2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
14 #include <asm/types.h>
15 #include <linux/types.h>
27 #include <sys/capability.h>
29 #include <linux/unistd.h>
30 #include <linux/filter.h>
31 #include <linux/bpf_perf_event.h>
32 #include <linux/bpf.h>
33 #include <linux/if_ether.h>
38 # include "autoconf.h"
40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
44 #include "bpf_rlimit.h"
47 #include "../../../include/linux/filter.h"
49 #define MAX_INSNS BPF_MAXINSNS
51 #define MAX_NR_MAPS 13
52 #define POINTER_VALUE 0xcafe4all
53 #define TEST_DATA_LEN 64
55 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
56 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
58 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
59 static bool unpriv_disabled = false;
63 struct bpf_insn insns[MAX_INSNS];
64 int fixup_map_hash_8b[MAX_FIXUPS];
65 int fixup_map_hash_48b[MAX_FIXUPS];
66 int fixup_map_hash_16b[MAX_FIXUPS];
67 int fixup_map_array_48b[MAX_FIXUPS];
68 int fixup_map_sockmap[MAX_FIXUPS];
69 int fixup_map_sockhash[MAX_FIXUPS];
70 int fixup_map_xskmap[MAX_FIXUPS];
71 int fixup_map_stacktrace[MAX_FIXUPS];
72 int fixup_prog1[MAX_FIXUPS];
73 int fixup_prog2[MAX_FIXUPS];
74 int fixup_map_in_map[MAX_FIXUPS];
75 int fixup_cgroup_storage[MAX_FIXUPS];
76 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
78 const char *errstr_unpriv;
84 } result, result_unpriv;
85 enum bpf_prog_type prog_type;
87 __u8 data[TEST_DATA_LEN];
88 void (*fill_helper)(struct bpf_test *self);
91 /* Note we want this to be 64 bit aligned so that the end of our array is
92 * actually the end of the structure.
94 #define MAX_ENTRIES 11
106 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
108 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
110 unsigned int len = BPF_MAXINSNS;
111 struct bpf_insn *insn = self->insns;
114 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
116 for (j = 0; j < PUSH_CNT; j++) {
117 insn[i++] = BPF_LD_ABS(BPF_B, 0);
118 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
120 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
121 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
122 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
123 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124 BPF_FUNC_skb_vlan_push),
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
129 for (j = 0; j < PUSH_CNT; j++) {
130 insn[i++] = BPF_LD_ABS(BPF_B, 0);
131 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
133 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
134 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
135 BPF_FUNC_skb_vlan_pop),
136 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
142 for (; i < len - 1; i++)
143 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
144 insn[len - 1] = BPF_EXIT_INSN();
147 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
149 struct bpf_insn *insn = self->insns;
150 unsigned int len = BPF_MAXINSNS;
153 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
154 insn[i++] = BPF_LD_ABS(BPF_B, 0);
155 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
158 insn[i++] = BPF_LD_ABS(BPF_B, 1);
159 insn[i] = BPF_EXIT_INSN();
162 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
164 struct bpf_insn *insn = self->insns;
168 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
169 while (i < self->retval) {
170 uint64_t val = bpf_semi_rand_get();
171 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
176 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
178 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
179 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
180 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
181 insn[i] = BPF_EXIT_INSN();
183 self->retval = (uint32_t)res;
186 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
187 #define BPF_SK_LOOKUP \
188 /* struct bpf_sock_tuple tuple = {} */ \
189 BPF_MOV64_IMM(BPF_REG_2, 0), \
190 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
191 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
192 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
193 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
194 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
195 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
196 /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */ \
197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
199 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
200 BPF_MOV64_IMM(BPF_REG_4, 0), \
201 BPF_MOV64_IMM(BPF_REG_5, 0), \
202 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
204 static struct bpf_test tests[] = {
208 BPF_MOV64_IMM(BPF_REG_1, 1),
209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
210 BPF_MOV64_IMM(BPF_REG_2, 3),
211 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
213 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
214 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
221 "DIV32 by 0, zero check 1",
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
233 "DIV32 by 0, zero check 2",
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
245 "DIV64 by 0, zero check",
