2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
12 #include <asm/types.h>
13 #include <linux/types.h>
24 #include <sys/capability.h>
25 #include <sys/resource.h>
27 #include <linux/unistd.h>
28 #include <linux/filter.h>
29 #include <linux/bpf_perf_event.h>
30 #include <linux/bpf.h>
35 # include "autoconf.h"
37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42 #include "../../../include/linux/filter.h"
45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
53 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
57 struct bpf_insn insns
[MAX_INSNS
];
58 int fixup_map1
[MAX_FIXUPS
];
59 int fixup_map2
[MAX_FIXUPS
];
60 int fixup_prog
[MAX_FIXUPS
];
61 int fixup_map_in_map
[MAX_FIXUPS
];
63 const char *errstr_unpriv
;
68 } result
, result_unpriv
;
69 enum bpf_prog_type prog_type
;
73 /* Note we want this to be 64 bit aligned so that the end of our array is
74 * actually the end of the structure.
76 #define MAX_ENTRIES 11
83 static struct bpf_test tests
[] = {
87 BPF_MOV64_IMM(BPF_REG_1
, 1),
88 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 2),
89 BPF_MOV64_IMM(BPF_REG_2
, 3),
90 BPF_ALU64_REG(BPF_SUB
, BPF_REG_1
, BPF_REG_2
),
91 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -1),
92 BPF_ALU64_IMM(BPF_MUL
, BPF_REG_1
, 3),
93 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_1
),
104 .errstr
= "unreachable",
110 BPF_JMP_IMM(BPF_JA
, 0, 0, 1),
111 BPF_JMP_IMM(BPF_JA
, 0, 0, 0),
114 .errstr
= "unreachable",
120 BPF_JMP_IMM(BPF_JA
, 0, 0, 1),
123 .errstr
= "jump out of range",
127 "out of range jump2",
129 BPF_JMP_IMM(BPF_JA
, 0, 0, -2),
132 .errstr
= "jump out of range",
138 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 1),
139 BPF_LD_IMM64(BPF_REG_0
, 0),
140 BPF_LD_IMM64(BPF_REG_0
, 0),
141 BPF_LD_IMM64(BPF_REG_0
, 1),
142 BPF_LD_IMM64(BPF_REG_0
, 1),
143 BPF_MOV64_IMM(BPF_REG_0
, 2),
146 .errstr
= "invalid BPF_LD_IMM insn",
147 .errstr_unpriv
= "R1 pointer comparison",
153 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 1),
154 BPF_LD_IMM64(BPF_REG_0
, 0),
155 BPF_LD_IMM64(BPF_REG_0
, 0),
156 BPF_LD_IMM64(BPF_REG_0
, 1),
157 BPF_LD_IMM64(BPF_REG_0
, 1),
160 .errstr
= "invalid BPF_LD_IMM insn",
161 .errstr_unpriv
= "R1 pointer comparison",
167 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 1),
168 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 0),
169 BPF_LD_IMM64(BPF_REG_0
, 0),
170 BPF_LD_IMM64(BPF_REG_0
, 0),
171 BPF_LD_IMM64(BPF_REG_0
, 1),
172 BPF_LD_IMM64(BPF_REG_0
, 1),
175 .errstr
= "invalid bpf_ld_imm64 insn",
181 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 0),
184 .errstr
= "invalid bpf_ld_imm64 insn",
190 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 0),
192 .errstr
= "invalid bpf_ld_imm64 insn",
198 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 0),
199 BPF_RAW_INSN(0, 0, 0, 0, 0),
207 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 1),
208 BPF_RAW_INSN(0, 0, 0, 0, 1),
216 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 1, 1),
217 BPF_RAW_INSN(0, 0, 0, 0, 1),
220 .errstr
= "uses reserved fields",
226 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 1),
227 BPF_RAW_INSN(0, 0, 0, 1, 1),
230 .errstr
= "invalid bpf_ld_imm64 insn",
236 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 1),
237 BPF_RAW_INSN(0, BPF_REG_1
, 0, 0, 1),
240 .errstr
= "invalid bpf_ld_imm64 insn",
246 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, 0, 0, 1),
247 BPF_RAW_INSN(0, 0, BPF_REG_1
, 0, 1),
250 .errstr
= "invalid bpf_ld_imm64 insn",
256 BPF_MOV64_IMM(BPF_REG_1
, 0),
257 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, BPF_REG_1
, 0, 1),
258 BPF_RAW_INSN(0, 0, 0, 0, 1),
261 .errstr
= "not pointing to valid bpf_map",
267 BPF_MOV64_IMM(BPF_REG_1
, 0),
268 BPF_RAW_INSN(BPF_LD
| BPF_IMM
| BPF_DW
, 0, BPF_REG_1
, 0, 1),
269 BPF_RAW_INSN(0, 0, BPF_REG_1
, 0, 1),
272 .errstr
= "invalid bpf_ld_imm64 insn",
278 BPF_ALU64_REG(BPF_MOV
, BPF_REG_0
, BPF_REG_2
),
280 .errstr
= "jump out of range",
286 BPF_JMP_IMM(BPF_JA
, 0, 0, -1),
289 .errstr
= "back-edge",
295 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
296 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_0
),
297 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_0
),
298 BPF_JMP_IMM(BPF_JA
, 0, 0, -4),
301 .errstr
= "back-edge",
307 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
308 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_0
),
309 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_0
),
310 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, -3),
313 .errstr
= "back-edge",
317 "read uninitialized register",
319 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
322 .errstr
= "R2 !read_ok",
326 "read invalid register",
328 BPF_MOV64_REG(BPF_REG_0
, -1),
331 .errstr
= "R15 is invalid",
335 "program doesn't init R0 before exit",
337 BPF_ALU64_REG(BPF_MOV
, BPF_REG_2
, BPF_REG_1
),
340 .errstr
= "R0 !read_ok",
344 "program doesn't init R0 before exit in all branches",
346 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 2),
347 BPF_MOV64_IMM(BPF_REG_0
, 1),
348 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 2),
351 .errstr
= "R0 !read_ok",
352 .errstr_unpriv
= "R1 pointer comparison",
356 "stack out of bounds",
358 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, 8, 0),
361 .errstr
= "invalid stack",
365 "invalid call insn1",
367 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
| BPF_X
, 0, 0, 0, 0),
370 .errstr
= "BPF_CALL uses reserved",
374 "invalid call insn2",
376 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 1, 0),
379 .errstr
= "BPF_CALL uses reserved",
383 "invalid function call",
385 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0, 1234567),
388 .errstr
= "invalid func unknown#1234567",
392 "uninitialized stack1",
394 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
395 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
396 BPF_LD_MAP_FD(BPF_REG_1
, 0),
397 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
398 BPF_FUNC_map_lookup_elem
),
402 .errstr
= "invalid indirect read from stack",
406 "uninitialized stack2",
408 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
409 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_2
, -8),
412 .errstr
= "invalid read from stack",
416 "invalid fp arithmetic",
417 /* If this gets ever changed, make sure JITs can deal with it. */
419 BPF_MOV64_IMM(BPF_REG_0
, 0),
420 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
421 BPF_ALU64_IMM(BPF_SUB
, BPF_REG_1
, 8),
422 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
, 0),
425 .errstr_unpriv
= "R1 pointer arithmetic",
426 .result_unpriv
= REJECT
,
427 .errstr
= "R1 invalid mem access",
431 "non-invalid fp arithmetic",
433 BPF_MOV64_IMM(BPF_REG_0
, 0),
434 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
440 "invalid argument register",
442 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
443 BPF_FUNC_get_cgroup_classid
),
444 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
445 BPF_FUNC_get_cgroup_classid
),
448 .errstr
= "R1 !read_ok",
450 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
453 "non-invalid argument register",
455 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_1
),
456 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
457 BPF_FUNC_get_cgroup_classid
),
458 BPF_ALU64_REG(BPF_MOV
, BPF_REG_1
, BPF_REG_6
),
459 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
460 BPF_FUNC_get_cgroup_classid
),
464 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
467 "check valid spill/fill",
469 /* spill R1(ctx) into stack */
470 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
471 /* fill it back into R2 */
472 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -8),
473 /* should be able to access R0 = *(R2 + 8) */
474 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
475 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
478 .errstr_unpriv
= "R0 leaks addr",
480 .result_unpriv
= REJECT
,
483 "check valid spill/fill, skb mark",
485 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_1
),
486 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_6
, -8),
487 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_10
, -8),
488 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_0
,
489 offsetof(struct __sk_buff
, mark
)),
493 .result_unpriv
= ACCEPT
,
496 "check corrupted spill/fill",
498 /* spill R1(ctx) into stack */
499 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
500 /* mess up with R1 pointer on stack */
501 BPF_ST_MEM(BPF_B
, BPF_REG_10
, -7, 0x23),
502 /* fill back into R0 should fail */
503 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_10
, -8),
506 .errstr_unpriv
= "attempt to corrupt spilled",
507 .errstr
= "corrupted spill",
511 "invalid src register in STX",
513 BPF_STX_MEM(BPF_B
, BPF_REG_10
, -1, -1),
516 .errstr
= "R15 is invalid",
520 "invalid dst register in STX",
522 BPF_STX_MEM(BPF_B
, 14, BPF_REG_10
, -1),
525 .errstr
= "R14 is invalid",
529 "invalid dst register in ST",
531 BPF_ST_MEM(BPF_B
, 14, -1, -1),
534 .errstr
= "R14 is invalid",
538 "invalid src register in LDX",
540 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, 12, 0),
543 .errstr
= "R12 is invalid",
547 "invalid dst register in LDX",
549 BPF_LDX_MEM(BPF_B
, 11, BPF_REG_1
, 0),
552 .errstr
= "R11 is invalid",
558 BPF_RAW_INSN(0, 0, 0, 0, 0),
561 .errstr
= "invalid BPF_LD_IMM",
567 BPF_RAW_INSN(1, 0, 0, 0, 0),
570 .errstr
= "BPF_LDX uses reserved fields",
576 BPF_RAW_INSN(-1, 0, 0, 0, 0),
579 .errstr
= "invalid BPF_ALU opcode f0",
585 BPF_RAW_INSN(-1, -1, -1, -1, -1),
588 .errstr
= "invalid BPF_ALU opcode f0",
594 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
597 .errstr
= "BPF_ALU uses reserved fields",
601 "misaligned read from stack",
603 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
604 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_2
, -4),
607 .errstr
= "misaligned access",
611 "invalid map_fd for function call",
613 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
614 BPF_ALU64_REG(BPF_MOV
, BPF_REG_2
, BPF_REG_10
),
615 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
616 BPF_LD_MAP_FD(BPF_REG_1
, 0),
617 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
618 BPF_FUNC_map_delete_elem
),
621 .errstr
= "fd 0 is not pointing to valid bpf_map",
625 "don't check return value before access",
627 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
628 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
629 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
630 BPF_LD_MAP_FD(BPF_REG_1
, 0),
631 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
632 BPF_FUNC_map_lookup_elem
),
633 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 0),
637 .errstr
= "R0 invalid mem access 'map_value_or_null'",
641 "access memory with incorrect alignment",
643 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
644 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
645 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
646 BPF_LD_MAP_FD(BPF_REG_1
, 0),
647 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
648 BPF_FUNC_map_lookup_elem
),
649 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
650 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 4, 0),
654 .errstr
= "misaligned access",
658 "sometimes access memory with incorrect alignment",
660 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
661 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
662 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
663 BPF_LD_MAP_FD(BPF_REG_1
, 0),
664 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
665 BPF_FUNC_map_lookup_elem
),
666 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 2),
667 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 0),
669 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 1),
673 .errstr
= "R0 invalid mem access",
674 .errstr_unpriv
= "R0 leaks addr",
680 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
681 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -8),
682 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 1),
683 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -8, 0),
684 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 1, 1),
685 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -16, 1),
686 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 2, 1),
687 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -8, 2),
688 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 3, 1),
689 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -16, 3),
690 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 4, 1),
691 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -8, 4),
692 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 5, 1),
693 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -32, 5),
694 BPF_MOV64_IMM(BPF_REG_0
, 0),
697 .errstr_unpriv
= "R1 pointer comparison",
698 .result_unpriv
= REJECT
,
704 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
705 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 2),
706 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -8, 0),
707 BPF_JMP_IMM(BPF_JA
, 0, 0, 14),
708 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 1, 2),
709 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -16, 0),
710 BPF_JMP_IMM(BPF_JA
, 0, 0, 11),
711 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 2, 2),
712 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -32, 0),
713 BPF_JMP_IMM(BPF_JA
, 0, 0, 8),
714 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 3, 2),
715 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -40, 0),
716 BPF_JMP_IMM(BPF_JA
, 0, 0, 5),
717 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 4, 2),
718 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -48, 0),
719 BPF_JMP_IMM(BPF_JA
, 0, 0, 2),
720 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 5, 1),
721 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -56, 0),
722 BPF_MOV64_IMM(BPF_REG_0
, 0),
725 .errstr_unpriv
= "R1 pointer comparison",
726 .result_unpriv
= REJECT
,
732 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
733 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 3),
734 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -8, 0),
735 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
736 BPF_JMP_IMM(BPF_JA
, 0, 0, 19),
737 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 1, 3),
738 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -16, 0),
739 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -16),
740 BPF_JMP_IMM(BPF_JA
, 0, 0, 15),
741 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 2, 3),
742 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -32, 0),
743 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -32),
744 BPF_JMP_IMM(BPF_JA
, 0, 0, 11),
745 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 3, 3),
746 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -40, 0),
747 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -40),
748 BPF_JMP_IMM(BPF_JA
, 0, 0, 7),
749 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 4, 3),
750 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -48, 0),
751 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -48),
752 BPF_JMP_IMM(BPF_JA
, 0, 0, 3),
753 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 5, 0),
754 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, -56, 0),
755 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -56),
756 BPF_LD_MAP_FD(BPF_REG_1
, 0),
757 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
758 BPF_FUNC_map_delete_elem
),
761 .fixup_map1
= { 24 },
762 .errstr_unpriv
= "R1 pointer comparison",
763 .result_unpriv
= REJECT
,
769 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
770 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
771 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
772 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
773 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
774 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
775 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
776 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
777 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
778 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
779 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
780 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
781 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
782 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
783 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
784 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
785 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
786 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
787 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
788 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
789 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
790 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
791 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
792 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
793 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
794 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
795 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
796 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
797 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
798 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
799 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
800 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
801 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 1),
802 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 2),
803 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 3),
804 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 4),
805 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 0),
806 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 0),
807 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 0),
808 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 0),
809 BPF_MOV64_IMM(BPF_REG_0
, 0),
812 .errstr_unpriv
= "R1 pointer comparison",
813 .result_unpriv
= REJECT
,
819 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
820 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_2
),
821 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 2),
822 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_3
, -8),
823 BPF_JMP_IMM(BPF_JA
, 0, 0, 2),
824 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_2
, -8),
825 BPF_JMP_IMM(BPF_JA
, 0, 0, 0),
826 BPF_MOV64_IMM(BPF_REG_0
, 0),
827 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 2),
828 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_3
, -8),
829 BPF_JMP_IMM(BPF_JA
, 0, 0, 2),
830 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_2
, -8),
831 BPF_JMP_IMM(BPF_JA
, 0, 0, 0),
832 BPF_MOV64_IMM(BPF_REG_0
, 0),
833 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 2),
834 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_3
, -8),
835 BPF_JMP_IMM(BPF_JA
, 0, 0, 2),
836 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_2
, -8),
837 BPF_JMP_IMM(BPF_JA
, 0, 0, 0),
838 BPF_MOV64_IMM(BPF_REG_0
, 0),
839 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 2),
840 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_3
, -8),
841 BPF_JMP_IMM(BPF_JA
, 0, 0, 2),
842 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_2
, -8),
843 BPF_JMP_IMM(BPF_JA
, 0, 0, 0),
844 BPF_MOV64_IMM(BPF_REG_0
, 0),
845 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 2),
846 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_3
, -8),
847 BPF_JMP_IMM(BPF_JA
, 0, 0, 2),
848 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_2
, -8),
849 BPF_JMP_IMM(BPF_JA
, 0, 0, 0),
850 BPF_MOV64_IMM(BPF_REG_0
, 0),
853 .errstr_unpriv
= "R1 pointer comparison",
854 .result_unpriv
= REJECT
,
858 "access skb fields ok",
860 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
861 offsetof(struct __sk_buff
, len
)),
862 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 1),
863 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
864 offsetof(struct __sk_buff
, mark
)),
865 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 1),
866 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
867 offsetof(struct __sk_buff
, pkt_type
)),
868 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 1),
869 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
870 offsetof(struct __sk_buff
, queue_mapping
)),
871 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 0),
872 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
873 offsetof(struct __sk_buff
, protocol
)),
874 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 0),
875 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
876 offsetof(struct __sk_buff
, vlan_present
)),
877 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 0),
878 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
879 offsetof(struct __sk_buff
, vlan_tci
)),
880 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 0),
881 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
882 offsetof(struct __sk_buff
, napi_id
)),
883 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 0),
889 "access skb fields bad1",
891 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
, -4),
894 .errstr
= "invalid bpf_context access",
898 "access skb fields bad2",
900 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 9),
901 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
902 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
903 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
904 BPF_LD_MAP_FD(BPF_REG_1
, 0),
905 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
906 BPF_FUNC_map_lookup_elem
),
907 BPF_JMP_IMM(BPF_JNE
, BPF_REG_0
, 0, 1),
909 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
910 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
911 offsetof(struct __sk_buff
, pkt_type
)),
915 .errstr
= "different pointers",
916 .errstr_unpriv
= "R1 pointer comparison",
920 "access skb fields bad3",
922 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 2),
923 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
924 offsetof(struct __sk_buff
, pkt_type
)),
926 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
927 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
928 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
929 BPF_LD_MAP_FD(BPF_REG_1
, 0),
930 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
931 BPF_FUNC_map_lookup_elem
),
932 BPF_JMP_IMM(BPF_JNE
, BPF_REG_0
, 0, 1),
934 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
935 BPF_JMP_IMM(BPF_JA
, 0, 0, -12),
938 .errstr
= "different pointers",
939 .errstr_unpriv
= "R1 pointer comparison",
943 "access skb fields bad4",
945 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, 0, 3),
946 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_1
,
947 offsetof(struct __sk_buff
, len
)),
948 BPF_MOV64_IMM(BPF_REG_0
, 0),
950 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
951 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
952 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
953 BPF_LD_MAP_FD(BPF_REG_1
, 0),
954 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
955 BPF_FUNC_map_lookup_elem
),
956 BPF_JMP_IMM(BPF_JNE
, BPF_REG_0
, 0, 1),
958 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
959 BPF_JMP_IMM(BPF_JA
, 0, 0, -13),
962 .errstr
= "different pointers",
963 .errstr_unpriv
= "R1 pointer comparison",
967 "check skb->mark is not writeable by sockets",
969 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_1
,
970 offsetof(struct __sk_buff
, mark
)),
973 .errstr
= "invalid bpf_context access",
974 .errstr_unpriv
= "R1 leaks addr",
978 "check skb->tc_index is not writeable by sockets",
980 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_1
,
981 offsetof(struct __sk_buff
, tc_index
)),
984 .errstr
= "invalid bpf_context access",
985 .errstr_unpriv
= "R1 leaks addr",
989 "check cb access: byte",
991 BPF_MOV64_IMM(BPF_REG_0
, 0),
992 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
993 offsetof(struct __sk_buff
, cb
[0])),
994 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
995 offsetof(struct __sk_buff
, cb
[0]) + 1),
996 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
997 offsetof(struct __sk_buff
, cb
[0]) + 2),
998 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
999 offsetof(struct __sk_buff
, cb
[0]) + 3),
1000 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1001 offsetof(struct __sk_buff
, cb
[1])),
1002 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1003 offsetof(struct __sk_buff
, cb
[1]) + 1),
1004 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1005 offsetof(struct __sk_buff
, cb
[1]) + 2),
1006 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1007 offsetof(struct __sk_buff
, cb
[1]) + 3),
1008 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1009 offsetof(struct __sk_buff
, cb
[2])),
1010 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1011 offsetof(struct __sk_buff
, cb
[2]) + 1),
1012 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1013 offsetof(struct __sk_buff
, cb
[2]) + 2),
1014 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1015 offsetof(struct __sk_buff
, cb
[2]) + 3),
1016 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1017 offsetof(struct __sk_buff
, cb
[3])),
1018 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1019 offsetof(struct __sk_buff
, cb
[3]) + 1),
1020 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1021 offsetof(struct __sk_buff
, cb
[3]) + 2),
1022 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1023 offsetof(struct __sk_buff
, cb
[3]) + 3),
1024 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1025 offsetof(struct __sk_buff
, cb
[4])),
