2638 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2639 },
2640 {
2641 "direct packet access: test5 (pkt_end >= reg, good access)",
2642 .insns = {
2643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2644 offsetof(struct __sk_buff, data)),
2645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2646 offsetof(struct __sk_buff, data_end)),
2647 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2649 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2650 BPF_MOV64_IMM(BPF_REG_0, 1),
2651 BPF_EXIT_INSN(),
2652 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2653 BPF_MOV64_IMM(BPF_REG_0, 0),
2654 BPF_EXIT_INSN(),
2655 },
2656 .result = ACCEPT,
2657 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2658 },
2659 {
2660 "direct packet access: test6 (pkt_end >= reg, bad access)",
2661 .insns = {
2662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2663 offsetof(struct __sk_buff, data)),
2664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2665 offsetof(struct __sk_buff, data_end)),
2666 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2668 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2670 BPF_MOV64_IMM(BPF_REG_0, 1),
2671 BPF_EXIT_INSN(),
2672 BPF_MOV64_IMM(BPF_REG_0, 0),
2673 BPF_EXIT_INSN(),
2674 },
2675 .errstr = "invalid access to packet",
2676 .result = REJECT,
2677 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 },
2679 {
2680 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2681 .insns = {
2682 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2683 offsetof(struct __sk_buff, data)),
2684 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2685 offsetof(struct __sk_buff, data_end)),
2686 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2688 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2689 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2690 BPF_MOV64_IMM(BPF_REG_0, 1),
2691 BPF_EXIT_INSN(),
2692 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2693 BPF_MOV64_IMM(BPF_REG_0, 0),
2694 BPF_EXIT_INSN(),
2695 },
2696 .errstr = "invalid access to packet",
2697 .result = REJECT,
2698 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2699 },
2700 {
2701 "direct packet access: test8 (double test, variant 1)",
2702 .insns = {
2703 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2704 offsetof(struct __sk_buff, data)),
2705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2706 offsetof(struct __sk_buff, data_end)),
2707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2709 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2711 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2712 BPF_MOV64_IMM(BPF_REG_0, 1),
2713 BPF_EXIT_INSN(),
2714 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2715 BPF_MOV64_IMM(BPF_REG_0, 0),
2716 BPF_EXIT_INSN(),
2717 },
2718 .result = ACCEPT,
2719 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2720 },
2721 {
2722 "direct packet access: test9 (double test, variant 2)",
2723 .insns = {
2724 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2725 offsetof(struct __sk_buff, data)),
2726 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2727 offsetof(struct __sk_buff, data_end)),
2728 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2730 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2731 BPF_MOV64_IMM(BPF_REG_0, 1),
2732 BPF_EXIT_INSN(),
2733 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2734 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2736 BPF_MOV64_IMM(BPF_REG_0, 0),
2737 BPF_EXIT_INSN(),
2738 },
2739 .result = ACCEPT,
2740 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2741 },
2742 {
2743 "direct packet access: test10 (write invalid)",
2744 .insns = {
2745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2746 offsetof(struct __sk_buff, data)),
2747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2748 offsetof(struct __sk_buff, data_end)),
2749 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2751 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2752 BPF_MOV64_IMM(BPF_REG_0, 0),
2753 BPF_EXIT_INSN(),
2754 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2755 BPF_MOV64_IMM(BPF_REG_0, 0),
2756 BPF_EXIT_INSN(),
2757 },
2758 .errstr = "invalid access to packet",
2759 .result = REJECT,
2760 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2761 },
2762 {
2763 "direct packet access: test11 (shift, good access)",
2764 .insns = {
2765 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2766 offsetof(struct __sk_buff, data)),
2767 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2768 offsetof(struct __sk_buff, data_end)),
2769 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2771 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2772 BPF_MOV64_IMM(BPF_REG_3, 144),
2773 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2775 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2776 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2777 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2778 BPF_MOV64_IMM(BPF_REG_0, 1),
2779 BPF_EXIT_INSN(),
2780 BPF_MOV64_IMM(BPF_REG_0, 0),
2781 BPF_EXIT_INSN(),
2782 },
2783 .result = ACCEPT,
2784 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2785 },
2786 {
2787 "direct packet access: test12 (and, good access)",
2788 .insns = {
2789 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2790 offsetof(struct __sk_buff, data)),
2791 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2792 offsetof(struct __sk_buff, data_end)),
2793 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2795 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2796 BPF_MOV64_IMM(BPF_REG_3, 144),
2797 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2799 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2800 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2801 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2802 BPF_MOV64_IMM(BPF_REG_0, 1),
2803 BPF_EXIT_INSN(),
2804 BPF_MOV64_IMM(BPF_REG_0, 0),
2805 BPF_EXIT_INSN(),
2806 },
2807 .result = ACCEPT,
2808 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2809 },
2810 {
2811 "direct packet access: test13 (branches, good access)",
2812 .insns = {
2813 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2814 offsetof(struct __sk_buff, data)),
2815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2816 offsetof(struct __sk_buff, data_end)),
2817 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2819 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 offsetof(struct __sk_buff, mark)),
2822 BPF_MOV64_IMM(BPF_REG_4, 1),
2823 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2824 BPF_MOV64_IMM(BPF_REG_3, 14),
2825 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2826 BPF_MOV64_IMM(BPF_REG_3, 24),
2827 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2829 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2830 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2831 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2832 BPF_MOV64_IMM(BPF_REG_0, 1),
2833 BPF_EXIT_INSN(),
2834 BPF_MOV64_IMM(BPF_REG_0, 0),
2835 BPF_EXIT_INSN(),
2836 },
2837 .result = ACCEPT,
2838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2839 },
2840 {
2841 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2842 .insns = {
2843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2844 offsetof(struct __sk_buff, data)),
2845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2846 offsetof(struct __sk_buff, data_end)),
2847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2850 BPF_MOV64_IMM(BPF_REG_5, 12),
2851 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2852 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2853 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2854 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2855 BPF_MOV64_IMM(BPF_REG_0, 1),
2856 BPF_EXIT_INSN(),
2857 BPF_MOV64_IMM(BPF_REG_0, 0),
2858 BPF_EXIT_INSN(),
2859 },
2860 .result = ACCEPT,
2861 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2862 },
2863 {
2864 "direct packet access: test15 (spill with xadd)",
2865 .insns = {
2866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2867 offsetof(struct __sk_buff, data)),
2868 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2869 offsetof(struct __sk_buff, data_end)),
2870 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2872 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2873 BPF_MOV64_IMM(BPF_REG_5, 4096),
2874 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2877 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2878 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2879 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2880 BPF_MOV64_IMM(BPF_REG_0, 0),
2881 BPF_EXIT_INSN(),
2882 },
2883 .errstr = "R2 invalid mem access 'inv'",
2884 .result = REJECT,
2885 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2886 },
2887 {
2888 "direct packet access: test16 (arith on data_end)",
2889 .insns = {
2890 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2891 offsetof(struct __sk_buff, data)),
2892 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2893 offsetof(struct __sk_buff, data_end)),
2894 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2897 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2898 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2899 BPF_MOV64_IMM(BPF_REG_0, 0),
2900 BPF_EXIT_INSN(),
2901 },
2902 .errstr = "invalid access to packet",
2903 .result = REJECT,
2904 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2905 },
2906 {
2907 "direct packet access: test17 (pruning, alignment)",
2908 .insns = {
2909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2910 offsetof(struct __sk_buff, data)),
2911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2912 offsetof(struct __sk_buff, data_end)),
2913 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2914 offsetof(struct __sk_buff, mark)),
2915 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2917 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2918 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2919 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2920 BPF_MOV64_IMM(BPF_REG_0, 0),
2921 BPF_EXIT_INSN(),
2922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2923 BPF_JMP_A(-6),
2924 },
2925 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
2926 .result = REJECT,
2927 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2928 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2929 },
2930 {
2931 "direct packet access: test18 (imm += pkt_ptr, 1)",
2932 .insns = {
2933 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2934 offsetof(struct __sk_buff, data)),
2935 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2936 offsetof(struct __sk_buff, data_end)),
2937 BPF_MOV64_IMM(BPF_REG_0, 8),
2938 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2939 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2940 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2941 BPF_MOV64_IMM(BPF_REG_0, 0),
2942 BPF_EXIT_INSN(),
2943 },
2944 .result = ACCEPT,
2945 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2946 },
2947 {
2948 "direct packet access: test19 (imm += pkt_ptr, 2)",
2949 .insns = {
2950 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2951 offsetof(struct __sk_buff, data)),
2952 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2953 offsetof(struct __sk_buff, data_end)),
2954 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2956 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2957 BPF_MOV64_IMM(BPF_REG_4, 4),
2958 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2959 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2960 BPF_MOV64_IMM(BPF_REG_0, 0),
2961 BPF_EXIT_INSN(),
2962 },
2963 .result = ACCEPT,
2964 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2965 },
2966 {
2967 "direct packet access: test20 (x += pkt_ptr, 1)",
2968 .insns = {
2969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2970 offsetof(struct __sk_buff, data)),
2971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2972 offsetof(struct __sk_buff, data_end)),
2973 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2974 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2975 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2976 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
2977 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2978 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2979 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
2981 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2982 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2983 BPF_MOV64_IMM(BPF_REG_0, 0),
2984 BPF_EXIT_INSN(),
2985 },
2986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2987 .result = ACCEPT,
2988 },
2989 {
2990 "direct packet access: test21 (x += pkt_ptr, 2)",
2991 .insns = {
2992 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2993 offsetof(struct __sk_buff, data)),
2994 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2995 offsetof(struct __sk_buff, data_end)),
2996 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2998 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2999 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3001 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3002 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3003 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3004 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3006 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3007 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3008 BPF_MOV64_IMM(BPF_REG_0, 0),
3009 BPF_EXIT_INSN(),
3010 },
3011 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3012 .result = ACCEPT,
3013 },
3014 {
3015 "direct packet access: test22 (x += pkt_ptr, 3)",
3016 .insns = {
3017 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3018 offsetof(struct __sk_buff, data)),
3019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3020 offsetof(struct __sk_buff, data_end)),
3021 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3023 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3024 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3025 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3026 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3027 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3028 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3029 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3030 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3031 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3032 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3035 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3036 BPF_MOV64_IMM(BPF_REG_2, 1),
3037 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3038 BPF_MOV64_IMM(BPF_REG_0, 0),
3039 BPF_EXIT_INSN(),
3040 },
3041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3042 .result = ACCEPT,
3043 },
3044 {
3045 "direct packet access: test23 (x += pkt_ptr, 4)",
3046 .insns = {
3047 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3048 offsetof(struct __sk_buff, data)),
3049 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3050 offsetof(struct __sk_buff, data_end)),
3051 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3052 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3053 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3054 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3055 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3056 BPF_MOV64_IMM(BPF_REG_0, 31),
3057 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3058 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3059 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3061 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3062 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3063 BPF_MOV64_IMM(BPF_REG_0, 0),
3064 BPF_EXIT_INSN(),
3065 },
3066 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3067 .result = REJECT,
3068 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3069 },
3070 {
3071 "direct packet access: test24 (x += pkt_ptr, 5)",
3072 .insns = {
3073 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3074 offsetof(struct __sk_buff, data)),
3075 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3076 offsetof(struct __sk_buff, data_end)),
3077 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3078 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3079 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3080 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3081 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3082 BPF_MOV64_IMM(BPF_REG_0, 64),
3083 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3084 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3085 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3087 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3088 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3089 BPF_MOV64_IMM(BPF_REG_0, 0),
3090 BPF_EXIT_INSN(),
3091 },
3092 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3093 .result = ACCEPT,
3094 },
3095 {
3096 "direct packet access: test25 (marking on <, good access)",
3097 .insns = {
3098 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3099 offsetof(struct __sk_buff, data)),
3100 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3101 offsetof(struct __sk_buff, data_end)),
3102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3104 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3105 BPF_MOV64_IMM(BPF_REG_0, 0),
3106 BPF_EXIT_INSN(),
3107 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3108 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3109 },
3110 .result = ACCEPT,
3111 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3112 },
3113 {
3114 "direct packet access: test26 (marking on <, bad access)",
3115 .insns = {
3116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3117 offsetof(struct __sk_buff, data)),
3118 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3119 offsetof(struct __sk_buff, data_end)),
3120 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3122 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3123 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3124 BPF_MOV64_IMM(BPF_REG_0, 0),
3125 BPF_EXIT_INSN(),
3126 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3127 },
3128 .result = REJECT,
3129 .errstr = "invalid access to packet",
3130 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3131 },
3132 {
3133 "direct packet access: test27 (marking on <=, good access)",
3134 .insns = {
3135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3136 offsetof(struct __sk_buff, data)),
3137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3138 offsetof(struct __sk_buff, data_end)),
3139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3141 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3142 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3143 BPF_MOV64_IMM(BPF_REG_0, 1),
3144 BPF_EXIT_INSN(),
3145 },
3146 .result = ACCEPT,
3147 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3148 },
3149 {
3150 "direct packet access: test28 (marking on <=, bad access)",
3151 .insns = {
3152 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3153 offsetof(struct __sk_buff, data)),
3154 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3155 offsetof(struct __sk_buff, data_end)),
3156 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3158 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3159 BPF_MOV64_IMM(BPF_REG_0, 1),
3160 BPF_EXIT_INSN(),
3161 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3162 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3163 },
3164 .result = REJECT,
3165 .errstr = "invalid access to packet",
3166 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3167 },
3168 {
3169 "helper access to packet: test1, valid packet_ptr range",
3170 .insns = {
3171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3172 offsetof(struct xdp_md, data)),
3173 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3174 offsetof(struct xdp_md, data_end)),
3175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3177 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3178 BPF_LD_MAP_FD(BPF_REG_1, 0),
3179 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3180 BPF_MOV64_IMM(BPF_REG_4, 0),
3181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3182 BPF_FUNC_map_update_elem),
3183 BPF_MOV64_IMM(BPF_REG_0, 0),
3184 BPF_EXIT_INSN(),
3185 },
3186 .fixup_map1 = { 5 },
3187 .result_unpriv = ACCEPT,
3188 .result = ACCEPT,
3189 .prog_type = BPF_PROG_TYPE_XDP,
3190 },
3191 {
3192 "helper access to packet: test2, unchecked packet_ptr",
3193 .insns = {
3194 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3195 offsetof(struct xdp_md, data)),
3196 BPF_LD_MAP_FD(BPF_REG_1, 0),
3197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3198 BPF_FUNC_map_lookup_elem),
3199 BPF_MOV64_IMM(BPF_REG_0, 0),
3200 BPF_EXIT_INSN(),
3201 },
3202 .fixup_map1 = { 1 },
3203 .result = REJECT,
3204 .errstr = "invalid access to packet",
3205 .prog_type = BPF_PROG_TYPE_XDP,
3206 },
3207 {
3208 "helper access to packet: test3, variable add",
3209 .insns = {
3210 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3211 offsetof(struct xdp_md, data)),
3212 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3213 offsetof(struct xdp_md, data_end)),
3214 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3216 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3217 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3218 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3219 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3220 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3222 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3223 BPF_LD_MAP_FD(BPF_REG_1, 0),
3224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3226 BPF_FUNC_map_lookup_elem),
3227 BPF_MOV64_IMM(BPF_REG_0, 0),
3228 BPF_EXIT_INSN(),
3229 },
3230 .fixup_map1 = { 11 },
3231 .result = ACCEPT,
3232 .prog_type = BPF_PROG_TYPE_XDP,
3233 },
3234 {
3235 "helper access to packet: test4, packet_ptr with bad range",
3236 .insns = {
3237 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3238 offsetof(struct xdp_md, data)),
3239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3240 offsetof(struct xdp_md, data_end)),
3241 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3243 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3244 BPF_MOV64_IMM(BPF_REG_0, 0),
3245 BPF_EXIT_INSN(),
3246 BPF_LD_MAP_FD(BPF_REG_1, 0),
3247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3248 BPF_FUNC_map_lookup_elem),
3249 BPF_MOV64_IMM(BPF_REG_0, 0),
3250 BPF_EXIT_INSN(),
3251 },
3252 .fixup_map1 = { 7 },
3253 .result = REJECT,
3254 .errstr = "invalid access to packet",
3255 .prog_type = BPF_PROG_TYPE_XDP,
3256 },
3257 {
3258 "helper access to packet: test5, packet_ptr with too short range",
3259 .insns = {
3260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3261 offsetof(struct xdp_md, data)),
3262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3263 offsetof(struct xdp_md, data_end)),
3264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3265 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3267 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3268 BPF_LD_MAP_FD(BPF_REG_1, 0),
3269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3270 BPF_FUNC_map_lookup_elem),
3271 BPF_MOV64_IMM(BPF_REG_0, 0),
3272 BPF_EXIT_INSN(),
3273 },
3274 .fixup_map1 = { 6 },
3275 .result = REJECT,
3276 .errstr = "invalid access to packet",
3277 .prog_type = BPF_PROG_TYPE_XDP,
3278 },
3279 {
3280 "helper access to packet: test6, cls valid packet_ptr range",
3281 .insns = {
3282 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3283 offsetof(struct __sk_buff, data)),
3284 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3285 offsetof(struct __sk_buff, data_end)),
3286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3288 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3289 BPF_LD_MAP_FD(BPF_REG_1, 0),
3290 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3291 BPF_MOV64_IMM(BPF_REG_4, 0),
3292 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3293 BPF_FUNC_map_update_elem),
3294 BPF_MOV64_IMM(BPF_REG_0, 0),
3295 BPF_EXIT_INSN(),
3296 },
3297 .fixup_map1 = { 5 },
3298 .result = ACCEPT,
3299 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3300 },
3301 {
3302 "helper access to packet: test7, cls unchecked packet_ptr",
3303 .insns = {
3304 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3305 offsetof(struct __sk_buff, data)),