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_MOV32_IMM(BPF_REG_1, 0),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
257 "MOD32 by 0, zero check 1",
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
269 "MOD32 by 0, zero check 2",
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273 BPF_MOV32_IMM(BPF_REG_2, 1),
274 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
281 "MOD64 by 0, zero check",
283 BPF_MOV32_IMM(BPF_REG_0, 42),
284 BPF_MOV32_IMM(BPF_REG_1, 0),
285 BPF_MOV32_IMM(BPF_REG_2, 1),
286 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
293 "DIV32 by 0, zero check ok, cls",
295 BPF_MOV32_IMM(BPF_REG_0, 42),
296 BPF_MOV32_IMM(BPF_REG_1, 2),
297 BPF_MOV32_IMM(BPF_REG_2, 16),
298 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
307 "DIV32 by 0, zero check 1, cls",
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "DIV32 by 0, zero check 2, cls",
321 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
322 BPF_MOV32_IMM(BPF_REG_0, 1),
323 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
331 "DIV64 by 0, zero check, cls",
333 BPF_MOV32_IMM(BPF_REG_1, 0),
334 BPF_MOV32_IMM(BPF_REG_0, 1),
335 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 "MOD32 by 0, zero check ok, cls",
345 BPF_MOV32_IMM(BPF_REG_0, 42),
346 BPF_MOV32_IMM(BPF_REG_1, 3),
347 BPF_MOV32_IMM(BPF_REG_2, 5),
348 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
349 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357 "MOD32 by 0, zero check 1, cls",
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 1),
361 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
369 "MOD32 by 0, zero check 2, cls",
371 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
372 BPF_MOV32_IMM(BPF_REG_0, 1),
373 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
381 "MOD64 by 0, zero check 1, cls",
383 BPF_MOV32_IMM(BPF_REG_1, 0),
384 BPF_MOV32_IMM(BPF_REG_0, 2),
385 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
388 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
393 "MOD64 by 0, zero check 2, cls",
395 BPF_MOV32_IMM(BPF_REG_1, 0),
396 BPF_MOV32_IMM(BPF_REG_0, -1),
397 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
404 /* Just make sure that JITs used udiv/umod as otherwise we get
405 * an exception from INT_MIN/-1 overflow similarly as with div
409 "DIV32 overflow, check 1",
411 BPF_MOV32_IMM(BPF_REG_1, -1),
412 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
413 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
421 "DIV32 overflow, check 2",
423 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
424 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
432 "DIV64 overflow, check 1",
434 BPF_MOV64_IMM(BPF_REG_1, -1),
435 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
436 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
444 "DIV64 overflow, check 2",
446 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
447 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
455 "MOD32 overflow, check 1",
457 BPF_MOV32_IMM(BPF_REG_1, -1),
458 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
459 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
462 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
467 "MOD32 overflow, check 2",
469 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
470 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
473 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
478 "MOD64 overflow, check 1",
480 BPF_MOV64_IMM(BPF_REG_1, -1),
481 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
482 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
483 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
484 BPF_MOV32_IMM(BPF_REG_0, 0),
485 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
486 BPF_MOV32_IMM(BPF_REG_0, 1),
489 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
494 "MOD64 overflow, check 2",
496 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
497 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
498 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
499 BPF_MOV32_IMM(BPF_REG_0, 0),
500 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
501 BPF_MOV32_IMM(BPF_REG_0, 1),
504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
509 "xor32 zero extend check",
511 BPF_MOV32_IMM(BPF_REG_2, -1),
512 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
513 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
514 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
515 BPF_MOV32_IMM(BPF_REG_0, 2),
516 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
517 BPF_MOV32_IMM(BPF_REG_0, 1),
520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
528 .errstr = "unknown opcode 00",
536 .errstr = "R0 !read_ok",
545 .errstr = "unreachable",
551 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
552 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
555 .errstr = "unreachable",
561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
564 .errstr = "jump out of range",
568 "out of range jump2",
570 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
573 .errstr = "jump out of range",
579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
580 BPF_LD_IMM64(BPF_REG_0, 0),
581 BPF_LD_IMM64(BPF_REG_0, 0),