1026 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1027 offsetof(struct __sk_buff
, cb
[4]) + 1),
1028 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1029 offsetof(struct __sk_buff
, cb
[4]) + 2),
1030 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1031 offsetof(struct __sk_buff
, cb
[4]) + 3),
1032 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1033 offsetof(struct __sk_buff
, cb
[0])),
1034 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1035 offsetof(struct __sk_buff
, cb
[0]) + 1),
1036 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1037 offsetof(struct __sk_buff
, cb
[0]) + 2),
1038 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1039 offsetof(struct __sk_buff
, cb
[0]) + 3),
1040 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1041 offsetof(struct __sk_buff
, cb
[1])),
1042 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1043 offsetof(struct __sk_buff
, cb
[1]) + 1),
1044 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1045 offsetof(struct __sk_buff
, cb
[1]) + 2),
1046 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1047 offsetof(struct __sk_buff
, cb
[1]) + 3),
1048 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1049 offsetof(struct __sk_buff
, cb
[2])),
1050 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1051 offsetof(struct __sk_buff
, cb
[2]) + 1),
1052 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1053 offsetof(struct __sk_buff
, cb
[2]) + 2),
1054 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1055 offsetof(struct __sk_buff
, cb
[2]) + 3),
1056 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1057 offsetof(struct __sk_buff
, cb
[3])),
1058 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1059 offsetof(struct __sk_buff
, cb
[3]) + 1),
1060 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1061 offsetof(struct __sk_buff
, cb
[3]) + 2),
1062 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1063 offsetof(struct __sk_buff
, cb
[3]) + 3),
1064 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1065 offsetof(struct __sk_buff
, cb
[4])),
1066 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1067 offsetof(struct __sk_buff
, cb
[4]) + 1),
1068 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1069 offsetof(struct __sk_buff
, cb
[4]) + 2),
1070 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1071 offsetof(struct __sk_buff
, cb
[4]) + 3),
1077 "__sk_buff->hash, offset 0, byte store not permitted",
1079 BPF_MOV64_IMM(BPF_REG_0
, 0),
1080 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1081 offsetof(struct __sk_buff
, hash
)),
1084 .errstr
= "invalid bpf_context access",
1088 "__sk_buff->tc_index, offset 3, byte store not permitted",
1090 BPF_MOV64_IMM(BPF_REG_0
, 0),
1091 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1092 offsetof(struct __sk_buff
, tc_index
) + 3),
1095 .errstr
= "invalid bpf_context access",
1099 "check skb->hash byte load permitted",
1101 BPF_MOV64_IMM(BPF_REG_0
, 0),
1102 #if __BYTE_ORDER == __LITTLE_ENDIAN
1103 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1104 offsetof(struct __sk_buff
, hash
)),
1106 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1107 offsetof(struct __sk_buff
, hash
) + 3),
1114 "check skb->hash byte load not permitted 1",
1116 BPF_MOV64_IMM(BPF_REG_0
, 0),
1117 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1118 offsetof(struct __sk_buff
, hash
) + 1),
1121 .errstr
= "invalid bpf_context access",
1125 "check skb->hash byte load not permitted 2",
1127 BPF_MOV64_IMM(BPF_REG_0
, 0),
1128 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1129 offsetof(struct __sk_buff
, hash
) + 2),
1132 .errstr
= "invalid bpf_context access",
1136 "check skb->hash byte load not permitted 3",
1138 BPF_MOV64_IMM(BPF_REG_0
, 0),
1139 #if __BYTE_ORDER == __LITTLE_ENDIAN
1140 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1141 offsetof(struct __sk_buff
, hash
) + 3),
1143 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
1144 offsetof(struct __sk_buff
, hash
)),
1148 .errstr
= "invalid bpf_context access",
1152 "check cb access: byte, wrong type",
1154 BPF_MOV64_IMM(BPF_REG_0
, 0),
1155 BPF_STX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
,
1156 offsetof(struct __sk_buff
, cb
[0])),
1159 .errstr
= "invalid bpf_context access",
1161 .prog_type
= BPF_PROG_TYPE_CGROUP_SOCK
,
1164 "check cb access: half",
1166 BPF_MOV64_IMM(BPF_REG_0
, 0),
1167 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1168 offsetof(struct __sk_buff
, cb
[0])),
1169 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1170 offsetof(struct __sk_buff
, cb
[0]) + 2),
1171 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1172 offsetof(struct __sk_buff
, cb
[1])),
1173 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1174 offsetof(struct __sk_buff
, cb
[1]) + 2),
1175 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1176 offsetof(struct __sk_buff
, cb
[2])),
1177 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1178 offsetof(struct __sk_buff
, cb
[2]) + 2),
1179 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1180 offsetof(struct __sk_buff
, cb
[3])),
1181 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1182 offsetof(struct __sk_buff
, cb
[3]) + 2),
1183 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1184 offsetof(struct __sk_buff
, cb
[4])),
1185 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1186 offsetof(struct __sk_buff
, cb
[4]) + 2),
1187 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1188 offsetof(struct __sk_buff
, cb
[0])),
1189 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1190 offsetof(struct __sk_buff
, cb
[0]) + 2),
1191 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1192 offsetof(struct __sk_buff
, cb
[1])),
1193 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1194 offsetof(struct __sk_buff
, cb
[1]) + 2),
1195 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1196 offsetof(struct __sk_buff
, cb
[2])),
1197 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1198 offsetof(struct __sk_buff
, cb
[2]) + 2),
1199 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1200 offsetof(struct __sk_buff
, cb
[3])),
1201 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1202 offsetof(struct __sk_buff
, cb
[3]) + 2),
1203 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1204 offsetof(struct __sk_buff
, cb
[4])),
1205 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1206 offsetof(struct __sk_buff
, cb
[4]) + 2),
1212 "check cb access: half, unaligned",
1214 BPF_MOV64_IMM(BPF_REG_0
, 0),
1215 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1216 offsetof(struct __sk_buff
, cb
[0]) + 1),
1219 .errstr
= "misaligned access",
1223 "check __sk_buff->hash, offset 0, half store not permitted",
1225 BPF_MOV64_IMM(BPF_REG_0
, 0),
1226 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1227 offsetof(struct __sk_buff
, hash
)),
1230 .errstr
= "invalid bpf_context access",
1234 "check __sk_buff->tc_index, offset 2, half store not permitted",
1236 BPF_MOV64_IMM(BPF_REG_0
, 0),
1237 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1238 offsetof(struct __sk_buff
, tc_index
) + 2),
1241 .errstr
= "invalid bpf_context access",
1245 "check skb->hash half load permitted",
1247 BPF_MOV64_IMM(BPF_REG_0
, 0),
1248 #if __BYTE_ORDER == __LITTLE_ENDIAN
1249 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1250 offsetof(struct __sk_buff
, hash
)),
1252 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1253 offsetof(struct __sk_buff
, hash
) + 2),
1260 "check skb->hash half load not permitted",
1262 BPF_MOV64_IMM(BPF_REG_0
, 0),
1263 #if __BYTE_ORDER == __LITTLE_ENDIAN
1264 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1265 offsetof(struct __sk_buff
, hash
) + 2),
1267 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
1268 offsetof(struct __sk_buff
, hash
)),
1272 .errstr
= "invalid bpf_context access",
1276 "check cb access: half, wrong type",
1278 BPF_MOV64_IMM(BPF_REG_0
, 0),
1279 BPF_STX_MEM(BPF_H
, BPF_REG_1
, BPF_REG_0
,
1280 offsetof(struct __sk_buff
, cb
[0])),
1283 .errstr
= "invalid bpf_context access",
1285 .prog_type
= BPF_PROG_TYPE_CGROUP_SOCK
,
1288 "check cb access: word",
1290 BPF_MOV64_IMM(BPF_REG_0
, 0),
1291 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1292 offsetof(struct __sk_buff
, cb
[0])),
1293 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1294 offsetof(struct __sk_buff
, cb
[1])),
1295 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1296 offsetof(struct __sk_buff
, cb
[2])),
1297 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1298 offsetof(struct __sk_buff
, cb
[3])),
1299 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1300 offsetof(struct __sk_buff
, cb
[4])),
1301 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1302 offsetof(struct __sk_buff
, cb
[0])),
1303 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1304 offsetof(struct __sk_buff
, cb
[1])),
1305 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1306 offsetof(struct __sk_buff
, cb
[2])),
1307 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1308 offsetof(struct __sk_buff
, cb
[3])),
1309 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1310 offsetof(struct __sk_buff
, cb
[4])),
1316 "check cb access: word, unaligned 1",
1318 BPF_MOV64_IMM(BPF_REG_0
, 0),
1319 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1320 offsetof(struct __sk_buff
, cb
[0]) + 2),
1323 .errstr
= "misaligned access",
1327 "check cb access: word, unaligned 2",
1329 BPF_MOV64_IMM(BPF_REG_0
, 0),
1330 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1331 offsetof(struct __sk_buff
, cb
[4]) + 1),
1334 .errstr
= "misaligned access",
1338 "check cb access: word, unaligned 3",
1340 BPF_MOV64_IMM(BPF_REG_0
, 0),
1341 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1342 offsetof(struct __sk_buff
, cb
[4]) + 2),
1345 .errstr
= "misaligned access",
1349 "check cb access: word, unaligned 4",
1351 BPF_MOV64_IMM(BPF_REG_0
, 0),
1352 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1353 offsetof(struct __sk_buff
, cb
[4]) + 3),
1356 .errstr
= "misaligned access",
1360 "check cb access: double",
1362 BPF_MOV64_IMM(BPF_REG_0
, 0),
1363 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
1364 offsetof(struct __sk_buff
, cb
[0])),
1365 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
1366 offsetof(struct __sk_buff
, cb
[2])),
1367 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
,
1368 offsetof(struct __sk_buff
, cb
[0])),
1369 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
,
1370 offsetof(struct __sk_buff
, cb
[2])),
1376 "check cb access: double, unaligned 1",
1378 BPF_MOV64_IMM(BPF_REG_0
, 0),
1379 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
1380 offsetof(struct __sk_buff
, cb
[1])),
1383 .errstr
= "misaligned access",
1387 "check cb access: double, unaligned 2",
1389 BPF_MOV64_IMM(BPF_REG_0
, 0),
1390 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
1391 offsetof(struct __sk_buff
, cb
[3])),
1394 .errstr
= "misaligned access",
1398 "check cb access: double, oob 1",
1400 BPF_MOV64_IMM(BPF_REG_0
, 0),
1401 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
1402 offsetof(struct __sk_buff
, cb
[4])),
1405 .errstr
= "invalid bpf_context access",
1409 "check cb access: double, oob 2",
1411 BPF_MOV64_IMM(BPF_REG_0
, 0),
1412 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
,
1413 offsetof(struct __sk_buff
, cb
[4])),
1416 .errstr
= "invalid bpf_context access",
1420 "check __sk_buff->ifindex dw store not permitted",
1422 BPF_MOV64_IMM(BPF_REG_0
, 0),
1423 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
1424 offsetof(struct __sk_buff
, ifindex
)),
1427 .errstr
= "invalid bpf_context access",
1431 "check __sk_buff->ifindex dw load not permitted",
1433 BPF_MOV64_IMM(BPF_REG_0
, 0),
1434 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
,
1435 offsetof(struct __sk_buff
, ifindex
)),
1438 .errstr
= "invalid bpf_context access",
1442 "check cb access: double, wrong type",
1444 BPF_MOV64_IMM(BPF_REG_0
, 0),
1445 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
1446 offsetof(struct __sk_buff
, cb
[0])),
1449 .errstr
= "invalid bpf_context access",
1451 .prog_type
= BPF_PROG_TYPE_CGROUP_SOCK
,
1454 "check out of range skb->cb access",
1456 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1457 offsetof(struct __sk_buff
, cb
[0]) + 256),
1460 .errstr
= "invalid bpf_context access",
1461 .errstr_unpriv
= "",
1463 .prog_type
= BPF_PROG_TYPE_SCHED_ACT
,
1466 "write skb fields from socket prog",
1468 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1469 offsetof(struct __sk_buff
, cb
[4])),
1470 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 1),
1471 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1472 offsetof(struct __sk_buff
, mark
)),
1473 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1474 offsetof(struct __sk_buff
, tc_index
)),
1475 BPF_JMP_IMM(BPF_JGE
, BPF_REG_0
, 0, 1),
1476 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_1
,
1477 offsetof(struct __sk_buff
, cb
[0])),
1478 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_1
,
1479 offsetof(struct __sk_buff
, cb
[2])),
1483 .errstr_unpriv
= "R1 leaks addr",
1484 .result_unpriv
= REJECT
,
1487 "write skb fields from tc_cls_act prog",
1489 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1490 offsetof(struct __sk_buff
, cb
[0])),
1491 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1492 offsetof(struct __sk_buff
, mark
)),
1493 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
1494 offsetof(struct __sk_buff
, tc_index
)),
1495 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1496 offsetof(struct __sk_buff
, tc_index
)),
1497 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
,
1498 offsetof(struct __sk_buff
, cb
[3])),
1501 .errstr_unpriv
= "",
1502 .result_unpriv
= REJECT
,
1504 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
1507 "PTR_TO_STACK store/load",
1509 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
1510 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -10),
1511 BPF_ST_MEM(BPF_DW
, BPF_REG_1
, 2, 0xfaceb00c),
1512 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
, 2),
1518 "PTR_TO_STACK store/load - bad alignment on off",
1520 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
1521 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -8),
1522 BPF_ST_MEM(BPF_DW
, BPF_REG_1
, 2, 0xfaceb00c),
1523 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
, 2),
1527 .errstr
= "misaligned access off -6 size 8",
1530 "PTR_TO_STACK store/load - bad alignment on reg",
1532 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
1533 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -10),
1534 BPF_ST_MEM(BPF_DW
, BPF_REG_1
, 8, 0xfaceb00c),
1535 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
, 8),
1539 .errstr
= "misaligned access off -2 size 8",
1542 "PTR_TO_STACK store/load - out of bounds low",
1544 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
1545 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -80000),
1546 BPF_ST_MEM(BPF_DW
, BPF_REG_1
, 8, 0xfaceb00c),
1547 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
, 8),
1551 .errstr
= "invalid stack off=-79992 size=8",
1554 "PTR_TO_STACK store/load - out of bounds high",
1556 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
1557 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -8),
1558 BPF_ST_MEM(BPF_DW
, BPF_REG_1
, 8, 0xfaceb00c),
1559 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
, 8),
1563 .errstr
= "invalid stack off=0 size=8",
1566 "unpriv: return pointer",
1568 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_10
),
1572 .result_unpriv
= REJECT
,
1573 .errstr_unpriv
= "R0 leaks addr",
1576 "unpriv: add const to pointer",
1578 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 8),
1579 BPF_MOV64_IMM(BPF_REG_0
, 0),
1583 .result_unpriv
= REJECT
,
1584 .errstr_unpriv
= "R1 pointer arithmetic",
1587 "unpriv: add pointer to pointer",
1589 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_10
),
1590 BPF_MOV64_IMM(BPF_REG_0
, 0),
1594 .result_unpriv
= REJECT
,
1595 .errstr_unpriv
= "R1 pointer arithmetic",
1598 "unpriv: neg pointer",
1600 BPF_ALU64_IMM(BPF_NEG
, BPF_REG_1
, 0),
1601 BPF_MOV64_IMM(BPF_REG_0
, 0),
1605 .result_unpriv
= REJECT
,
1606 .errstr_unpriv
= "R1 pointer arithmetic",
1609 "unpriv: cmp pointer with const",
1611 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 0),
1612 BPF_MOV64_IMM(BPF_REG_0
, 0),
1616 .result_unpriv
= REJECT
,
1617 .errstr_unpriv
= "R1 pointer comparison",
1620 "unpriv: cmp pointer with pointer",
1622 BPF_JMP_REG(BPF_JEQ
, BPF_REG_1
, BPF_REG_10
, 0),
1623 BPF_MOV64_IMM(BPF_REG_0
, 0),
1627 .result_unpriv
= REJECT
,
1628 .errstr_unpriv
= "R10 pointer comparison",
1631 "unpriv: check that printk is disallowed",
1633 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
1634 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
1635 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -8),
1636 BPF_MOV64_IMM(BPF_REG_2
, 8),
1637 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_1
),
1638 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1639 BPF_FUNC_trace_printk
),
1640 BPF_MOV64_IMM(BPF_REG_0
, 0),
1643 .errstr_unpriv
= "unknown func bpf_trace_printk#6",
1644 .result_unpriv
= REJECT
,
1648 "unpriv: pass pointer to helper function",
1650 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
1651 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
1652 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
1653 BPF_LD_MAP_FD(BPF_REG_1
, 0),
1654 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_2
),
1655 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
1656 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1657 BPF_FUNC_map_update_elem
),
1658 BPF_MOV64_IMM(BPF_REG_0
, 0),
1661 .fixup_map1
= { 3 },
1662 .errstr_unpriv
= "R4 leaks addr",
1663 .result_unpriv
= REJECT
,
1667 "unpriv: indirectly pass pointer on stack to helper function",
1669 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_10
, -8),
1670 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
1671 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
1672 BPF_LD_MAP_FD(BPF_REG_1
, 0),
1673 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1674 BPF_FUNC_map_lookup_elem
),
1675 BPF_MOV64_IMM(BPF_REG_0
, 0),
1678 .fixup_map1
= { 3 },
1679 .errstr
= "invalid indirect read from stack off -8+0 size 8",
1683 "unpriv: mangle pointer on stack 1",
1685 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_10
, -8),
1686 BPF_ST_MEM(BPF_W
, BPF_REG_10
, -8, 0),
1687 BPF_MOV64_IMM(BPF_REG_0
, 0),
1690 .errstr_unpriv
= "attempt to corrupt spilled",
1691 .result_unpriv
= REJECT
,
1695 "unpriv: mangle pointer on stack 2",
1697 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_10
, -8),
1698 BPF_ST_MEM(BPF_B
, BPF_REG_10
, -1, 0),
1699 BPF_MOV64_IMM(BPF_REG_0
, 0),
1702 .errstr_unpriv
= "attempt to corrupt spilled",
1703 .result_unpriv
= REJECT
,
1707 "unpriv: read pointer from stack in small chunks",
1709 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_10
, -8),
1710 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_10
, -8),
1711 BPF_MOV64_IMM(BPF_REG_0
, 0),
1714 .errstr
= "invalid size",
1718 "unpriv: write pointer into ctx",
1720 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_1
, 0),
1721 BPF_MOV64_IMM(BPF_REG_0
, 0),
1724 .errstr_unpriv
= "R1 leaks addr",
1725 .result_unpriv
= REJECT
,
1726 .errstr
= "invalid bpf_context access",
1730 "unpriv: spill/fill of ctx",
1732 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1733 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1734 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
1735 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_6
, 0),
1736 BPF_MOV64_IMM(BPF_REG_0
, 0),
1742 "unpriv: spill/fill of ctx 2",
1744 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1745 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1746 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
1747 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_6
, 0),
1748 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1749 BPF_FUNC_get_hash_recalc
),
1753 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
1756 "unpriv: spill/fill of ctx 3",
1758 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1759 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1760 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
1761 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_10
, 0),
1762 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_6
, 0),
1763 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1764 BPF_FUNC_get_hash_recalc
),
1768 .errstr
= "R1 type=fp expected=ctx",
1769 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
1772 "unpriv: spill/fill of ctx 4",
1774 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1775 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1776 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
1777 BPF_MOV64_IMM(BPF_REG_0
, 1),
1778 BPF_RAW_INSN(BPF_STX
| BPF_XADD
| BPF_DW
, BPF_REG_10
,
1780 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_6
, 0),
1781 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1782 BPF_FUNC_get_hash_recalc
),
1786 .errstr
= "R1 type=inv expected=ctx",
1787 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
1790 "unpriv: spill/fill of different pointers stx",
1792 BPF_MOV64_IMM(BPF_REG_3
, 42),
1793 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1794 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1795 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 3),
1796 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
1797 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -16),
1798 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_2
, 0),
1799 BPF_JMP_IMM(BPF_JNE
, BPF_REG_1
, 0, 1),
1800 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
1801 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_6
, 0),
1802 BPF_STX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_3
,
1803 offsetof(struct __sk_buff
, mark
)),
1804 BPF_MOV64_IMM(BPF_REG_0
, 0),
1808 .errstr
= "same insn cannot be used with different pointers",
1809 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
1812 "unpriv: spill/fill of different pointers ldx",
1814 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1815 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1816 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 3),
1817 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
1818 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
,
1819 -(__s32
)offsetof(struct bpf_perf_event_data
,
1820 sample_period
) - 8),
1821 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_2
, 0),
1822 BPF_JMP_IMM(BPF_JNE
, BPF_REG_1
, 0, 1),
1823 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
1824 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_6
, 0),
1825 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_1
,
1826 offsetof(struct bpf_perf_event_data
,
1828 BPF_MOV64_IMM(BPF_REG_0
, 0),
1832 .errstr
= "same insn cannot be used with different pointers",
1833 .prog_type
= BPF_PROG_TYPE_PERF_EVENT
,
1836 "unpriv: write pointer into map elem value",
1838 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
1839 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
1840 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
1841 BPF_LD_MAP_FD(BPF_REG_1
, 0),
1842 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1843 BPF_FUNC_map_lookup_elem
),
1844 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
1845 BPF_STX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_0
, 0),
1848 .fixup_map1
= { 3 },
1849 .errstr_unpriv
= "R0 leaks addr",
1850 .result_unpriv
= REJECT
,
1854 "unpriv: partial copy of pointer",
1856 BPF_MOV32_REG(BPF_REG_1
, BPF_REG_10
),
1857 BPF_MOV64_IMM(BPF_REG_0
, 0),
1860 .errstr_unpriv
= "R10 partial copy",
1861 .result_unpriv
= REJECT
,
1865 "unpriv: pass pointer to tail_call",
1867 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_1
),
1868 BPF_LD_MAP_FD(BPF_REG_2
, 0),
1869 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1870 BPF_FUNC_tail_call
),
1871 BPF_MOV64_IMM(BPF_REG_0
, 0),
1874 .fixup_prog
= { 1 },
1875 .errstr_unpriv
= "R3 leaks addr into helper",
1876 .result_unpriv
= REJECT
,
1880 "unpriv: cmp map pointer with zero",
1882 BPF_MOV64_IMM(BPF_REG_1
, 0),
1883 BPF_LD_MAP_FD(BPF_REG_1
, 0),
1884 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_1
, 0, 0),
1885 BPF_MOV64_IMM(BPF_REG_0
, 0),
1888 .fixup_map1
= { 1 },
1889 .errstr_unpriv
= "R1 pointer comparison",
1890 .result_unpriv
= REJECT
,
1894 "unpriv: write into frame pointer",
1896 BPF_MOV64_REG(BPF_REG_10
, BPF_REG_1
),
1897 BPF_MOV64_IMM(BPF_REG_0
, 0),
1900 .errstr
= "frame pointer is read only",
1904 "unpriv: spill/fill frame pointer",
1906 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1907 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1908 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_10
, 0),
1909 BPF_LDX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_6
, 0),
1910 BPF_MOV64_IMM(BPF_REG_0
, 0),
1913 .errstr
= "frame pointer is read only",
1917 "unpriv: cmp of frame pointer",
1919 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_10
, 0, 0),
1920 BPF_MOV64_IMM(BPF_REG_0
, 0),
1923 .errstr_unpriv
= "R10 pointer comparison",
1924 .result_unpriv
= REJECT
,
1928 "unpriv: adding of fp",
1930 BPF_MOV64_IMM(BPF_REG_0
, 0),
1931 BPF_MOV64_IMM(BPF_REG_1
, 0),
1932 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_10
),
1933 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
, -8),
1936 .errstr_unpriv
= "pointer arithmetic prohibited",
1937 .result_unpriv
= REJECT
,
1938 .errstr
= "R1 invalid mem access",
1942 "unpriv: cmp of stack pointer",
1944 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