3306 BPF_LD_MAP_FD(BPF_REG_1, 0),
3307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3308 BPF_FUNC_map_lookup_elem),
3309 BPF_MOV64_IMM(BPF_REG_0, 0),
3310 BPF_EXIT_INSN(),
3311 },
3312 .fixup_map1 = { 1 },
3313 .result = REJECT,
3314 .errstr = "invalid access to packet",
3315 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3316 },
3317 {
3318 "helper access to packet: test8, cls variable add",
3319 .insns = {
3320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3321 offsetof(struct __sk_buff, data)),
3322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3323 offsetof(struct __sk_buff, data_end)),
3324 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3326 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3327 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3328 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3329 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3330 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3332 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3333 BPF_LD_MAP_FD(BPF_REG_1, 0),
3334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3336 BPF_FUNC_map_lookup_elem),
3337 BPF_MOV64_IMM(BPF_REG_0, 0),
3338 BPF_EXIT_INSN(),
3339 },
3340 .fixup_map1 = { 11 },
3341 .result = ACCEPT,
3342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3343 },
3344 {
3345 "helper access to packet: test9, cls packet_ptr with bad range",
3346 .insns = {
3347 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3348 offsetof(struct __sk_buff, data)),
3349 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3350 offsetof(struct __sk_buff, data_end)),
3351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3353 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3354 BPF_MOV64_IMM(BPF_REG_0, 0),
3355 BPF_EXIT_INSN(),
3356 BPF_LD_MAP_FD(BPF_REG_1, 0),
3357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3358 BPF_FUNC_map_lookup_elem),
3359 BPF_MOV64_IMM(BPF_REG_0, 0),
3360 BPF_EXIT_INSN(),
3361 },
3362 .fixup_map1 = { 7 },
3363 .result = REJECT,
3364 .errstr = "invalid access to packet",
3365 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3366 },
3367 {
3368 "helper access to packet: test10, cls packet_ptr with too short range",
3369 .insns = {
3370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3371 offsetof(struct __sk_buff, data)),
3372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3373 offsetof(struct __sk_buff, data_end)),
3374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3375 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3377 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3378 BPF_LD_MAP_FD(BPF_REG_1, 0),
3379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3380 BPF_FUNC_map_lookup_elem),
3381 BPF_MOV64_IMM(BPF_REG_0, 0),
3382 BPF_EXIT_INSN(),
3383 },
3384 .fixup_map1 = { 6 },
3385 .result = REJECT,
3386 .errstr = "invalid access to packet",
3387 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3388 },
3389 {
3390 "helper access to packet: test11, cls unsuitable helper 1",
3391 .insns = {
3392 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3393 offsetof(struct __sk_buff, data)),
3394 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3395 offsetof(struct __sk_buff, data_end)),
3396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3397 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3399 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3400 BPF_MOV64_IMM(BPF_REG_2, 0),
3401 BPF_MOV64_IMM(BPF_REG_4, 42),
3402 BPF_MOV64_IMM(BPF_REG_5, 0),
3403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3404 BPF_FUNC_skb_store_bytes),
3405 BPF_MOV64_IMM(BPF_REG_0, 0),
3406 BPF_EXIT_INSN(),
3407 },
3408 .result = REJECT,
3409 .errstr = "helper access to the packet",
3410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3411 },
3412 {
3413 "helper access to packet: test12, cls unsuitable helper 2",
3414 .insns = {
3415 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3416 offsetof(struct __sk_buff, data)),
3417 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3418 offsetof(struct __sk_buff, data_end)),
3419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3421 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3422 BPF_MOV64_IMM(BPF_REG_2, 0),
3423 BPF_MOV64_IMM(BPF_REG_4, 4),
3424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3425 BPF_FUNC_skb_load_bytes),
3426 BPF_MOV64_IMM(BPF_REG_0, 0),
3427 BPF_EXIT_INSN(),
3428 },
3429 .result = REJECT,
3430 .errstr = "helper access to the packet",
3431 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3432 },
3433 {
3434 "helper access to packet: test13, cls helper ok",
3435 .insns = {
3436 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3437 offsetof(struct __sk_buff, data)),
3438 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3439 offsetof(struct __sk_buff, data_end)),
3440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3443 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3445 BPF_MOV64_IMM(BPF_REG_2, 4),
3446 BPF_MOV64_IMM(BPF_REG_3, 0),
3447 BPF_MOV64_IMM(BPF_REG_4, 0),
3448 BPF_MOV64_IMM(BPF_REG_5, 0),
3449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3450 BPF_FUNC_csum_diff),
3451 BPF_MOV64_IMM(BPF_REG_0, 0),
3452 BPF_EXIT_INSN(),
3453 },
3454 .result = ACCEPT,
3455 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3456 },
3457 {
3458 "helper access to packet: test14, cls helper ok sub",
3459 .insns = {
3460 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3461 offsetof(struct __sk_buff, data)),
3462 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3463 offsetof(struct __sk_buff, data_end)),
3464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3467 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3468 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3469 BPF_MOV64_IMM(BPF_REG_2, 4),
3470 BPF_MOV64_IMM(BPF_REG_3, 0),
3471 BPF_MOV64_IMM(BPF_REG_4, 0),
3472 BPF_MOV64_IMM(BPF_REG_5, 0),
3473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3474 BPF_FUNC_csum_diff),
3475 BPF_MOV64_IMM(BPF_REG_0, 0),
3476 BPF_EXIT_INSN(),
3477 },
3478 .result = ACCEPT,
3479 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3480 },
3481 {
3482 "helper access to packet: test15, cls helper fail sub",
3483 .insns = {
3484 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3485 offsetof(struct __sk_buff, data)),
3486 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3487 offsetof(struct __sk_buff, data_end)),
3488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3489 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3491 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3492 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3493 BPF_MOV64_IMM(BPF_REG_2, 4),
3494 BPF_MOV64_IMM(BPF_REG_3, 0),
3495 BPF_MOV64_IMM(BPF_REG_4, 0),
3496 BPF_MOV64_IMM(BPF_REG_5, 0),
3497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3498 BPF_FUNC_csum_diff),
3499 BPF_MOV64_IMM(BPF_REG_0, 0),
3500 BPF_EXIT_INSN(),
3501 },
3502 .result = REJECT,
3503 .errstr = "invalid access to packet",
3504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3505 },
3506 {
3507 "helper access to packet: test16, cls helper fail range 1",
3508 .insns = {
3509 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3510 offsetof(struct __sk_buff, data)),
3511 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3512 offsetof(struct __sk_buff, data_end)),
3513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3514 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3516 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3517 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3518 BPF_MOV64_IMM(BPF_REG_2, 8),
3519 BPF_MOV64_IMM(BPF_REG_3, 0),
3520 BPF_MOV64_IMM(BPF_REG_4, 0),
3521 BPF_MOV64_IMM(BPF_REG_5, 0),
3522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3523 BPF_FUNC_csum_diff),
3524 BPF_MOV64_IMM(BPF_REG_0, 0),
3525 BPF_EXIT_INSN(),
3526 },
3527 .result = REJECT,
3528 .errstr = "invalid access to packet",
3529 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3530 },
3531 {
3532 "helper access to packet: test17, cls helper fail range 2",
3533 .insns = {
3534 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3535 offsetof(struct __sk_buff, data)),
3536 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3537 offsetof(struct __sk_buff, data_end)),
3538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3541 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3543 BPF_MOV64_IMM(BPF_REG_2, -9),
3544 BPF_MOV64_IMM(BPF_REG_3, 0),
3545 BPF_MOV64_IMM(BPF_REG_4, 0),
3546 BPF_MOV64_IMM(BPF_REG_5, 0),
3547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3548 BPF_FUNC_csum_diff),
3549 BPF_MOV64_IMM(BPF_REG_0, 0),
3550 BPF_EXIT_INSN(),
3551 },
3552 .result = REJECT,
3553 .errstr = "R2 min value is negative",
3554 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3555 },
3556 {
3557 "helper access to packet: test18, cls helper fail range 3",
3558 .insns = {
3559 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3560 offsetof(struct __sk_buff, data)),
3561 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3562 offsetof(struct __sk_buff, data_end)),
3563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3564 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3566 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3567 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3568 BPF_MOV64_IMM(BPF_REG_2, ~0),
3569 BPF_MOV64_IMM(BPF_REG_3, 0),
3570 BPF_MOV64_IMM(BPF_REG_4, 0),
3571 BPF_MOV64_IMM(BPF_REG_5, 0),
3572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3573 BPF_FUNC_csum_diff),
3574 BPF_MOV64_IMM(BPF_REG_0, 0),
3575 BPF_EXIT_INSN(),
3576 },
3577 .result = REJECT,
3578 .errstr = "R2 min value is negative",
3579 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3580 },
3581 {
3582 "helper access to packet: test19, cls helper range zero",
3583 .insns = {
3584 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3585 offsetof(struct __sk_buff, data)),
3586 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3587 offsetof(struct __sk_buff, data_end)),
3588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3593 BPF_MOV64_IMM(BPF_REG_2, 0),
3594 BPF_MOV64_IMM(BPF_REG_3, 0),
3595 BPF_MOV64_IMM(BPF_REG_4, 0),
3596 BPF_MOV64_IMM(BPF_REG_5, 0),
3597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3598 BPF_FUNC_csum_diff),
3599 BPF_MOV64_IMM(BPF_REG_0, 0),
3600 BPF_EXIT_INSN(),
3601 },
3602 .result = ACCEPT,
3603 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3604 },
3605 {
3606 "helper access to packet: test20, pkt end as input",
3607 .insns = {
3608 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3609 offsetof(struct __sk_buff, data)),
3610 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3611 offsetof(struct __sk_buff, data_end)),
3612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3613 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3615 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3616 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3617 BPF_MOV64_IMM(BPF_REG_2, 4),
3618 BPF_MOV64_IMM(BPF_REG_3, 0),
3619 BPF_MOV64_IMM(BPF_REG_4, 0),
3620 BPF_MOV64_IMM(BPF_REG_5, 0),
3621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3622 BPF_FUNC_csum_diff),
3623 BPF_MOV64_IMM(BPF_REG_0, 0),
3624 BPF_EXIT_INSN(),
3625 },
3626 .result = REJECT,
3627 .errstr = "R1 type=pkt_end expected=fp",
3628 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3629 },
3630 {
3631 "helper access to packet: test21, wrong reg",
3632 .insns = {
3633 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3634 offsetof(struct __sk_buff, data)),
3635 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3636 offsetof(struct __sk_buff, data_end)),
3637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3638 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3640 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3641 BPF_MOV64_IMM(BPF_REG_2, 4),
3642 BPF_MOV64_IMM(BPF_REG_3, 0),
3643 BPF_MOV64_IMM(BPF_REG_4, 0),
3644 BPF_MOV64_IMM(BPF_REG_5, 0),
3645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3646 BPF_FUNC_csum_diff),
3647 BPF_MOV64_IMM(BPF_REG_0, 0),
3648 BPF_EXIT_INSN(),
3649 },
3650 .result = REJECT,
3651 .errstr = "invalid access to packet",
3652 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3653 },
3654 {
3655 "valid map access into an array with a constant",
3656 .insns = {
3657 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3658 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3660 BPF_LD_MAP_FD(BPF_REG_1, 0),
3661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3662 BPF_FUNC_map_lookup_elem),
3663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3664 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3665 offsetof(struct test_val, foo)),
3666 BPF_EXIT_INSN(),
3667 },
3668 .fixup_map2 = { 3 },
3669 .errstr_unpriv = "R0 leaks addr",
3670 .result_unpriv = REJECT,
3671 .result = ACCEPT,
3672 },
3673 {
3674 "valid map access into an array with a register",
3675 .insns = {
3676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3679 BPF_LD_MAP_FD(BPF_REG_1, 0),
3680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3681 BPF_FUNC_map_lookup_elem),
3682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3683 BPF_MOV64_IMM(BPF_REG_1, 4),
3684 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3685 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3686 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3687 offsetof(struct test_val, foo)),
3688 BPF_EXIT_INSN(),
3689 },
3690 .fixup_map2 = { 3 },
3691 .errstr_unpriv = "R0 leaks addr",
3692 .result_unpriv = REJECT,
3693 .result = ACCEPT,
3694 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3695 },
3696 {
3697 "valid map access into an array with a variable",
3698 .insns = {
3699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3702 BPF_LD_MAP_FD(BPF_REG_1, 0),
3703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3704 BPF_FUNC_map_lookup_elem),
3705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3706 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3707 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3708 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3710 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3711 offsetof(struct test_val, foo)),
3712 BPF_EXIT_INSN(),
3713 },
3714 .fixup_map2 = { 3 },
3715 .errstr_unpriv = "R0 leaks addr",
3716 .result_unpriv = REJECT,
3717 .result = ACCEPT,
3718 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3719 },
3720 {
3721 "valid map access into an array with a signed variable",
3722 .insns = {
3723 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3724 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3726 BPF_LD_MAP_FD(BPF_REG_1, 0),
3727 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3728 BPF_FUNC_map_lookup_elem),
3729 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3730 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3731 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3732 BPF_MOV32_IMM(BPF_REG_1, 0),
3733 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3734 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3735 BPF_MOV32_IMM(BPF_REG_1, 0),
3736 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3737 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3738 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3739 offsetof(struct test_val, foo)),
3740 BPF_EXIT_INSN(),
3741 },
3742 .fixup_map2 = { 3 },
3743 .errstr_unpriv = "R0 leaks addr",
3744 .result_unpriv = REJECT,
3745 .result = ACCEPT,
3746 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3747 },
3748 {
3749 "invalid map access into an array with a constant",
3750 .insns = {
3751 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3754 BPF_LD_MAP_FD(BPF_REG_1, 0),
3755 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3756 BPF_FUNC_map_lookup_elem),
3757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3758 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3759 offsetof(struct test_val, foo)),
3760 BPF_EXIT_INSN(),
3761 },
3762 .fixup_map2 = { 3 },
3763 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3764 .result = REJECT,
3765 },
3766 {
3767 "invalid map access into an array with a register",
3768 .insns = {
3769 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3772 BPF_LD_MAP_FD(BPF_REG_1, 0),
3773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3774 BPF_FUNC_map_lookup_elem),
3775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3776 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3777 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3778 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3779 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3780 offsetof(struct test_val, foo)),
3781 BPF_EXIT_INSN(),
3782 },
3783 .fixup_map2 = { 3 },
3784 .errstr = "R0 min value is outside of the array range",
3785 .result = REJECT,
3786 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3787 },
3788 {
3789 "invalid map access into an array with a variable",
3790 .insns = {
3791 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3794 BPF_LD_MAP_FD(BPF_REG_1, 0),
3795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3796 BPF_FUNC_map_lookup_elem),
3797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3798 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3799 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3800 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3801 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3802 offsetof(struct test_val, foo)),
3803 BPF_EXIT_INSN(),
3804 },
3805 .fixup_map2 = { 3 },
3806 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3807 .result = REJECT,
3808 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3809 },
3810 {
3811 "invalid map access into an array with no floor check",
3812 .insns = {
3813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3816 BPF_LD_MAP_FD(BPF_REG_1, 0),
3817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3818 BPF_FUNC_map_lookup_elem),
3819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3820 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
3821 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3822 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3823 BPF_MOV32_IMM(BPF_REG_1, 0),
3824 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3826 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3827 offsetof(struct test_val, foo)),
3828 BPF_EXIT_INSN(),
3829 },
3830 .fixup_map2 = { 3 },
3831 .errstr_unpriv = "R0 leaks addr",
3832 .errstr = "R0 unbounded memory access",
3833 .result_unpriv = REJECT,
3834 .result = REJECT,
3835 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3836 },
3837 {
3838 "invalid map access into an array with a invalid max check",
3839 .insns = {
3840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3843 BPF_LD_MAP_FD(BPF_REG_1, 0),
3844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3845 BPF_FUNC_map_lookup_elem),
3846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3847 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3848 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3849 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3850 BPF_MOV32_IMM(BPF_REG_1, 0),
3851 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3853 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3854 offsetof(struct test_val, foo)),
3855 BPF_EXIT_INSN(),
3856 },
3857 .fixup_map2 = { 3 },
3858 .errstr_unpriv = "R0 leaks addr",
3859 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
3860 .result_unpriv = REJECT,
3861 .result = REJECT,
3862 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3863 },
3864 {
3865 "invalid map access into an array with a invalid max check",
3866 .insns = {
3867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3870 BPF_LD_MAP_FD(BPF_REG_1, 0),
3871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3872 BPF_FUNC_map_lookup_elem),
3873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3874 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3875 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3878 BPF_LD_MAP_FD(BPF_REG_1, 0),
3879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3880 BPF_FUNC_map_lookup_elem),
3881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3884 offsetof(struct test_val, foo)),
3885 BPF_EXIT_INSN(),
3886 },
3887 .fixup_map2 = { 3, 11 },
3888 .errstr_unpriv = "R0 pointer += pointer",
3889 .errstr = "R0 invalid mem access 'inv'",
3890 .result_unpriv = REJECT,
3891 .result = REJECT,
3892 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3893 },
3894 {
3895 "multiple registers share map_lookup_elem result",
3896 .insns = {
3897 BPF_MOV64_IMM(BPF_REG_1, 10),
3898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3901 BPF_LD_MAP_FD(BPF_REG_1, 0),
3902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3903 BPF_FUNC_map_lookup_elem),
3904 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3905 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3906 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3907 BPF_EXIT_INSN(),
3908 },
3909 .fixup_map1 = { 4 },
3910 .result = ACCEPT,
3911 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3912 },
3913 {
3914 "alu ops on ptr_to_map_value_or_null, 1",
3915 .insns = {
3916 BPF_MOV64_IMM(BPF_REG_1, 10),
3917 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3920 BPF_LD_MAP_FD(BPF_REG_1, 0),
3921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3922 BPF_FUNC_map_lookup_elem),
3923 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3927 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3928 BPF_EXIT_INSN(),
3929 },
3930 .fixup_map1 = { 4 },
3931 .errstr = "R4 invalid mem access",
3932 .result = REJECT,
3933 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3934 },
3935 {
3936 "alu ops on ptr_to_map_value_or_null, 2",
3937 .insns = {
3938 BPF_MOV64_IMM(BPF_REG_1, 10),
3939 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3942 BPF_LD_MAP_FD(BPF_REG_1, 0),
3943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3944 BPF_FUNC_map_lookup_elem),
3945 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3946 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3948 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3949 BPF_EXIT_INSN(),
3950 },
3951 .fixup_map1 = { 4 },
3952 .errstr = "R4 invalid mem access",
3953 .result = REJECT,
3954 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3955 },
3956 {
3957 "alu ops on ptr_to_map_value_or_null, 3",
3958 .insns = {
3959 BPF_MOV64_IMM(BPF_REG_1, 10),
3960 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3963 BPF_LD_MAP_FD(BPF_REG_1, 0),
3964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3965 BPF_FUNC_map_lookup_elem),
3966 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3967 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3969 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3970 BPF_EXIT_INSN(),
3971 },
3972 .fixup_map1 = { 4 },
3973 .errstr = "R4 invalid mem access",
3974 .result = REJECT,
3975 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3976 },
3977 {
3978 "invalid memory access with multiple map_lookup_elem calls",
3979 .insns = {
3980 BPF_MOV64_IMM(BPF_REG_1, 10),
3981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3984 BPF_LD_MAP_FD(BPF_REG_1, 0),
3985 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3986 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3988 BPF_FUNC_map_lookup_elem),
3989 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3993 BPF_FUNC_map_lookup_elem),
3994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3995 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3996 BPF_EXIT_INSN(),
3997 },
3998 .fixup_map1 = { 4 },
3999 .result = REJECT,
4000 .errstr = "R4 !read_ok",
4001 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4002 },
4003 {
4004 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4005 .insns = {
4006 BPF_MOV64_IMM(BPF_REG_1, 10),
4007 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4010 BPF_LD_MAP_FD(BPF_REG_1, 0),
4011 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4012 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4014 BPF_FUNC_map_lookup_elem),
4015 BPF_MOV64_IMM(BPF_REG_2, 10),
4016 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4020 BPF_FUNC_map_lookup_elem),
4021 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4022 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4023 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4024 BPF_EXIT_INSN(),
4025 },
4026 .fixup_map1 = { 4 },
4027 .result = ACCEPT,