582 BPF_LD_IMM64(BPF_REG_0, 1),
583 BPF_LD_IMM64(BPF_REG_0, 1),
584 BPF_MOV64_IMM(BPF_REG_0, 2),
587 .errstr = "invalid BPF_LD_IMM insn",
588 .errstr_unpriv = "R1 pointer comparison",
594 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
595 BPF_LD_IMM64(BPF_REG_0, 0),
596 BPF_LD_IMM64(BPF_REG_0, 0),
597 BPF_LD_IMM64(BPF_REG_0, 1),
598 BPF_LD_IMM64(BPF_REG_0, 1),
601 .errstr = "invalid BPF_LD_IMM insn",
602 .errstr_unpriv = "R1 pointer comparison",
608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
609 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 BPF_LD_IMM64(BPF_REG_0, 0),
611 BPF_LD_IMM64(BPF_REG_0, 0),
612 BPF_LD_IMM64(BPF_REG_0, 1),
613 BPF_LD_IMM64(BPF_REG_0, 1),
616 .errstr = "invalid bpf_ld_imm64 insn",
622 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
625 .errstr = "invalid bpf_ld_imm64 insn",
631 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
633 .errstr = "invalid bpf_ld_imm64 insn",
639 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
640 BPF_RAW_INSN(0, 0, 0, 0, 0),
648 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
649 BPF_RAW_INSN(0, 0, 0, 0, 1),
658 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
659 BPF_RAW_INSN(0, 0, 0, 0, 1),
662 .errstr = "uses reserved fields",
668 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
669 BPF_RAW_INSN(0, 0, 0, 1, 1),
672 .errstr = "invalid bpf_ld_imm64 insn",
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
682 .errstr = "invalid bpf_ld_imm64 insn",
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
692 .errstr = "invalid bpf_ld_imm64 insn",
698 BPF_MOV64_IMM(BPF_REG_1, 0),
699 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
700 BPF_RAW_INSN(0, 0, 0, 0, 1),
703 .errstr = "not pointing to valid bpf_map",
709 BPF_MOV64_IMM(BPF_REG_1, 0),
710 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
711 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
714 .errstr = "invalid bpf_ld_imm64 insn",
720 BPF_MOV64_IMM(BPF_REG_0, 1),
721 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
725 .errstr = "unknown opcode c4",
730 BPF_MOV64_IMM(BPF_REG_0, 1),
731 BPF_MOV64_IMM(BPF_REG_1, 5),
732 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
736 .errstr = "unknown opcode cc",
741 BPF_MOV64_IMM(BPF_REG_0, 1),
742 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
750 BPF_MOV64_IMM(BPF_REG_0, 1),
751 BPF_MOV64_IMM(BPF_REG_1, 5),
752 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
760 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
762 .errstr = "not an exit",
768 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
771 .errstr = "back-edge",
777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
780 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
783 .errstr = "back-edge",
789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
791 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
795 .errstr = "back-edge",
799 "read uninitialized register",
801 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
804 .errstr = "R2 !read_ok",
808 "read invalid register",
810 BPF_MOV64_REG(BPF_REG_0, -1),
813 .errstr = "R15 is invalid",
817 "program doesn't init R0 before exit",
819 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
822 .errstr = "R0 !read_ok",
826 "program doesn't init R0 before exit in all branches",
828 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
829 BPF_MOV64_IMM(BPF_REG_0, 1),
830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
833 .errstr = "R0 !read_ok",
834 .errstr_unpriv = "R1 pointer comparison",
838 "stack out of bounds",
840 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
843 .errstr = "invalid stack",
847 "invalid call insn1",
849 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
852 .errstr = "unknown opcode 8d",
856 "invalid call insn2",
858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
861 .errstr = "BPF_CALL uses reserved",
865 "invalid function call",
867 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
870 .errstr = "invalid func unknown#1234567",
874 "uninitialized stack1",
876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
878 BPF_LD_MAP_FD(BPF_REG_1, 0),
879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
880 BPF_FUNC_map_lookup_elem),
883 .fixup_map_hash_8b = { 2 },
884 .errstr = "invalid indirect read from stack",
888 "uninitialized stack2",
890 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
891 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
894 .errstr = "invalid read from stack",
898 "invalid fp arithmetic",
899 /* If this gets ever changed, make sure JITs can deal with it. */
901 BPF_MOV64_IMM(BPF_REG_0, 0),
902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
903 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
904 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
907 .errstr = "R1 subtraction from stack pointer",
911 "non-invalid fp arithmetic",
913 BPF_MOV64_IMM(BPF_REG_0, 0),
914 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
920 "invalid argument register",
922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
923 BPF_FUNC_get_cgroup_classid),
924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