1945 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
1946 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_2
, 0, 0),
1947 BPF_MOV64_IMM(BPF_REG_0
, 0),
1950 .errstr_unpriv
= "R2 pointer comparison",
1951 .result_unpriv
= REJECT
,
1955 "stack pointer arithmetic",
1957 BPF_MOV64_IMM(BPF_REG_1
, 4),
1958 BPF_JMP_IMM(BPF_JA
, 0, 0, 0),
1959 BPF_MOV64_REG(BPF_REG_7
, BPF_REG_10
),
1960 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_7
, -10),
1961 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_7
, -10),
1962 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_7
),
1963 BPF_ALU64_REG(BPF_ADD
, BPF_REG_2
, BPF_REG_1
),
1964 BPF_ST_MEM(0, BPF_REG_2
, 4, 0),
1965 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_7
),
1966 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, 8),
1967 BPF_ST_MEM(0, BPF_REG_2
, 4, 0),
1968 BPF_MOV64_IMM(BPF_REG_0
, 0),
1974 "raw_stack: no skb_load_bytes",
1976 BPF_MOV64_IMM(BPF_REG_2
, 4),
1977 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1978 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1979 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
1980 BPF_MOV64_IMM(BPF_REG_4
, 8),
1981 /* Call to skb_load_bytes() omitted. */
1982 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
1986 .errstr
= "invalid read from stack off -8+0 size 8",
1987 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
1990 "raw_stack: skb_load_bytes, negative len",
1992 BPF_MOV64_IMM(BPF_REG_2
, 4),
1993 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
1994 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
1995 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
1996 BPF_MOV64_IMM(BPF_REG_4
, -8),
1997 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
1998 BPF_FUNC_skb_load_bytes
),
1999 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2003 .errstr
= "invalid stack type R3",
2004 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2007 "raw_stack: skb_load_bytes, negative len 2",
2009 BPF_MOV64_IMM(BPF_REG_2
, 4),
2010 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2011 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
2012 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2013 BPF_MOV64_IMM(BPF_REG_4
, ~0),
2014 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2015 BPF_FUNC_skb_load_bytes
),
2016 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2020 .errstr
= "invalid stack type R3",
2021 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2024 "raw_stack: skb_load_bytes, zero len",
2026 BPF_MOV64_IMM(BPF_REG_2
, 4),
2027 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2028 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
2029 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2030 BPF_MOV64_IMM(BPF_REG_4
, 0),
2031 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2032 BPF_FUNC_skb_load_bytes
),
2033 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2037 .errstr
= "invalid stack type R3",
2038 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2041 "raw_stack: skb_load_bytes, no init",
2043 BPF_MOV64_IMM(BPF_REG_2
, 4),
2044 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2045 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
2046 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2047 BPF_MOV64_IMM(BPF_REG_4
, 8),
2048 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2049 BPF_FUNC_skb_load_bytes
),
2050 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2054 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2057 "raw_stack: skb_load_bytes, init",
2059 BPF_MOV64_IMM(BPF_REG_2
, 4),
2060 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2061 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
2062 BPF_ST_MEM(BPF_DW
, BPF_REG_6
, 0, 0xcafe),
2063 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2064 BPF_MOV64_IMM(BPF_REG_4
, 8),
2065 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2066 BPF_FUNC_skb_load_bytes
),
2067 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2071 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2074 "raw_stack: skb_load_bytes, spilled regs around bounds",
2076 BPF_MOV64_IMM(BPF_REG_2
, 4),
2077 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2078 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -16),
2079 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, -8),
2080 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 8),
2081 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2082 BPF_MOV64_IMM(BPF_REG_4
, 8),
2083 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2084 BPF_FUNC_skb_load_bytes
),
2085 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, -8),
2086 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_6
, 8),
2087 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_0
,
2088 offsetof(struct __sk_buff
, mark
)),
2089 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_2
,
2090 offsetof(struct __sk_buff
, priority
)),
2091 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_2
),
2095 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2098 "raw_stack: skb_load_bytes, spilled regs corruption",
2100 BPF_MOV64_IMM(BPF_REG_2
, 4),
2101 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2102 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -8),
2103 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
2104 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2105 BPF_MOV64_IMM(BPF_REG_4
, 8),
2106 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2107 BPF_FUNC_skb_load_bytes
),
2108 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2109 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_0
,
2110 offsetof(struct __sk_buff
, mark
)),
2114 .errstr
= "R0 invalid mem access 'inv'",
2115 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2118 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2120 BPF_MOV64_IMM(BPF_REG_2
, 4),
2121 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2122 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -16),
2123 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, -8),
2124 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
2125 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 8),
2126 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2127 BPF_MOV64_IMM(BPF_REG_4
, 8),
2128 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2129 BPF_FUNC_skb_load_bytes
),
2130 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, -8),
2131 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_6
, 8),
2132 BPF_LDX_MEM(BPF_DW
, BPF_REG_3
, BPF_REG_6
, 0),
2133 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_0
,
2134 offsetof(struct __sk_buff
, mark
)),
2135 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_2
,
2136 offsetof(struct __sk_buff
, priority
)),
2137 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_2
),
2138 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_3
,
2139 offsetof(struct __sk_buff
, pkt_type
)),
2140 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_3
),
2144 .errstr
= "R3 invalid mem access 'inv'",
2145 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2148 "raw_stack: skb_load_bytes, spilled regs + data",
2150 BPF_MOV64_IMM(BPF_REG_2
, 4),
2151 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2152 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -16),
2153 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, -8),
2154 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 0),
2155 BPF_STX_MEM(BPF_DW
, BPF_REG_6
, BPF_REG_1
, 8),
2156 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2157 BPF_MOV64_IMM(BPF_REG_4
, 8),
2158 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2159 BPF_FUNC_skb_load_bytes
),
2160 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, -8),
2161 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_6
, 8),
2162 BPF_LDX_MEM(BPF_DW
, BPF_REG_3
, BPF_REG_6
, 0),
2163 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_0
,
2164 offsetof(struct __sk_buff
, mark
)),
2165 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_2
,
2166 offsetof(struct __sk_buff
, priority
)),
2167 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_2
),
2168 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_3
),
2172 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2175 "raw_stack: skb_load_bytes, invalid access 1",
2177 BPF_MOV64_IMM(BPF_REG_2
, 4),
2178 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2179 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -513),
2180 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2181 BPF_MOV64_IMM(BPF_REG_4
, 8),
2182 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2183 BPF_FUNC_skb_load_bytes
),
2184 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2188 .errstr
= "invalid stack type R3 off=-513 access_size=8",
2189 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2192 "raw_stack: skb_load_bytes, invalid access 2",
2194 BPF_MOV64_IMM(BPF_REG_2
, 4),
2195 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2196 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -1),
2197 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2198 BPF_MOV64_IMM(BPF_REG_4
, 8),
2199 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2200 BPF_FUNC_skb_load_bytes
),
2201 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2205 .errstr
= "invalid stack type R3 off=-1 access_size=8",
2206 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2209 "raw_stack: skb_load_bytes, invalid access 3",
2211 BPF_MOV64_IMM(BPF_REG_2
, 4),
2212 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2213 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 0xffffffff),
2214 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2215 BPF_MOV64_IMM(BPF_REG_4
, 0xffffffff),
2216 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2217 BPF_FUNC_skb_load_bytes
),
2218 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2222 .errstr
= "invalid stack type R3 off=-1 access_size=-1",
2223 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2226 "raw_stack: skb_load_bytes, invalid access 4",
2228 BPF_MOV64_IMM(BPF_REG_2
, 4),
2229 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2230 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -1),
2231 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2232 BPF_MOV64_IMM(BPF_REG_4
, 0x7fffffff),
2233 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2234 BPF_FUNC_skb_load_bytes
),
2235 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2239 .errstr
= "invalid stack type R3 off=-1 access_size=2147483647",
2240 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2243 "raw_stack: skb_load_bytes, invalid access 5",
2245 BPF_MOV64_IMM(BPF_REG_2
, 4),
2246 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2247 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -512),
2248 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2249 BPF_MOV64_IMM(BPF_REG_4
, 0x7fffffff),
2250 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2251 BPF_FUNC_skb_load_bytes
),
2252 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2256 .errstr
= "invalid stack type R3 off=-512 access_size=2147483647",
2257 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2260 "raw_stack: skb_load_bytes, invalid access 6",
2262 BPF_MOV64_IMM(BPF_REG_2
, 4),
2263 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2264 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -512),
2265 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2266 BPF_MOV64_IMM(BPF_REG_4
, 0),
2267 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2268 BPF_FUNC_skb_load_bytes
),
2269 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2273 .errstr
= "invalid stack type R3 off=-512 access_size=0",
2274 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2277 "raw_stack: skb_load_bytes, large access",
2279 BPF_MOV64_IMM(BPF_REG_2
, 4),
2280 BPF_ALU64_REG(BPF_MOV
, BPF_REG_6
, BPF_REG_10
),
2281 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, -512),
2282 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
2283 BPF_MOV64_IMM(BPF_REG_4
, 512),
2284 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2285 BPF_FUNC_skb_load_bytes
),
2286 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
2290 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2293 "direct packet access: test1",
2295 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2296 offsetof(struct __sk_buff
, data
)),
2297 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2298 offsetof(struct __sk_buff
, data_end
)),
2299 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2300 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2301 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2302 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2303 BPF_MOV64_IMM(BPF_REG_0
, 0),
2307 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2310 "direct packet access: test2",
2312 BPF_MOV64_IMM(BPF_REG_0
, 1),
2313 BPF_LDX_MEM(BPF_W
, BPF_REG_4
, BPF_REG_1
,
2314 offsetof(struct __sk_buff
, data_end
)),
2315 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2316 offsetof(struct __sk_buff
, data
)),
2317 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_3
),
2318 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_5
, 14),
2319 BPF_JMP_REG(BPF_JGT
, BPF_REG_5
, BPF_REG_4
, 15),
2320 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_3
, 7),
2321 BPF_LDX_MEM(BPF_B
, BPF_REG_4
, BPF_REG_3
, 12),
2322 BPF_ALU64_IMM(BPF_MUL
, BPF_REG_4
, 14),
2323 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2324 offsetof(struct __sk_buff
, data
)),
2325 BPF_ALU64_REG(BPF_ADD
, BPF_REG_3
, BPF_REG_4
),
2326 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_1
),
2327 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_2
, 48),
2328 BPF_ALU64_IMM(BPF_RSH
, BPF_REG_2
, 48),
2329 BPF_ALU64_REG(BPF_ADD
, BPF_REG_3
, BPF_REG_2
),
2330 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_3
),
2331 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, 8),
2332 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_1
,
2333 offsetof(struct __sk_buff
, data_end
)),
2334 BPF_JMP_REG(BPF_JGT
, BPF_REG_2
, BPF_REG_1
, 1),
2335 BPF_LDX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_3
, 4),
2336 BPF_MOV64_IMM(BPF_REG_0
, 0),
2340 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2343 "direct packet access: test3",
2345 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2346 offsetof(struct __sk_buff
, data
)),
2347 BPF_MOV64_IMM(BPF_REG_0
, 0),
2350 .errstr
= "invalid bpf_context access off=76",
2352 .prog_type
= BPF_PROG_TYPE_SOCKET_FILTER
,
2355 "direct packet access: test4 (write)",
2357 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2358 offsetof(struct __sk_buff
, data
)),
2359 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2360 offsetof(struct __sk_buff
, data_end
)),
2361 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2362 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2363 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2364 BPF_STX_MEM(BPF_B
, BPF_REG_2
, BPF_REG_2
, 0),
2365 BPF_MOV64_IMM(BPF_REG_0
, 0),
2369 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2372 "direct packet access: test5 (pkt_end >= reg, good access)",
2374 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2375 offsetof(struct __sk_buff
, data
)),
2376 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2377 offsetof(struct __sk_buff
, data_end
)),
2378 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2379 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2380 BPF_JMP_REG(BPF_JGE
, BPF_REG_3
, BPF_REG_0
, 2),
2381 BPF_MOV64_IMM(BPF_REG_0
, 1),
2383 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2384 BPF_MOV64_IMM(BPF_REG_0
, 0),
2388 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2391 "direct packet access: test6 (pkt_end >= reg, bad access)",
2393 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2394 offsetof(struct __sk_buff
, data
)),
2395 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2396 offsetof(struct __sk_buff
, data_end
)),
2397 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2398 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2399 BPF_JMP_REG(BPF_JGE
, BPF_REG_3
, BPF_REG_0
, 3),
2400 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2401 BPF_MOV64_IMM(BPF_REG_0
, 1),
2403 BPF_MOV64_IMM(BPF_REG_0
, 0),
2406 .errstr
= "invalid access to packet",
2408 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2411 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2413 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2414 offsetof(struct __sk_buff
, data
)),
2415 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2416 offsetof(struct __sk_buff
, data_end
)),
2417 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2418 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2419 BPF_JMP_REG(BPF_JGE
, BPF_REG_3
, BPF_REG_0
, 3),
2420 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2421 BPF_MOV64_IMM(BPF_REG_0
, 1),
2423 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2424 BPF_MOV64_IMM(BPF_REG_0
, 0),
2427 .errstr
= "invalid access to packet",
2429 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2432 "direct packet access: test8 (double test, variant 1)",
2434 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2435 offsetof(struct __sk_buff
, data
)),
2436 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2437 offsetof(struct __sk_buff
, data_end
)),
2438 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2439 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2440 BPF_JMP_REG(BPF_JGE
, BPF_REG_3
, BPF_REG_0
, 4),
2441 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2442 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2443 BPF_MOV64_IMM(BPF_REG_0
, 1),
2445 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2446 BPF_MOV64_IMM(BPF_REG_0
, 0),
2450 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2453 "direct packet access: test9 (double test, variant 2)",
2455 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2456 offsetof(struct __sk_buff
, data
)),
2457 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2458 offsetof(struct __sk_buff
, data_end
)),
2459 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2460 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2461 BPF_JMP_REG(BPF_JGE
, BPF_REG_3
, BPF_REG_0
, 2),
2462 BPF_MOV64_IMM(BPF_REG_0
, 1),
2464 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2465 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2466 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
2467 BPF_MOV64_IMM(BPF_REG_0
, 0),
2471 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2474 "direct packet access: test10 (write invalid)",
2476 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2477 offsetof(struct __sk_buff
, data
)),
2478 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2479 offsetof(struct __sk_buff
, data_end
)),
2480 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2481 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2482 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 2),
2483 BPF_MOV64_IMM(BPF_REG_0
, 0),
2485 BPF_STX_MEM(BPF_B
, BPF_REG_2
, BPF_REG_2
, 0),
2486 BPF_MOV64_IMM(BPF_REG_0
, 0),
2489 .errstr
= "invalid access to packet",
2491 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2494 "direct packet access: test11 (shift, good access)",
2496 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2497 offsetof(struct __sk_buff
, data
)),
2498 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2499 offsetof(struct __sk_buff
, data_end
)),
2500 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2501 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 22),
2502 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 8),
2503 BPF_MOV64_IMM(BPF_REG_3
, 144),
2504 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_3
),
2505 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_5
, 23),
2506 BPF_ALU64_IMM(BPF_RSH
, BPF_REG_5
, 3),
2507 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_2
),
2508 BPF_ALU64_REG(BPF_ADD
, BPF_REG_6
, BPF_REG_5
),
2509 BPF_MOV64_IMM(BPF_REG_0
, 1),
2511 BPF_MOV64_IMM(BPF_REG_0
, 0),
2515 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2518 "direct packet access: test12 (and, good access)",
2520 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2521 offsetof(struct __sk_buff
, data
)),
2522 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2523 offsetof(struct __sk_buff
, data_end
)),
2524 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2525 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 22),
2526 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 8),
2527 BPF_MOV64_IMM(BPF_REG_3
, 144),
2528 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_3
),
2529 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_5
, 23),
2530 BPF_ALU64_IMM(BPF_AND
, BPF_REG_5
, 15),
2531 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_2
),
2532 BPF_ALU64_REG(BPF_ADD
, BPF_REG_6
, BPF_REG_5
),
2533 BPF_MOV64_IMM(BPF_REG_0
, 1),
2535 BPF_MOV64_IMM(BPF_REG_0
, 0),
2539 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2542 "direct packet access: test13 (branches, good access)",
2544 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2545 offsetof(struct __sk_buff
, data
)),
2546 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2547 offsetof(struct __sk_buff
, data_end
)),
2548 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2549 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 22),
2550 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 13),
2551 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2552 offsetof(struct __sk_buff
, mark
)),
2553 BPF_MOV64_IMM(BPF_REG_4
, 1),
2554 BPF_JMP_REG(BPF_JGT
, BPF_REG_3
, BPF_REG_4
, 2),
2555 BPF_MOV64_IMM(BPF_REG_3
, 14),
2556 BPF_JMP_IMM(BPF_JA
, 0, 0, 1),
2557 BPF_MOV64_IMM(BPF_REG_3
, 24),
2558 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_3
),
2559 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_5
, 23),
2560 BPF_ALU64_IMM(BPF_AND
, BPF_REG_5
, 15),
2561 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_2
),
2562 BPF_ALU64_REG(BPF_ADD
, BPF_REG_6
, BPF_REG_5
),
2563 BPF_MOV64_IMM(BPF_REG_0
, 1),
2565 BPF_MOV64_IMM(BPF_REG_0
, 0),
2569 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2572 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2574 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2575 offsetof(struct __sk_buff
, data
)),
2576 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2577 offsetof(struct __sk_buff
, data_end
)),
2578 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2579 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 22),
2580 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 7),
2581 BPF_MOV64_IMM(BPF_REG_5
, 12),
2582 BPF_ALU64_IMM(BPF_RSH
, BPF_REG_5
, 4),
2583 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_2
),
2584 BPF_ALU64_REG(BPF_ADD
, BPF_REG_6
, BPF_REG_5
),
2585 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_6
, 0),
2586 BPF_MOV64_IMM(BPF_REG_0
, 1),
2588 BPF_MOV64_IMM(BPF_REG_0
, 0),
2592 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2595 "direct packet access: test15 (spill with xadd)",
2597 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2598 offsetof(struct __sk_buff
, data
)),
2599 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2600 offsetof(struct __sk_buff
, data_end
)),
2601 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2602 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2603 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 8),
2604 BPF_MOV64_IMM(BPF_REG_5
, 4096),
2605 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_10
),
2606 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, -8),
2607 BPF_STX_MEM(BPF_DW
, BPF_REG_4
, BPF_REG_2
, 0),
2608 BPF_STX_XADD(BPF_DW
, BPF_REG_4
, BPF_REG_5
, 0),
2609 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_4
, 0),
2610 BPF_STX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_5
, 0),
2611 BPF_MOV64_IMM(BPF_REG_0
, 0),
2614 .errstr
= "R2 invalid mem access 'inv'",
2616 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2619 "direct packet access: test16 (arith on data_end)",
2621 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2622 offsetof(struct __sk_buff
, data
)),
2623 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2624 offsetof(struct __sk_buff
, data_end
)),
2625 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2626 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2627 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_3
, 16),
2628 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2629 BPF_STX_MEM(BPF_B
, BPF_REG_2
, BPF_REG_2
, 0),
2630 BPF_MOV64_IMM(BPF_REG_0
, 0),
2633 .errstr
= "invalid access to packet",
2635 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2638 "direct packet access: test17 (pruning, alignment)",
2640 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2641 offsetof(struct __sk_buff
, data
)),
2642 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2643 offsetof(struct __sk_buff
, data_end
)),
2644 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
2645 offsetof(struct __sk_buff
, mark
)),
2646 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2647 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 14),
2648 BPF_JMP_IMM(BPF_JGT
, BPF_REG_7
, 1, 4),
2649 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2650 BPF_STX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_0
, -4),
2651 BPF_MOV64_IMM(BPF_REG_0
, 0),
2653 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 1),
2656 .errstr
= "misaligned packet access off 2+15+-4 size 4",
2658 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2659 .flags
= F_LOAD_WITH_STRICT_ALIGNMENT
,