4028 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4029 },
4030 {
4031 "invalid map access from else condition",
4032 .insns = {
4033 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4036 BPF_LD_MAP_FD(BPF_REG_1, 0),
4037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4039 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4040 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4042 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4043 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4044 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4045 BPF_EXIT_INSN(),
4046 },
4047 .fixup_map2 = { 3 },
4048 .errstr = "R0 unbounded memory access",
4049 .result = REJECT,
4050 .errstr_unpriv = "R0 leaks addr",
4051 .result_unpriv = REJECT,
4052 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4053 },
4054 {
4055 "constant register |= constant should keep constant type",
4056 .insns = {
4057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4059 BPF_MOV64_IMM(BPF_REG_2, 34),
4060 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4061 BPF_MOV64_IMM(BPF_REG_3, 0),
4062 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4063 BPF_EXIT_INSN(),
4064 },
4065 .result = ACCEPT,
4066 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4067 },
4068 {
4069 "constant register |= constant should not bypass stack boundary checks",
4070 .insns = {
4071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4073 BPF_MOV64_IMM(BPF_REG_2, 34),
4074 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4075 BPF_MOV64_IMM(BPF_REG_3, 0),
4076 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4077 BPF_EXIT_INSN(),
4078 },
4079 .errstr = "invalid stack type R1 off=-48 access_size=58",
4080 .result = REJECT,
4081 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4082 },
4083 {
4084 "constant register |= constant register should keep constant type",
4085 .insns = {
4086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4088 BPF_MOV64_IMM(BPF_REG_2, 34),
4089 BPF_MOV64_IMM(BPF_REG_4, 13),
4090 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4091 BPF_MOV64_IMM(BPF_REG_3, 0),
4092 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4093 BPF_EXIT_INSN(),
4094 },
4095 .result = ACCEPT,
4096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4097 },
4098 {
4099 "constant register |= constant register should not bypass stack boundary checks",
4100 .insns = {
4101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4103 BPF_MOV64_IMM(BPF_REG_2, 34),
4104 BPF_MOV64_IMM(BPF_REG_4, 24),
4105 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4106 BPF_MOV64_IMM(BPF_REG_3, 0),
4107 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4108 BPF_EXIT_INSN(),
4109 },
4110 .errstr = "invalid stack type R1 off=-48 access_size=58",
4111 .result = REJECT,
4112 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4113 },
4114 {
4115 "invalid direct packet write for LWT_IN",
4116 .insns = {
4117 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4118 offsetof(struct __sk_buff, data)),
4119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4120 offsetof(struct __sk_buff, data_end)),
4121 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4123 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4124 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4125 BPF_MOV64_IMM(BPF_REG_0, 0),
4126 BPF_EXIT_INSN(),
4127 },
4128 .errstr = "cannot write into packet",
4129 .result = REJECT,
4130 .prog_type = BPF_PROG_TYPE_LWT_IN,
4131 },
4132 {
4133 "invalid direct packet write for LWT_OUT",
4134 .insns = {
4135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4136 offsetof(struct __sk_buff, data)),
4137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4138 offsetof(struct __sk_buff, data_end)),
4139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4141 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4142 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4143 BPF_MOV64_IMM(BPF_REG_0, 0),
4144 BPF_EXIT_INSN(),
4145 },
4146 .errstr = "cannot write into packet",
4147 .result = REJECT,
4148 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4149 },
4150 {
4151 "direct packet write for LWT_XMIT",
4152 .insns = {
4153 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4154 offsetof(struct __sk_buff, data)),
4155 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4156 offsetof(struct __sk_buff, data_end)),
4157 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4159 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4160 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4161 BPF_MOV64_IMM(BPF_REG_0, 0),
4162 BPF_EXIT_INSN(),
4163 },
4164 .result = ACCEPT,
4165 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4166 },
4167 {
4168 "direct packet read for LWT_IN",
4169 .insns = {
4170 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4171 offsetof(struct __sk_buff, data)),
4172 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4173 offsetof(struct __sk_buff, data_end)),
4174 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4176 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4177 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4178 BPF_MOV64_IMM(BPF_REG_0, 0),
4179 BPF_EXIT_INSN(),
4180 },
4181 .result = ACCEPT,
4182 .prog_type = BPF_PROG_TYPE_LWT_IN,
4183 },
4184 {
4185 "direct packet read for LWT_OUT",
4186 .insns = {
4187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4188 offsetof(struct __sk_buff, data)),
4189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4190 offsetof(struct __sk_buff, data_end)),
4191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4193 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4194 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4195 BPF_MOV64_IMM(BPF_REG_0, 0),
4196 BPF_EXIT_INSN(),
4197 },
4198 .result = ACCEPT,
4199 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4200 },
4201 {
4202 "direct packet read for LWT_XMIT",
4203 .insns = {
4204 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4205 offsetof(struct __sk_buff, data)),
4206 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4207 offsetof(struct __sk_buff, data_end)),
4208 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4210 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4211 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4212 BPF_MOV64_IMM(BPF_REG_0, 0),
4213 BPF_EXIT_INSN(),
4214 },
4215 .result = ACCEPT,
4216 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4217 },
4218 {
4219 "overlapping checks for direct packet access",
4220 .insns = {
4221 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4222 offsetof(struct __sk_buff, data)),
4223 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4224 offsetof(struct __sk_buff, data_end)),
4225 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4227 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4230 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4231 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4232 BPF_MOV64_IMM(BPF_REG_0, 0),
4233 BPF_EXIT_INSN(),
4234 },
4235 .result = ACCEPT,
4236 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4237 },
4238 {
4239 "invalid access of tc_classid for LWT_IN",
4240 .insns = {
4241 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4242 offsetof(struct __sk_buff, tc_classid)),
4243 BPF_EXIT_INSN(),
4244 },
4245 .result = REJECT,
4246 .errstr = "invalid bpf_context access",
4247 },
4248 {
4249 "invalid access of tc_classid for LWT_OUT",
4250 .insns = {
4251 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4252 offsetof(struct __sk_buff, tc_classid)),
4253 BPF_EXIT_INSN(),
4254 },
4255 .result = REJECT,
4256 .errstr = "invalid bpf_context access",
4257 },
4258 {
4259 "invalid access of tc_classid for LWT_XMIT",
4260 .insns = {
4261 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4262 offsetof(struct __sk_buff, tc_classid)),
4263 BPF_EXIT_INSN(),
4264 },
4265 .result = REJECT,
4266 .errstr = "invalid bpf_context access",
4267 },
4268 {
4269 "leak pointer into ctx 1",
4270 .insns = {
4271 BPF_MOV64_IMM(BPF_REG_0, 0),
4272 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4273 offsetof(struct __sk_buff, cb[0])),
4274 BPF_LD_MAP_FD(BPF_REG_2, 0),
4275 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4276 offsetof(struct __sk_buff, cb[0])),
4277 BPF_EXIT_INSN(),
4278 },
4279 .fixup_map1 = { 2 },
4280 .errstr_unpriv = "R2 leaks addr into mem",
4281 .result_unpriv = REJECT,
4282 .result = ACCEPT,
4283 },
4284 {
4285 "leak pointer into ctx 2",
4286 .insns = {
4287 BPF_MOV64_IMM(BPF_REG_0, 0),
4288 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4289 offsetof(struct __sk_buff, cb[0])),
4290 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4291 offsetof(struct __sk_buff, cb[0])),
4292 BPF_EXIT_INSN(),
4293 },
4294 .errstr_unpriv = "R10 leaks addr into mem",
4295 .result_unpriv = REJECT,
4296 .result = ACCEPT,
4297 },
4298 {
4299 "leak pointer into ctx 3",
4300 .insns = {
4301 BPF_MOV64_IMM(BPF_REG_0, 0),
4302 BPF_LD_MAP_FD(BPF_REG_2, 0),
4303 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4304 offsetof(struct __sk_buff, cb[0])),
4305 BPF_EXIT_INSN(),
4306 },
4307 .fixup_map1 = { 1 },
4308 .errstr_unpriv = "R2 leaks addr into ctx",
4309 .result_unpriv = REJECT,
4310 .result = ACCEPT,
4311 },
4312 {
4313 "leak pointer into map val",
4314 .insns = {
4315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4317 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4319 BPF_LD_MAP_FD(BPF_REG_1, 0),
4320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4321 BPF_FUNC_map_lookup_elem),
4322 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4323 BPF_MOV64_IMM(BPF_REG_3, 0),
4324 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4325 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4326 BPF_MOV64_IMM(BPF_REG_0, 0),
4327 BPF_EXIT_INSN(),
4328 },
4329 .fixup_map1 = { 4 },
4330 .errstr_unpriv = "R6 leaks addr into mem",
4331 .result_unpriv = REJECT,
4332 .result = ACCEPT,
4333 },
4334 {
4335 "helper access to map: full range",
4336 .insns = {
4337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4339 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4340 BPF_LD_MAP_FD(BPF_REG_1, 0),
4341 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4344 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4345 BPF_MOV64_IMM(BPF_REG_3, 0),
4346 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4347 BPF_EXIT_INSN(),
4348 },
4349 .fixup_map2 = { 3 },
4350 .result = ACCEPT,
4351 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4352 },
4353 {
4354 "helper access to map: partial range",
4355 .insns = {
4356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4358 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4359 BPF_LD_MAP_FD(BPF_REG_1, 0),
4360 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4361 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4363 BPF_MOV64_IMM(BPF_REG_2, 8),
4364 BPF_MOV64_IMM(BPF_REG_3, 0),
4365 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4366 BPF_EXIT_INSN(),
4367 },
4368 .fixup_map2 = { 3 },
4369 .result = ACCEPT,
4370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4371 },
4372 {
4373 "helper access to map: empty range",
4374 .insns = {
4375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4378 BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4382 BPF_MOV64_IMM(BPF_REG_2, 0),
4383 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4384 BPF_EXIT_INSN(),
4385 },
4386 .fixup_map2 = { 3 },
4387 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4388 .result = REJECT,
4389 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4390 },
4391 {
4392 "helper access to map: out-of-bound range",
4393 .insns = {
4394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4396 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4397 BPF_LD_MAP_FD(BPF_REG_1, 0),
4398 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4399 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4400 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4401 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4402 BPF_MOV64_IMM(BPF_REG_3, 0),
4403 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4404 BPF_EXIT_INSN(),
4405 },
4406 .fixup_map2 = { 3 },
4407 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4408 .result = REJECT,
4409 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4410 },
4411 {
4412 "helper access to map: negative range",
4413 .insns = {
4414 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4416 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4417 BPF_LD_MAP_FD(BPF_REG_1, 0),
4418 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4421 BPF_MOV64_IMM(BPF_REG_2, -8),
4422 BPF_MOV64_IMM(BPF_REG_3, 0),
4423 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4424 BPF_EXIT_INSN(),
4425 },
4426 .fixup_map2 = { 3 },
4427 .errstr = "R2 min value is negative",
4428 .result = REJECT,
4429 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4430 },
4431 {
4432 "helper access to adjusted map (via const imm): full range",
4433 .insns = {
4434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4436 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4437 BPF_LD_MAP_FD(BPF_REG_1, 0),
4438 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4439 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4442 offsetof(struct test_val, foo)),
4443 BPF_MOV64_IMM(BPF_REG_2,
4444 sizeof(struct test_val) -
4445 offsetof(struct test_val, foo)),
4446 BPF_MOV64_IMM(BPF_REG_3, 0),
4447 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4448 BPF_EXIT_INSN(),
4449 },
4450 .fixup_map2 = { 3 },
4451 .result = ACCEPT,
4452 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4453 },
4454 {
4455 "helper access to adjusted map (via const imm): partial range",
4456 .insns = {
4457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4459 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4460 BPF_LD_MAP_FD(BPF_REG_1, 0),
4461 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4462 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4465 offsetof(struct test_val, foo)),
4466 BPF_MOV64_IMM(BPF_REG_2, 8),
4467 BPF_MOV64_IMM(BPF_REG_3, 0),
4468 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4469 BPF_EXIT_INSN(),
4470 },
4471 .fixup_map2 = { 3 },
4472 .result = ACCEPT,
4473 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4474 },
4475 {
4476 "helper access to adjusted map (via const imm): empty range",
4477 .insns = {
4478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4480 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4481 BPF_LD_MAP_FD(BPF_REG_1, 0),
4482 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4486 offsetof(struct test_val, foo)),
4487 BPF_MOV64_IMM(BPF_REG_2, 0),
4488 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4489 BPF_EXIT_INSN(),
4490 },
4491 .fixup_map2 = { 3 },
4492 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
4493 .result = REJECT,
4494 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4495 },
4496 {
4497 "helper access to adjusted map (via const imm): out-of-bound range",
4498 .insns = {
4499 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4501 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4502 BPF_LD_MAP_FD(BPF_REG_1, 0),
4503 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4507 offsetof(struct test_val, foo)),
4508 BPF_MOV64_IMM(BPF_REG_2,
4509 sizeof(struct test_val) -
4510 offsetof(struct test_val, foo) + 8),
4511 BPF_MOV64_IMM(BPF_REG_3, 0),
4512 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4513 BPF_EXIT_INSN(),
4514 },
4515 .fixup_map2 = { 3 },
4516 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4517 .result = REJECT,
4518 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4519 },
4520 {
4521 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4522 .insns = {
4523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4525 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4526 BPF_LD_MAP_FD(BPF_REG_1, 0),
4527 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4528 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4529 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4531 offsetof(struct test_val, foo)),
4532 BPF_MOV64_IMM(BPF_REG_2, -8),
4533 BPF_MOV64_IMM(BPF_REG_3, 0),
4534 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4535 BPF_EXIT_INSN(),
4536 },
4537 .fixup_map2 = { 3 },
4538 .errstr = "R2 min value is negative",
4539 .result = REJECT,
4540 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4541 },
4542 {
4543 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4544 .insns = {
4545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4547 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4548 BPF_LD_MAP_FD(BPF_REG_1, 0),
4549 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4553 offsetof(struct test_val, foo)),
4554 BPF_MOV64_IMM(BPF_REG_2, -1),
4555 BPF_MOV64_IMM(BPF_REG_3, 0),
4556 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4557 BPF_EXIT_INSN(),
4558 },
4559 .fixup_map2 = { 3 },
4560 .errstr = "R2 min value is negative",
4561 .result = REJECT,
4562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4563 },
4564 {
4565 "helper access to adjusted map (via const reg): full range",
4566 .insns = {
4567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4570 BPF_LD_MAP_FD(BPF_REG_1, 0),
4571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4574 BPF_MOV64_IMM(BPF_REG_3,
4575 offsetof(struct test_val, foo)),
4576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4577 BPF_MOV64_IMM(BPF_REG_2,
4578 sizeof(struct test_val) -
4579 offsetof(struct test_val, foo)),
4580 BPF_MOV64_IMM(BPF_REG_3, 0),
4581 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4582 BPF_EXIT_INSN(),
4583 },
4584 .fixup_map2 = { 3 },
4585 .result = ACCEPT,
4586 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4587 },
4588 {
4589 "helper access to adjusted map (via const reg): partial range",
4590 .insns = {
4591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4593 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4594 BPF_LD_MAP_FD(BPF_REG_1, 0),
4595 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4597 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4598 BPF_MOV64_IMM(BPF_REG_3,
4599 offsetof(struct test_val, foo)),
4600 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4601 BPF_MOV64_IMM(BPF_REG_2, 8),
4602 BPF_MOV64_IMM(BPF_REG_3, 0),
4603 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4604 BPF_EXIT_INSN(),
4605 },
4606 .fixup_map2 = { 3 },
4607 .result = ACCEPT,
4608 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4609 },
4610 {
4611 "helper access to adjusted map (via const reg): empty range",
4612 .insns = {
4613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4615 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4616 BPF_LD_MAP_FD(BPF_REG_1, 0),
4617 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4619 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4620 BPF_MOV64_IMM(BPF_REG_3, 0),
4621 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4622 BPF_MOV64_IMM(BPF_REG_2, 0),
4623 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4624 BPF_EXIT_INSN(),
4625 },
4626 .fixup_map2 = { 3 },
4627 .errstr = "R1 min value is outside of the array range",
4628 .result = REJECT,
4629 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4630 },
4631 {
4632 "helper access to adjusted map (via const reg): out-of-bound range",
4633 .insns = {
4634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4636 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4637 BPF_LD_MAP_FD(BPF_REG_1, 0),
4638 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4641 BPF_MOV64_IMM(BPF_REG_3,
4642 offsetof(struct test_val, foo)),
4643 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4644 BPF_MOV64_IMM(BPF_REG_2,
4645 sizeof(struct test_val) -
4646 offsetof(struct test_val, foo) + 8),
4647 BPF_MOV64_IMM(BPF_REG_3, 0),
4648 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4649 BPF_EXIT_INSN(),
4650 },
4651 .fixup_map2 = { 3 },
4652 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4653 .result = REJECT,
4654 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4655 },
4656 {
4657 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4658 .insns = {
4659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4661 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4662 BPF_LD_MAP_FD(BPF_REG_1, 0),
4663 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4666 BPF_MOV64_IMM(BPF_REG_3,
4667 offsetof(struct test_val, foo)),
4668 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4669 BPF_MOV64_IMM(BPF_REG_2, -8),
4670 BPF_MOV64_IMM(BPF_REG_3, 0),
4671 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4672 BPF_EXIT_INSN(),
4673 },
4674 .fixup_map2 = { 3 },
4675 .errstr = "R2 min value is negative",
4676 .result = REJECT,
4677 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4678 },
4679 {
4680 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4681 .insns = {
4682 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4684 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4685 BPF_LD_MAP_FD(BPF_REG_1, 0),
4686 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4688 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4689 BPF_MOV64_IMM(BPF_REG_3,
4690 offsetof(struct test_val, foo)),
4691 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4692 BPF_MOV64_IMM(BPF_REG_2, -1),
4693 BPF_MOV64_IMM(BPF_REG_3, 0),
4694 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4695 BPF_EXIT_INSN(),
4696 },
4697 .fixup_map2 = { 3 },
4698 .errstr = "R2 min value is negative",
4699 .result = REJECT,
4700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4701 },
4702 {
4703 "helper access to adjusted map (via variable): full range",
4704 .insns = {
4705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4707 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4708 BPF_LD_MAP_FD(BPF_REG_1, 0),
4709 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4712 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4713 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4714 offsetof(struct test_val, foo), 4),
4715 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4716 BPF_MOV64_IMM(BPF_REG_2,
4717 sizeof(struct test_val) -
4718 offsetof(struct test_val, foo)),
4719 BPF_MOV64_IMM(BPF_REG_3, 0),
4720 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4721 BPF_EXIT_INSN(),
4722 },
4723 .fixup_map2 = { 3 },
4724 .result = ACCEPT,
4725 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4726 },
4727 {
4728 "helper access to adjusted map (via variable): partial range",
4729 .insns = {
4730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4733 BPF_LD_MAP_FD(BPF_REG_1, 0),
4734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4738 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4739 offsetof(struct test_val, foo), 4),
4740 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4741 BPF_MOV64_IMM(BPF_REG_2, 8),
4742 BPF_MOV64_IMM(BPF_REG_3, 0),
4743 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4744 BPF_EXIT_INSN(),
4745 },
4746 .fixup_map2 = { 3 },
4747 .result = ACCEPT,
4748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4749 },
4750 {
4751 "helper access to adjusted map (via variable): empty range",
4752 .insns = {
4753 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4755 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4756 BPF_LD_MAP_FD(BPF_REG_1, 0),
4757 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4761 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4762 offsetof(struct test_val, foo), 3),
4763 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4764 BPF_MOV64_IMM(BPF_REG_2, 0),
4765 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4766 BPF_EXIT_INSN(),
4767 },
4768 .fixup_map2 = { 3 },
4769 .errstr = "R1 min value is outside of the array range",
4770 .result = REJECT,
4771 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4772 },
4773 {
4774 "helper access to adjusted map (via variable): no max check",
4775 .insns = {
4776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4778 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4779 BPF_LD_MAP_FD(BPF_REG_1, 0),
4780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4783 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4784 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4785 BPF_MOV64_IMM(BPF_REG_2, 1),
4786 BPF_MOV64_IMM(BPF_REG_3, 0),
4787 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4788 BPF_EXIT_INSN(),
4789 },
4790 .fixup_map2 = { 3 },
4791 .errstr = "R1 unbounded memory access",
4792 .result = REJECT,