925 BPF_FUNC_get_cgroup_classid),
928 .errstr = "R1 !read_ok",
930 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
933 "non-invalid argument register",
935 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
937 BPF_FUNC_get_cgroup_classid),
938 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
940 BPF_FUNC_get_cgroup_classid),
944 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
947 "check valid spill/fill",
949 /* spill R1(ctx) into stack */
950 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
951 /* fill it back into R2 */
952 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
953 /* should be able to access R0 = *(R2 + 8) */
954 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
955 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
958 .errstr_unpriv = "R0 leaks addr",
960 .result_unpriv = REJECT,
961 .retval = POINTER_VALUE,
964 "check valid spill/fill, skb mark",
966 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
968 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
970 offsetof(struct __sk_buff, mark)),
974 .result_unpriv = ACCEPT,
977 "check corrupted spill/fill",
979 /* spill R1(ctx) into stack */
980 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
981 /* mess up with R1 pointer on stack */
982 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
983 /* fill back into R0 should fail */
984 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
987 .errstr_unpriv = "attempt to corrupt spilled",
988 .errstr = "corrupted spill",
992 "invalid src register in STX",
994 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
997 .errstr = "R15 is invalid",
1001 "invalid dst register in STX",
1003 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1006 .errstr = "R14 is invalid",
1010 "invalid dst register in ST",
1012 BPF_ST_MEM(BPF_B, 14, -1, -1),
1015 .errstr = "R14 is invalid",
1019 "invalid src register in LDX",
1021 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1024 .errstr = "R12 is invalid",
1028 "invalid dst register in LDX",
1030 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1033 .errstr = "R11 is invalid",
1039 BPF_RAW_INSN(0, 0, 0, 0, 0),
1042 .errstr = "unknown opcode 00",
1048 BPF_RAW_INSN(1, 0, 0, 0, 0),
1051 .errstr = "BPF_LDX uses reserved fields",
1057 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1060 .errstr = "unknown opcode ff",
1066 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1069 .errstr = "unknown opcode ff",
1075 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1078 .errstr = "BPF_ALU uses reserved fields",
1082 "misaligned read from stack",
1084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1088 .errstr = "misaligned stack access",
1092 "invalid map_fd for function call",
1094 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1095 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1097 BPF_LD_MAP_FD(BPF_REG_1, 0),
1098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1099 BPF_FUNC_map_delete_elem),
1102 .errstr = "fd 0 is not pointing to valid bpf_map",
1106 "don't check return value before access",
1108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1111 BPF_LD_MAP_FD(BPF_REG_1, 0),
1112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1113 BPF_FUNC_map_lookup_elem),
1114 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1117 .fixup_map_hash_8b = { 3 },
1118 .errstr = "R0 invalid mem access 'map_value_or_null'",
1122 "access memory with incorrect alignment",
1124 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1127 BPF_LD_MAP_FD(BPF_REG_1, 0),
1128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1129 BPF_FUNC_map_lookup_elem),
1130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1131 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1134 .fixup_map_hash_8b = { 3 },
1135 .errstr = "misaligned value access",
1137 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1140 "sometimes access memory with incorrect alignment",
1142 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1145 BPF_LD_MAP_FD(BPF_REG_1, 0),
1146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1147 BPF_FUNC_map_lookup_elem),
1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1149 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1151 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1154 .fixup_map_hash_8b = { 3 },
1155 .errstr = "R0 invalid mem access",
1156 .errstr_unpriv = "R0 leaks addr",
1158 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1166 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1170 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1171 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1172 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1176 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1177 BPF_MOV64_IMM(BPF_REG_0, 0),
1180 .errstr_unpriv = "R1 pointer comparison",
1181 .result_unpriv = REJECT,