2662 "direct packet access: test18 (imm += pkt_ptr, 1)",
2664 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2665 offsetof(struct __sk_buff
, data
)),
2666 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2667 offsetof(struct __sk_buff
, data_end
)),
2668 BPF_MOV64_IMM(BPF_REG_0
, 8),
2669 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_2
),
2670 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2671 BPF_STX_MEM(BPF_B
, BPF_REG_2
, BPF_REG_2
, 0),
2672 BPF_MOV64_IMM(BPF_REG_0
, 0),
2676 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2679 "direct packet access: test19 (imm += pkt_ptr, 2)",
2681 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2682 offsetof(struct __sk_buff
, data
)),
2683 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2684 offsetof(struct __sk_buff
, data_end
)),
2685 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2686 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2687 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 3),
2688 BPF_MOV64_IMM(BPF_REG_4
, 4),
2689 BPF_ALU64_REG(BPF_ADD
, BPF_REG_4
, BPF_REG_2
),
2690 BPF_STX_MEM(BPF_B
, BPF_REG_4
, BPF_REG_4
, 0),
2691 BPF_MOV64_IMM(BPF_REG_0
, 0),
2695 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2698 "direct packet access: test20 (x += pkt_ptr, 1)",
2700 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2701 offsetof(struct __sk_buff
, data
)),
2702 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2703 offsetof(struct __sk_buff
, data_end
)),
2704 BPF_MOV64_IMM(BPF_REG_0
, 0xffffffff),
2705 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
2706 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_10
, -8),
2707 BPF_ALU64_IMM(BPF_AND
, BPF_REG_0
, 0xffff),
2708 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
2709 BPF_ALU64_REG(BPF_ADD
, BPF_REG_4
, BPF_REG_2
),
2710 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_4
),
2711 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 0xffff - 1),
2712 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 1),
2713 BPF_STX_MEM(BPF_DW
, BPF_REG_5
, BPF_REG_4
, 0),
2714 BPF_MOV64_IMM(BPF_REG_0
, 0),
2717 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2721 "direct packet access: test21 (x += pkt_ptr, 2)",
2723 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2724 offsetof(struct __sk_buff
, data
)),
2725 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2726 offsetof(struct __sk_buff
, data_end
)),
2727 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2728 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2729 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 9),
2730 BPF_MOV64_IMM(BPF_REG_4
, 0xffffffff),
2731 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_4
, -8),
2732 BPF_LDX_MEM(BPF_DW
, BPF_REG_4
, BPF_REG_10
, -8),
2733 BPF_ALU64_IMM(BPF_AND
, BPF_REG_4
, 0xffff),
2734 BPF_ALU64_REG(BPF_ADD
, BPF_REG_4
, BPF_REG_2
),
2735 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_4
),
2736 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 0xffff - 1),
2737 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 1),
2738 BPF_STX_MEM(BPF_DW
, BPF_REG_5
, BPF_REG_4
, 0),
2739 BPF_MOV64_IMM(BPF_REG_0
, 0),
2742 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2746 "direct packet access: test22 (x += pkt_ptr, 3)",
2748 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2749 offsetof(struct __sk_buff
, data
)),
2750 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2751 offsetof(struct __sk_buff
, data_end
)),
2752 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
2753 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
2754 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_2
, -8),
2755 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_3
, -16),
2756 BPF_LDX_MEM(BPF_DW
, BPF_REG_3
, BPF_REG_10
, -16),
2757 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 11),
2758 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -8),
2759 BPF_MOV64_IMM(BPF_REG_4
, 0xffffffff),
2760 BPF_STX_XADD(BPF_DW
, BPF_REG_10
, BPF_REG_4
, -8),
2761 BPF_LDX_MEM(BPF_DW
, BPF_REG_4
, BPF_REG_10
, -8),
2762 BPF_ALU64_IMM(BPF_RSH
, BPF_REG_4
, 48),
2763 BPF_ALU64_REG(BPF_ADD
, BPF_REG_4
, BPF_REG_2
),
2764 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_4
),
2765 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 2),
2766 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 2),
2767 BPF_MOV64_IMM(BPF_REG_2
, 1),
2768 BPF_STX_MEM(BPF_H
, BPF_REG_4
, BPF_REG_2
, 0),
2769 BPF_MOV64_IMM(BPF_REG_0
, 0),
2772 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2776 "direct packet access: test23 (x += pkt_ptr, 4)",
2778 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2779 offsetof(struct __sk_buff
, data
)),
2780 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2781 offsetof(struct __sk_buff
, data_end
)),
2782 BPF_MOV64_IMM(BPF_REG_0
, 0xffffffff),
2783 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
2784 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_10
, -8),
2785 BPF_ALU64_IMM(BPF_AND
, BPF_REG_0
, 0xffff),
2786 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
2787 BPF_MOV64_IMM(BPF_REG_0
, 31),
2788 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_4
),
2789 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_2
),
2790 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_0
),
2791 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 0xffff - 1),
2792 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2793 BPF_STX_MEM(BPF_DW
, BPF_REG_5
, BPF_REG_0
, 0),
2794 BPF_MOV64_IMM(BPF_REG_0
, 0),
2797 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2799 .errstr
= "cannot add integer value with 47 upper zero bits to ptr_to_packet",
2802 "direct packet access: test24 (x += pkt_ptr, 5)",
2804 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2805 offsetof(struct __sk_buff
, data
)),
2806 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2807 offsetof(struct __sk_buff
, data_end
)),
2808 BPF_MOV64_IMM(BPF_REG_0
, 0xffffffff),
2809 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
2810 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_10
, -8),
2811 BPF_ALU64_IMM(BPF_AND
, BPF_REG_0
, 0xff),
2812 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
2813 BPF_MOV64_IMM(BPF_REG_0
, 64),
2814 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_4
),
2815 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_2
),
2816 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_0
),
2817 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 0xffff - 1),
2818 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
2819 BPF_STX_MEM(BPF_DW
, BPF_REG_5
, BPF_REG_0
, 0),
2820 BPF_MOV64_IMM(BPF_REG_0
, 0),
2823 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2827 "helper access to packet: test1, valid packet_ptr range",
2829 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2830 offsetof(struct xdp_md
, data
)),
2831 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2832 offsetof(struct xdp_md
, data_end
)),
2833 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_2
),
2834 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 8),
2835 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_3
, 5),
2836 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2837 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_2
),
2838 BPF_MOV64_IMM(BPF_REG_4
, 0),
2839 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2840 BPF_FUNC_map_update_elem
),
2841 BPF_MOV64_IMM(BPF_REG_0
, 0),
2844 .fixup_map1
= { 5 },
2845 .result_unpriv
= ACCEPT
,
2847 .prog_type
= BPF_PROG_TYPE_XDP
,
2850 "helper access to packet: test2, unchecked packet_ptr",
2852 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2853 offsetof(struct xdp_md
, data
)),
2854 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2855 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2856 BPF_FUNC_map_lookup_elem
),
2857 BPF_MOV64_IMM(BPF_REG_0
, 0),
2860 .fixup_map1
= { 1 },
2862 .errstr
= "invalid access to packet",
2863 .prog_type
= BPF_PROG_TYPE_XDP
,
2866 "helper access to packet: test3, variable add",
2868 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2869 offsetof(struct xdp_md
, data
)),
2870 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2871 offsetof(struct xdp_md
, data_end
)),
2872 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
2873 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 8),
2874 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 10),
2875 BPF_LDX_MEM(BPF_B
, BPF_REG_5
, BPF_REG_2
, 0),
2876 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
2877 BPF_ALU64_REG(BPF_ADD
, BPF_REG_4
, BPF_REG_5
),
2878 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_4
),
2879 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_5
, 8),
2880 BPF_JMP_REG(BPF_JGT
, BPF_REG_5
, BPF_REG_3
, 4),
2881 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2882 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_4
),
2883 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2884 BPF_FUNC_map_lookup_elem
),
2885 BPF_MOV64_IMM(BPF_REG_0
, 0),
2888 .fixup_map1
= { 11 },
2890 .prog_type
= BPF_PROG_TYPE_XDP
,
2893 "helper access to packet: test4, packet_ptr with bad range",
2895 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2896 offsetof(struct xdp_md
, data
)),
2897 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2898 offsetof(struct xdp_md
, data_end
)),
2899 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
2900 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 4),
2901 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 2),
2902 BPF_MOV64_IMM(BPF_REG_0
, 0),
2904 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2905 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2906 BPF_FUNC_map_lookup_elem
),
2907 BPF_MOV64_IMM(BPF_REG_0
, 0),
2910 .fixup_map1
= { 7 },
2912 .errstr
= "invalid access to packet",
2913 .prog_type
= BPF_PROG_TYPE_XDP
,
2916 "helper access to packet: test5, packet_ptr with too short range",
2918 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2919 offsetof(struct xdp_md
, data
)),
2920 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2921 offsetof(struct xdp_md
, data_end
)),
2922 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, 1),
2923 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
2924 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 7),
2925 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 3),
2926 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2927 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2928 BPF_FUNC_map_lookup_elem
),
2929 BPF_MOV64_IMM(BPF_REG_0
, 0),
2932 .fixup_map1
= { 6 },
2934 .errstr
= "invalid access to packet",
2935 .prog_type
= BPF_PROG_TYPE_XDP
,
2938 "helper access to packet: test6, cls valid packet_ptr range",
2940 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2941 offsetof(struct __sk_buff
, data
)),
2942 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2943 offsetof(struct __sk_buff
, data_end
)),
2944 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_2
),
2945 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 8),
2946 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_3
, 5),
2947 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2948 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_2
),
2949 BPF_MOV64_IMM(BPF_REG_4
, 0),
2950 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2951 BPF_FUNC_map_update_elem
),
2952 BPF_MOV64_IMM(BPF_REG_0
, 0),
2955 .fixup_map1
= { 5 },
2957 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2960 "helper access to packet: test7, cls unchecked packet_ptr",
2962 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2963 offsetof(struct __sk_buff
, data
)),
2964 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2965 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2966 BPF_FUNC_map_lookup_elem
),
2967 BPF_MOV64_IMM(BPF_REG_0
, 0),
2970 .fixup_map1
= { 1 },
2972 .errstr
= "invalid access to packet",
2973 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
2976 "helper access to packet: test8, cls variable add",
2978 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
2979 offsetof(struct __sk_buff
, data
)),
2980 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
2981 offsetof(struct __sk_buff
, data_end
)),
2982 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
2983 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 8),
2984 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 10),
2985 BPF_LDX_MEM(BPF_B
, BPF_REG_5
, BPF_REG_2
, 0),
2986 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
2987 BPF_ALU64_REG(BPF_ADD
, BPF_REG_4
, BPF_REG_5
),
2988 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_4
),
2989 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_5
, 8),
2990 BPF_JMP_REG(BPF_JGT
, BPF_REG_5
, BPF_REG_3
, 4),
2991 BPF_LD_MAP_FD(BPF_REG_1
, 0),
2992 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_4
),
2993 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
2994 BPF_FUNC_map_lookup_elem
),
2995 BPF_MOV64_IMM(BPF_REG_0
, 0),
2998 .fixup_map1
= { 11 },
3000 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3003 "helper access to packet: test9, cls packet_ptr with bad range",
3005 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3006 offsetof(struct __sk_buff
, data
)),
3007 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3008 offsetof(struct __sk_buff
, data_end
)),
3009 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
3010 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 4),
3011 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 2),
3012 BPF_MOV64_IMM(BPF_REG_0
, 0),
3014 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3015 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3016 BPF_FUNC_map_lookup_elem
),
3017 BPF_MOV64_IMM(BPF_REG_0
, 0),
3020 .fixup_map1
= { 7 },
3022 .errstr
= "invalid access to packet",
3023 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3026 "helper access to packet: test10, cls packet_ptr with too short range",
3028 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3029 offsetof(struct __sk_buff
, data
)),
3030 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3031 offsetof(struct __sk_buff
, data_end
)),
3032 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, 1),
3033 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_2
),
3034 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 7),
3035 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_3
, 3),
3036 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3037 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3038 BPF_FUNC_map_lookup_elem
),
3039 BPF_MOV64_IMM(BPF_REG_0
, 0),
3042 .fixup_map1
= { 6 },
3044 .errstr
= "invalid access to packet",
3045 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3048 "helper access to packet: test11, cls unsuitable helper 1",
3050 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3051 offsetof(struct __sk_buff
, data
)),
3052 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3053 offsetof(struct __sk_buff
, data_end
)),
3054 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3055 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
3056 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_3
, 7),
3057 BPF_JMP_REG(BPF_JGT
, BPF_REG_3
, BPF_REG_7
, 4),
3058 BPF_MOV64_IMM(BPF_REG_2
, 0),
3059 BPF_MOV64_IMM(BPF_REG_4
, 42),
3060 BPF_MOV64_IMM(BPF_REG_5
, 0),
3061 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3062 BPF_FUNC_skb_store_bytes
),
3063 BPF_MOV64_IMM(BPF_REG_0
, 0),
3067 .errstr
= "helper access to the packet",
3068 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3071 "helper access to packet: test12, cls unsuitable helper 2",
3073 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3074 offsetof(struct __sk_buff
, data
)),
3075 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3076 offsetof(struct __sk_buff
, data_end
)),
3077 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_6
),
3078 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 8),
3079 BPF_JMP_REG(BPF_JGT
, BPF_REG_6
, BPF_REG_7
, 3),
3080 BPF_MOV64_IMM(BPF_REG_2
, 0),
3081 BPF_MOV64_IMM(BPF_REG_4
, 4),
3082 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3083 BPF_FUNC_skb_load_bytes
),
3084 BPF_MOV64_IMM(BPF_REG_0
, 0),
3088 .errstr
= "helper access to the packet",
3089 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3092 "helper access to packet: test13, cls helper ok",
3094 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3095 offsetof(struct __sk_buff
, data
)),
3096 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3097 offsetof(struct __sk_buff
, data_end
)),
3098 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3099 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3100 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3101 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3102 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3103 BPF_MOV64_IMM(BPF_REG_2
, 4),
3104 BPF_MOV64_IMM(BPF_REG_3
, 0),
3105 BPF_MOV64_IMM(BPF_REG_4
, 0),
3106 BPF_MOV64_IMM(BPF_REG_5
, 0),
3107 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3108 BPF_FUNC_csum_diff
),
3109 BPF_MOV64_IMM(BPF_REG_0
, 0),
3113 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3116 "helper access to packet: test14, cls helper fail sub",
3118 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3119 offsetof(struct __sk_buff
, data
)),
3120 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3121 offsetof(struct __sk_buff
, data_end
)),
3122 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3123 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3124 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3125 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3126 BPF_ALU64_IMM(BPF_SUB
, BPF_REG_1
, 4),
3127 BPF_MOV64_IMM(BPF_REG_2
, 4),
3128 BPF_MOV64_IMM(BPF_REG_3
, 0),
3129 BPF_MOV64_IMM(BPF_REG_4
, 0),
3130 BPF_MOV64_IMM(BPF_REG_5
, 0),
3131 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3132 BPF_FUNC_csum_diff
),
3133 BPF_MOV64_IMM(BPF_REG_0
, 0),
3137 .errstr
= "type=inv expected=fp",
3138 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3141 "helper access to packet: test15, cls helper fail range 1",
3143 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3144 offsetof(struct __sk_buff
, data
)),
3145 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3146 offsetof(struct __sk_buff
, data_end
)),
3147 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3148 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3149 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3150 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3151 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3152 BPF_MOV64_IMM(BPF_REG_2
, 8),
3153 BPF_MOV64_IMM(BPF_REG_3
, 0),
3154 BPF_MOV64_IMM(BPF_REG_4
, 0),
3155 BPF_MOV64_IMM(BPF_REG_5
, 0),
3156 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3157 BPF_FUNC_csum_diff
),
3158 BPF_MOV64_IMM(BPF_REG_0
, 0),
3162 .errstr
= "invalid access to packet",
3163 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3166 "helper access to packet: test16, cls helper fail range 2",
3168 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3169 offsetof(struct __sk_buff
, data
)),
3170 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3171 offsetof(struct __sk_buff
, data_end
)),
3172 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3173 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3174 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3175 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3176 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3177 BPF_MOV64_IMM(BPF_REG_2
, -9),
3178 BPF_MOV64_IMM(BPF_REG_3
, 0),
3179 BPF_MOV64_IMM(BPF_REG_4
, 0),
3180 BPF_MOV64_IMM(BPF_REG_5
, 0),
3181 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3182 BPF_FUNC_csum_diff
),
3183 BPF_MOV64_IMM(BPF_REG_0
, 0),
3187 .errstr
= "invalid access to packet",
3188 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3191 "helper access to packet: test17, cls helper fail range 3",
3193 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3194 offsetof(struct __sk_buff
, data
)),
3195 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3196 offsetof(struct __sk_buff
, data_end
)),
3197 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3198 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3199 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3200 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3201 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3202 BPF_MOV64_IMM(BPF_REG_2
, ~0),
3203 BPF_MOV64_IMM(BPF_REG_3
, 0),
3204 BPF_MOV64_IMM(BPF_REG_4
, 0),
3205 BPF_MOV64_IMM(BPF_REG_5
, 0),
3206 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3207 BPF_FUNC_csum_diff
),
3208 BPF_MOV64_IMM(BPF_REG_0
, 0),
3212 .errstr
= "invalid access to packet",
3213 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3216 "helper access to packet: test18, cls helper fail range zero",
3218 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3219 offsetof(struct __sk_buff
, data
)),
3220 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3221 offsetof(struct __sk_buff
, data_end
)),
3222 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3223 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3224 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3225 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3226 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3227 BPF_MOV64_IMM(BPF_REG_2
, 0),
3228 BPF_MOV64_IMM(BPF_REG_3
, 0),
3229 BPF_MOV64_IMM(BPF_REG_4
, 0),
3230 BPF_MOV64_IMM(BPF_REG_5
, 0),
3231 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3232 BPF_FUNC_csum_diff
),
3233 BPF_MOV64_IMM(BPF_REG_0
, 0),
3237 .errstr
= "invalid access to packet",
3238 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3241 "helper access to packet: test19, pkt end as input",
3243 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3244 offsetof(struct __sk_buff
, data
)),
3245 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3246 offsetof(struct __sk_buff
, data_end
)),
3247 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3248 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3249 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3250 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3251 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_7
),
3252 BPF_MOV64_IMM(BPF_REG_2
, 4),
3253 BPF_MOV64_IMM(BPF_REG_3
, 0),
3254 BPF_MOV64_IMM(BPF_REG_4
, 0),
3255 BPF_MOV64_IMM(BPF_REG_5
, 0),
3256 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3257 BPF_FUNC_csum_diff
),
3258 BPF_MOV64_IMM(BPF_REG_0
, 0),
3262 .errstr
= "R1 type=pkt_end expected=fp",
3263 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3266 "helper access to packet: test20, wrong reg",
3268 BPF_LDX_MEM(BPF_W
, BPF_REG_6
, BPF_REG_1
,
3269 offsetof(struct __sk_buff
, data
)),
3270 BPF_LDX_MEM(BPF_W
, BPF_REG_7
, BPF_REG_1
,
3271 offsetof(struct __sk_buff
, data_end
)),
3272 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_6
, 1),
3273 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_6
),
3274 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 7),
3275 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_7
, 6),
3276 BPF_MOV64_IMM(BPF_REG_2
, 4),
3277 BPF_MOV64_IMM(BPF_REG_3
, 0),
3278 BPF_MOV64_IMM(BPF_REG_4
, 0),
3279 BPF_MOV64_IMM(BPF_REG_5
, 0),
3280 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3281 BPF_FUNC_csum_diff
),
3282 BPF_MOV64_IMM(BPF_REG_0
, 0),
3286 .errstr
= "invalid access to packet",
3287 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
3290 "valid map access into an array with a constant",
3292 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3293 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3294 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3295 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3296 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3297 BPF_FUNC_map_lookup_elem
),
3298 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3299 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3300 offsetof(struct test_val
, foo
)),
3303 .fixup_map2
= { 3 },
3304 .errstr_unpriv
= "R0 leaks addr",
3305 .result_unpriv
= REJECT
,
3309 "valid map access into an array with a register",
3311 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3312 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3313 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3314 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3315 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3316 BPF_FUNC_map_lookup_elem
),
3317 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
3318 BPF_MOV64_IMM(BPF_REG_1
, 4),
3319 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_1
, 2),
3320 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3321 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3322 offsetof(struct test_val
, foo
)),
3325 .fixup_map2
= { 3 },
3326 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3327 .result_unpriv
= REJECT
,
3329 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3332 "valid map access into an array with a variable",
3334 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3335 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3336 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3337 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3338 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3339 BPF_FUNC_map_lookup_elem
),
3340 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
3341 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
3342 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, MAX_ENTRIES
, 3),
3343 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_1
, 2),