4793 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4794 },
4795 {
4796 "helper access to adjusted map (via variable): wrong max check",
4797 .insns = {
4798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4800 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4801 BPF_LD_MAP_FD(BPF_REG_1, 0),
4802 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4805 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4806 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4807 offsetof(struct test_val, foo), 4),
4808 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4809 BPF_MOV64_IMM(BPF_REG_2,
4810 sizeof(struct test_val) -
4811 offsetof(struct test_val, foo) + 1),
4812 BPF_MOV64_IMM(BPF_REG_3, 0),
4813 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4814 BPF_EXIT_INSN(),
4815 },
4816 .fixup_map2 = { 3 },
4817 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4818 .result = REJECT,
4819 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4820 },
4821 {
4822 "helper access to map: bounds check using <, good access",
4823 .insns = {
4824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4826 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4827 BPF_LD_MAP_FD(BPF_REG_1, 0),
4828 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4831 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4832 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
4833 BPF_MOV64_IMM(BPF_REG_0, 0),
4834 BPF_EXIT_INSN(),
4835 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4836 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4837 BPF_MOV64_IMM(BPF_REG_0, 0),
4838 BPF_EXIT_INSN(),
4839 },
4840 .fixup_map2 = { 3 },
4841 .result = ACCEPT,
4842 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4843 },
4844 {
4845 "helper access to map: bounds check using <, bad access",
4846 .insns = {
4847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4849 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4850 BPF_LD_MAP_FD(BPF_REG_1, 0),
4851 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4854 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4855 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
4856 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4857 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4858 BPF_MOV64_IMM(BPF_REG_0, 0),
4859 BPF_EXIT_INSN(),
4860 BPF_MOV64_IMM(BPF_REG_0, 0),
4861 BPF_EXIT_INSN(),
4862 },
4863 .fixup_map2 = { 3 },
4864 .result = REJECT,
4865 .errstr = "R1 unbounded memory access",
4866 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4867 },
4868 {
4869 "helper access to map: bounds check using <=, good access",
4870 .insns = {
4871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4873 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4874 BPF_LD_MAP_FD(BPF_REG_1, 0),
4875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4879 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
4880 BPF_MOV64_IMM(BPF_REG_0, 0),
4881 BPF_EXIT_INSN(),
4882 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4883 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4884 BPF_MOV64_IMM(BPF_REG_0, 0),
4885 BPF_EXIT_INSN(),
4886 },
4887 .fixup_map2 = { 3 },
4888 .result = ACCEPT,
4889 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4890 },
4891 {
4892 "helper access to map: bounds check using <=, bad access",
4893 .insns = {
4894 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4896 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4897 BPF_LD_MAP_FD(BPF_REG_1, 0),
4898 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4901 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4902 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
4903 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4904 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4905 BPF_MOV64_IMM(BPF_REG_0, 0),
4906 BPF_EXIT_INSN(),
4907 BPF_MOV64_IMM(BPF_REG_0, 0),
4908 BPF_EXIT_INSN(),
4909 },
4910 .fixup_map2 = { 3 },
4911 .result = REJECT,
4912 .errstr = "R1 unbounded memory access",
4913 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4914 },
4915 {
4916 "helper access to map: bounds check using s<, good access",
4917 .insns = {
4918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4920 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4921 BPF_LD_MAP_FD(BPF_REG_1, 0),
4922 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4925 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4926 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4927 BPF_MOV64_IMM(BPF_REG_0, 0),
4928 BPF_EXIT_INSN(),
4929 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
4930 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4931 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4932 BPF_MOV64_IMM(BPF_REG_0, 0),
4933 BPF_EXIT_INSN(),
4934 },
4935 .fixup_map2 = { 3 },
4936 .result = ACCEPT,
4937 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4938 },
4939 {
4940 "helper access to map: bounds check using s<, good access 2",
4941 .insns = {
4942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4944 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4945 BPF_LD_MAP_FD(BPF_REG_1, 0),
4946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4950 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4951 BPF_MOV64_IMM(BPF_REG_0, 0),
4952 BPF_EXIT_INSN(),
4953 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4954 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4955 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4956 BPF_MOV64_IMM(BPF_REG_0, 0),
4957 BPF_EXIT_INSN(),
4958 },
4959 .fixup_map2 = { 3 },
4960 .result = ACCEPT,
4961 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4962 },
4963 {
4964 "helper access to map: bounds check using s<, bad access",
4965 .insns = {
4966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4968 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4969 BPF_LD_MAP_FD(BPF_REG_1, 0),
4970 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4973 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
4974 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4975 BPF_MOV64_IMM(BPF_REG_0, 0),
4976 BPF_EXIT_INSN(),
4977 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4978 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4979 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4980 BPF_MOV64_IMM(BPF_REG_0, 0),
4981 BPF_EXIT_INSN(),
4982 },
4983 .fixup_map2 = { 3 },
4984 .result = REJECT,
4985 .errstr = "R1 min value is negative",
4986 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4987 },
4988 {
4989 "helper access to map: bounds check using s<=, good access",
4990 .insns = {
4991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4993 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4994 BPF_LD_MAP_FD(BPF_REG_1, 0),
4995 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4998 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4999 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5000 BPF_MOV64_IMM(BPF_REG_0, 0),
5001 BPF_EXIT_INSN(),
5002 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5003 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5004 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5005 BPF_MOV64_IMM(BPF_REG_0, 0),
5006 BPF_EXIT_INSN(),
5007 },
5008 .fixup_map2 = { 3 },
5009 .result = ACCEPT,
5010 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5011 },
5012 {
5013 "helper access to map: bounds check using s<=, good access 2",
5014 .insns = {
5015 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5017 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5018 BPF_LD_MAP_FD(BPF_REG_1, 0),
5019 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5020 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5022 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5023 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5024 BPF_MOV64_IMM(BPF_REG_0, 0),
5025 BPF_EXIT_INSN(),
5026 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5027 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5028 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5029 BPF_MOV64_IMM(BPF_REG_0, 0),
5030 BPF_EXIT_INSN(),
5031 },
5032 .fixup_map2 = { 3 },
5033 .result = ACCEPT,
5034 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5035 },
5036 {
5037 "helper access to map: bounds check using s<=, bad access",
5038 .insns = {
5039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5041 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5042 BPF_LD_MAP_FD(BPF_REG_1, 0),
5043 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5044 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5045 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5046 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5047 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5048 BPF_MOV64_IMM(BPF_REG_0, 0),
5049 BPF_EXIT_INSN(),
5050 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5051 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5052 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5053 BPF_MOV64_IMM(BPF_REG_0, 0),
5054 BPF_EXIT_INSN(),
5055 },
5056 .fixup_map2 = { 3 },
5057 .result = REJECT,
5058 .errstr = "R1 min value is negative",
5059 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5060 },
5061 {
5062 "map element value is preserved across register spilling",
5063 .insns = {
5064 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5066 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5067 BPF_LD_MAP_FD(BPF_REG_1, 0),
5068 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5070 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5073 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5074 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5075 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5076 BPF_EXIT_INSN(),
5077 },
5078 .fixup_map2 = { 3 },
5079 .errstr_unpriv = "R0 leaks addr",
5080 .result = ACCEPT,
5081 .result_unpriv = REJECT,
5082 },
5083 {
5084 "map element value or null is marked on register spilling",
5085 .insns = {
5086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5088 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5089 BPF_LD_MAP_FD(BPF_REG_1, 0),
5090 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5093 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5094 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5095 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5096 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5097 BPF_EXIT_INSN(),
5098 },
5099 .fixup_map2 = { 3 },
5100 .errstr_unpriv = "R0 leaks addr",
5101 .result = ACCEPT,
5102 .result_unpriv = REJECT,
5103 },
5104 {
5105 "map element value store of cleared call register",
5106 .insns = {
5107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5109 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5110 BPF_LD_MAP_FD(BPF_REG_1, 0),
5111 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5112 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5113 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5114 BPF_EXIT_INSN(),
5115 },
5116 .fixup_map2 = { 3 },
5117 .errstr_unpriv = "R1 !read_ok",
5118 .errstr = "R1 !read_ok",
5119 .result = REJECT,
5120 .result_unpriv = REJECT,
5121 },
5122 {
5123 "map element value with unaligned store",
5124 .insns = {
5125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5127 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5128 BPF_LD_MAP_FD(BPF_REG_1, 0),
5129 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5132 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5133 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5134 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5135 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5136 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5137 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5138 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5140 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5141 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5142 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5143 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5145 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5146 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5147 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5148 BPF_EXIT_INSN(),
5149 },
5150 .fixup_map2 = { 3 },
5151 .errstr_unpriv = "R0 leaks addr",
5152 .result = ACCEPT,
5153 .result_unpriv = REJECT,
5154 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5155 },
5156 {
5157 "map element value with unaligned load",
5158 .insns = {
5159 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5161 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5162 BPF_LD_MAP_FD(BPF_REG_1, 0),
5163 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5165 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5166 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5168 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5169 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5170 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5171 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5172 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5174 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5175 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5176 BPF_EXIT_INSN(),
5177 },
5178 .fixup_map2 = { 3 },
5179 .errstr_unpriv = "R0 leaks addr",
5180 .result = ACCEPT,
5181 .result_unpriv = REJECT,
5182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5183 },
5184 {
5185 "map element value illegal alu op, 1",
5186 .insns = {
5187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5189 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5190 BPF_LD_MAP_FD(BPF_REG_1, 0),
5191 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5193 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5194 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5195 BPF_EXIT_INSN(),
5196 },
5197 .fixup_map2 = { 3 },
5198 .errstr_unpriv = "R0 bitwise operator &= on pointer",
5199 .errstr = "invalid mem access 'inv'",
5200 .result = REJECT,
5201 .result_unpriv = REJECT,
5202 },
5203 {
5204 "map element value illegal alu op, 2",
5205 .insns = {
5206 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5208 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5209 BPF_LD_MAP_FD(BPF_REG_1, 0),
5210 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5211 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5212 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5213 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5214 BPF_EXIT_INSN(),
5215 },
5216 .fixup_map2 = { 3 },
5217 .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited",
5218 .errstr = "invalid mem access 'inv'",
5219 .result = REJECT,
5220 .result_unpriv = REJECT,
5221 },
5222 {
5223 "map element value illegal alu op, 3",
5224 .insns = {
5225 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5227 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5228 BPF_LD_MAP_FD(BPF_REG_1, 0),
5229 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5231 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5232 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5233 BPF_EXIT_INSN(),
5234 },
5235 .fixup_map2 = { 3 },
5236 .errstr_unpriv = "R0 pointer arithmetic with /= operator",
5237 .errstr = "invalid mem access 'inv'",
5238 .result = REJECT,
5239 .result_unpriv = REJECT,
5240 },
5241 {
5242 "map element value illegal alu op, 4",
5243 .insns = {
5244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5246 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5247 BPF_LD_MAP_FD(BPF_REG_1, 0),
5248 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5250 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5251 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5252 BPF_EXIT_INSN(),
5253 },
5254 .fixup_map2 = { 3 },
5255 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5256 .errstr = "invalid mem access 'inv'",
5257 .result = REJECT,
5258 .result_unpriv = REJECT,
5259 },
5260 {
5261 "map element value illegal alu op, 5",
5262 .insns = {
5263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5265 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5266 BPF_LD_MAP_FD(BPF_REG_1, 0),
5267 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5269 BPF_MOV64_IMM(BPF_REG_3, 4096),
5270 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5272 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5273 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5274 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5275 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5276 BPF_EXIT_INSN(),
5277 },
5278 .fixup_map2 = { 3 },
5279 .errstr = "R0 invalid mem access 'inv'",
5280 .result = REJECT,
5281 },
5282 {
5283 "map element value is preserved across register spilling",
5284 .insns = {
5285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5288 BPF_LD_MAP_FD(BPF_REG_1, 0),
5289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5292 offsetof(struct test_val, foo)),
5293 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5296 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5297 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5298 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5299 BPF_EXIT_INSN(),
5300 },
5301 .fixup_map2 = { 3 },
5302 .errstr_unpriv = "R0 leaks addr",
5303 .result = ACCEPT,
5304 .result_unpriv = REJECT,
5305 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5306 },
5307 {
5308 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5309 .insns = {
5310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5312 BPF_MOV64_IMM(BPF_REG_0, 0),
5313 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5314 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5316 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5318 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5319 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5320 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5321 BPF_MOV64_IMM(BPF_REG_2, 16),
5322 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5323 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5324 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5325 BPF_MOV64_IMM(BPF_REG_4, 0),
5326 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5327 BPF_MOV64_IMM(BPF_REG_3, 0),
5328 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5329 BPF_MOV64_IMM(BPF_REG_0, 0),
5330 BPF_EXIT_INSN(),
5331 },
5332 .result = ACCEPT,
5333 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5334 },
5335 {
5336 "helper access to variable memory: stack, bitwise AND, zero included",
5337 .insns = {
5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5340 BPF_MOV64_IMM(BPF_REG_2, 16),
5341 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5342 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5343 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5344 BPF_MOV64_IMM(BPF_REG_3, 0),
5345 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5346 BPF_EXIT_INSN(),
5347 },
5348 .errstr = "invalid indirect read from stack off -64+0 size 64",
5349 .result = REJECT,
5350 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5351 },
5352 {
5353 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5354 .insns = {
5355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5357 BPF_MOV64_IMM(BPF_REG_2, 16),
5358 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5359 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5360 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5361 BPF_MOV64_IMM(BPF_REG_4, 0),
5362 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5363 BPF_MOV64_IMM(BPF_REG_3, 0),
5364 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5365 BPF_MOV64_IMM(BPF_REG_0, 0),
5366 BPF_EXIT_INSN(),
5367 },
5368 .errstr = "invalid stack type R1 off=-64 access_size=65",
5369 .result = REJECT,
5370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5371 },
5372 {
5373 "helper access to variable memory: stack, JMP, correct bounds",
5374 .insns = {
5375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5377 BPF_MOV64_IMM(BPF_REG_0, 0),
5378 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5379 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5380 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5381 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5382 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5384 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5386 BPF_MOV64_IMM(BPF_REG_2, 16),
5387 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5388 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5389 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5390 BPF_MOV64_IMM(BPF_REG_4, 0),
5391 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5392 BPF_MOV64_IMM(BPF_REG_3, 0),
5393 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5394 BPF_MOV64_IMM(BPF_REG_0, 0),
5395 BPF_EXIT_INSN(),
5396 },
5397 .result = ACCEPT,
5398 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5399 },
5400 {
5401 "helper access to variable memory: stack, JMP (signed), correct bounds",
5402 .insns = {
5403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5405 BPF_MOV64_IMM(BPF_REG_0, 0),
5406 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5407 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5408 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5409 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5410 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5411 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5413 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5414 BPF_MOV64_IMM(BPF_REG_2, 16),
5415 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5416 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5417 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5418 BPF_MOV64_IMM(BPF_REG_4, 0),
5419 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5420 BPF_MOV64_IMM(BPF_REG_3, 0),
5421 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5422 BPF_MOV64_IMM(BPF_REG_0, 0),
5423 BPF_EXIT_INSN(),
5424 },
5425 .result = ACCEPT,
5426 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5427 },
5428 {
5429 "helper access to variable memory: stack, JMP, bounds + offset",
5430 .insns = {
5431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5433 BPF_MOV64_IMM(BPF_REG_2, 16),
5434 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5435 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5436 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5437 BPF_MOV64_IMM(BPF_REG_4, 0),
5438 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5440 BPF_MOV64_IMM(BPF_REG_3, 0),
5441 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5442 BPF_MOV64_IMM(BPF_REG_0, 0),
5443 BPF_EXIT_INSN(),
5444 },
5445 .errstr = "invalid stack type R1 off=-64 access_size=65",
5446 .result = REJECT,
5447 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5448 },
5449 {
5450 "helper access to variable memory: stack, JMP, wrong max",
5451 .insns = {
5452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5454 BPF_MOV64_IMM(BPF_REG_2, 16),
5455 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5456 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5457 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5458 BPF_MOV64_IMM(BPF_REG_4, 0),
5459 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5460 BPF_MOV64_IMM(BPF_REG_3, 0),
5461 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5462 BPF_MOV64_IMM(BPF_REG_0, 0),
5463 BPF_EXIT_INSN(),
5464 },
5465 .errstr = "invalid stack type R1 off=-64 access_size=65",
5466 .result = REJECT,
5467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5468 },
5469 {
5470 "helper access to variable memory: stack, JMP, no max check",
5471 .insns = {
5472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5474 BPF_MOV64_IMM(BPF_REG_2, 16),
5475 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5476 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5477 BPF_MOV64_IMM(BPF_REG_4, 0),
5478 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5479 BPF_MOV64_IMM(BPF_REG_3, 0),
5480 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5481 BPF_MOV64_IMM(BPF_REG_0, 0),
5482 BPF_EXIT_INSN(),
5483 },
5484 /* because max wasn't checked, signed min is negative */
5485 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
5486 .result = REJECT,
5487 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5488 },
5489 {
5490 "helper access to variable memory: stack, JMP, no min check",
5491 .insns = {
5492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5494 BPF_MOV64_IMM(BPF_REG_2, 16),