1187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1189 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1190 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1192 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1193 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1195 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1196 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1197 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1198 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1202 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1204 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1205 BPF_MOV64_IMM(BPF_REG_0, 0),
1208 .errstr_unpriv = "R1 pointer comparison",
1209 .result_unpriv = REJECT,
1215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1216 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1217 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1219 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1221 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1223 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1225 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1227 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1229 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1231 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1233 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1235 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1237 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1239 BPF_LD_MAP_FD(BPF_REG_1, 0),
1240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1241 BPF_FUNC_map_delete_elem),
1244 .fixup_map_hash_8b = { 24 },
1245 .errstr_unpriv = "R1 pointer comparison",
1246 .result_unpriv = REJECT,
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1273 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1278 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1280 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1282 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1288 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1293 BPF_MOV64_IMM(BPF_REG_0, 0),
1296 .errstr_unpriv = "R1 pointer comparison",
1297 .result_unpriv = REJECT,
1303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1304 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1311 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1312 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1313 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1314 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1315 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1316 BPF_MOV64_IMM(BPF_REG_0, 0),
1317 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1318 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1319 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1320 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1321 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1322 BPF_MOV64_IMM(BPF_REG_0, 0),
1323 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1324 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1325 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1326 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1327 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1328 BPF_MOV64_IMM(BPF_REG_0, 0),
1329 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1330 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1331 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1332 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1333 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1334 BPF_MOV64_IMM(BPF_REG_0, 0),
1337 .errstr_unpriv = "R1 pointer comparison",
1338 .result_unpriv = REJECT,
1342 "access skb fields ok",
1344 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, len)),
1346 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1347 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1348 offsetof(struct __sk_buff, mark)),
1349 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, pkt_type)),
1352 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1353 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1354 offsetof(struct __sk_buff, queue_mapping)),
1355 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1357 offsetof(struct __sk_buff, protocol)),
1358 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1359 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1360 offsetof(struct __sk_buff, vlan_present)),
1361 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1362 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1363 offsetof(struct __sk_buff, vlan_tci)),
1364 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1365 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1366 offsetof(struct __sk_buff, napi_id)),
1367 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1373 "access skb fields bad1",
1375 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1378 .errstr = "invalid bpf_context access",
1382 "access skb fields bad2",
1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1388 BPF_LD_MAP_FD(BPF_REG_1, 0),
1389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1390 BPF_FUNC_map_lookup_elem),
1391 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1395 offsetof(struct __sk_buff, pkt_type)),
1398 .fixup_map_hash_8b = { 4 },
1399 .errstr = "different pointers",
1400 .errstr_unpriv = "R1 pointer comparison",
1404 "access skb fields bad3",