3344 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3345 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3346 offsetof(struct test_val
, foo
)),
3349 .fixup_map2
= { 3 },
3350 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3351 .result_unpriv
= REJECT
,
3353 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3356 "valid map access into an array with a signed variable",
3358 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3359 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3360 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3361 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3362 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3363 BPF_FUNC_map_lookup_elem
),
3364 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
3365 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
3366 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 0xffffffff, 1),
3367 BPF_MOV32_IMM(BPF_REG_1
, 0),
3368 BPF_MOV32_IMM(BPF_REG_2
, MAX_ENTRIES
),
3369 BPF_JMP_REG(BPF_JSGT
, BPF_REG_2
, BPF_REG_1
, 1),
3370 BPF_MOV32_IMM(BPF_REG_1
, 0),
3371 BPF_ALU32_IMM(BPF_LSH
, BPF_REG_1
, 2),
3372 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3373 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3374 offsetof(struct test_val
, foo
)),
3377 .fixup_map2
= { 3 },
3378 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3379 .result_unpriv
= REJECT
,
3381 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3384 "invalid map access into an array with a constant",
3386 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3387 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3388 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3389 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3390 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3391 BPF_FUNC_map_lookup_elem
),
3392 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3393 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, (MAX_ENTRIES
+ 1) << 2,
3394 offsetof(struct test_val
, foo
)),
3397 .fixup_map2
= { 3 },
3398 .errstr
= "invalid access to map value, value_size=48 off=48 size=8",
3402 "invalid map access into an array with a register",
3404 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3405 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3406 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3407 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3408 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3409 BPF_FUNC_map_lookup_elem
),
3410 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
3411 BPF_MOV64_IMM(BPF_REG_1
, MAX_ENTRIES
+ 1),
3412 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_1
, 2),
3413 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3414 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3415 offsetof(struct test_val
, foo
)),
3418 .fixup_map2
= { 3 },
3419 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3420 .errstr
= "R0 min value is outside of the array range",
3421 .result_unpriv
= REJECT
,
3423 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3426 "invalid map access into an array with a variable",
3428 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3429 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3430 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3431 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3432 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3433 BPF_FUNC_map_lookup_elem
),
3434 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
3435 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
3436 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_1
, 2),
3437 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3438 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3439 offsetof(struct test_val
, foo
)),
3442 .fixup_map2
= { 3 },
3443 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3444 .errstr
= "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3445 .result_unpriv
= REJECT
,
3447 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3450 "invalid map access into an array with no floor check",
3452 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3453 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3454 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3455 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3456 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3457 BPF_FUNC_map_lookup_elem
),
3458 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
3459 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
3460 BPF_MOV32_IMM(BPF_REG_2
, MAX_ENTRIES
),
3461 BPF_JMP_REG(BPF_JSGT
, BPF_REG_2
, BPF_REG_1
, 1),
3462 BPF_MOV32_IMM(BPF_REG_1
, 0),
3463 BPF_ALU32_IMM(BPF_LSH
, BPF_REG_1
, 2),
3464 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3465 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3466 offsetof(struct test_val
, foo
)),
3469 .fixup_map2
= { 3 },
3470 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3471 .errstr
= "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3472 .result_unpriv
= REJECT
,
3474 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3477 "invalid map access into an array with a invalid max check",
3479 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3480 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3481 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3482 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3483 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3484 BPF_FUNC_map_lookup_elem
),
3485 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
3486 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
3487 BPF_MOV32_IMM(BPF_REG_2
, MAX_ENTRIES
+ 1),
3488 BPF_JMP_REG(BPF_JGT
, BPF_REG_2
, BPF_REG_1
, 1),
3489 BPF_MOV32_IMM(BPF_REG_1
, 0),
3490 BPF_ALU32_IMM(BPF_LSH
, BPF_REG_1
, 2),
3491 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3492 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
3493 offsetof(struct test_val
, foo
)),
3496 .fixup_map2
= { 3 },
3497 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3498 .errstr
= "invalid access to map value, value_size=48 off=44 size=8",
3499 .result_unpriv
= REJECT
,
3501 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3504 "invalid map access into an array with a invalid max check",
3506 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3507 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3508 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3509 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3510 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3511 BPF_FUNC_map_lookup_elem
),
3512 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 10),
3513 BPF_MOV64_REG(BPF_REG_8
, BPF_REG_0
),
3514 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3515 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3516 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3517 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3518 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3519 BPF_FUNC_map_lookup_elem
),
3520 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 2),
3521 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_8
),
3522 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_0
,
3523 offsetof(struct test_val
, foo
)),
3526 .fixup_map2
= { 3, 11 },
3527 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3528 .errstr
= "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3529 .result_unpriv
= REJECT
,
3531 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3534 "multiple registers share map_lookup_elem result",
3536 BPF_MOV64_IMM(BPF_REG_1
, 10),
3537 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
3538 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3539 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3540 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3541 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3542 BPF_FUNC_map_lookup_elem
),
3543 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
3544 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3545 BPF_ST_MEM(BPF_DW
, BPF_REG_4
, 0, 0),
3548 .fixup_map1
= { 4 },
3550 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
3553 "alu ops on ptr_to_map_value_or_null, 1",
3555 BPF_MOV64_IMM(BPF_REG_1
, 10),
3556 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
3557 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3558 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3559 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3560 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3561 BPF_FUNC_map_lookup_elem
),
3562 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
3563 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, -2),
3564 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 2),
3565 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3566 BPF_ST_MEM(BPF_DW
, BPF_REG_4
, 0, 0),
3569 .fixup_map1
= { 4 },
3570 .errstr
= "R4 invalid mem access",
3572 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
3575 "alu ops on ptr_to_map_value_or_null, 2",
3577 BPF_MOV64_IMM(BPF_REG_1
, 10),
3578 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
3579 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3580 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3581 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3582 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3583 BPF_FUNC_map_lookup_elem
),
3584 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
3585 BPF_ALU64_IMM(BPF_AND
, BPF_REG_4
, -1),
3586 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3587 BPF_ST_MEM(BPF_DW
, BPF_REG_4
, 0, 0),
3590 .fixup_map1
= { 4 },
3591 .errstr
= "R4 invalid mem access",
3593 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
3596 "alu ops on ptr_to_map_value_or_null, 3",
3598 BPF_MOV64_IMM(BPF_REG_1
, 10),
3599 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
3600 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3601 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3602 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3603 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3604 BPF_FUNC_map_lookup_elem
),
3605 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
3606 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_4
, 1),
3607 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3608 BPF_ST_MEM(BPF_DW
, BPF_REG_4
, 0, 0),
3611 .fixup_map1
= { 4 },
3612 .errstr
= "R4 invalid mem access",
3614 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
3617 "invalid memory access with multiple map_lookup_elem calls",
3619 BPF_MOV64_IMM(BPF_REG_1
, 10),
3620 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
3621 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3622 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3623 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3624 BPF_MOV64_REG(BPF_REG_8
, BPF_REG_1
),
3625 BPF_MOV64_REG(BPF_REG_7
, BPF_REG_2
),
3626 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3627 BPF_FUNC_map_lookup_elem
),
3628 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
3629 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_8
),
3630 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_7
),
3631 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3632 BPF_FUNC_map_lookup_elem
),
3633 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3634 BPF_ST_MEM(BPF_DW
, BPF_REG_4
, 0, 0),
3637 .fixup_map1
= { 4 },
3639 .errstr
= "R4 !read_ok",
3640 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
3643 "valid indirect map_lookup_elem access with 2nd lookup in branch",
3645 BPF_MOV64_IMM(BPF_REG_1
, 10),
3646 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
3647 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3648 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3649 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3650 BPF_MOV64_REG(BPF_REG_8
, BPF_REG_1
),
3651 BPF_MOV64_REG(BPF_REG_7
, BPF_REG_2
),
3652 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3653 BPF_FUNC_map_lookup_elem
),
3654 BPF_MOV64_IMM(BPF_REG_2
, 10),
3655 BPF_JMP_IMM(BPF_JNE
, BPF_REG_2
, 0, 3),
3656 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_8
),
3657 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_7
),
3658 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3659 BPF_FUNC_map_lookup_elem
),
3660 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
3661 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3662 BPF_ST_MEM(BPF_DW
, BPF_REG_4
, 0, 0),
3665 .fixup_map1
= { 4 },
3667 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
3670 "multiple registers share map_lookup_elem bad reg type",
3672 BPF_MOV64_IMM(BPF_REG_1
, 10),
3673 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_1
, -8),
3674 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3675 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3676 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3677 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3678 BPF_FUNC_map_lookup_elem
),
3679 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_0
),
3680 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_0
),
3681 BPF_MOV64_REG(BPF_REG_4
, BPF_REG_0
),
3682 BPF_MOV64_REG(BPF_REG_5
, BPF_REG_0
),
3683 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3684 BPF_MOV64_IMM(BPF_REG_1
, 1),
3685 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
3686 BPF_MOV64_IMM(BPF_REG_1
, 2),
3687 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_3
, 0, 1),
3688 BPF_ST_MEM(BPF_DW
, BPF_REG_3
, 0, 0),
3689 BPF_MOV64_IMM(BPF_REG_1
, 3),
3692 .fixup_map1
= { 4 },
3694 .errstr
= "R3 invalid mem access 'inv'",
3695 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
3698 "invalid map access from else condition",
3700 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3701 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3702 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3703 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3704 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0, BPF_FUNC_map_lookup_elem
),
3705 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
3706 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
3707 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, MAX_ENTRIES
-1, 1),
3708 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 1),
3709 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_1
, 2),
3710 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
3711 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, offsetof(struct test_val
, foo
)),
3714 .fixup_map2
= { 3 },
3715 .errstr
= "R0 unbounded memory access, make sure to bounds check any array access into a map",
3717 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
3718 .result_unpriv
= REJECT
,
3719 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
3722 "constant register |= constant should keep constant type",
3724 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
3725 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -48),
3726 BPF_MOV64_IMM(BPF_REG_2
, 34),
3727 BPF_ALU64_IMM(BPF_OR
, BPF_REG_2
, 13),
3728 BPF_MOV64_IMM(BPF_REG_3
, 0),
3729 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
3733 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
3736 "constant register |= constant should not bypass stack boundary checks",
3738 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
3739 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -48),
3740 BPF_MOV64_IMM(BPF_REG_2
, 34),
3741 BPF_ALU64_IMM(BPF_OR
, BPF_REG_2
, 24),
3742 BPF_MOV64_IMM(BPF_REG_3
, 0),
3743 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
3746 .errstr
= "invalid stack type R1 off=-48 access_size=58",
3748 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
3751 "constant register |= constant register should keep constant type",
3753 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
3754 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -48),
3755 BPF_MOV64_IMM(BPF_REG_2
, 34),
3756 BPF_MOV64_IMM(BPF_REG_4
, 13),
3757 BPF_ALU64_REG(BPF_OR
, BPF_REG_2
, BPF_REG_4
),
3758 BPF_MOV64_IMM(BPF_REG_3
, 0),
3759 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
3763 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
3766 "constant register |= constant register should not bypass stack boundary checks",
3768 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
3769 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -48),
3770 BPF_MOV64_IMM(BPF_REG_2
, 34),
3771 BPF_MOV64_IMM(BPF_REG_4
, 24),
3772 BPF_ALU64_REG(BPF_OR
, BPF_REG_2
, BPF_REG_4
),
3773 BPF_MOV64_IMM(BPF_REG_3
, 0),
3774 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
3777 .errstr
= "invalid stack type R1 off=-48 access_size=58",
3779 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
3782 "invalid direct packet write for LWT_IN",
3784 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3785 offsetof(struct __sk_buff
, data
)),
3786 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3787 offsetof(struct __sk_buff
, data_end
)),
3788 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
3789 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
3790 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
3791 BPF_STX_MEM(BPF_B
, BPF_REG_2
, BPF_REG_2
, 0),
3792 BPF_MOV64_IMM(BPF_REG_0
, 0),
3795 .errstr
= "cannot write into packet",
3797 .prog_type
= BPF_PROG_TYPE_LWT_IN
,
3800 "invalid direct packet write for LWT_OUT",
3802 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3803 offsetof(struct __sk_buff
, data
)),
3804 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3805 offsetof(struct __sk_buff
, data_end
)),
3806 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
3807 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
3808 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
3809 BPF_STX_MEM(BPF_B
, BPF_REG_2
, BPF_REG_2
, 0),
3810 BPF_MOV64_IMM(BPF_REG_0
, 0),
3813 .errstr
= "cannot write into packet",
3815 .prog_type
= BPF_PROG_TYPE_LWT_OUT
,
3818 "direct packet write for LWT_XMIT",
3820 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3821 offsetof(struct __sk_buff
, data
)),
3822 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3823 offsetof(struct __sk_buff
, data_end
)),
3824 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
3825 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
3826 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
3827 BPF_STX_MEM(BPF_B
, BPF_REG_2
, BPF_REG_2
, 0),
3828 BPF_MOV64_IMM(BPF_REG_0
, 0),
3832 .prog_type
= BPF_PROG_TYPE_LWT_XMIT
,
3835 "direct packet read for LWT_IN",
3837 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3838 offsetof(struct __sk_buff
, data
)),
3839 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3840 offsetof(struct __sk_buff
, data_end
)),
3841 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
3842 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
3843 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
3844 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
3845 BPF_MOV64_IMM(BPF_REG_0
, 0),
3849 .prog_type
= BPF_PROG_TYPE_LWT_IN
,
3852 "direct packet read for LWT_OUT",
3854 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3855 offsetof(struct __sk_buff
, data
)),
3856 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3857 offsetof(struct __sk_buff
, data_end
)),
3858 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
3859 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
3860 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
3861 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
3862 BPF_MOV64_IMM(BPF_REG_0
, 0),
3866 .prog_type
= BPF_PROG_TYPE_LWT_OUT
,
3869 "direct packet read for LWT_XMIT",
3871 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3872 offsetof(struct __sk_buff
, data
)),
3873 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3874 offsetof(struct __sk_buff
, data_end
)),
3875 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
3876 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
3877 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 1),
3878 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_2
, 0),
3879 BPF_MOV64_IMM(BPF_REG_0
, 0),
3883 .prog_type
= BPF_PROG_TYPE_LWT_XMIT
,
3886 "overlapping checks for direct packet access",
3888 BPF_LDX_MEM(BPF_W
, BPF_REG_2
, BPF_REG_1
,
3889 offsetof(struct __sk_buff
, data
)),
3890 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_1
,
3891 offsetof(struct __sk_buff
, data_end
)),
3892 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
3893 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 8),
3894 BPF_JMP_REG(BPF_JGT
, BPF_REG_0
, BPF_REG_3
, 4),
3895 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_2
),
3896 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 6),
3897 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_3
, 1),
3898 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_2
, 6),
3899 BPF_MOV64_IMM(BPF_REG_0
, 0),
3903 .prog_type
= BPF_PROG_TYPE_LWT_XMIT
,
3906 "invalid access of tc_classid for LWT_IN",
3908 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
3909 offsetof(struct __sk_buff
, tc_classid
)),
3913 .errstr
= "invalid bpf_context access",
3916 "invalid access of tc_classid for LWT_OUT",
3918 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
3919 offsetof(struct __sk_buff
, tc_classid
)),
3923 .errstr
= "invalid bpf_context access",
3926 "invalid access of tc_classid for LWT_XMIT",
3928 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
3929 offsetof(struct __sk_buff
, tc_classid
)),
3933 .errstr
= "invalid bpf_context access",
3936 "leak pointer into ctx 1",
3938 BPF_MOV64_IMM(BPF_REG_0
, 0),
3939 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
3940 offsetof(struct __sk_buff
, cb
[0])),
3941 BPF_LD_MAP_FD(BPF_REG_2
, 0),
3942 BPF_STX_XADD(BPF_DW
, BPF_REG_1
, BPF_REG_2
,
3943 offsetof(struct __sk_buff
, cb
[0])),
3946 .fixup_map1
= { 2 },
3947 .errstr_unpriv
= "R2 leaks addr into mem",
3948 .result_unpriv
= REJECT
,
3952 "leak pointer into ctx 2",
3954 BPF_MOV64_IMM(BPF_REG_0
, 0),
3955 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
,
3956 offsetof(struct __sk_buff
, cb
[0])),
3957 BPF_STX_XADD(BPF_DW
, BPF_REG_1
, BPF_REG_10
,
3958 offsetof(struct __sk_buff
, cb
[0])),
3961 .errstr_unpriv
= "R10 leaks addr into mem",
3962 .result_unpriv
= REJECT
,
3966 "leak pointer into ctx 3",
3968 BPF_MOV64_IMM(BPF_REG_0
, 0),
3969 BPF_LD_MAP_FD(BPF_REG_2
, 0),
3970 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
,
3971 offsetof(struct __sk_buff
, cb
[0])),
3974 .fixup_map1
= { 1 },
3975 .errstr_unpriv
= "R2 leaks addr into ctx",
3976 .result_unpriv
= REJECT
,
3980 "leak pointer into map val",
3982 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
3983 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
3984 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
3985 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
3986 BPF_LD_MAP_FD(BPF_REG_1
, 0),
3987 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
3988 BPF_FUNC_map_lookup_elem
),
3989 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 3),
3990 BPF_MOV64_IMM(BPF_REG_3
, 0),
3991 BPF_STX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_3
, 0),
3992 BPF_STX_XADD(BPF_DW
, BPF_REG_0
, BPF_REG_6
, 0),
3993 BPF_MOV64_IMM(BPF_REG_0
, 0),
3996 .fixup_map1
= { 4 },
3997 .errstr_unpriv
= "R6 leaks addr into mem",
3998 .result_unpriv
= REJECT
,
4002 "helper access to map: full range",
4004 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4005 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4006 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4007 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4009 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
4010 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4011 BPF_MOV64_IMM(BPF_REG_2
, sizeof(struct test_val
)),
4012 BPF_MOV64_IMM(BPF_REG_3
, 0),
4013 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4016 .fixup_map2
= { 3 },
4018 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4021 "helper access to map: partial range",
4023 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4024 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4025 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4026 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4027 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4028 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
4029 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4030 BPF_MOV64_IMM(BPF_REG_2
, 8),
4031 BPF_MOV64_IMM(BPF_REG_3
, 0),
4032 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4035 .fixup_map2
= { 3 },
4037 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4040 "helper access to map: empty range",
4042 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4043 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4044 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4045 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4046 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4047 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
4048 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4049 BPF_MOV64_IMM(BPF_REG_2
, 0),
4050 BPF_MOV64_IMM(BPF_REG_3
, 0),
4051 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4054 .fixup_map2
= { 3 },
4055 .errstr
= "invalid access to map value, value_size=48 off=0 size=0",
4057 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4060 "helper access to map: out-of-bound range",
4062 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4063 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4064 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4065 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4066 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4067 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