5495 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5496 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5497 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5498 BPF_MOV64_IMM(BPF_REG_3, 0),
5499 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5500 BPF_MOV64_IMM(BPF_REG_0, 0),
5501 BPF_EXIT_INSN(),
5502 },
5503 .errstr = "invalid indirect read from stack off -64+0 size 64",
5504 .result = REJECT,
5505 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5506 },
5507 {
5508 "helper access to variable memory: stack, JMP (signed), no min check",
5509 .insns = {
5510 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5512 BPF_MOV64_IMM(BPF_REG_2, 16),
5513 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5514 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5515 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5516 BPF_MOV64_IMM(BPF_REG_3, 0),
5517 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5518 BPF_MOV64_IMM(BPF_REG_0, 0),
5519 BPF_EXIT_INSN(),
5520 },
5521 .errstr = "R2 min value is negative",
5522 .result = REJECT,
5523 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5524 },
5525 {
5526 "helper access to variable memory: map, JMP, correct bounds",
5527 .insns = {
5528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5530 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5531 BPF_LD_MAP_FD(BPF_REG_1, 0),
5532 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5533 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5535 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5536 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5537 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5538 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5539 sizeof(struct test_val), 4),
5540 BPF_MOV64_IMM(BPF_REG_4, 0),
5541 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5542 BPF_MOV64_IMM(BPF_REG_3, 0),
5543 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5544 BPF_MOV64_IMM(BPF_REG_0, 0),
5545 BPF_EXIT_INSN(),
5546 },
5547 .fixup_map2 = { 3 },
5548 .result = ACCEPT,
5549 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5550 },
5551 {
5552 "helper access to variable memory: map, JMP, wrong max",
5553 .insns = {
5554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5556 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5557 BPF_LD_MAP_FD(BPF_REG_1, 0),
5558 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5561 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5562 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5563 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5564 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5565 sizeof(struct test_val) + 1, 4),
5566 BPF_MOV64_IMM(BPF_REG_4, 0),
5567 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5568 BPF_MOV64_IMM(BPF_REG_3, 0),
5569 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5570 BPF_MOV64_IMM(BPF_REG_0, 0),
5571 BPF_EXIT_INSN(),
5572 },
5573 .fixup_map2 = { 3 },
5574 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5575 .result = REJECT,
5576 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5577 },
5578 {
5579 "helper access to variable memory: map adjusted, JMP, correct bounds",
5580 .insns = {
5581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5583 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5584 BPF_LD_MAP_FD(BPF_REG_1, 0),
5585 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5589 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5591 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5592 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5593 sizeof(struct test_val) - 20, 4),
5594 BPF_MOV64_IMM(BPF_REG_4, 0),
5595 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5596 BPF_MOV64_IMM(BPF_REG_3, 0),
5597 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5598 BPF_MOV64_IMM(BPF_REG_0, 0),
5599 BPF_EXIT_INSN(),
5600 },
5601 .fixup_map2 = { 3 },
5602 .result = ACCEPT,
5603 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5604 },
5605 {
5606 "helper access to variable memory: map adjusted, JMP, wrong max",
5607 .insns = {
5608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5610 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5611 BPF_LD_MAP_FD(BPF_REG_1, 0),
5612 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5616 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5617 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5618 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5619 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5620 sizeof(struct test_val) - 19, 4),
5621 BPF_MOV64_IMM(BPF_REG_4, 0),
5622 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5623 BPF_MOV64_IMM(BPF_REG_3, 0),
5624 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5625 BPF_MOV64_IMM(BPF_REG_0, 0),
5626 BPF_EXIT_INSN(),
5627 },
5628 .fixup_map2 = { 3 },
5629 .errstr = "R1 min value is outside of the array range",
5630 .result = REJECT,
5631 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5632 },
5633 {
5634 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5635 .insns = {
5636 BPF_MOV64_IMM(BPF_REG_1, 0),
5637 BPF_MOV64_IMM(BPF_REG_2, 0),
5638 BPF_MOV64_IMM(BPF_REG_3, 0),
5639 BPF_MOV64_IMM(BPF_REG_4, 0),
5640 BPF_MOV64_IMM(BPF_REG_5, 0),
5641 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5642 BPF_EXIT_INSN(),
5643 },
5644 .result = ACCEPT,
5645 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5646 },
5647 {
5648 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5649 .insns = {
5650 BPF_MOV64_IMM(BPF_REG_1, 0),
5651 BPF_MOV64_IMM(BPF_REG_2, 0),
5652 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5653 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5654 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5655 BPF_MOV64_IMM(BPF_REG_3, 0),
5656 BPF_MOV64_IMM(BPF_REG_4, 0),
5657 BPF_MOV64_IMM(BPF_REG_5, 0),
5658 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5659 BPF_EXIT_INSN(),
5660 },
5661 .errstr = "R1 type=inv expected=fp",
5662 .result = REJECT,
5663 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5664 },
5665 {
5666 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5667 .insns = {
5668 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5670 BPF_MOV64_IMM(BPF_REG_2, 0),
5671 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5672 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5673 BPF_MOV64_IMM(BPF_REG_3, 0),
5674 BPF_MOV64_IMM(BPF_REG_4, 0),
5675 BPF_MOV64_IMM(BPF_REG_5, 0),
5676 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5677 BPF_EXIT_INSN(),
5678 },
5679 .result = ACCEPT,
5680 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5681 },
5682 {
5683 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5684 .insns = {
5685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5688 BPF_LD_MAP_FD(BPF_REG_1, 0),
5689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5690 BPF_FUNC_map_lookup_elem),
5691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5693 BPF_MOV64_IMM(BPF_REG_2, 0),
5694 BPF_MOV64_IMM(BPF_REG_3, 0),
5695 BPF_MOV64_IMM(BPF_REG_4, 0),
5696 BPF_MOV64_IMM(BPF_REG_5, 0),
5697 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5698 BPF_EXIT_INSN(),
5699 },
5700 .fixup_map1 = { 3 },
5701 .result = ACCEPT,
5702 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5703 },
5704 {
5705 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5706 .insns = {
5707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5710 BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5712 BPF_FUNC_map_lookup_elem),
5713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5714 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5715 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
5716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5718 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5719 BPF_MOV64_IMM(BPF_REG_3, 0),
5720 BPF_MOV64_IMM(BPF_REG_4, 0),
5721 BPF_MOV64_IMM(BPF_REG_5, 0),
5722 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5723 BPF_EXIT_INSN(),
5724 },
5725 .fixup_map1 = { 3 },
5726 .result = ACCEPT,
5727 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5728 },
5729 {
5730 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5731 .insns = {
5732 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5737 BPF_FUNC_map_lookup_elem),
5738 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5740 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5741 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5742 BPF_MOV64_IMM(BPF_REG_3, 0),
5743 BPF_MOV64_IMM(BPF_REG_4, 0),
5744 BPF_MOV64_IMM(BPF_REG_5, 0),
5745 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5746 BPF_EXIT_INSN(),
5747 },
5748 .fixup_map1 = { 3 },
5749 .result = ACCEPT,
5750 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5751 },
5752 {
5753 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
5754 .insns = {
5755 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5756 offsetof(struct __sk_buff, data)),
5757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5758 offsetof(struct __sk_buff, data_end)),
5759 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
5760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5761 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5763 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
5764 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5765 BPF_MOV64_IMM(BPF_REG_3, 0),
5766 BPF_MOV64_IMM(BPF_REG_4, 0),
5767 BPF_MOV64_IMM(BPF_REG_5, 0),
5768 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5769 BPF_EXIT_INSN(),
5770 },
5771 .result = ACCEPT,
5772 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5773 },
5774 {
5775 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5776 .insns = {
5777 BPF_MOV64_IMM(BPF_REG_1, 0),
5778 BPF_MOV64_IMM(BPF_REG_2, 0),
5779 BPF_MOV64_IMM(BPF_REG_3, 0),
5780 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5781 BPF_EXIT_INSN(),
5782 },
5783 .errstr = "R1 type=inv expected=fp",
5784 .result = REJECT,
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5786 },
5787 {
5788 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5789 .insns = {
5790 BPF_MOV64_IMM(BPF_REG_1, 0),
5791 BPF_MOV64_IMM(BPF_REG_2, 1),
5792 BPF_MOV64_IMM(BPF_REG_3, 0),
5793 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5794 BPF_EXIT_INSN(),
5795 },
5796 .errstr = "R1 type=inv expected=fp",
5797 .result = REJECT,
5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5799 },
5800 {
5801 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5802 .insns = {
5803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5805 BPF_MOV64_IMM(BPF_REG_2, 0),
5806 BPF_MOV64_IMM(BPF_REG_3, 0),
5807 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5808 BPF_EXIT_INSN(),
5809 },
5810 .result = ACCEPT,
5811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5812 },
5813 {
5814 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5815 .insns = {
5816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5819 BPF_LD_MAP_FD(BPF_REG_1, 0),
5820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5823 BPF_MOV64_IMM(BPF_REG_2, 0),
5824 BPF_MOV64_IMM(BPF_REG_3, 0),
5825 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5826 BPF_EXIT_INSN(),
5827 },
5828 .fixup_map1 = { 3 },
5829 .result = ACCEPT,
5830 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5831 },
5832 {
5833 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5834 .insns = {
5835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5838 BPF_LD_MAP_FD(BPF_REG_1, 0),
5839 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5841 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5842 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5845 BPF_MOV64_IMM(BPF_REG_3, 0),
5846 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5847 BPF_EXIT_INSN(),
5848 },
5849 .fixup_map1 = { 3 },
5850 .result = ACCEPT,
5851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5852 },
5853 {
5854 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5855 .insns = {
5856 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5859 BPF_LD_MAP_FD(BPF_REG_1, 0),
5860 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5863 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5864 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
5865 BPF_MOV64_IMM(BPF_REG_3, 0),
5866 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5867 BPF_EXIT_INSN(),
5868 },
5869 .fixup_map1 = { 3 },
5870 .result = ACCEPT,
5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 },
5873 {
5874 "helper access to variable memory: 8 bytes leak",
5875 .insns = {
5876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5878 BPF_MOV64_IMM(BPF_REG_0, 0),
5879 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5880 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5881 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5882 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5883 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5884 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5886 BPF_MOV64_IMM(BPF_REG_2, 0),
5887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5888 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5889 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5891 BPF_MOV64_IMM(BPF_REG_3, 0),
5892 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5893 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5894 BPF_EXIT_INSN(),
5895 },
5896 .errstr = "invalid indirect read from stack off -64+32 size 64",
5897 .result = REJECT,
5898 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5899 },
5900 {
5901 "helper access to variable memory: 8 bytes no leak (init memory)",
5902 .insns = {
5903 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5904 BPF_MOV64_IMM(BPF_REG_0, 0),
5905 BPF_MOV64_IMM(BPF_REG_0, 0),
5906 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5908 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5911 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5912 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5913 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5915 BPF_MOV64_IMM(BPF_REG_2, 0),
5916 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5918 BPF_MOV64_IMM(BPF_REG_3, 0),
5919 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5920 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5921 BPF_EXIT_INSN(),
5922 },
5923 .result = ACCEPT,
5924 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5925 },
5926 {
5927 "invalid and of negative number",
5928 .insns = {
5929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5932 BPF_LD_MAP_FD(BPF_REG_1, 0),
5933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5934 BPF_FUNC_map_lookup_elem),
5935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5936 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
5937 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5938 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5939 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5940 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5941 offsetof(struct test_val, foo)),
5942 BPF_EXIT_INSN(),
5943 },
5944 .fixup_map2 = { 3 },
5945 .errstr = "R0 max value is outside of the array range",
5946 .result = REJECT,
5947 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5948 },
5949 {
5950 "invalid range check",
5951 .insns = {
5952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5955 BPF_LD_MAP_FD(BPF_REG_1, 0),
5956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5957 BPF_FUNC_map_lookup_elem),
5958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5959 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5960 BPF_MOV64_IMM(BPF_REG_9, 1),
5961 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5962 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5963 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5964 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5965 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5966 BPF_MOV32_IMM(BPF_REG_3, 1),
5967 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5968 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5969 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5970 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5971 BPF_MOV64_REG(BPF_REG_0, 0),
5972 BPF_EXIT_INSN(),
5973 },
5974 .fixup_map2 = { 3 },
5975 .errstr = "R0 max value is outside of the array range",
5976 .result = REJECT,
5977 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5978 },
5979 {
5980 "map in map access",
5981 .insns = {
5982 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5985 BPF_LD_MAP_FD(BPF_REG_1, 0),
5986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5987 BPF_FUNC_map_lookup_elem),
5988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5989 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5994 BPF_FUNC_map_lookup_elem),
5995 BPF_MOV64_REG(BPF_REG_0, 0),
5996 BPF_EXIT_INSN(),
5997 },
5998 .fixup_map_in_map = { 3 },
5999 .result = ACCEPT,
6000 },
6001 {
6002 "invalid inner map pointer",
6003 .insns = {
6004 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6007 BPF_LD_MAP_FD(BPF_REG_1, 0),
6008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6009 BPF_FUNC_map_lookup_elem),
6010 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6011 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6016 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6017 BPF_FUNC_map_lookup_elem),
6018 BPF_MOV64_REG(BPF_REG_0, 0),
6019 BPF_EXIT_INSN(),
6020 },
6021 .fixup_map_in_map = { 3 },
6022 .errstr = "R1 type=inv expected=map_ptr",
6023 .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6024 .result = REJECT,
6025 },
6026 {
6027 "forgot null checking on the inner map pointer",
6028 .insns = {
6029 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6032 BPF_LD_MAP_FD(BPF_REG_1, 0),
6033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6034 BPF_FUNC_map_lookup_elem),
6035 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6040 BPF_FUNC_map_lookup_elem),
6041 BPF_MOV64_REG(BPF_REG_0, 0),
6042 BPF_EXIT_INSN(),
6043 },
6044 .fixup_map_in_map = { 3 },
6045 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6046 .result = REJECT,
6047 },
6048 {
6049 "ld_abs: check calling conv, r1",
6050 .insns = {
6051 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6052 BPF_MOV64_IMM(BPF_REG_1, 0),
6053 BPF_LD_ABS(BPF_W, -0x200000),
6054 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6055 BPF_EXIT_INSN(),
6056 },
6057 .errstr = "R1 !read_ok",
6058 .result = REJECT,
6059 },
6060 {
6061 "ld_abs: check calling conv, r2",
6062 .insns = {
6063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6064 BPF_MOV64_IMM(BPF_REG_2, 0),
6065 BPF_LD_ABS(BPF_W, -0x200000),
6066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6067 BPF_EXIT_INSN(),
6068 },
6069 .errstr = "R2 !read_ok",
6070 .result = REJECT,
6071 },
6072 {
6073 "ld_abs: check calling conv, r3",
6074 .insns = {
6075 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6076 BPF_MOV64_IMM(BPF_REG_3, 0),
6077 BPF_LD_ABS(BPF_W, -0x200000),
6078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6079 BPF_EXIT_INSN(),
6080 },
6081 .errstr = "R3 !read_ok",
6082 .result = REJECT,
6083 },
6084 {
6085 "ld_abs: check calling conv, r4",
6086 .insns = {
6087 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6088 BPF_MOV64_IMM(BPF_REG_4, 0),
6089 BPF_LD_ABS(BPF_W, -0x200000),
6090 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6091 BPF_EXIT_INSN(),
6092 },
6093 .errstr = "R4 !read_ok",
6094 .result = REJECT,
6095 },
6096 {
6097 "ld_abs: check calling conv, r5",
6098 .insns = {
6099 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6100 BPF_MOV64_IMM(BPF_REG_5, 0),
6101 BPF_LD_ABS(BPF_W, -0x200000),
6102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6103 BPF_EXIT_INSN(),
6104 },
6105 .errstr = "R5 !read_ok",
6106 .result = REJECT,
6107 },
6108 {
6109 "ld_abs: check calling conv, r7",
6110 .insns = {
6111 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6112 BPF_MOV64_IMM(BPF_REG_7, 0),
6113 BPF_LD_ABS(BPF_W, -0x200000),
6114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6115 BPF_EXIT_INSN(),
6116 },
6117 .result = ACCEPT,
6118 },
6119 {
6120 "ld_abs: tests on r6 and skb data reload helper",
6121 .insns = {
6122 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6123 BPF_LD_ABS(BPF_B, 0),
6124 BPF_LD_ABS(BPF_H, 0),
6125 BPF_LD_ABS(BPF_W, 0),
6126 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6127 BPF_MOV64_IMM(BPF_REG_6, 0),
6128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6129 BPF_MOV64_IMM(BPF_REG_2, 1),
6130 BPF_MOV64_IMM(BPF_REG_3, 2),
6131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6132 BPF_FUNC_skb_vlan_push),
6133 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6134 BPF_LD_ABS(BPF_B, 0),
6135 BPF_LD_ABS(BPF_H, 0),
6136 BPF_LD_ABS(BPF_W, 0),
6137 BPF_MOV64_IMM(BPF_REG_0, 42),
6138 BPF_EXIT_INSN(),
6139 },
6140 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6141 .result = ACCEPT,
6142 },
6143 {
6144 "ld_ind: check calling conv, r1",
6145 .insns = {
6146 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6147 BPF_MOV64_IMM(BPF_REG_1, 1),
6148 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6149 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6150 BPF_EXIT_INSN(),
6151 },
6152 .errstr = "R1 !read_ok",
6153 .result = REJECT,
6154 },
6155 {
6156 "ld_ind: check calling conv, r2",
6157 .insns = {
6158 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6159 BPF_MOV64_IMM(BPF_REG_2, 1),
6160 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6161 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6162 BPF_EXIT_INSN(),
6163 },
6164 .errstr = "R2 !read_ok",
6165 .result = REJECT,
6166 },
6167 {
6168 "ld_ind: check calling conv, r3",
6169 .insns = {
6170 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6171 BPF_MOV64_IMM(BPF_REG_3, 1),
6172 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6174 BPF_EXIT_INSN(),
6175 },
6176 .errstr = "R3 !read_ok",
6177 .result = REJECT,
6178 },
6179 {
6180 "ld_ind: check calling conv, r4",
6181 .insns = {
6182 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6183 BPF_MOV64_IMM(BPF_REG_4, 1),
6184 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6185 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6186 BPF_EXIT_INSN(),
6187 },
6188 .errstr = "R4 !read_ok",
6189 .result = REJECT,
6190 },
6191 {
6192 "ld_ind: check calling conv, r5",
6193 .insns = {
6194 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6195 BPF_MOV64_IMM(BPF_REG_5, 1),
6196 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6197 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6198 BPF_EXIT_INSN(),
6199 },
6200 .errstr = "R5 !read_ok",
6201 .result = REJECT,
6202 },
6203 {
6204 "ld_ind: check calling conv, r7",
6205 .insns = {
6206 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6207 BPF_MOV64_IMM(BPF_REG_7, 1),
6208 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6209 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6210 BPF_EXIT_INSN(),
6211 },
6212 .result = ACCEPT,
6213 },
6214 {
6215 "check bpf_perf_event_data->sample_period byte load permitted",
6216 .insns = {
6217 BPF_MOV64_IMM(BPF_REG_0, 0),
6218 #if __BYTE_ORDER == __LITTLE_ENDIAN
6219 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6220 offsetof(struct bpf_perf_event_data, sample_period)),
6221 #else
6222 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6223 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6224 #endif
6225 BPF_EXIT_INSN(),
6226 },
6227 .result = ACCEPT,
6228 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6229 },
6230 {
6231 "check bpf_perf_event_data->sample_period half load permitted",
6232 .insns = {
6233 BPF_MOV64_IMM(BPF_REG_0, 0),
6234 #if __BYTE_ORDER == __LITTLE_ENDIAN
6235 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6236 offsetof(struct bpf_perf_event_data, sample_period)),
6237 #else
6238 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6239 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6240 #endif
6241 BPF_EXIT_INSN(),
6242 },
6243 .result = ACCEPT,
6244 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6245 },
6246 {
6247 "check bpf_perf_event_data->sample_period word load permitted",
6248 .insns = {
6249 BPF_MOV64_IMM(BPF_REG_0, 0),
6250 #if __BYTE_ORDER == __LITTLE_ENDIAN
6251 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6252 offsetof(struct bpf_perf_event_data, sample_period)),
6253 #else
6254 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6255 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6256 #endif
6257 BPF_EXIT_INSN(),
6258 },
6259 .result = ACCEPT,