1406 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1408 offsetof(struct __sk_buff, pkt_type)),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1421 .fixup_map_hash_8b = { 6 },
1422 .errstr = "different pointers",
1423 .errstr_unpriv = "R1 pointer comparison",
1427 "access skb fields bad4",
1429 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1430 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1431 offsetof(struct __sk_buff, len)),
1432 BPF_MOV64_IMM(BPF_REG_0, 0),
1434 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1437 BPF_LD_MAP_FD(BPF_REG_1, 0),
1438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1439 BPF_FUNC_map_lookup_elem),
1440 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1442 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1443 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1445 .fixup_map_hash_8b = { 7 },
1446 .errstr = "different pointers",
1447 .errstr_unpriv = "R1 pointer comparison",
1451 "invalid access __sk_buff family",
1453 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1454 offsetof(struct __sk_buff, family)),
1457 .errstr = "invalid bpf_context access",
1461 "invalid access __sk_buff remote_ip4",
1463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1464 offsetof(struct __sk_buff, remote_ip4)),
1467 .errstr = "invalid bpf_context access",
1471 "invalid access __sk_buff local_ip4",
1473 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1474 offsetof(struct __sk_buff, local_ip4)),
1477 .errstr = "invalid bpf_context access",
1481 "invalid access __sk_buff remote_ip6",
1483 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1484 offsetof(struct __sk_buff, remote_ip6)),
1487 .errstr = "invalid bpf_context access",
1491 "invalid access __sk_buff local_ip6",
1493 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1494 offsetof(struct __sk_buff, local_ip6)),
1497 .errstr = "invalid bpf_context access",
1501 "invalid access __sk_buff remote_port",
1503 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, remote_port)),
1507 .errstr = "invalid bpf_context access",
1511 "invalid access __sk_buff remote_port",
1513 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1514 offsetof(struct __sk_buff, local_port)),
1517 .errstr = "invalid bpf_context access",
1521 "valid access __sk_buff family",
1523 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1524 offsetof(struct __sk_buff, family)),
1528 .prog_type = BPF_PROG_TYPE_SK_SKB,
1531 "valid access __sk_buff remote_ip4",
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip4)),
1538 .prog_type = BPF_PROG_TYPE_SK_SKB,
1541 "valid access __sk_buff local_ip4",
1543 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1544 offsetof(struct __sk_buff, local_ip4)),
1548 .prog_type = BPF_PROG_TYPE_SK_SKB,
1551 "valid access __sk_buff remote_ip6",
1553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554 offsetof(struct __sk_buff, remote_ip6[0])),
1555 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1556 offsetof(struct __sk_buff, remote_ip6[1])),
1557 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1558 offsetof(struct __sk_buff, remote_ip6[2])),
1559 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1560 offsetof(struct __sk_buff, remote_ip6[3])),
1564 .prog_type = BPF_PROG_TYPE_SK_SKB,
1567 "valid access __sk_buff local_ip6",
1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, local_ip6[0])),
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_ip6[1])),
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, local_ip6[2])),
1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 offsetof(struct __sk_buff, local_ip6[3])),
1580 .prog_type = BPF_PROG_TYPE_SK_SKB,
1583 "valid access __sk_buff remote_port",
1585 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1586 offsetof(struct __sk_buff, remote_port)),
1590 .prog_type = BPF_PROG_TYPE_SK_SKB,
1593 "valid access __sk_buff remote_port",
1595 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1596 offsetof(struct __sk_buff, local_port)),
1600 .prog_type = BPF_PROG_TYPE_SK_SKB,
1603 "invalid access of tc_classid for SK_SKB",
1605 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1606 offsetof(struct __sk_buff, tc_classid)),
1610 .prog_type = BPF_PROG_TYPE_SK_SKB,
1611 .errstr = "invalid bpf_context access",
1614 "invalid access of skb->mark for SK_SKB",
1616 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 offsetof(struct __sk_buff, mark)),
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1622 .errstr = "invalid bpf_context access",
1625 "check skb->mark is not writeable by SK_SKB",
1627 BPF_MOV64_IMM(BPF_REG_0, 0),
1628 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1629 offsetof(struct __sk_buff, mark)),
1633 .prog_type = BPF_PROG_TYPE_SK_SKB,
1634 .errstr = "invalid bpf_context access",
1637 "check skb->tc_index is writeable by SK_SKB",
1639 BPF_MOV64_IMM(BPF_REG_0, 0),
1640 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1641 offsetof(struct __sk_buff, tc_index)),
1645 .prog_type = BPF_PROG_TYPE_SK_SKB,
1648 "check skb->priority is writeable by SK_SKB",
1650 BPF_MOV64_IMM(BPF_REG_0, 0),