4068 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4069 BPF_MOV64_IMM(BPF_REG_2
, sizeof(struct test_val
) + 8),
4070 BPF_MOV64_IMM(BPF_REG_3
, 0),
4071 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4074 .fixup_map2
= { 3 },
4075 .errstr
= "invalid access to map value, value_size=48 off=0 size=56",
4077 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4080 "helper access to map: negative range",
4082 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4083 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4084 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4085 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4086 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4087 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
4088 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4089 BPF_MOV64_IMM(BPF_REG_2
, -8),
4090 BPF_MOV64_IMM(BPF_REG_3
, 0),
4091 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4094 .fixup_map2
= { 3 },
4095 .errstr
= "invalid access to map value, value_size=48 off=0 size=-8",
4097 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4100 "helper access to adjusted map (via const imm): full range",
4102 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4103 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4104 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4105 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4106 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4107 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
4108 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4109 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
,
4110 offsetof(struct test_val
, foo
)),
4111 BPF_MOV64_IMM(BPF_REG_2
,
4112 sizeof(struct test_val
) -
4113 offsetof(struct test_val
, foo
)),
4114 BPF_MOV64_IMM(BPF_REG_3
, 0),
4115 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4118 .fixup_map2
= { 3 },
4120 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4123 "helper access to adjusted map (via const imm): partial range",
4125 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4126 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4127 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4128 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4129 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4130 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
4131 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4132 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
,
4133 offsetof(struct test_val
, foo
)),
4134 BPF_MOV64_IMM(BPF_REG_2
, 8),
4135 BPF_MOV64_IMM(BPF_REG_3
, 0),
4136 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4139 .fixup_map2
= { 3 },
4141 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4144 "helper access to adjusted map (via const imm): empty range",
4146 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4147 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4148 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4149 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4150 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4151 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
4152 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4153 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
,
4154 offsetof(struct test_val
, foo
)),
4155 BPF_MOV64_IMM(BPF_REG_2
, 0),
4156 BPF_MOV64_IMM(BPF_REG_3
, 0),
4157 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4160 .fixup_map2
= { 3 },
4161 .errstr
= "R1 min value is outside of the array range",
4163 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4166 "helper access to adjusted map (via const imm): out-of-bound range",
4168 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4169 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4170 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4171 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4172 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4173 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
4174 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4175 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
,
4176 offsetof(struct test_val
, foo
)),
4177 BPF_MOV64_IMM(BPF_REG_2
,
4178 sizeof(struct test_val
) -
4179 offsetof(struct test_val
, foo
) + 8),
4180 BPF_MOV64_IMM(BPF_REG_3
, 0),
4181 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4184 .fixup_map2
= { 3 },
4185 .errstr
= "invalid access to map value, value_size=48 off=4 size=52",
4187 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4190 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4192 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4193 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4194 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4195 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4196 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4197 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
4198 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4199 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
,
4200 offsetof(struct test_val
, foo
)),
4201 BPF_MOV64_IMM(BPF_REG_2
, -8),
4202 BPF_MOV64_IMM(BPF_REG_3
, 0),
4203 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4206 .fixup_map2
= { 3 },
4207 .errstr
= "invalid access to map value, value_size=48 off=4 size=-8",
4209 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4212 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4214 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4215 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4216 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4217 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4218 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4219 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
4220 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4221 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
,
4222 offsetof(struct test_val
, foo
)),
4223 BPF_MOV64_IMM(BPF_REG_2
, -1),
4224 BPF_MOV64_IMM(BPF_REG_3
, 0),
4225 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4228 .fixup_map2
= { 3 },
4229 .errstr
= "R1 min value is outside of the array range",
4231 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4234 "helper access to adjusted map (via const reg): full range",
4236 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4237 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4238 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4239 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4240 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4241 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4242 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4243 BPF_MOV64_IMM(BPF_REG_3
,
4244 offsetof(struct test_val
, foo
)),
4245 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4246 BPF_MOV64_IMM(BPF_REG_2
,
4247 sizeof(struct test_val
) -
4248 offsetof(struct test_val
, foo
)),
4249 BPF_MOV64_IMM(BPF_REG_3
, 0),
4250 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4253 .fixup_map2
= { 3 },
4255 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4258 "helper access to adjusted map (via const reg): partial range",
4260 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4261 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4262 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4263 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4264 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4265 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4266 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4267 BPF_MOV64_IMM(BPF_REG_3
,
4268 offsetof(struct test_val
, foo
)),
4269 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4270 BPF_MOV64_IMM(BPF_REG_2
, 8),
4271 BPF_MOV64_IMM(BPF_REG_3
, 0),
4272 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4275 .fixup_map2
= { 3 },
4277 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4280 "helper access to adjusted map (via const reg): empty range",
4282 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4283 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4284 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4285 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4286 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4287 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4288 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4289 BPF_MOV64_IMM(BPF_REG_3
, 0),
4290 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4291 BPF_MOV64_IMM(BPF_REG_2
, 0),
4292 BPF_MOV64_IMM(BPF_REG_3
, 0),
4293 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4296 .fixup_map2
= { 3 },
4297 .errstr
= "R1 min value is outside of the array range",
4299 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4302 "helper access to adjusted map (via const reg): out-of-bound range",
4304 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4305 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4306 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4307 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4308 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4309 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4310 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4311 BPF_MOV64_IMM(BPF_REG_3
,
4312 offsetof(struct test_val
, foo
)),
4313 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4314 BPF_MOV64_IMM(BPF_REG_2
,
4315 sizeof(struct test_val
) -
4316 offsetof(struct test_val
, foo
) + 8),
4317 BPF_MOV64_IMM(BPF_REG_3
, 0),
4318 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4321 .fixup_map2
= { 3 },
4322 .errstr
= "invalid access to map value, value_size=48 off=4 size=52",
4324 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4327 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4329 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4330 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4331 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4332 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4333 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4334 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4335 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4336 BPF_MOV64_IMM(BPF_REG_3
,
4337 offsetof(struct test_val
, foo
)),
4338 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4339 BPF_MOV64_IMM(BPF_REG_2
, -8),
4340 BPF_MOV64_IMM(BPF_REG_3
, 0),
4341 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4344 .fixup_map2
= { 3 },
4345 .errstr
= "invalid access to map value, value_size=48 off=4 size=-8",
4347 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4350 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4352 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4353 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4354 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4355 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4356 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4357 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4358 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4359 BPF_MOV64_IMM(BPF_REG_3
,
4360 offsetof(struct test_val
, foo
)),
4361 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4362 BPF_MOV64_IMM(BPF_REG_2
, -1),
4363 BPF_MOV64_IMM(BPF_REG_3
, 0),
4364 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4367 .fixup_map2
= { 3 },
4368 .errstr
= "R1 min value is outside of the array range",
4370 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4373 "helper access to adjusted map (via variable): full range",
4375 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4376 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4377 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4378 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4380 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
4381 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4382 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_0
, 0),
4383 BPF_JMP_IMM(BPF_JGT
, BPF_REG_3
,
4384 offsetof(struct test_val
, foo
), 4),
4385 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4386 BPF_MOV64_IMM(BPF_REG_2
,
4387 sizeof(struct test_val
) -
4388 offsetof(struct test_val
, foo
)),
4389 BPF_MOV64_IMM(BPF_REG_3
, 0),
4390 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4393 .fixup_map2
= { 3 },
4395 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4398 "helper access to adjusted map (via variable): partial range",
4400 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4401 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4402 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4403 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4404 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4405 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
4406 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4407 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_0
, 0),
4408 BPF_JMP_IMM(BPF_JGT
, BPF_REG_3
,
4409 offsetof(struct test_val
, foo
), 4),
4410 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4411 BPF_MOV64_IMM(BPF_REG_2
, 8),
4412 BPF_MOV64_IMM(BPF_REG_3
, 0),
4413 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4416 .fixup_map2
= { 3 },
4418 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4421 "helper access to adjusted map (via variable): empty range",
4423 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4424 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4425 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4426 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4427 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4428 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
4429 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4430 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_0
, 0),
4431 BPF_JMP_IMM(BPF_JGT
, BPF_REG_3
,
4432 offsetof(struct test_val
, foo
), 4),
4433 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4434 BPF_MOV64_IMM(BPF_REG_2
, 0),
4435 BPF_MOV64_IMM(BPF_REG_3
, 0),
4436 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4439 .fixup_map2
= { 3 },
4440 .errstr
= "R1 min value is outside of the array range",
4442 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4445 "helper access to adjusted map (via variable): no max check",
4447 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4448 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4449 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4450 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4452 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4453 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4454 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_0
, 0),
4455 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4456 BPF_MOV64_IMM(BPF_REG_2
, 0),
4457 BPF_MOV64_IMM(BPF_REG_3
, 0),
4458 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4461 .fixup_map2
= { 3 },
4462 .errstr
= "R1 min value is negative, either use unsigned index or do a if (index >=0) check",
4464 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4467 "helper access to adjusted map (via variable): wrong max check",
4469 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4470 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4471 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4472 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4473 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4474 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
4475 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4476 BPF_LDX_MEM(BPF_W
, BPF_REG_3
, BPF_REG_0
, 0),
4477 BPF_JMP_IMM(BPF_JGT
, BPF_REG_3
,
4478 offsetof(struct test_val
, foo
), 4),
4479 BPF_ALU64_REG(BPF_ADD
, BPF_REG_1
, BPF_REG_3
),
4480 BPF_MOV64_IMM(BPF_REG_2
,
4481 sizeof(struct test_val
) -
4482 offsetof(struct test_val
, foo
) + 1),
4483 BPF_MOV64_IMM(BPF_REG_3
, 0),
4484 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4487 .fixup_map2
= { 3 },
4488 .errstr
= "invalid access to map value, value_size=48 off=4 size=45",
4490 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4493 "map element value is preserved across register spilling",
4495 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4496 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4497 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4498 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4499 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4500 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
4501 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 42),
4502 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4503 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -184),
4504 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
, 0),
4505 BPF_LDX_MEM(BPF_DW
, BPF_REG_3
, BPF_REG_1
, 0),
4506 BPF_ST_MEM(BPF_DW
, BPF_REG_3
, 0, 42),
4509 .fixup_map2
= { 3 },
4510 .errstr_unpriv
= "R0 leaks addr",
4512 .result_unpriv
= REJECT
,
4515 "map element value or null is marked on register spilling",
4517 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4518 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4519 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4520 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4521 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4522 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4523 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -152),
4524 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
, 0),
4525 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 2),
4526 BPF_LDX_MEM(BPF_DW
, BPF_REG_3
, BPF_REG_1
, 0),
4527 BPF_ST_MEM(BPF_DW
, BPF_REG_3
, 0, 42),
4530 .fixup_map2
= { 3 },
4531 .errstr_unpriv
= "R0 leaks addr",
4533 .result_unpriv
= REJECT
,
4536 "map element value store of cleared call register",
4538 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4539 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4540 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4541 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4542 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4543 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 1),
4544 BPF_STX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
, 0),
4547 .fixup_map2
= { 3 },
4548 .errstr_unpriv
= "R1 !read_ok",
4549 .errstr
= "R1 !read_ok",
4551 .result_unpriv
= REJECT
,
4554 "map element value with unaligned store",
4556 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4557 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4558 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4559 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4560 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4561 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 17),
4562 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 3),
4563 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 42),
4564 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 2, 43),
4565 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, -2, 44),
4566 BPF_MOV64_REG(BPF_REG_8
, BPF_REG_0
),
4567 BPF_ST_MEM(BPF_DW
, BPF_REG_8
, 0, 32),
4568 BPF_ST_MEM(BPF_DW
, BPF_REG_8
, 2, 33),
4569 BPF_ST_MEM(BPF_DW
, BPF_REG_8
, -2, 34),
4570 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_8
, 5),
4571 BPF_ST_MEM(BPF_DW
, BPF_REG_8
, 0, 22),
4572 BPF_ST_MEM(BPF_DW
, BPF_REG_8
, 4, 23),
4573 BPF_ST_MEM(BPF_DW
, BPF_REG_8
, -7, 24),
4574 BPF_MOV64_REG(BPF_REG_7
, BPF_REG_8
),
4575 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_7
, 3),
4576 BPF_ST_MEM(BPF_DW
, BPF_REG_7
, 0, 22),
4577 BPF_ST_MEM(BPF_DW
, BPF_REG_7
, 4, 23),
4578 BPF_ST_MEM(BPF_DW
, BPF_REG_7
, -4, 24),
4581 .fixup_map2
= { 3 },
4582 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
4584 .result_unpriv
= REJECT
,
4585 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
4588 "map element value with unaligned load",
4590 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4591 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4592 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4593 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4595 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 11),
4596 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
4597 BPF_JMP_IMM(BPF_JGE
, BPF_REG_1
, MAX_ENTRIES
, 9),
4598 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 3),
4599 BPF_LDX_MEM(BPF_DW
, BPF_REG_7
, BPF_REG_0
, 0),
4600 BPF_LDX_MEM(BPF_DW
, BPF_REG_7
, BPF_REG_0
, 2),
4601 BPF_MOV64_REG(BPF_REG_8
, BPF_REG_0
),
4602 BPF_LDX_MEM(BPF_DW
, BPF_REG_7
, BPF_REG_8
, 0),
4603 BPF_LDX_MEM(BPF_DW
, BPF_REG_7
, BPF_REG_8
, 2),
4604 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 5),
4605 BPF_LDX_MEM(BPF_DW
, BPF_REG_7
, BPF_REG_0
, 0),
4606 BPF_LDX_MEM(BPF_DW
, BPF_REG_7
, BPF_REG_0
, 4),
4609 .fixup_map2
= { 3 },
4610 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
4612 .result_unpriv
= REJECT
,
4613 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
4616 "map element value illegal alu op, 1",
4618 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4619 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4620 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4621 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4622 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4623 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 2),
4624 BPF_ALU64_IMM(BPF_AND
, BPF_REG_0
, 8),
4625 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 22),
4628 .fixup_map2
= { 3 },
4629 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
4630 .errstr
= "invalid mem access 'inv'",
4632 .result_unpriv
= REJECT
,
4635 "map element value illegal alu op, 2",
4637 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4638 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4639 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4640 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4641 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4642 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 2),
4643 BPF_ALU32_IMM(BPF_ADD
, BPF_REG_0
, 0),
4644 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 22),
4647 .fixup_map2
= { 3 },
4648 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
4649 .errstr
= "invalid mem access 'inv'",
4651 .result_unpriv
= REJECT
,
4654 "map element value illegal alu op, 3",
4656 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4657 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4658 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4659 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4660 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4661 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 2),
4662 BPF_ALU64_IMM(BPF_DIV
, BPF_REG_0
, 42),
4663 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 22),
4666 .fixup_map2
= { 3 },
4667 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
4668 .errstr
= "invalid mem access 'inv'",
4670 .result_unpriv
= REJECT
,
4673 "map element value illegal alu op, 4",
4675 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4676 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4677 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4678 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4679 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4680 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 2),
4681 BPF_ENDIAN(BPF_FROM_BE
, BPF_REG_0
, 64),
4682 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 22),
4685 .fixup_map2
= { 3 },
4686 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
4687 .errstr
= "invalid mem access 'inv'",
4689 .result_unpriv
= REJECT
,
4692 "map element value illegal alu op, 5",
4694 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4695 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4696 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4697 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4698 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4699 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
4700 BPF_MOV64_IMM(BPF_REG_3
, 4096),
4701 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4702 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4703 BPF_STX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_0
, 0),
4704 BPF_STX_XADD(BPF_DW
, BPF_REG_2
, BPF_REG_3
, 0),
4705 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_2
, 0),
4706 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 22),
4709 .fixup_map2
= { 3 },
4710 .errstr_unpriv
= "R0 invalid mem access 'inv'",
4711 .errstr
= "R0 invalid mem access 'inv'",
4713 .result_unpriv
= REJECT
,
4716 "map element value is preserved across register spilling",
4718 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4719 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4720 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4721 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4722 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4723 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
4724 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
,
4725 offsetof(struct test_val
, foo
)),
4726 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0, 42),
4727 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4728 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -184),
4729 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_0
, 0),
4730 BPF_LDX_MEM(BPF_DW
, BPF_REG_3
, BPF_REG_1
, 0),
4731 BPF_ST_MEM(BPF_DW
, BPF_REG_3
, 0, 42),
4734 .fixup_map2
= { 3 },
4735 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
4737 .result_unpriv
= REJECT
,
4738 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
4741 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