6260 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6261 },
6262 {
6263 "check bpf_perf_event_data->sample_period dword load permitted",
6264 .insns = {
6265 BPF_MOV64_IMM(BPF_REG_0, 0),
6266 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6267 offsetof(struct bpf_perf_event_data, sample_period)),
6268 BPF_EXIT_INSN(),
6269 },
6270 .result = ACCEPT,
6271 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6272 },
6273 {
6274 "check skb->data half load not permitted",
6275 .insns = {
6276 BPF_MOV64_IMM(BPF_REG_0, 0),
6277 #if __BYTE_ORDER == __LITTLE_ENDIAN
6278 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6279 offsetof(struct __sk_buff, data)),
6280 #else
6281 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6282 offsetof(struct __sk_buff, data) + 2),
6283 #endif
6284 BPF_EXIT_INSN(),
6285 },
6286 .result = REJECT,
6287 .errstr = "invalid bpf_context access",
6288 },
6289 {
6290 "check skb->tc_classid half load not permitted for lwt prog",
6291 .insns = {
6292 BPF_MOV64_IMM(BPF_REG_0, 0),
6293 #if __BYTE_ORDER == __LITTLE_ENDIAN
6294 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6295 offsetof(struct __sk_buff, tc_classid)),
6296 #else
6297 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6298 offsetof(struct __sk_buff, tc_classid) + 2),
6299 #endif
6300 BPF_EXIT_INSN(),
6301 },
6302 .result = REJECT,
6303 .errstr = "invalid bpf_context access",
6304 .prog_type = BPF_PROG_TYPE_LWT_IN,
6305 },
6306 {
6307 "bounds checks mixing signed and unsigned, positive bounds",
6308 .insns = {
6309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6312 BPF_LD_MAP_FD(BPF_REG_1, 0),
6313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6314 BPF_FUNC_map_lookup_elem),
6315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6317 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6318 BPF_MOV64_IMM(BPF_REG_2, 2),
6319 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6320 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6321 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6322 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6323 BPF_MOV64_IMM(BPF_REG_0, 0),
6324 BPF_EXIT_INSN(),
6325 },
6326 .fixup_map1 = { 3 },
6327 .errstr = "R0 min value is negative",
6328 .result = REJECT,
6329 },
6330 {
6331 "bounds checks mixing signed and unsigned",
6332 .insns = {
6333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6336 BPF_LD_MAP_FD(BPF_REG_1, 0),
6337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6338 BPF_FUNC_map_lookup_elem),
6339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6340 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6341 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6342 BPF_MOV64_IMM(BPF_REG_2, -1),
6343 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6344 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6345 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6346 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6347 BPF_MOV64_IMM(BPF_REG_0, 0),
6348 BPF_EXIT_INSN(),
6349 },
6350 .fixup_map1 = { 3 },
6351 .errstr = "R0 min value is negative",
6352 .result = REJECT,
6353 },
6354 {
6355 "bounds checks mixing signed and unsigned, variant 2",
6356 .insns = {
6357 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6360 BPF_LD_MAP_FD(BPF_REG_1, 0),
6361 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6362 BPF_FUNC_map_lookup_elem),
6363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6364 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6365 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6366 BPF_MOV64_IMM(BPF_REG_2, -1),
6367 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6368 BPF_MOV64_IMM(BPF_REG_8, 0),
6369 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6370 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6371 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6372 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6373 BPF_MOV64_IMM(BPF_REG_0, 0),
6374 BPF_EXIT_INSN(),
6375 },
6376 .fixup_map1 = { 3 },
6377 .errstr = "R8 invalid mem access 'inv'",
6378 .result = REJECT,
6379 },
6380 {
6381 "bounds checks mixing signed and unsigned, variant 3",
6382 .insns = {
6383 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6386 BPF_LD_MAP_FD(BPF_REG_1, 0),
6387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6388 BPF_FUNC_map_lookup_elem),
6389 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6390 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6391 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6392 BPF_MOV64_IMM(BPF_REG_2, -1),
6393 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6394 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6395 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6396 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6397 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6398 BPF_MOV64_IMM(BPF_REG_0, 0),
6399 BPF_EXIT_INSN(),
6400 },
6401 .fixup_map1 = { 3 },
6402 .errstr = "R8 invalid mem access 'inv'",
6403 .result = REJECT,
6404 },
6405 {
6406 "bounds checks mixing signed and unsigned, variant 4",
6407 .insns = {
6408 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6409 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6411 BPF_LD_MAP_FD(BPF_REG_1, 0),
6412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6413 BPF_FUNC_map_lookup_elem),
6414 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6415 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6416 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6417 BPF_MOV64_IMM(BPF_REG_2, 1),
6418 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6419 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6420 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6421 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6422 BPF_MOV64_IMM(BPF_REG_0, 0),
6423 BPF_EXIT_INSN(),
6424 },
6425 .fixup_map1 = { 3 },
6426 .result = ACCEPT,
6427 },
6428 {
6429 "bounds checks mixing signed and unsigned, variant 5",
6430 .insns = {
6431 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6432 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6434 BPF_LD_MAP_FD(BPF_REG_1, 0),
6435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6436 BPF_FUNC_map_lookup_elem),
6437 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6438 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6439 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6440 BPF_MOV64_IMM(BPF_REG_2, -1),
6441 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6442 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6444 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6445 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6446 BPF_MOV64_IMM(BPF_REG_0, 0),
6447 BPF_EXIT_INSN(),
6448 },
6449 .fixup_map1 = { 3 },
6450 .errstr = "R0 min value is negative",
6451 .result = REJECT,
6452 },
6453 {
6454 "bounds checks mixing signed and unsigned, variant 6",
6455 .insns = {
6456 BPF_MOV64_IMM(BPF_REG_2, 0),
6457 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6459 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6460 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6461 BPF_MOV64_IMM(BPF_REG_6, -1),
6462 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6463 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6465 BPF_MOV64_IMM(BPF_REG_5, 0),
6466 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6467 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6468 BPF_FUNC_skb_load_bytes),
6469 BPF_MOV64_IMM(BPF_REG_0, 0),
6470 BPF_EXIT_INSN(),
6471 },
6472 .errstr = "R4 min value is negative, either use unsigned",
6473 .result = REJECT,
6474 },
6475 {
6476 "bounds checks mixing signed and unsigned, variant 7",
6477 .insns = {
6478 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6479 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6481 BPF_LD_MAP_FD(BPF_REG_1, 0),
6482 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6483 BPF_FUNC_map_lookup_elem),
6484 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6485 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6486 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6487 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6488 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6489 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6490 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6491 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6492 BPF_MOV64_IMM(BPF_REG_0, 0),
6493 BPF_EXIT_INSN(),
6494 },
6495 .fixup_map1 = { 3 },
6496 .result = ACCEPT,
6497 },
6498 {
6499 "bounds checks mixing signed and unsigned, variant 8",
6500 .insns = {
6501 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6502 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6503 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6504 BPF_LD_MAP_FD(BPF_REG_1, 0),
6505 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6506 BPF_FUNC_map_lookup_elem),
6507 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6508 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6509 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6510 BPF_MOV64_IMM(BPF_REG_2, -1),
6511 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6512 BPF_MOV64_IMM(BPF_REG_0, 0),
6513 BPF_EXIT_INSN(),
6514 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6515 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6516 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6517 BPF_MOV64_IMM(BPF_REG_0, 0),
6518 BPF_EXIT_INSN(),
6519 },
6520 .fixup_map1 = { 3 },
6521 .errstr = "R0 min value is negative",
6522 .result = REJECT,
6523 },
6524 {
6525 "bounds checks mixing signed and unsigned, variant 9",
6526 .insns = {
6527 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6530 BPF_LD_MAP_FD(BPF_REG_1, 0),
6531 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6532 BPF_FUNC_map_lookup_elem),
6533 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6534 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6535 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6536 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6537 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6538 BPF_MOV64_IMM(BPF_REG_0, 0),
6539 BPF_EXIT_INSN(),
6540 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6541 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6542 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6543 BPF_MOV64_IMM(BPF_REG_0, 0),
6544 BPF_EXIT_INSN(),
6545 },
6546 .fixup_map1 = { 3 },
6547 .result = ACCEPT,
6548 },
6549 {
6550 "bounds checks mixing signed and unsigned, variant 10",
6551 .insns = {
6552 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6553 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6555 BPF_LD_MAP_FD(BPF_REG_1, 0),
6556 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6557 BPF_FUNC_map_lookup_elem),
6558 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6559 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6560 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6561 BPF_MOV64_IMM(BPF_REG_2, 0),
6562 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6563 BPF_MOV64_IMM(BPF_REG_0, 0),
6564 BPF_EXIT_INSN(),
6565 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6566 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6567 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6568 BPF_MOV64_IMM(BPF_REG_0, 0),
6569 BPF_EXIT_INSN(),
6570 },
6571 .fixup_map1 = { 3 },
6572 .errstr = "R0 min value is negative",
6573 .result = REJECT,
6574 },
6575 {
6576 "bounds checks mixing signed and unsigned, variant 11",
6577 .insns = {
6578 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6581 BPF_LD_MAP_FD(BPF_REG_1, 0),
6582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6583 BPF_FUNC_map_lookup_elem),
6584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6585 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6586 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6587 BPF_MOV64_IMM(BPF_REG_2, -1),
6588 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6589 /* Dead branch. */
6590 BPF_MOV64_IMM(BPF_REG_0, 0),
6591 BPF_EXIT_INSN(),
6592 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6593 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6594 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6595 BPF_MOV64_IMM(BPF_REG_0, 0),
6596 BPF_EXIT_INSN(),
6597 },
6598 .fixup_map1 = { 3 },
6599 .errstr = "R0 min value is negative",
6600 .result = REJECT,
6601 },
6602 {
6603 "bounds checks mixing signed and unsigned, variant 12",
6604 .insns = {
6605 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6606 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6608 BPF_LD_MAP_FD(BPF_REG_1, 0),
6609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6610 BPF_FUNC_map_lookup_elem),
6611 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6612 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6613 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6614 BPF_MOV64_IMM(BPF_REG_2, -6),
6615 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6616 BPF_MOV64_IMM(BPF_REG_0, 0),
6617 BPF_EXIT_INSN(),
6618 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6619 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6620 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6621 BPF_MOV64_IMM(BPF_REG_0, 0),
6622 BPF_EXIT_INSN(),
6623 },
6624 .fixup_map1 = { 3 },
6625 .errstr = "R0 min value is negative",
6626 .result = REJECT,
6627 },
6628 {
6629 "bounds checks mixing signed and unsigned, variant 13",
6630 .insns = {
6631 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6632 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6634 BPF_LD_MAP_FD(BPF_REG_1, 0),
6635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6636 BPF_FUNC_map_lookup_elem),
6637 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6638 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6639 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6640 BPF_MOV64_IMM(BPF_REG_2, 2),
6641 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6642 BPF_MOV64_IMM(BPF_REG_7, 1),
6643 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6644 BPF_MOV64_IMM(BPF_REG_0, 0),
6645 BPF_EXIT_INSN(),
6646 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6647 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6648 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6649 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6650 BPF_MOV64_IMM(BPF_REG_0, 0),
6651 BPF_EXIT_INSN(),
6652 },
6653 .fixup_map1 = { 3 },
6654 .errstr = "R0 min value is negative",
6655 .result = REJECT,
6656 },
6657 {
6658 "bounds checks mixing signed and unsigned, variant 14",
6659 .insns = {
6660 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6661 offsetof(struct __sk_buff, mark)),
6662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6665 BPF_LD_MAP_FD(BPF_REG_1, 0),
6666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6667 BPF_FUNC_map_lookup_elem),
6668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6669 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6670 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6671 BPF_MOV64_IMM(BPF_REG_2, -1),
6672 BPF_MOV64_IMM(BPF_REG_8, 2),
6673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6674 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6675 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6676 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6677 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6678 BPF_MOV64_IMM(BPF_REG_0, 0),
6679 BPF_EXIT_INSN(),
6680 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
6681 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
6682 },
6683 .fixup_map1 = { 4 },
6684 .errstr = "R0 min value is negative",
6685 .result = REJECT,
6686 },
6687 {
6688 "bounds checks mixing signed and unsigned, variant 15",
6689 .insns = {
6690 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6691 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6693 BPF_LD_MAP_FD(BPF_REG_1, 0),
6694 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6695 BPF_FUNC_map_lookup_elem),
6696 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6697 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6698 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6699 BPF_MOV64_IMM(BPF_REG_2, -6),
6700 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6701 BPF_MOV64_IMM(BPF_REG_0, 0),
6702 BPF_EXIT_INSN(),
6703 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6704 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
6705 BPF_MOV64_IMM(BPF_REG_0, 0),
6706 BPF_EXIT_INSN(),
6707 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6708 BPF_MOV64_IMM(BPF_REG_0, 0),
6709 BPF_EXIT_INSN(),
6710 },
6711 .fixup_map1 = { 3 },
6712 .errstr_unpriv = "R0 pointer comparison prohibited",
6713 .errstr = "R0 min value is negative",
6714 .result = REJECT,
6715 .result_unpriv = REJECT,
6716 },
6717 {
6718 "subtraction bounds (map value) variant 1",
6719 .insns = {
6720 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6721 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6723 BPF_LD_MAP_FD(BPF_REG_1, 0),
6724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6725 BPF_FUNC_map_lookup_elem),
6726 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6727 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6728 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
6729 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6730 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
6731 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6732 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6733 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6734 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6735 BPF_EXIT_INSN(),
6736 BPF_MOV64_IMM(BPF_REG_0, 0),
6737 BPF_EXIT_INSN(),
6738 },
6739 .fixup_map1 = { 3 },
6740 .errstr = "R0 max value is outside of the array range",
6741 .result = REJECT,
6742 },
6743 {
6744 "subtraction bounds (map value) variant 2",
6745 .insns = {
6746 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6747 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6749 BPF_LD_MAP_FD(BPF_REG_1, 0),
6750 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6751 BPF_FUNC_map_lookup_elem),
6752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6753 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6754 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
6755 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6756 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
6757 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6758 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6759 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6760 BPF_EXIT_INSN(),
6761 BPF_MOV64_IMM(BPF_REG_0, 0),
6762 BPF_EXIT_INSN(),
6763 },
6764 .fixup_map1 = { 3 },
6765 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6766 .result = REJECT,
6767 },
6768 {
6769 "variable-offset ctx access",
6770 .insns = {
6771 /* Get an unknown value */
6772 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6773 /* Make it small and 4-byte aligned */
6774 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6775 /* add it to skb. We now have either &skb->len or
6776 * &skb->pkt_type, but we don't know which
6777 */
6778 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
6779 /* dereference it */
6780 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
6781 BPF_EXIT_INSN(),
6782 },
6783 .errstr = "variable ctx access var_off=(0x0; 0x4)",
6784 .result = REJECT,
6785 .prog_type = BPF_PROG_TYPE_LWT_IN,
6786 },
6787 {
6788 "variable-offset stack access",
6789 .insns = {
6790 /* Fill the top 8 bytes of the stack */
6791 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6792 /* Get an unknown value */
6793 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6794 /* Make it small and 4-byte aligned */
6795 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6796 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
6797 /* add it to fp. We now have either fp-4 or fp-8, but
6798 * we don't know which
6799 */
6800 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
6801 /* dereference it */
6802 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
6803 BPF_EXIT_INSN(),
6804 },
6805 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
6806 .result = REJECT,
6807 .prog_type = BPF_PROG_TYPE_LWT_IN,
6808 },
6809 {
6810 "liveness pruning and write screening",
6811 .insns = {
6812 /* Get an unknown value */
6813 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6814 /* branch conditions teach us nothing about R2 */
6815 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6816 BPF_MOV64_IMM(BPF_REG_0, 0),
6817 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6818 BPF_MOV64_IMM(BPF_REG_0, 0),
6819 BPF_EXIT_INSN(),
6820 },
6821 .errstr = "R0 !read_ok",
6822 .result = REJECT,
6823 .prog_type = BPF_PROG_TYPE_LWT_IN,
6824 },
6825 {
6826 "varlen_map_value_access pruning",
6827 .insns = {
6828 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6829 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6831 BPF_LD_MAP_FD(BPF_REG_1, 0),
6832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6833 BPF_FUNC_map_lookup_elem),
6834 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6835 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6836 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
6837 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
6838 BPF_MOV32_IMM(BPF_REG_1, 0),
6839 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
6840 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6841 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
6842 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6843 offsetof(struct test_val, foo)),
6844 BPF_EXIT_INSN(),
6845 },
6846 .fixup_map2 = { 3 },
6847 .errstr_unpriv = "R0 leaks addr",
6848 .errstr = "R0 unbounded memory access",
6849 .result_unpriv = REJECT,
6850 .result = REJECT,
6851 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6852 },
6853 {
6854 "invalid 64-bit BPF_END",
6855 .insns = {
6856 BPF_MOV32_IMM(BPF_REG_0, 0),
6857 {
6858 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
6859 .dst_reg = BPF_REG_0,
6860 .src_reg = 0,
6861 .off = 0,
6862 .imm = 32,
6863 },
6864 BPF_EXIT_INSN(),
6865 },
6866 .errstr = "BPF_END uses reserved fields",
6867 .result = REJECT,
6868 },
6869 {
6870 "meta access, test1",
6871 .insns = {
6872 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6873 offsetof(struct xdp_md, data_meta)),
6874 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6875 offsetof(struct xdp_md, data)),
6876 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6878 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6879 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6880 BPF_MOV64_IMM(BPF_REG_0, 0),
6881 BPF_EXIT_INSN(),
6882 },
6883 .result = ACCEPT,
6884 .prog_type = BPF_PROG_TYPE_XDP,
6885 },
6886 {
6887 "meta access, test2",
6888 .insns = {
6889 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6890 offsetof(struct xdp_md, data_meta)),
6891 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6892 offsetof(struct xdp_md, data)),
6893 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6894 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
6895 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6897 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6898 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6899 BPF_MOV64_IMM(BPF_REG_0, 0),
6900 BPF_EXIT_INSN(),
6901 },
6902 .result = REJECT,
6903 .errstr = "invalid access to packet, off=-8",
6904 .prog_type = BPF_PROG_TYPE_XDP,
6905 },
6906 {
6907 "meta access, test3",
6908 .insns = {
6909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6910 offsetof(struct xdp_md, data_meta)),
6911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6912 offsetof(struct xdp_md, data_end)),
6913 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6915 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6916 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6917 BPF_MOV64_IMM(BPF_REG_0, 0),
6918 BPF_EXIT_INSN(),
6919 },
6920 .result = REJECT,
6921 .errstr = "invalid access to packet",
6922 .prog_type = BPF_PROG_TYPE_XDP,
6923 },
6924 {
6925 "meta access, test4",
6926 .insns = {
6927 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6928 offsetof(struct xdp_md, data_meta)),
6929 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6930 offsetof(struct xdp_md, data_end)),
6931 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6932 offsetof(struct xdp_md, data)),
6933 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6935 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6936 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6937 BPF_MOV64_IMM(BPF_REG_0, 0),
6938 BPF_EXIT_INSN(),
6939 },
6940 .result = REJECT,
6941 .errstr = "invalid access to packet",
6942 .prog_type = BPF_PROG_TYPE_XDP,
6943 },
6944 {
6945 "meta access, test5",
6946 .insns = {
6947 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6948 offsetof(struct xdp_md, data_meta)),
6949 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6950 offsetof(struct xdp_md, data)),
6951 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6953 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
6954 BPF_MOV64_IMM(BPF_REG_2, -8),
6955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6956 BPF_FUNC_xdp_adjust_meta),
6957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
6958 BPF_MOV64_IMM(BPF_REG_0, 0),
6959 BPF_EXIT_INSN(),
6960 },
6961 .result = REJECT,
6962 .errstr = "R3 !read_ok",
6963 .prog_type = BPF_PROG_TYPE_XDP,
6964 },
6965 {
6966 "meta access, test6",
6967 .insns = {
6968 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6969 offsetof(struct xdp_md, data_meta)),
6970 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6971 offsetof(struct xdp_md, data)),
6972 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6974 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6976 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
6977 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6978 BPF_MOV64_IMM(BPF_REG_0, 0),
6979 BPF_EXIT_INSN(),
6980 },
6981 .result = REJECT,
6982 .errstr = "invalid access to packet",
6983 .prog_type = BPF_PROG_TYPE_XDP,
6984 },
6985 {
6986 "meta access, test7",
6987 .insns = {
6988 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6989 offsetof(struct xdp_md, data_meta)),
6990 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6991 offsetof(struct xdp_md, data)),
6992 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6994 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6996 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6997 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6998 BPF_MOV64_IMM(BPF_REG_0, 0),
6999 BPF_EXIT_INSN(),
7000 },
7001 .result = ACCEPT,
7002 .prog_type = BPF_PROG_TYPE_XDP,
7003 },
7004 {
7005 "meta access, test8",
7006 .insns = {
7007 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7008 offsetof(struct xdp_md, data_meta)),
7009 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7010 offsetof(struct xdp_md, data)),
7011 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7013 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7014 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7015 BPF_MOV64_IMM(BPF_REG_0, 0),
7016 BPF_EXIT_INSN(),
7017 },
7018 .result = ACCEPT,
7019 .prog_type = BPF_PROG_TYPE_XDP,
7020 },
7021 {
7022 "meta access, test9",
7023 .insns = {
7024 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7025 offsetof(struct xdp_md, data_meta)),
7026 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7027 offsetof(struct xdp_md, data)),
7028 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7031 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7033 BPF_MOV64_IMM(BPF_REG_0, 0),
7034 BPF_EXIT_INSN(),
7035 },
7036 .result = REJECT,
7037 .errstr = "invalid access to packet",
7038 .prog_type = BPF_PROG_TYPE_XDP,
7039 },
7040 {
7041 "meta access, test10",
7042 .insns = {
7043 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7044 offsetof(struct xdp_md, data_meta)),
7045 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7046 offsetof(struct xdp_md, data)),
7047 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7048 offsetof(struct xdp_md, data_end)),
7049 BPF_MOV64_IMM(BPF_REG_5, 42),
7050 BPF_MOV64_IMM(BPF_REG_6, 24),
7051 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7052 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7053 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7054 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7055 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
7056 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7057 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7059 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
7060 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
7061 BPF_MOV64_IMM(BPF_REG_0, 0),
7062 BPF_EXIT_INSN(),
7063 },
7064 .result = REJECT,
7065 .errstr = "invalid access to packet",
7066 .prog_type = BPF_PROG_TYPE_XDP,
7067 },
7068 {
7069 "meta access, test11",
7070 .insns = {
7071 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7072 offsetof(struct xdp_md, data_meta)),
7073 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7074 offsetof(struct xdp_md, data)),
7075 BPF_MOV64_IMM(BPF_REG_5, 42),
7076 BPF_MOV64_IMM(BPF_REG_6, 24),
7077 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7078 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7079 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7080 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7081 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
7082 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7083 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7085 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
7086 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
7087 BPF_MOV64_IMM(BPF_REG_0, 0),
7088 BPF_EXIT_INSN(),
7089 },
7090 .result = ACCEPT,
7091 .prog_type = BPF_PROG_TYPE_XDP,
7092 },
7093 {
7094 "meta access, test12",
7095 .insns = {
7096 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7097 offsetof(struct xdp_md, data_meta)),
7098 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7099 offsetof(struct xdp_md, data)),
7100 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7101 offsetof(struct xdp_md, data_end)),
7102 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7104 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
7105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7106 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7108 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
7109 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7110 BPF_MOV64_IMM(BPF_REG_0, 0),
7111 BPF_EXIT_INSN(),
7112 },
7113 .result = ACCEPT,
7114 .prog_type = BPF_PROG_TYPE_XDP,
7115 },
7116 {
7117 "arithmetic ops make PTR_TO_CTX unusable",
7118 .insns = {
7119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
7120 offsetof(struct __sk_buff, data) -
7121 offsetof(struct __sk_buff, mark)),
7122 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7123 offsetof(struct __sk_buff, mark)),
7124 BPF_EXIT_INSN(),
7125 },
7126 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
7127 .result = REJECT,
7128 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7129 },
7130 {
7131 "XDP pkt read, pkt_end mangling, bad access 1",
7132 .insns = {
7133 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7134 offsetof(struct xdp_md, data)),
7135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7136 offsetof(struct xdp_md, data_end)),
7137 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
7140 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7141 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7142 BPF_MOV64_IMM(BPF_REG_0, 0),
7143 BPF_EXIT_INSN(),
7144 },
7145 .errstr = "R1 offset is outside of the packet",
7146 .result = REJECT,
7147 .prog_type = BPF_PROG_TYPE_XDP,
7148 },
7149 {
7150 "XDP pkt read, pkt_end mangling, bad access 2",
7151 .insns = {
7152 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7153 offsetof(struct xdp_md, data)),
7154 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7155 offsetof(struct xdp_md, data_end)),
7156 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7158 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
7159 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7161 BPF_MOV64_IMM(BPF_REG_0, 0),
7162 BPF_EXIT_INSN(),
7163 },
7164 .errstr = "R1 offset is outside of the packet",
7165 .result = REJECT,
7166 .prog_type = BPF_PROG_TYPE_XDP,
7167 },
7168 {
7169 "XDP pkt read, pkt_data' > pkt_end, good access",
7170 .insns = {
7171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7172 offsetof(struct xdp_md, data)),
7173 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7174 offsetof(struct xdp_md, data_end)),
7175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7177 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7178 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7179 BPF_MOV64_IMM(BPF_REG_0, 0),
7180 BPF_EXIT_INSN(),
7181 },
7182 .result = ACCEPT,
7183 .prog_type = BPF_PROG_TYPE_XDP,
7184 },
7185 {
7186 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
7187 .insns = {
7188 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7189 offsetof(struct xdp_md, data)),
7190 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7191 offsetof(struct xdp_md, data_end)),
7192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7194 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7195 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7196 BPF_MOV64_IMM(BPF_REG_0, 0),
7197 BPF_EXIT_INSN(),
7198 },
7199 .errstr = "R1 offset is outside of the packet",
7200 .result = REJECT,
7201 .prog_type = BPF_PROG_TYPE_XDP,
7202 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7203 },
7204 {
7205 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
7206 .insns = {
7207 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7208 offsetof(struct xdp_md, data)),
7209 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7210 offsetof(struct xdp_md, data_end)),
7211 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7213 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7214 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7215 BPF_MOV64_IMM(BPF_REG_0, 0),
7216 BPF_EXIT_INSN(),
7217 },
7218 .errstr = "R1 offset is outside of the packet",
7219 .result = REJECT,
7220 .prog_type = BPF_PROG_TYPE_XDP,
7221 },
7222 {
7223 "XDP pkt read, pkt_end > pkt_data', good access",
7224 .insns = {
7225 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7226 offsetof(struct xdp_md, data)),
7227 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7228 offsetof(struct xdp_md, data_end)),
7229 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7231 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7232 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7233 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7234 BPF_MOV64_IMM(BPF_REG_0, 0),
7235 BPF_EXIT_INSN(),
7236 },
7237 .result = ACCEPT,
7238 .prog_type = BPF_PROG_TYPE_XDP,
7239 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7240 },
7241 {
7242 "XDP pkt read, pkt_end > pkt_data', bad access 1",
7243 .insns = {
7244 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7245 offsetof(struct xdp_md, data)),
7246 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7247 offsetof(struct xdp_md, data_end)),
7248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7250 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7251 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7252 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7253 BPF_MOV64_IMM(BPF_REG_0, 0),
7254 BPF_EXIT_INSN(),
7255 },
7256 .errstr = "R1 offset is outside of the packet",
7257 .result = REJECT,
7258 .prog_type = BPF_PROG_TYPE_XDP,
7259 },
7260 {
7261 "XDP pkt read, pkt_end > pkt_data', bad access 2",
7262 .insns = {
7263 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7264 offsetof(struct xdp_md, data)),
7265 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7266 offsetof(struct xdp_md, data_end)),
7267 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7269 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7270 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7271 BPF_MOV64_IMM(BPF_REG_0, 0),
7272 BPF_EXIT_INSN(),
7273 },
7274 .errstr = "R1 offset is outside of the packet",
7275 .result = REJECT,
7276 .prog_type = BPF_PROG_TYPE_XDP,
7277 },
7278 {
7279 "XDP pkt read, pkt_data' < pkt_end, good access",
7280 .insns = {
7281 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7282 offsetof(struct xdp_md, data)),
7283 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7284 offsetof(struct xdp_md, data_end)),
7285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7287 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7288 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7289 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7290 BPF_MOV64_IMM(BPF_REG_0, 0),
7291 BPF_EXIT_INSN(),
7292 },
7293 .result = ACCEPT,
7294 .prog_type = BPF_PROG_TYPE_XDP,
7295 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7296 },
7297 {
7298 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
7299 .insns = {
7300 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7301 offsetof(struct xdp_md, data)),
7302 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7303 offsetof(struct xdp_md, data_end)),
7304 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7306 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7307 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7308 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7309 BPF_MOV64_IMM(BPF_REG_0, 0),
7310 BPF_EXIT_INSN(),
7311 },
7312 .errstr = "R1 offset is outside of the packet",
7313 .result = REJECT,
7314 .prog_type = BPF_PROG_TYPE_XDP,
7315 },
7316 {
7317 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
7318 .insns = {
7319 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7320 offsetof(struct xdp_md, data)),
7321 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7322 offsetof(struct xdp_md, data_end)),
7323 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7325 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7326 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7327 BPF_MOV64_IMM(BPF_REG_0, 0),
7328 BPF_EXIT_INSN(),
7329 },
7330 .errstr = "R1 offset is outside of the packet",
7331 .result = REJECT,
7332 .prog_type = BPF_PROG_TYPE_XDP,
7333 },
7334 {
7335 "XDP pkt read, pkt_end < pkt_data', good access",
7336 .insns = {
7337 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7338 offsetof(struct xdp_md, data)),
7339 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7340 offsetof(struct xdp_md, data_end)),
7341 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7343 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7344 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7345 BPF_MOV64_IMM(BPF_REG_0, 0),
7346 BPF_EXIT_INSN(),
7347 },
7348 .result = ACCEPT,
7349 .prog_type = BPF_PROG_TYPE_XDP,
7350 },
7351 {
7352 "XDP pkt read, pkt_end < pkt_data', bad access 1",
7353 .insns = {
7354 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7355 offsetof(struct xdp_md, data)),
7356 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7357 offsetof(struct xdp_md, data_end)),
7358 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7360 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7361 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7362 BPF_MOV64_IMM(BPF_REG_0, 0),
7363 BPF_EXIT_INSN(),
7364 },
7365 .errstr = "R1 offset is outside of the packet",
7366 .result = REJECT,
7367 .prog_type = BPF_PROG_TYPE_XDP,
7368 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7369 },
7370 {
7371 "XDP pkt read, pkt_end < pkt_data', bad access 2",
7372 .insns = {
7373 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7374 offsetof(struct xdp_md, data)),
7375 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7376 offsetof(struct xdp_md, data_end)),
7377 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7379 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7380 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7381 BPF_MOV64_IMM(BPF_REG_0, 0),
7382 BPF_EXIT_INSN(),
7383 },
7384 .errstr = "R1 offset is outside of the packet",
7385 .result = REJECT,
7386 .prog_type = BPF_PROG_TYPE_XDP,
7387 },
7388 {
7389 "XDP pkt read, pkt_data' >= pkt_end, good access",
7390 .insns = {
7391 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7392 offsetof(struct xdp_md, data)),
7393 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7394 offsetof(struct xdp_md, data_end)),
7395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7397 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7398 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7399 BPF_MOV64_IMM(BPF_REG_0, 0),
7400 BPF_EXIT_INSN(),
7401 },
7402 .result = ACCEPT,
7403 .prog_type = BPF_PROG_TYPE_XDP,
7404 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7405 },
7406 {
7407 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
7408 .insns = {
7409 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7410 offsetof(struct xdp_md, data)),
7411 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7412 offsetof(struct xdp_md, data_end)),
7413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7415 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7416 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7417 BPF_MOV64_IMM(BPF_REG_0, 0),
7418 BPF_EXIT_INSN(),
7419 },
7420 .errstr = "R1 offset is outside of the packet",
7421 .result = REJECT,
7422 .prog_type = BPF_PROG_TYPE_XDP,
7423 },
7424 {
7425 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
7426 .insns = {
7427 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7428 offsetof(struct xdp_md, data)),
7429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7430 offsetof(struct xdp_md, data_end)),
7431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7433 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7434 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7435 BPF_MOV64_IMM(BPF_REG_0, 0),
7436 BPF_EXIT_INSN(),
7437 },
7438 .errstr = "R1 offset is outside of the packet",
7439 .result = REJECT,
7440 .prog_type = BPF_PROG_TYPE_XDP,
7441 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7442 },
7443 {
7444 "XDP pkt read, pkt_end >= pkt_data', good access",
7445 .insns = {
7446 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7447 offsetof(struct xdp_md, data)),
7448 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7449 offsetof(struct xdp_md, data_end)),
7450 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7452 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7453 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7454 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7455 BPF_MOV64_IMM(BPF_REG_0, 0),
7456 BPF_EXIT_INSN(),
7457 },
7458 .result = ACCEPT,
7459 .prog_type = BPF_PROG_TYPE_XDP,
7460 },
7461 {
7462 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
7463 .insns = {
7464 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7465 offsetof(struct xdp_md, data)),
7466 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7467 offsetof(struct xdp_md, data_end)),
7468 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7470 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7471 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7472 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7473 BPF_MOV64_IMM(BPF_REG_0, 0),
7474 BPF_EXIT_INSN(),
7475 },
7476 .errstr = "R1 offset is outside of the packet",
7477 .result = REJECT,
7478 .prog_type = BPF_PROG_TYPE_XDP,
7479 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7480 },
7481 {
7482 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
7483 .insns = {
7484 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7485 offsetof(struct xdp_md, data)),
7486 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7487 offsetof(struct xdp_md, data_end)),
7488 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7490 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7491 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7492 BPF_MOV64_IMM(BPF_REG_0, 0),
7493 BPF_EXIT_INSN(),
7494 },
7495 .errstr = "R1 offset is outside of the packet",
7496 .result = REJECT,
7497 .prog_type = BPF_PROG_TYPE_XDP,
7498 },
7499 {
7500 "XDP pkt read, pkt_data' <= pkt_end, good access",
7501 .insns = {
7502 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7503 offsetof(struct xdp_md, data)),
7504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7505 offsetof(struct xdp_md, data_end)),
7506 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7508 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7509 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7510 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7511 BPF_MOV64_IMM(BPF_REG_0, 0),
7512 BPF_EXIT_INSN(),
7513 },
7514 .result = ACCEPT,
7515 .prog_type = BPF_PROG_TYPE_XDP,
7516 },
7517 {
7518 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
7519 .insns = {
7520 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7521 offsetof(struct xdp_md, data)),
7522 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7523 offsetof(struct xdp_md, data_end)),
7524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7526 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7527 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7528 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7529 BPF_MOV64_IMM(BPF_REG_0, 0),
7530 BPF_EXIT_INSN(),
7531 },
7532 .errstr = "R1 offset is outside of the packet",
7533 .result = REJECT,
7534 .prog_type = BPF_PROG_TYPE_XDP,
7535 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7536 },
7537 {
7538 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
7539 .insns = {
7540 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7541 offsetof(struct xdp_md, data)),
7542 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7543 offsetof(struct xdp_md, data_end)),
7544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7546 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7547 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7548 BPF_MOV64_IMM(BPF_REG_0, 0),
7549 BPF_EXIT_INSN(),
7550 },
7551 .errstr = "R1 offset is outside of the packet",
7552 .result = REJECT,
7553 .prog_type = BPF_PROG_TYPE_XDP,
7554 },
7555 {
7556 "XDP pkt read, pkt_end <= pkt_data', good access",
7557 .insns = {
7558 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7559 offsetof(struct xdp_md, data)),
7560 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7561 offsetof(struct xdp_md, data_end)),
7562 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7564 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7565 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7566 BPF_MOV64_IMM(BPF_REG_0, 0),
7567 BPF_EXIT_INSN(),
7568 },
7569 .result = ACCEPT,
7570 .prog_type = BPF_PROG_TYPE_XDP,
7571 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7572 },
7573 {
7574 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
7575 .insns = {
7576 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7577 offsetof(struct xdp_md, data)),
7578 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7579 offsetof(struct xdp_md, data_end)),
7580 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7582 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7583 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7584 BPF_MOV64_IMM(BPF_REG_0, 0),
7585 BPF_EXIT_INSN(),
7586 },
7587 .errstr = "R1 offset is outside of the packet",
7588 .result = REJECT,
7589 .prog_type = BPF_PROG_TYPE_XDP,
7590 },
7591 {
7592 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
7593 .insns = {
7594 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7595 offsetof(struct xdp_md, data)),
7596 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7597 offsetof(struct xdp_md, data_end)),
7598 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7600 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
7601 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7602 BPF_MOV64_IMM(BPF_REG_0, 0),
7603 BPF_EXIT_INSN(),
7604 },
7605 .errstr = "R1 offset is outside of the packet",
7606 .result = REJECT,
7607 .prog_type = BPF_PROG_TYPE_XDP,
7608 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7609 },
7610 {
7611 "XDP pkt read, pkt_meta' > pkt_data, good access",
7612 .insns = {
7613 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7614 offsetof(struct xdp_md, data_meta)),
7615 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7616 offsetof(struct xdp_md, data)),
7617 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7619 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7620 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7621 BPF_MOV64_IMM(BPF_REG_0, 0),
7622 BPF_EXIT_INSN(),
7623 },
7624 .result = ACCEPT,
7625 .prog_type = BPF_PROG_TYPE_XDP,
7626 },
7627 {
7628 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
7629 .insns = {
7630 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7631 offsetof(struct xdp_md, data_meta)),