4743 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4744 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4745 BPF_MOV64_IMM(BPF_REG_0
, 0),
4746 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -64),
4747 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -56),
4748 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -48),
4749 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -40),
4750 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -32),
4751 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -24),
4752 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -16),
4753 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
4754 BPF_MOV64_IMM(BPF_REG_2
, 16),
4755 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4756 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4757 BPF_ALU64_IMM(BPF_AND
, BPF_REG_2
, 64),
4758 BPF_MOV64_IMM(BPF_REG_4
, 0),
4759 BPF_JMP_REG(BPF_JGE
, BPF_REG_4
, BPF_REG_2
, 2),
4760 BPF_MOV64_IMM(BPF_REG_3
, 0),
4761 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4762 BPF_MOV64_IMM(BPF_REG_0
, 0),
4766 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4769 "helper access to variable memory: stack, bitwise AND, zero included",
4771 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4772 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4773 BPF_MOV64_IMM(BPF_REG_2
, 16),
4774 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4775 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4776 BPF_ALU64_IMM(BPF_AND
, BPF_REG_2
, 64),
4777 BPF_MOV64_IMM(BPF_REG_3
, 0),
4778 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4781 .errstr
= "invalid stack type R1 off=-64 access_size=0",
4783 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4786 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
4788 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4789 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4790 BPF_MOV64_IMM(BPF_REG_2
, 16),
4791 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4792 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4793 BPF_ALU64_IMM(BPF_AND
, BPF_REG_2
, 65),
4794 BPF_MOV64_IMM(BPF_REG_4
, 0),
4795 BPF_JMP_REG(BPF_JGE
, BPF_REG_4
, BPF_REG_2
, 2),
4796 BPF_MOV64_IMM(BPF_REG_3
, 0),
4797 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4798 BPF_MOV64_IMM(BPF_REG_0
, 0),
4801 .errstr
= "invalid stack type R1 off=-64 access_size=65",
4803 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4806 "helper access to variable memory: stack, JMP, correct bounds",
4808 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4809 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4810 BPF_MOV64_IMM(BPF_REG_0
, 0),
4811 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -64),
4812 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -56),
4813 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -48),
4814 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -40),
4815 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -32),
4816 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -24),
4817 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -16),
4818 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
4819 BPF_MOV64_IMM(BPF_REG_2
, 16),
4820 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4821 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4822 BPF_JMP_IMM(BPF_JGT
, BPF_REG_2
, 64, 4),
4823 BPF_MOV64_IMM(BPF_REG_4
, 0),
4824 BPF_JMP_REG(BPF_JGE
, BPF_REG_4
, BPF_REG_2
, 2),
4825 BPF_MOV64_IMM(BPF_REG_3
, 0),
4826 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4827 BPF_MOV64_IMM(BPF_REG_0
, 0),
4831 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4834 "helper access to variable memory: stack, JMP (signed), correct bounds",
4836 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4837 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4838 BPF_MOV64_IMM(BPF_REG_0
, 0),
4839 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -64),
4840 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -56),
4841 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -48),
4842 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -40),
4843 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -32),
4844 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -24),
4845 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -16),
4846 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
4847 BPF_MOV64_IMM(BPF_REG_2
, 16),
4848 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4849 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4850 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_2
, 64, 4),
4851 BPF_MOV64_IMM(BPF_REG_4
, 0),
4852 BPF_JMP_REG(BPF_JSGE
, BPF_REG_4
, BPF_REG_2
, 2),
4853 BPF_MOV64_IMM(BPF_REG_3
, 0),
4854 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4855 BPF_MOV64_IMM(BPF_REG_0
, 0),
4859 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4862 "helper access to variable memory: stack, JMP, bounds + offset",
4864 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4865 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4866 BPF_MOV64_IMM(BPF_REG_2
, 16),
4867 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4868 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4869 BPF_JMP_IMM(BPF_JGT
, BPF_REG_2
, 64, 5),
4870 BPF_MOV64_IMM(BPF_REG_4
, 0),
4871 BPF_JMP_REG(BPF_JGE
, BPF_REG_4
, BPF_REG_2
, 3),
4872 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, 1),
4873 BPF_MOV64_IMM(BPF_REG_3
, 0),
4874 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4875 BPF_MOV64_IMM(BPF_REG_0
, 0),
4878 .errstr
= "invalid stack type R1 off=-64 access_size=65",
4880 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4883 "helper access to variable memory: stack, JMP, wrong max",
4885 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4886 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4887 BPF_MOV64_IMM(BPF_REG_2
, 16),
4888 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4889 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4890 BPF_JMP_IMM(BPF_JGT
, BPF_REG_2
, 65, 4),
4891 BPF_MOV64_IMM(BPF_REG_4
, 0),
4892 BPF_JMP_REG(BPF_JGE
, BPF_REG_4
, BPF_REG_2
, 2),
4893 BPF_MOV64_IMM(BPF_REG_3
, 0),
4894 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4895 BPF_MOV64_IMM(BPF_REG_0
, 0),
4898 .errstr
= "invalid stack type R1 off=-64 access_size=65",
4900 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4903 "helper access to variable memory: stack, JMP, no max check",
4905 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4906 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4907 BPF_MOV64_IMM(BPF_REG_2
, 16),
4908 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4909 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4910 BPF_MOV64_IMM(BPF_REG_4
, 0),
4911 BPF_JMP_REG(BPF_JGE
, BPF_REG_4
, BPF_REG_2
, 2),
4912 BPF_MOV64_IMM(BPF_REG_3
, 0),
4913 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4914 BPF_MOV64_IMM(BPF_REG_0
, 0),
4917 .errstr
= "R2 unbounded memory access",
4919 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4922 "helper access to variable memory: stack, JMP, no min check",
4924 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4925 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4926 BPF_MOV64_IMM(BPF_REG_2
, 16),
4927 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4928 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4929 BPF_JMP_IMM(BPF_JGT
, BPF_REG_2
, 64, 3),
4930 BPF_MOV64_IMM(BPF_REG_3
, 0),
4931 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4932 BPF_MOV64_IMM(BPF_REG_0
, 0),
4935 .errstr
= "invalid stack type R1 off=-64 access_size=0",
4937 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4940 "helper access to variable memory: stack, JMP (signed), no min check",
4942 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
4943 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
4944 BPF_MOV64_IMM(BPF_REG_2
, 16),
4945 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, -128),
4946 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_1
, -128),
4947 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_2
, 64, 3),
4948 BPF_MOV64_IMM(BPF_REG_3
, 0),
4949 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4950 BPF_MOV64_IMM(BPF_REG_0
, 0),
4953 .errstr
= "R2 min value is negative",
4955 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4958 "helper access to variable memory: map, JMP, correct bounds",
4960 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4961 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4962 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4963 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4964 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4965 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 10),
4966 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4967 BPF_MOV64_IMM(BPF_REG_2
, sizeof(struct test_val
)),
4968 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_2
, -128),
4969 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -128),
4970 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_2
,
4971 sizeof(struct test_val
), 4),
4972 BPF_MOV64_IMM(BPF_REG_4
, 0),
4973 BPF_JMP_REG(BPF_JSGE
, BPF_REG_4
, BPF_REG_2
, 2),
4974 BPF_MOV64_IMM(BPF_REG_3
, 0),
4975 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
4976 BPF_MOV64_IMM(BPF_REG_0
, 0),
4979 .fixup_map2
= { 3 },
4981 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
4984 "helper access to variable memory: map, JMP, wrong max",
4986 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
4987 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
4988 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
4989 BPF_LD_MAP_FD(BPF_REG_1
, 0),
4990 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
4991 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 10),
4992 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
4993 BPF_MOV64_IMM(BPF_REG_2
, sizeof(struct test_val
)),
4994 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_2
, -128),
4995 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -128),
4996 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_2
,
4997 sizeof(struct test_val
) + 1, 4),
4998 BPF_MOV64_IMM(BPF_REG_4
, 0),
4999 BPF_JMP_REG(BPF_JSGE
, BPF_REG_4
, BPF_REG_2
, 2),
5000 BPF_MOV64_IMM(BPF_REG_3
, 0),
5001 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
5002 BPF_MOV64_IMM(BPF_REG_0
, 0),
5005 .fixup_map2
= { 3 },
5006 .errstr
= "invalid access to map value, value_size=48 off=0 size=49",
5008 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
5011 "helper access to variable memory: map adjusted, JMP, correct bounds",
5013 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5014 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5015 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
5016 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5017 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
5018 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 11),
5019 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
5020 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 20),
5021 BPF_MOV64_IMM(BPF_REG_2
, sizeof(struct test_val
)),
5022 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_2
, -128),
5023 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -128),
5024 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_2
,
5025 sizeof(struct test_val
) - 20, 4),
5026 BPF_MOV64_IMM(BPF_REG_4
, 0),
5027 BPF_JMP_REG(BPF_JSGE
, BPF_REG_4
, BPF_REG_2
, 2),
5028 BPF_MOV64_IMM(BPF_REG_3
, 0),
5029 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
5030 BPF_MOV64_IMM(BPF_REG_0
, 0),
5033 .fixup_map2
= { 3 },
5035 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
5038 "helper access to variable memory: map adjusted, JMP, wrong max",
5040 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5041 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5042 BPF_ST_MEM(BPF_DW
, BPF_REG_2
, 0, 0),
5043 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5044 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem
),
5045 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 11),
5046 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
5047 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 20),
5048 BPF_MOV64_IMM(BPF_REG_2
, sizeof(struct test_val
)),
5049 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_2
, -128),
5050 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -128),
5051 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_2
,
5052 sizeof(struct test_val
) - 19, 4),
5053 BPF_MOV64_IMM(BPF_REG_4
, 0),
5054 BPF_JMP_REG(BPF_JSGE
, BPF_REG_4
, BPF_REG_2
, 2),
5055 BPF_MOV64_IMM(BPF_REG_3
, 0),
5056 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
5057 BPF_MOV64_IMM(BPF_REG_0
, 0),
5060 .fixup_map2
= { 3 },
5061 .errstr
= "R1 min value is outside of the array range",
5063 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
5066 "helper access to variable memory: size > 0 not allowed on NULL",
5068 BPF_MOV64_IMM(BPF_REG_1
, 0),
5069 BPF_MOV64_IMM(BPF_REG_2
, 0),
5070 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_2
, -128),
5071 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -128),
5072 BPF_ALU64_IMM(BPF_AND
, BPF_REG_2
, 64),
5073 BPF_MOV64_IMM(BPF_REG_3
, 0),
5074 BPF_MOV64_IMM(BPF_REG_4
, 0),
5075 BPF_MOV64_IMM(BPF_REG_5
, 0),
5076 BPF_EMIT_CALL(BPF_FUNC_csum_diff
),
5079 .errstr
= "R1 type=imm expected=fp",
5081 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
5084 "helper access to variable memory: size = 0 not allowed on != NULL",
5086 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
5087 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -8),
5088 BPF_MOV64_IMM(BPF_REG_2
, 0),
5089 BPF_STX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_2
, 0),
5090 BPF_ALU64_IMM(BPF_AND
, BPF_REG_2
, 8),
5091 BPF_MOV64_IMM(BPF_REG_3
, 0),
5092 BPF_MOV64_IMM(BPF_REG_4
, 0),
5093 BPF_MOV64_IMM(BPF_REG_5
, 0),
5094 BPF_EMIT_CALL(BPF_FUNC_csum_diff
),
5097 .errstr
= "invalid stack type R1 off=-8 access_size=0",
5099 .prog_type
= BPF_PROG_TYPE_SCHED_CLS
,
5102 "helper access to variable memory: 8 bytes leak",
5104 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
5105 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
5106 BPF_MOV64_IMM(BPF_REG_0
, 0),
5107 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -64),
5108 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -56),
5109 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -48),
5110 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -40),
5111 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -24),
5112 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -16),
5113 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
5114 BPF_MOV64_IMM(BPF_REG_2
, 0),
5115 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_2
, -128),
5116 BPF_LDX_MEM(BPF_DW
, BPF_REG_2
, BPF_REG_10
, -128),
5117 BPF_ALU64_IMM(BPF_AND
, BPF_REG_2
, 63),
5118 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, 1),
5119 BPF_MOV64_IMM(BPF_REG_3
, 0),
5120 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
5121 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5124 .errstr
= "invalid indirect read from stack off -64+32 size 64",
5126 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
5129 "helper access to variable memory: 8 bytes no leak (init memory)",
5131 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_10
),
5132 BPF_MOV64_IMM(BPF_REG_0
, 0),
5133 BPF_MOV64_IMM(BPF_REG_0
, 0),
5134 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -64),
5135 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -56),
5136 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -48),
5137 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -40),
5138 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -32),
5139 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -24),
5140 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -16),
5141 BPF_STX_MEM(BPF_DW
, BPF_REG_10
, BPF_REG_0
, -8),
5142 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, -64),
5143 BPF_MOV64_IMM(BPF_REG_2
, 0),
5144 BPF_ALU64_IMM(BPF_AND
, BPF_REG_2
, 32),
5145 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, 32),
5146 BPF_MOV64_IMM(BPF_REG_3
, 0),
5147 BPF_EMIT_CALL(BPF_FUNC_probe_read
),
5148 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5152 .prog_type
= BPF_PROG_TYPE_TRACEPOINT
,
5155 "invalid and of negative number",
5157 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5158 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5159 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5160 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5161 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5162 BPF_FUNC_map_lookup_elem
),
5163 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
5164 BPF_MOV64_IMM(BPF_REG_1
, 6),
5165 BPF_ALU64_IMM(BPF_AND
, BPF_REG_1
, -4),
5166 BPF_ALU64_IMM(BPF_LSH
, BPF_REG_1
, 2),
5167 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5168 BPF_ST_MEM(BPF_DW
, BPF_REG_0
, 0,
5169 offsetof(struct test_val
, foo
)),
5172 .fixup_map2
= { 3 },
5173 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5174 .errstr
= "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5176 .result_unpriv
= REJECT
,
5177 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
5180 "invalid range check",
5182 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5183 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5184 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5185 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5186 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5187 BPF_FUNC_map_lookup_elem
),
5188 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 12),
5189 BPF_LDX_MEM(BPF_W
, BPF_REG_1
, BPF_REG_0
, 0),
5190 BPF_MOV64_IMM(BPF_REG_9
, 1),
5191 BPF_ALU32_IMM(BPF_MOD
, BPF_REG_1
, 2),
5192 BPF_ALU32_IMM(BPF_ADD
, BPF_REG_1
, 1),
5193 BPF_ALU32_REG(BPF_AND
, BPF_REG_9
, BPF_REG_1
),
5194 BPF_ALU32_IMM(BPF_ADD
, BPF_REG_9
, 1),
5195 BPF_ALU32_IMM(BPF_RSH
, BPF_REG_9
, 1),
5196 BPF_MOV32_IMM(BPF_REG_3
, 1),
5197 BPF_ALU32_REG(BPF_SUB
, BPF_REG_3
, BPF_REG_9
),
5198 BPF_ALU32_IMM(BPF_MUL
, BPF_REG_3
, 0x10000000),
5199 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_3
),
5200 BPF_STX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_3
, 0),
5201 BPF_MOV64_REG(BPF_REG_0
, 0),
5204 .fixup_map2
= { 3 },
5205 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5206 .errstr
= "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5208 .result_unpriv
= REJECT
,
5209 .flags
= F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
,
5212 "map in map access",
5214 BPF_ST_MEM(0, BPF_REG_10
, -4, 0),
5215 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5216 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -4),
5217 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5218 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5219 BPF_FUNC_map_lookup_elem
),
5220 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 5),
5221 BPF_ST_MEM(0, BPF_REG_10
, -4, 0),
5222 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5223 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -4),
5224 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
5225 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5226 BPF_FUNC_map_lookup_elem
),
5227 BPF_MOV64_REG(BPF_REG_0
, 0),
5230 .fixup_map_in_map
= { 3 },
5234 "invalid inner map pointer",
5236 BPF_ST_MEM(0, BPF_REG_10
, -4, 0),
5237 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5238 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -4),
5239 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5240 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5241 BPF_FUNC_map_lookup_elem
),
5242 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
5243 BPF_ST_MEM(0, BPF_REG_10
, -4, 0),
5244 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5245 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -4),
5246 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
5247 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_1
, 8),
5248 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5249 BPF_FUNC_map_lookup_elem
),
5250 BPF_MOV64_REG(BPF_REG_0
, 0),
5253 .fixup_map_in_map
= { 3 },
5254 .errstr
= "R1 type=inv expected=map_ptr",
5255 .errstr_unpriv
= "R1 pointer arithmetic prohibited",
5259 "forgot null checking on the inner map pointer",
5261 BPF_ST_MEM(0, BPF_REG_10
, -4, 0),
5262 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5263 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -4),
5264 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5265 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5266 BPF_FUNC_map_lookup_elem
),
5267 BPF_ST_MEM(0, BPF_REG_10
, -4, 0),
5268 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5269 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -4),
5270 BPF_MOV64_REG(BPF_REG_1
, BPF_REG_0
),
5271 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5272 BPF_FUNC_map_lookup_elem
),
5273 BPF_MOV64_REG(BPF_REG_0
, 0),
5276 .fixup_map_in_map
= { 3 },
5277 .errstr
= "R1 type=map_value_or_null expected=map_ptr",
5281 "ld_abs: check calling conv, r1",
5283 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5284 BPF_MOV64_IMM(BPF_REG_1
, 0),
5285 BPF_LD_ABS(BPF_W
, -0x200000),
5286 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_1
),
5289 .errstr
= "R1 !read_ok",
5293 "ld_abs: check calling conv, r2",
5295 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5296 BPF_MOV64_IMM(BPF_REG_2
, 0),
5297 BPF_LD_ABS(BPF_W
, -0x200000),
5298 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
5301 .errstr
= "R2 !read_ok",
5305 "ld_abs: check calling conv, r3",
5307 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5308 BPF_MOV64_IMM(BPF_REG_3
, 0),
5309 BPF_LD_ABS(BPF_W
, -0x200000),
5310 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_3
),
5313 .errstr
= "R3 !read_ok",
5317 "ld_abs: check calling conv, r4",
5319 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5320 BPF_MOV64_IMM(BPF_REG_4
, 0),
5321 BPF_LD_ABS(BPF_W
, -0x200000),
5322 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_4
),
5325 .errstr
= "R4 !read_ok",
5329 "ld_abs: check calling conv, r5",
5331 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5332 BPF_MOV64_IMM(BPF_REG_5
, 0),
5333 BPF_LD_ABS(BPF_W
, -0x200000),
5334 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_5
),
5337 .errstr
= "R5 !read_ok",
5341 "ld_abs: check calling conv, r7",
5343 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5344 BPF_MOV64_IMM(BPF_REG_7
, 0),
5345 BPF_LD_ABS(BPF_W
, -0x200000),
5346 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_7
),
5352 "ld_ind: check calling conv, r1",
5354 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5355 BPF_MOV64_IMM(BPF_REG_1
, 1),
5356 BPF_LD_IND(BPF_W
, BPF_REG_1
, -0x200000),
5357 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_1
),
5360 .errstr
= "R1 !read_ok",
5364 "ld_ind: check calling conv, r2",
5366 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5367 BPF_MOV64_IMM(BPF_REG_2
, 1),
5368 BPF_LD_IND(BPF_W
, BPF_REG_2
, -0x200000),
5369 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_2
),
5372 .errstr
= "R2 !read_ok",
5376 "ld_ind: check calling conv, r3",
5378 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5379 BPF_MOV64_IMM(BPF_REG_3
, 1),
5380 BPF_LD_IND(BPF_W
, BPF_REG_3
, -0x200000),
5381 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_3
),
5384 .errstr
= "R3 !read_ok",
5388 "ld_ind: check calling conv, r4",
5390 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5391 BPF_MOV64_IMM(BPF_REG_4
, 1),
5392 BPF_LD_IND(BPF_W
, BPF_REG_4
, -0x200000),
5393 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_4
),
5396 .errstr
= "R4 !read_ok",
5400 "ld_ind: check calling conv, r5",
5402 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5403 BPF_MOV64_IMM(BPF_REG_5
, 1),
5404 BPF_LD_IND(BPF_W
, BPF_REG_5
, -0x200000),
5405 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_5
),
5408 .errstr
= "R5 !read_ok",
5412 "ld_ind: check calling conv, r7",
5414 BPF_MOV64_REG(BPF_REG_6
, BPF_REG_1
),
5415 BPF_MOV64_IMM(BPF_REG_7
, 1),
5416 BPF_LD_IND(BPF_W
, BPF_REG_7
, -0x200000),
5417 BPF_MOV64_REG(BPF_REG_0
, BPF_REG_7
),
5423 "check bpf_perf_event_data->sample_period byte load permitted",
5425 BPF_MOV64_IMM(BPF_REG_0
, 0),
5426 #if __BYTE_ORDER == __LITTLE_ENDIAN
5427 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
5428 offsetof(struct bpf_perf_event_data
, sample_period
)),
5430 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_1
,
5431 offsetof(struct bpf_perf_event_data
, sample_period
) + 7),
5436 .prog_type
= BPF_PROG_TYPE_PERF_EVENT
,
5439 "check bpf_perf_event_data->sample_period half load permitted",
5441 BPF_MOV64_IMM(BPF_REG_0
, 0),
5442 #if __BYTE_ORDER == __LITTLE_ENDIAN
5443 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
5444 offsetof(struct bpf_perf_event_data
, sample_period
)),
5446 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
5447 offsetof(struct bpf_perf_event_data
, sample_period
) + 6),
5452 .prog_type
= BPF_PROG_TYPE_PERF_EVENT
,
5455 "check bpf_perf_event_data->sample_period word load permitted",
5457 BPF_MOV64_IMM(BPF_REG_0
, 0),
5458 #if __BYTE_ORDER == __LITTLE_ENDIAN
5459 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
5460 offsetof(struct bpf_perf_event_data
, sample_period
)),
5462 BPF_LDX_MEM(BPF_W
, BPF_REG_0
, BPF_REG_1
,
5463 offsetof(struct bpf_perf_event_data
, sample_period
) + 4),
5468 .prog_type
= BPF_PROG_TYPE_PERF_EVENT
,
5471 "check bpf_perf_event_data->sample_period dword load permitted",
5473 BPF_MOV64_IMM(BPF_REG_0
, 0),
5474 BPF_LDX_MEM(BPF_DW
, BPF_REG_0
, BPF_REG_1
,
5475 offsetof(struct bpf_perf_event_data
, sample_period
)),