7632 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7633 offsetof(struct xdp_md, data)),
7634 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7636 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7637 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7638 BPF_MOV64_IMM(BPF_REG_0, 0),
7639 BPF_EXIT_INSN(),
7640 },
7641 .errstr = "R1 offset is outside of the packet",
7642 .result = REJECT,
7643 .prog_type = BPF_PROG_TYPE_XDP,
7644 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7645 },
7646 {
7647 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
7648 .insns = {
7649 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7650 offsetof(struct xdp_md, data_meta)),
7651 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7652 offsetof(struct xdp_md, data)),
7653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7655 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7656 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7657 BPF_MOV64_IMM(BPF_REG_0, 0),
7658 BPF_EXIT_INSN(),
7659 },
7660 .errstr = "R1 offset is outside of the packet",
7661 .result = REJECT,
7662 .prog_type = BPF_PROG_TYPE_XDP,
7663 },
7664 {
7665 "XDP pkt read, pkt_data > pkt_meta', good access",
7666 .insns = {
7667 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7668 offsetof(struct xdp_md, data_meta)),
7669 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7670 offsetof(struct xdp_md, data)),
7671 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7672 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7673 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7674 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7675 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7676 BPF_MOV64_IMM(BPF_REG_0, 0),
7677 BPF_EXIT_INSN(),
7678 },
7679 .result = ACCEPT,
7680 .prog_type = BPF_PROG_TYPE_XDP,
7681 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7682 },
7683 {
7684 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
7685 .insns = {
7686 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7687 offsetof(struct xdp_md, data_meta)),
7688 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7689 offsetof(struct xdp_md, data)),
7690 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7692 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7693 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7694 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7695 BPF_MOV64_IMM(BPF_REG_0, 0),
7696 BPF_EXIT_INSN(),
7697 },
7698 .errstr = "R1 offset is outside of the packet",
7699 .result = REJECT,
7700 .prog_type = BPF_PROG_TYPE_XDP,
7701 },
7702 {
7703 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
7704 .insns = {
7705 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7706 offsetof(struct xdp_md, data_meta)),
7707 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7708 offsetof(struct xdp_md, data)),
7709 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7711 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7712 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7713 BPF_MOV64_IMM(BPF_REG_0, 0),
7714 BPF_EXIT_INSN(),
7715 },
7716 .errstr = "R1 offset is outside of the packet",
7717 .result = REJECT,
7718 .prog_type = BPF_PROG_TYPE_XDP,
7719 },
7720 {
7721 "XDP pkt read, pkt_meta' < pkt_data, good access",
7722 .insns = {
7723 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7724 offsetof(struct xdp_md, data_meta)),
7725 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7726 offsetof(struct xdp_md, data)),
7727 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7729 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7730 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7731 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7732 BPF_MOV64_IMM(BPF_REG_0, 0),
7733 BPF_EXIT_INSN(),
7734 },
7735 .result = ACCEPT,
7736 .prog_type = BPF_PROG_TYPE_XDP,
7737 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7738 },
7739 {
7740 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
7741 .insns = {
7742 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7743 offsetof(struct xdp_md, data_meta)),
7744 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7745 offsetof(struct xdp_md, data)),
7746 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7748 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7749 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7750 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7751 BPF_MOV64_IMM(BPF_REG_0, 0),
7752 BPF_EXIT_INSN(),
7753 },
7754 .errstr = "R1 offset is outside of the packet",
7755 .result = REJECT,
7756 .prog_type = BPF_PROG_TYPE_XDP,
7757 },
7758 {
7759 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
7760 .insns = {
7761 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7762 offsetof(struct xdp_md, data_meta)),
7763 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7764 offsetof(struct xdp_md, data)),
7765 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7767 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7768 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7769 BPF_MOV64_IMM(BPF_REG_0, 0),
7770 BPF_EXIT_INSN(),
7771 },
7772 .errstr = "R1 offset is outside of the packet",
7773 .result = REJECT,
7774 .prog_type = BPF_PROG_TYPE_XDP,
7775 },
7776 {
7777 "XDP pkt read, pkt_data < pkt_meta', good access",
7778 .insns = {
7779 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7780 offsetof(struct xdp_md, data_meta)),
7781 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7782 offsetof(struct xdp_md, data)),
7783 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7785 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7786 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7787 BPF_MOV64_IMM(BPF_REG_0, 0),
7788 BPF_EXIT_INSN(),
7789 },
7790 .result = ACCEPT,
7791 .prog_type = BPF_PROG_TYPE_XDP,
7792 },
7793 {
7794 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
7795 .insns = {
7796 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7797 offsetof(struct xdp_md, data_meta)),
7798 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7799 offsetof(struct xdp_md, data)),
7800 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7802 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7803 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7804 BPF_MOV64_IMM(BPF_REG_0, 0),
7805 BPF_EXIT_INSN(),
7806 },
7807 .errstr = "R1 offset is outside of the packet",
7808 .result = REJECT,
7809 .prog_type = BPF_PROG_TYPE_XDP,
7810 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7811 },
7812 {
7813 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
7814 .insns = {
7815 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7816 offsetof(struct xdp_md, data_meta)),
7817 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7818 offsetof(struct xdp_md, data)),
7819 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7821 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7822 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7823 BPF_MOV64_IMM(BPF_REG_0, 0),
7824 BPF_EXIT_INSN(),
7825 },
7826 .errstr = "R1 offset is outside of the packet",
7827 .result = REJECT,
7828 .prog_type = BPF_PROG_TYPE_XDP,
7829 },
7830 {
7831 "XDP pkt read, pkt_meta' >= pkt_data, good access",
7832 .insns = {
7833 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7834 offsetof(struct xdp_md, data_meta)),
7835 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7836 offsetof(struct xdp_md, data)),
7837 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7839 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7840 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7841 BPF_MOV64_IMM(BPF_REG_0, 0),
7842 BPF_EXIT_INSN(),
7843 },
7844 .result = ACCEPT,
7845 .prog_type = BPF_PROG_TYPE_XDP,
7846 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7847 },
7848 {
7849 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
7850 .insns = {
7851 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7852 offsetof(struct xdp_md, data_meta)),
7853 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7854 offsetof(struct xdp_md, data)),
7855 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7857 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7858 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7859 BPF_MOV64_IMM(BPF_REG_0, 0),
7860 BPF_EXIT_INSN(),
7861 },
7862 .errstr = "R1 offset is outside of the packet",
7863 .result = REJECT,
7864 .prog_type = BPF_PROG_TYPE_XDP,
7865 },
7866 {
7867 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
7868 .insns = {
7869 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7870 offsetof(struct xdp_md, data_meta)),
7871 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7872 offsetof(struct xdp_md, data)),
7873 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7875 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7876 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7877 BPF_MOV64_IMM(BPF_REG_0, 0),
7878 BPF_EXIT_INSN(),
7879 },
7880 .errstr = "R1 offset is outside of the packet",
7881 .result = REJECT,
7882 .prog_type = BPF_PROG_TYPE_XDP,
7883 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7884 },
7885 {
7886 "XDP pkt read, pkt_data >= pkt_meta', good access",
7887 .insns = {
7888 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7889 offsetof(struct xdp_md, data_meta)),
7890 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7891 offsetof(struct xdp_md, data)),
7892 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7894 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7895 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7896 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7897 BPF_MOV64_IMM(BPF_REG_0, 0),
7898 BPF_EXIT_INSN(),
7899 },
7900 .result = ACCEPT,
7901 .prog_type = BPF_PROG_TYPE_XDP,
7902 },
7903 {
7904 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
7905 .insns = {
7906 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7907 offsetof(struct xdp_md, data_meta)),
7908 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7909 offsetof(struct xdp_md, data)),
7910 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7912 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7913 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7914 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7915 BPF_MOV64_IMM(BPF_REG_0, 0),
7916 BPF_EXIT_INSN(),
7917 },
7918 .errstr = "R1 offset is outside of the packet",
7919 .result = REJECT,
7920 .prog_type = BPF_PROG_TYPE_XDP,
7921 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7922 },
7923 {
7924 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
7925 .insns = {
7926 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7927 offsetof(struct xdp_md, data_meta)),
7928 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7929 offsetof(struct xdp_md, data)),
7930 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7932 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7933 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7934 BPF_MOV64_IMM(BPF_REG_0, 0),
7935 BPF_EXIT_INSN(),
7936 },
7937 .errstr = "R1 offset is outside of the packet",
7938 .result = REJECT,
7939 .prog_type = BPF_PROG_TYPE_XDP,
7940 },
7941 {
7942 "XDP pkt read, pkt_meta' <= pkt_data, good access",
7943 .insns = {
7944 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7945 offsetof(struct xdp_md, data_meta)),
7946 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7947 offsetof(struct xdp_md, data)),
7948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7950 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7951 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7952 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7953 BPF_MOV64_IMM(BPF_REG_0, 0),
7954 BPF_EXIT_INSN(),
7955 },
7956 .result = ACCEPT,
7957 .prog_type = BPF_PROG_TYPE_XDP,
7958 },
7959 {
7960 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
7961 .insns = {
7962 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7963 offsetof(struct xdp_md, data_meta)),
7964 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7965 offsetof(struct xdp_md, data)),
7966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7968 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7969 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7970 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7971 BPF_MOV64_IMM(BPF_REG_0, 0),
7972 BPF_EXIT_INSN(),
7973 },
7974 .errstr = "R1 offset is outside of the packet",
7975 .result = REJECT,
7976 .prog_type = BPF_PROG_TYPE_XDP,
7977 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7978 },
7979 {
7980 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
7981 .insns = {
7982 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7983 offsetof(struct xdp_md, data_meta)),
7984 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7985 offsetof(struct xdp_md, data)),
7986 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7988 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7989 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7990 BPF_MOV64_IMM(BPF_REG_0, 0),
7991 BPF_EXIT_INSN(),
7992 },
7993 .errstr = "R1 offset is outside of the packet",
7994 .result = REJECT,
7995 .prog_type = BPF_PROG_TYPE_XDP,
7996 },
7997 {
7998 "XDP pkt read, pkt_data <= pkt_meta', good access",
7999 .insns = {
8000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8001 offsetof(struct xdp_md, data_meta)),
8002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8003 offsetof(struct xdp_md, data)),
8004 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8006 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8007 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8008 BPF_MOV64_IMM(BPF_REG_0, 0),
8009 BPF_EXIT_INSN(),
8010 },
8011 .result = ACCEPT,
8012 .prog_type = BPF_PROG_TYPE_XDP,
8013 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8014 },
8015 {
8016 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
8017 .insns = {
8018 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8019 offsetof(struct xdp_md, data_meta)),
8020 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8021 offsetof(struct xdp_md, data)),
8022 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8024 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8025 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8026 BPF_MOV64_IMM(BPF_REG_0, 0),
8027 BPF_EXIT_INSN(),
8028 },
8029 .errstr = "R1 offset is outside of the packet",
8030 .result = REJECT,
8031 .prog_type = BPF_PROG_TYPE_XDP,
8032 },
8033 {
8034 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
8035 .insns = {
8036 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8037 offsetof(struct xdp_md, data_meta)),
8038 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8039 offsetof(struct xdp_md, data)),
8040 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8042 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8043 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8044 BPF_MOV64_IMM(BPF_REG_0, 0),
8045 BPF_EXIT_INSN(),
8046 },
8047 .errstr = "R1 offset is outside of the packet",
8048 .result = REJECT,
8049 .prog_type = BPF_PROG_TYPE_XDP,
8050 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8051 },
8052 {
8053 "bpf_exit with invalid return code. test1",
8054 .insns = {
8055 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8056 BPF_EXIT_INSN(),
8057 },
8058 .errstr = "R0 has value (0x0; 0xffffffff)",
8059 .result = REJECT,
8060 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8061 },
8062 {
8063 "bpf_exit with invalid return code. test2",
8064 .insns = {
8065 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8066 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
8067 BPF_EXIT_INSN(),
8068 },
8069 .result = ACCEPT,
8070 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8071 },
8072 {
8073 "bpf_exit with invalid return code. test3",
8074 .insns = {
8075 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8076 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
8077 BPF_EXIT_INSN(),
8078 },
8079 .errstr = "R0 has value (0x0; 0x3)",
8080 .result = REJECT,
8081 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8082 },
8083 {
8084 "bpf_exit with invalid return code. test4",
8085 .insns = {
8086 BPF_MOV64_IMM(BPF_REG_0, 1),
8087 BPF_EXIT_INSN(),
8088 },
8089 .result = ACCEPT,
8090 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8091 },
8092 {
8093 "bpf_exit with invalid return code. test5",
8094 .insns = {
8095 BPF_MOV64_IMM(BPF_REG_0, 2),
8096 BPF_EXIT_INSN(),
8097 },
8098 .errstr = "R0 has value (0x2; 0x0)",
8099 .result = REJECT,
8100 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8101 },
8102 {
8103 "bpf_exit with invalid return code. test6",
8104 .insns = {
8105 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8106 BPF_EXIT_INSN(),
8107 },
8108 .errstr = "R0 is not a known value (ctx)",
8109 .result = REJECT,
8110 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8111 },
8112 {
8113 "bpf_exit with invalid return code. test7",
8114 .insns = {
8115 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
8117 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
8118 BPF_EXIT_INSN(),
8119 },
8120 .errstr = "R0 has unknown scalar value",
8121 .result = REJECT,
8122 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8123 },
8124 };
8125
8126 static int probe_filter_length(const struct bpf_insn *fp)
8127 {
8128 int len;
8129
8130 for (len = MAX_INSNS - 1; len > 0; --len)
8131 if (fp[len].code != 0 || fp[len].imm != 0)
8132 break;
8133 return len + 1;
8134 }
8135
8136 static int create_map(uint32_t size_value, uint32_t max_elem)
8137 {
8138 int fd;
8139
8140 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
8141 size_value, max_elem, BPF_F_NO_PREALLOC);
8142 if (fd < 0)
8143 printf("Failed to create hash map '%s'!\n", strerror(errno));
8144
8145 return fd;
8146 }
8147
8148 static int create_prog_array(void)
8149 {
8150 int fd;
8151
8152 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
8153 sizeof(int), 4, 0);
8154 if (fd < 0)
8155 printf("Failed to create prog array '%s'!\n", strerror(errno));
8156
8157 return fd;
8158 }
8159
8160 static int create_map_in_map(void)
8161 {
8162 int inner_map_fd, outer_map_fd;
8163
8164 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
8165 sizeof(int), 1, 0);
8166 if (inner_map_fd < 0) {
8167 printf("Failed to create array '%s'!\n", strerror(errno));
8168 return inner_map_fd;
8169 }
8170
8171 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
8172 sizeof(int), inner_map_fd, 1, 0);
8173 if (outer_map_fd < 0)
8174 printf("Failed to create array of maps '%s'!\n",
8175 strerror(errno));
8176
8177 close(inner_map_fd);
8178
8179 return outer_map_fd;
8180 }
8181
8182 static char bpf_vlog[32768];
8183
8184 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
8185 int *map_fds)
8186 {
8187 int *fixup_map1 = test->fixup_map1;
8188 int *fixup_map2 = test->fixup_map2;
8189 int *fixup_prog = test->fixup_prog;
8190 int *fixup_map_in_map = test->fixup_map_in_map;
8191
8192 /* Allocating HTs with 1 elem is fine here, since we only test
8193 * for verifier and not do a runtime lookup, so the only thing
8194 * that really matters is value size in this case.
8195 */
8196 if (*fixup_map1) {
8197 map_fds[0] = create_map(sizeof(long long), 1);
8198 do {
8199 prog[*fixup_map1].imm = map_fds[0];
8200 fixup_map1++;
8201 } while (*fixup_map1);
8202 }
8203
8204 if (*fixup_map2) {
8205 map_fds[1] = create_map(sizeof(struct test_val), 1);
8206 do {
8207 prog[*fixup_map2].imm = map_fds[1];
8208 fixup_map2++;
8209 } while (*fixup_map2);
8210 }
8211
8212 if (*fixup_prog) {
8213 map_fds[2] = create_prog_array();
8214 do {
8215 prog[*fixup_prog].imm = map_fds[2];
8216 fixup_prog++;
8217 } while (*fixup_prog);
8218 }
8219
8220 if (*fixup_map_in_map) {
8221 map_fds[3] = create_map_in_map();
8222 do {
8223 prog[*fixup_map_in_map].imm = map_fds[3];
8224 fixup_map_in_map++;
8225 } while (*fixup_map_in_map);
8226 }
8227 }
8228
8229 static void do_test_single(struct bpf_test *test, bool unpriv,
8230 int *passes, int *errors)
8231 {
8232 int fd_prog, expected_ret, reject_from_alignment;
8233 struct bpf_insn *prog = test->insns;
8234 int prog_len = probe_filter_length(prog);
8235 int prog_type = test->prog_type;
8236 int map_fds[MAX_NR_MAPS];
8237 const char *expected_err;
8238 int i;
8239
8240 for (i = 0; i < MAX_NR_MAPS; i++)
8241 map_fds[i] = -1;
8242
8243 do_test_fixup(test, prog, map_fds);
8244
8245 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
8246 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
8247 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
8248
8249 expected_ret = unpriv && test->result_unpriv != UNDEF ?
8250 test->result_unpriv : test->result;
8251 expected_err = unpriv && test->errstr_unpriv ?
8252 test->errstr_unpriv : test->errstr;
8253
8254 reject_from_alignment = fd_prog < 0 &&
8255 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
8256 strstr(bpf_vlog, "Unknown alignment.");
8257 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
8258 if (reject_from_alignment) {
8259 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
8260 strerror(errno));
8261 goto fail_log;
8262 }
8263 #endif
8264 if (expected_ret == ACCEPT) {
8265 if (fd_prog < 0 && !reject_from_alignment) {
8266 printf("FAIL\nFailed to load prog '%s'!\n",
8267 strerror(errno));
8268 goto fail_log;
8269 }
8270 } else {
8271 if (fd_prog >= 0) {
8272 printf("FAIL\nUnexpected success to load!\n");
8273 goto fail_log;
8274 }
8275 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
8276 printf("FAIL\nUnexpected error message!\n");
8277 goto fail_log;
8278 }
8279 }
8280
8281 (*passes)++;
8282 printf("OK%s\n", reject_from_alignment ?
8283 " (NOTE: reject due to unknown alignment)" : "");
8284 close_fds:
8285 close(fd_prog);
8286 for (i = 0; i < MAX_NR_MAPS; i++)
8287 close(map_fds[i]);
8288 sched_yield();
8289 return;
8290 fail_log:
8291 (*errors)++;
8292 printf("%s", bpf_vlog);
8293 goto close_fds;
8294 }
8295
8296 static bool is_admin(void)
8297 {
8298 cap_t caps;
8299 cap_flag_value_t sysadmin = CAP_CLEAR;
8300 const cap_value_t cap_val = CAP_SYS_ADMIN;
8301
8302 #ifdef CAP_IS_SUPPORTED
8303 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
8304 perror("cap_get_flag");
8305 return false;
8306 }
8307 #endif
8308 caps = cap_get_proc();
8309 if (!caps) {
8310 perror("cap_get_proc");
8311 return false;
8312 }
8313 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
8314 perror("cap_get_flag");
8315 if (cap_free(caps))
8316 perror("cap_free");
8317 return (sysadmin == CAP_SET);
8318 }
8319
8320 static int set_admin(bool admin)
8321 {
8322 cap_t caps;
8323 const cap_value_t cap_val = CAP_SYS_ADMIN;
8324 int ret = -1;
8325
8326 caps = cap_get_proc();
8327 if (!caps) {
8328 perror("cap_get_proc");
8329 return -1;
8330 }
8331 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
8332 admin ? CAP_SET : CAP_CLEAR)) {
8333 perror("cap_set_flag");
8334 goto out;
8335 }
8336 if (cap_set_proc(caps)) {
8337 perror("cap_set_proc");
8338 goto out;
8339 }
8340 ret = 0;
8341 out:
8342 if (cap_free(caps))
8343 perror("cap_free");
8344 return ret;
8345 }
8346
8347 static int do_test(bool unpriv, unsigned int from, unsigned int to)
8348 {
8349 int i, passes = 0, errors = 0;
8350
8351 for (i = from; i < to; i++) {
8352 struct bpf_test *test = &tests[i];
8353
8354 /* Program types that are not supported by non-root we
8355 * skip right away.
8356 */
8357 if (!test->prog_type) {
8358 if (!unpriv)
8359 set_admin(false);
8360 printf("#%d/u %s ", i, test->descr);
8361 do_test_single(test, true, &passes, &errors);
8362 if (!unpriv)
8363 set_admin(true);
8364 }
8365
8366 if (!unpriv) {
8367 printf("#%d/p %s ", i, test->descr);
8368 do_test_single(test, false, &passes, &errors);
8369 }
8370 }
8371
8372 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
8373 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
8374 }
8375
8376 int main(int argc, char **argv)
8377 {
8378 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
8379 struct rlimit rlim = { 1 << 20, 1 << 20 };
8380 unsigned int from = 0, to = ARRAY_SIZE(tests);
8381 bool unpriv = !is_admin();
8382
8383 if (argc == 3) {
8384 unsigned int l = atoi(argv[argc - 2]);
8385 unsigned int u = atoi(argv[argc - 1]);
8386
8387 if (l < to && u < to) {
8388 from = l;
8389 to = u + 1;
8390 }
8391 } else if (argc == 2) {
8392 unsigned int t = atoi(argv[argc - 1]);
8393
8394 if (t < to) {
8395 from = t;
8396 to = t + 1;
8397 }
8398 }
8399
8400 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
8401 return do_test(unpriv, from, to);
8402 }
Ubuntu Hirsute Linux kernel mirror