5479 .prog_type
= BPF_PROG_TYPE_PERF_EVENT
,
5482 "check skb->data half load not permitted",
5484 BPF_MOV64_IMM(BPF_REG_0
, 0),
5485 #if __BYTE_ORDER == __LITTLE_ENDIAN
5486 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
5487 offsetof(struct __sk_buff
, data
)),
5489 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
5490 offsetof(struct __sk_buff
, data
) + 2),
5495 .errstr
= "invalid bpf_context access",
5498 "check skb->tc_classid half load not permitted for lwt prog",
5500 BPF_MOV64_IMM(BPF_REG_0
, 0),
5501 #if __BYTE_ORDER == __LITTLE_ENDIAN
5502 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
5503 offsetof(struct __sk_buff
, tc_classid
)),
5505 BPF_LDX_MEM(BPF_H
, BPF_REG_0
, BPF_REG_1
,
5506 offsetof(struct __sk_buff
, tc_classid
) + 2),
5511 .errstr
= "invalid bpf_context access",
5512 .prog_type
= BPF_PROG_TYPE_LWT_IN
,
5515 "bounds checks mixing signed and unsigned, positive bounds",
5517 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5518 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5519 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5520 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5521 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5522 BPF_FUNC_map_lookup_elem
),
5523 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
5524 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5525 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5526 BPF_MOV64_IMM(BPF_REG_2
, 2),
5527 BPF_JMP_REG(BPF_JGE
, BPF_REG_2
, BPF_REG_1
, 3),
5528 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 4, 2),
5529 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5530 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5531 BPF_MOV64_IMM(BPF_REG_0
, 0),
5534 .fixup_map1
= { 3 },
5535 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5536 .errstr
= "R0 min value is negative",
5538 .result_unpriv
= REJECT
,
5541 "bounds checks mixing signed and unsigned",
5543 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5544 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5545 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5546 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5547 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5548 BPF_FUNC_map_lookup_elem
),
5549 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
5550 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5551 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5552 BPF_MOV64_IMM(BPF_REG_2
, -1),
5553 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_2
, 3),
5554 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5555 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5556 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5557 BPF_MOV64_IMM(BPF_REG_0
, 0),
5560 .fixup_map1
= { 3 },
5561 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5562 .errstr
= "R0 min value is negative",
5564 .result_unpriv
= REJECT
,
5567 "bounds checks mixing signed and unsigned, variant 2",
5569 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5570 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5571 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5572 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5573 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5574 BPF_FUNC_map_lookup_elem
),
5575 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
5576 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5577 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5578 BPF_MOV64_IMM(BPF_REG_2
, -1),
5579 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_2
, 5),
5580 BPF_MOV64_IMM(BPF_REG_8
, 0),
5581 BPF_ALU64_REG(BPF_ADD
, BPF_REG_8
, BPF_REG_1
),
5582 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_8
, 1, 2),
5583 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_8
),
5584 BPF_ST_MEM(BPF_B
, BPF_REG_8
, 0, 0),
5585 BPF_MOV64_IMM(BPF_REG_0
, 0),
5588 .fixup_map1
= { 3 },
5589 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5590 .errstr
= "R8 invalid mem access 'inv'",
5592 .result_unpriv
= REJECT
,
5595 "bounds checks mixing signed and unsigned, variant 3",
5597 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5598 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5599 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5600 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5601 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5602 BPF_FUNC_map_lookup_elem
),
5603 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 8),
5604 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5605 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5606 BPF_MOV64_IMM(BPF_REG_2
, -1),
5607 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_2
, 4),
5608 BPF_MOV64_REG(BPF_REG_8
, BPF_REG_1
),
5609 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_8
, 1, 2),
5610 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_8
),
5611 BPF_ST_MEM(BPF_B
, BPF_REG_8
, 0, 0),
5612 BPF_MOV64_IMM(BPF_REG_0
, 0),
5615 .fixup_map1
= { 3 },
5616 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5617 .errstr
= "R8 invalid mem access 'inv'",
5619 .result_unpriv
= REJECT
,
5622 "bounds checks mixing signed and unsigned, variant 4",
5624 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5625 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5626 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5627 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5628 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5629 BPF_FUNC_map_lookup_elem
),
5630 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
5631 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5632 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5633 BPF_MOV64_IMM(BPF_REG_2
, 1),
5634 BPF_ALU64_REG(BPF_AND
, BPF_REG_1
, BPF_REG_2
),
5635 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5636 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5637 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5638 BPF_MOV64_IMM(BPF_REG_0
, 0),
5641 .fixup_map1
= { 3 },
5642 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5643 .errstr
= "R0 min value is negative",
5645 .result_unpriv
= REJECT
,
5648 "bounds checks mixing signed and unsigned, variant 5",
5650 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5651 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5652 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5653 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5654 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5655 BPF_FUNC_map_lookup_elem
),
5656 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
5657 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5658 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5659 BPF_MOV64_IMM(BPF_REG_2
, -1),
5660 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_2
, 5),
5661 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 4),
5662 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_0
, 4),
5663 BPF_ALU64_REG(BPF_SUB
, BPF_REG_0
, BPF_REG_1
),
5664 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5665 BPF_MOV64_IMM(BPF_REG_0
, 0),
5668 .fixup_map1
= { 3 },
5669 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5670 .errstr
= "R0 invalid mem access",
5672 .result_unpriv
= REJECT
,
5675 "bounds checks mixing signed and unsigned, variant 6",
5677 BPF_MOV64_IMM(BPF_REG_2
, 0),
5678 BPF_MOV64_REG(BPF_REG_3
, BPF_REG_10
),
5679 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_3
, -512),
5680 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5681 BPF_LDX_MEM(BPF_DW
, BPF_REG_4
, BPF_REG_10
, -16),
5682 BPF_MOV64_IMM(BPF_REG_6
, -1),
5683 BPF_JMP_REG(BPF_JGT
, BPF_REG_4
, BPF_REG_6
, 5),
5684 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_4
, 1, 4),
5685 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_4
, 1),
5686 BPF_MOV64_IMM(BPF_REG_5
, 0),
5687 BPF_ST_MEM(BPF_H
, BPF_REG_10
, -512, 0),
5688 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5689 BPF_FUNC_skb_load_bytes
),
5690 BPF_MOV64_IMM(BPF_REG_0
, 0),
5693 .errstr_unpriv
= "R4 min value is negative, either use unsigned",
5694 .errstr
= "R4 min value is negative, either use unsigned",
5696 .result_unpriv
= REJECT
,
5699 "bounds checks mixing signed and unsigned, variant 7",
5701 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5702 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5703 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5704 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5705 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5706 BPF_FUNC_map_lookup_elem
),
5707 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
5708 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5709 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5710 BPF_MOV64_IMM(BPF_REG_2
, 1024 * 1024 * 1024),
5711 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_2
, 3),
5712 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5713 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5714 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5715 BPF_MOV64_IMM(BPF_REG_0
, 0),
5718 .fixup_map1
= { 3 },
5719 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5720 .errstr
= "R0 min value is negative",
5722 .result_unpriv
= REJECT
,
5725 "bounds checks mixing signed and unsigned, variant 8",
5727 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5728 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5729 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5730 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5731 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5732 BPF_FUNC_map_lookup_elem
),
5733 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 7),
5734 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5735 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5736 BPF_MOV64_IMM(BPF_REG_2
, 1024 * 1024 * 1024 + 1),
5737 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_2
, 3),
5738 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5739 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5740 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5741 BPF_MOV64_IMM(BPF_REG_0
, 0),
5744 .fixup_map1
= { 3 },
5745 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5746 .errstr
= "R0 min value is negative",
5748 .result_unpriv
= REJECT
,
5751 "bounds checks mixing signed and unsigned, variant 9",
5753 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5754 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5755 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5756 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5757 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5758 BPF_FUNC_map_lookup_elem
),
5759 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
5760 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5761 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5762 BPF_MOV64_IMM(BPF_REG_2
, -1),
5763 BPF_JMP_REG(BPF_JGT
, BPF_REG_2
, BPF_REG_1
, 2),
5764 BPF_MOV64_IMM(BPF_REG_0
, 0),
5766 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5767 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5768 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5769 BPF_MOV64_IMM(BPF_REG_0
, 0),
5772 .fixup_map1
= { 3 },
5773 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5774 .errstr
= "R0 min value is negative",
5776 .result_unpriv
= REJECT
,
5779 "bounds checks mixing signed and unsigned, variant 10",
5781 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5782 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5783 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5784 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5785 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5786 BPF_FUNC_map_lookup_elem
),
5787 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 10),
5788 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5789 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5790 BPF_LD_IMM64(BPF_REG_2
, -9223372036854775808ULL),
5791 BPF_JMP_REG(BPF_JGT
, BPF_REG_2
, BPF_REG_1
, 2),
5792 BPF_MOV64_IMM(BPF_REG_0
, 0),
5794 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5795 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5796 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5797 BPF_MOV64_IMM(BPF_REG_0
, 0),
5800 .fixup_map1
= { 3 },
5801 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5802 .errstr
= "R0 min value is negative",
5804 .result_unpriv
= REJECT
,
5807 "bounds checks mixing signed and unsigned, variant 11",
5809 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5810 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5811 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5812 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5813 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5814 BPF_FUNC_map_lookup_elem
),
5815 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
5816 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5817 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5818 BPF_MOV64_IMM(BPF_REG_2
, 0),
5819 BPF_JMP_REG(BPF_JGT
, BPF_REG_2
, BPF_REG_1
, 2),
5820 BPF_MOV64_IMM(BPF_REG_0
, 0),
5822 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5823 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5824 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5825 BPF_MOV64_IMM(BPF_REG_0
, 0),
5828 .fixup_map1
= { 3 },
5829 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5830 .errstr
= "R0 min value is negative",
5832 .result_unpriv
= REJECT
,
5835 "bounds checks mixing signed and unsigned, variant 12",
5837 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5838 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5839 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5840 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5841 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5842 BPF_FUNC_map_lookup_elem
),
5843 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
5844 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5845 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5846 BPF_MOV64_IMM(BPF_REG_2
, -1),
5847 BPF_JMP_REG(BPF_JGE
, BPF_REG_2
, BPF_REG_1
, 2),
5849 BPF_MOV64_IMM(BPF_REG_0
, 0),
5851 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5852 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5853 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5854 BPF_MOV64_IMM(BPF_REG_0
, 0),
5857 .fixup_map1
= { 3 },
5858 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5859 .errstr
= "R0 min value is negative",
5861 .result_unpriv
= REJECT
,
5864 "bounds checks mixing signed and unsigned, variant 13",
5866 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5867 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5868 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5869 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5870 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5871 BPF_FUNC_map_lookup_elem
),
5872 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
5873 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5874 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5875 BPF_MOV64_IMM(BPF_REG_2
, -6),
5876 BPF_JMP_REG(BPF_JGE
, BPF_REG_2
, BPF_REG_1
, 2),
5877 BPF_MOV64_IMM(BPF_REG_0
, 0),
5879 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5880 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5881 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5882 BPF_MOV64_IMM(BPF_REG_0
, 0),
5885 .fixup_map1
= { 3 },
5886 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5887 .errstr
= "R0 min value is negative",
5889 .result_unpriv
= REJECT
,
5892 "bounds checks mixing signed and unsigned, variant 14",
5894 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5895 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5896 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5897 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5898 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5899 BPF_FUNC_map_lookup_elem
),
5900 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 6),
5901 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5902 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5903 BPF_MOV64_IMM(BPF_REG_2
, 2),
5904 BPF_JMP_REG(BPF_JGE
, BPF_REG_2
, BPF_REG_1
, 2),
5905 BPF_MOV64_IMM(BPF_REG_7
, 1),
5906 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_7
, 0, 2),
5907 BPF_MOV64_IMM(BPF_REG_0
, 0),
5909 BPF_ALU64_REG(BPF_ADD
, BPF_REG_7
, BPF_REG_1
),
5910 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_7
, 4, 2),
5911 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_7
),
5912 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5913 BPF_MOV64_IMM(BPF_REG_0
, 0),
5916 .fixup_map1
= { 3 },
5917 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5918 .errstr
= "R0 min value is negative",
5920 .result_unpriv
= REJECT
,
5923 "bounds checks mixing signed and unsigned, variant 15",
5925 BPF_LDX_MEM(BPF_W
, BPF_REG_9
, BPF_REG_1
,
5926 offsetof(struct __sk_buff
, mark
)),
5927 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5928 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5929 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5930 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5931 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5932 BPF_FUNC_map_lookup_elem
),
5933 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 8),
5934 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5935 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5936 BPF_MOV64_IMM(BPF_REG_2
, -1),
5937 BPF_MOV64_IMM(BPF_REG_8
, 2),
5938 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_9
, 42, 6),
5939 BPF_JMP_REG(BPF_JSGT
, BPF_REG_8
, BPF_REG_1
, 3),
5940 BPF_JMP_IMM(BPF_JSGT
, BPF_REG_1
, 1, 2),
5941 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5942 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5943 BPF_MOV64_IMM(BPF_REG_0
, 0),
5945 BPF_JMP_REG(BPF_JGT
, BPF_REG_1
, BPF_REG_2
, -3),
5946 BPF_JMP_IMM(BPF_JA
, 0, 0, -7),
5948 .fixup_map1
= { 4 },
5949 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5950 .errstr
= "R0 min value is negative",
5952 .result_unpriv
= REJECT
,
5955 "bounds checks mixing signed and unsigned, variant 16",
5957 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5958 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5959 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5960 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5961 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5962 BPF_FUNC_map_lookup_elem
),
5963 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 4),
5964 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -16, -8),
5965 BPF_LDX_MEM(BPF_DW
, BPF_REG_1
, BPF_REG_10
, -16),
5966 BPF_MOV64_IMM(BPF_REG_2
, -6),
5967 BPF_JMP_REG(BPF_JGE
, BPF_REG_2
, BPF_REG_1
, 2),
5968 BPF_MOV64_IMM(BPF_REG_0
, 0),
5970 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
5971 BPF_JMP_IMM(BPF_JGT
, BPF_REG_0
, 1, 2),
5972 BPF_MOV64_IMM(BPF_REG_0
, 0),
5974 BPF_ST_MEM(BPF_B
, BPF_REG_0
, 0, 0),
5975 BPF_MOV64_IMM(BPF_REG_0
, 0),
5978 .fixup_map1
= { 3 },
5979 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
5980 .errstr
= "R0 min value is negative",
5982 .result_unpriv
= REJECT
,
5985 "subtraction bounds (map value)",
5987 BPF_ST_MEM(BPF_DW
, BPF_REG_10
, -8, 0),
5988 BPF_MOV64_REG(BPF_REG_2
, BPF_REG_10
),
5989 BPF_ALU64_IMM(BPF_ADD
, BPF_REG_2
, -8),
5990 BPF_LD_MAP_FD(BPF_REG_1
, 0),
5991 BPF_RAW_INSN(BPF_JMP
| BPF_CALL
, 0, 0, 0,
5992 BPF_FUNC_map_lookup_elem
),
5993 BPF_JMP_IMM(BPF_JEQ
, BPF_REG_0
, 0, 9),
5994 BPF_LDX_MEM(BPF_B
, BPF_REG_1
, BPF_REG_0
, 0),
5995 BPF_JMP_IMM(BPF_JGT
, BPF_REG_1
, 0xff, 7),
5996 BPF_LDX_MEM(BPF_B
, BPF_REG_3
, BPF_REG_0
, 1),
5997 BPF_JMP_IMM(BPF_JGT
, BPF_REG_3
, 0xff, 5),
5998 BPF_ALU64_REG(BPF_SUB
, BPF_REG_1
, BPF_REG_3
),
5999 BPF_ALU64_IMM(BPF_RSH
, BPF_REG_1
, 56),
6000 BPF_ALU64_REG(BPF_ADD
, BPF_REG_0
, BPF_REG_1
),
6001 BPF_LDX_MEM(BPF_B
, BPF_REG_0
, BPF_REG_0
, 0),
6003 BPF_MOV64_IMM(BPF_REG_0
, 0),
6006 .fixup_map1
= { 3 },
6007 .errstr_unpriv
= "R0 pointer arithmetic prohibited",
6008 .errstr
= "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6010 .result_unpriv
= REJECT
,
6014 static int probe_filter_length(const struct bpf_insn
*fp
)
6018 for (len
= MAX_INSNS
- 1; len
> 0; --len
)
6019 if (fp
[len
].code
!= 0 || fp
[len
].imm
!= 0)
6024 static int create_map(uint32_t size_value
, uint32_t max_elem
)
6028 fd
= bpf_create_map(BPF_MAP_TYPE_HASH
, sizeof(long long),
6029 size_value
, max_elem
, BPF_F_NO_PREALLOC
);
6031 printf("Failed to create hash map '%s'!\n", strerror(errno
));
6036 static int create_prog_array(void)
6040 fd
= bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY
, sizeof(int),
6043 printf("Failed to create prog array '%s'!\n", strerror(errno
));
6048 static int create_map_in_map(void)
6050 int inner_map_fd
, outer_map_fd
;
6052 inner_map_fd
= bpf_create_map(BPF_MAP_TYPE_ARRAY
, sizeof(int),
6054 if (inner_map_fd
< 0) {
6055 printf("Failed to create array '%s'!\n", strerror(errno
));
6056 return inner_map_fd
;
6059 outer_map_fd
= bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS
,
6060 sizeof(int), inner_map_fd
, 1, 0);
6061 if (outer_map_fd
< 0)
6062 printf("Failed to create array of maps '%s'!\n",
6065 close(inner_map_fd
);
6067 return outer_map_fd
;
6070 static char bpf_vlog
[32768];
6072 static void do_test_fixup(struct bpf_test
*test
, struct bpf_insn
*prog
,
6075 int *fixup_map1
= test
->fixup_map1
;
6076 int *fixup_map2
= test
->fixup_map2
;
6077 int *fixup_prog
= test
->fixup_prog
;
6078 int *fixup_map_in_map
= test
->fixup_map_in_map
;
6080 /* Allocating HTs with 1 elem is fine here, since we only test
6081 * for verifier and not do a runtime lookup, so the only thing
6082 * that really matters is value size in this case.
6085 map_fds
[0] = create_map(sizeof(long long), 1);
6087 prog
[*fixup_map1
].imm
= map_fds
[0];
6089 } while (*fixup_map1
);
6093 map_fds
[1] = create_map(sizeof(struct test_val
), 1);
6095 prog
[*fixup_map2
].imm
= map_fds
[1];
6097 } while (*fixup_map2
);
6101 map_fds
[2] = create_prog_array();
6103 prog
[*fixup_prog
].imm
= map_fds
[2];
6105 } while (*fixup_prog
);
6108 if (*fixup_map_in_map
) {
6109 map_fds
[3] = create_map_in_map();
6111 prog
[*fixup_map_in_map
].imm
= map_fds
[3];
6113 } while (*fixup_map_in_map
);
6117 static void do_test_single(struct bpf_test
*test
, bool unpriv
,
6118 int *passes
, int *errors
)
6120 int fd_prog
, expected_ret
, reject_from_alignment
;
6121 struct bpf_insn
*prog
= test
->insns
;
6122 int prog_len
= probe_filter_length(prog
);
6123 int prog_type
= test
->prog_type
;
6124 int map_fds
[MAX_NR_MAPS
];
6125 const char *expected_err
;
6128 for (i
= 0; i
< MAX_NR_MAPS
; i
++)
6131 do_test_fixup(test
, prog
, map_fds
);
6133 fd_prog
= bpf_verify_program(prog_type
? : BPF_PROG_TYPE_SOCKET_FILTER
,
6134 prog
, prog_len
, test
->flags
& F_LOAD_WITH_STRICT_ALIGNMENT
,
6135 "GPL", 0, bpf_vlog
, sizeof(bpf_vlog
), 1);
6137 expected_ret
= unpriv
&& test
->result_unpriv
!= UNDEF
?
6138 test
->result_unpriv
: test
->result
;
6139 expected_err
= unpriv
&& test
->errstr_unpriv
?
6140 test
->errstr_unpriv
: test
->errstr
;
6142 reject_from_alignment
= fd_prog
< 0 &&
6143 (test
->flags
& F_NEEDS_EFFICIENT_UNALIGNED_ACCESS
) &&
6144 strstr(bpf_vlog
, "Unknown alignment.");
6145 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
6146 if (reject_from_alignment
) {
6147 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
6152 if (expected_ret
== ACCEPT
) {
6153 if (fd_prog
< 0 && !reject_from_alignment
) {
6154 printf("FAIL\nFailed to load prog '%s'!\n",
6160 printf("FAIL\nUnexpected success to load!\n");
6163 if (!strstr(bpf_vlog
, expected_err
) && !reject_from_alignment
) {
6164 printf("FAIL\nUnexpected error message!\n");
6170 printf("OK%s\n", reject_from_alignment
?
6171 " (NOTE: reject due to unknown alignment)" : "");
6174 for (i
= 0; i
< MAX_NR_MAPS
; i
++)
6180 printf("%s", bpf_vlog
);
6184 static bool is_admin(void)
6187 cap_flag_value_t sysadmin
= CAP_CLEAR
;
6188 const cap_value_t cap_val
= CAP_SYS_ADMIN
;
6190 #ifdef CAP_IS_SUPPORTED
6191 if (!CAP_IS_SUPPORTED(CAP_SETFCAP
)) {
6192 perror("cap_get_flag");
6196 caps
= cap_get_proc();
6198 perror("cap_get_proc");
6201 if (cap_get_flag(caps
, cap_val
, CAP_EFFECTIVE
, &sysadmin
))
6202 perror("cap_get_flag");
6205 return (sysadmin
== CAP_SET
);
6208 static int set_admin(bool admin
)
6211 const cap_value_t cap_val
= CAP_SYS_ADMIN
;
6214 caps
= cap_get_proc();
6216 perror("cap_get_proc");
6219 if (cap_set_flag(caps
, CAP_EFFECTIVE
, 1, &cap_val
,
6220 admin
? CAP_SET
: CAP_CLEAR
)) {
6221 perror("cap_set_flag");
6224 if (cap_set_proc(caps
)) {
6225 perror("cap_set_proc");
6235 static int do_test(bool unpriv
, unsigned int from
, unsigned int to
)
6237 int i
, passes
= 0, errors
= 0;
6239 for (i
= from
; i
< to
; i
++) {
6240 struct bpf_test
*test
= &tests
[i
];
6242 /* Program types that are not supported by non-root we
6245 if (!test
->prog_type
) {
6248 printf("#%d/u %s ", i
, test
->descr
);
6249 do_test_single(test
, true, &passes
, &errors
);
6255 printf("#%d/p %s ", i
, test
->descr
);
6256 do_test_single(test
, false, &passes
, &errors
);
6260 printf("Summary: %d PASSED, %d FAILED\n", passes
, errors
);
6261 return errors
? EXIT_FAILURE
: EXIT_SUCCESS
;
6264 int main(int argc
, char **argv
)
6266 struct rlimit rinf
= { RLIM_INFINITY
, RLIM_INFINITY
};
6267 struct rlimit rlim
= { 1 << 20, 1 << 20 };
6268 unsigned int from
= 0, to
= ARRAY_SIZE(tests
);
6269 bool unpriv
= !is_admin();
6272 unsigned int l
= atoi(argv
[argc
- 2]);
6273 unsigned int u
= atoi(argv
[argc
- 1]);
6275 if (l
< to
&& u
< to
) {
6279 } else if (argc
== 2) {
6280 unsigned int t
= atoi(argv
[argc
- 1]);
6288 setrlimit(RLIMIT_MEMLOCK
, unpriv
? &rlim
: &rinf
);
6289 return do_test(unpriv
, from
, to
);