1651 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1652 offsetof(struct __sk_buff, priority)),
1656 .prog_type = BPF_PROG_TYPE_SK_SKB,
1659 "direct packet read for SK_SKB",
1661 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1662 offsetof(struct __sk_buff, data)),
1663 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1664 offsetof(struct __sk_buff, data_end)),
1665 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1667 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1668 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1669 BPF_MOV64_IMM(BPF_REG_0, 0),
1673 .prog_type = BPF_PROG_TYPE_SK_SKB,
1676 "direct packet write for SK_SKB",
1678 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1679 offsetof(struct __sk_buff, data)),
1680 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1681 offsetof(struct __sk_buff, data_end)),
1682 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1684 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1685 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1686 BPF_MOV64_IMM(BPF_REG_0, 0),
1690 .prog_type = BPF_PROG_TYPE_SK_SKB,
1693 "overlapping checks for direct packet access SK_SKB",
1695 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1696 offsetof(struct __sk_buff, data)),
1697 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1698 offsetof(struct __sk_buff, data_end)),
1699 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1701 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1704 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1705 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1706 BPF_MOV64_IMM(BPF_REG_0, 0),
1710 .prog_type = BPF_PROG_TYPE_SK_SKB,
1713 "valid access family in SK_MSG",
1715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1716 offsetof(struct sk_msg_md, family)),
1720 .prog_type = BPF_PROG_TYPE_SK_MSG,
1723 "valid access remote_ip4 in SK_MSG",
1725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1726 offsetof(struct sk_msg_md, remote_ip4)),
1730 .prog_type = BPF_PROG_TYPE_SK_MSG,
1733 "valid access local_ip4 in SK_MSG",
1735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1736 offsetof(struct sk_msg_md, local_ip4)),
1740 .prog_type = BPF_PROG_TYPE_SK_MSG,
1743 "valid access remote_port in SK_MSG",
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_port)),
1750 .prog_type = BPF_PROG_TYPE_SK_MSG,
1753 "valid access local_port in SK_MSG",
1755 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1756 offsetof(struct sk_msg_md, local_port)),
1760 .prog_type = BPF_PROG_TYPE_SK_MSG,
1763 "valid access remote_ip6 in SK_MSG",
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct sk_msg_md, remote_ip6[0])),
1767 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1768 offsetof(struct sk_msg_md, remote_ip6[1])),
1769 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1770 offsetof(struct sk_msg_md, remote_ip6[2])),
1771 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1772 offsetof(struct sk_msg_md, remote_ip6[3])),
1776 .prog_type = BPF_PROG_TYPE_SK_SKB,
1779 "valid access local_ip6 in SK_MSG",
1781 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1782 offsetof(struct sk_msg_md, local_ip6[0])),
1783 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1784 offsetof(struct sk_msg_md, local_ip6[1])),
1785 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1786 offsetof(struct sk_msg_md, local_ip6[2])),
1787 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1788 offsetof(struct sk_msg_md, local_ip6[3])),
1792 .prog_type = BPF_PROG_TYPE_SK_SKB,
1795 "invalid 64B read of family in SK_MSG",
1797 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1798 offsetof(struct sk_msg_md, family)),
1801 .errstr = "invalid bpf_context access",
1803 .prog_type = BPF_PROG_TYPE_SK_MSG,
1806 "invalid read past end of SK_MSG",
1808 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1809 offsetof(struct sk_msg_md, local_port) + 4),
1812 .errstr = "R0 !read_ok",
1814 .prog_type = BPF_PROG_TYPE_SK_MSG,
1817 "invalid read offset in SK_MSG",
1819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1820 offsetof(struct sk_msg_md, family) + 1),
1823 .errstr = "invalid bpf_context access",
1825 .prog_type = BPF_PROG_TYPE_SK_MSG,
1828 "direct packet read for SK_MSG",
1830 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1831 offsetof(struct sk_msg_md, data)),
1832 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1833 offsetof(struct sk_msg_md, data_end)),
1834 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1836 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1837 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1838 BPF_MOV64_IMM(BPF_REG_0, 0),
1842 .prog_type = BPF_PROG_TYPE_SK_MSG,
1845 "direct packet write for SK_MSG",
1847 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1848 offsetof(struct sk_msg_md, data)),
1849 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1850 offsetof(struct sk_msg_md, data_end)),
1851 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1853 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1854 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1855 BPF_MOV64_IMM(BPF_REG_0, 0),
1859 .prog_type = BPF_PROG_TYPE_SK_MSG,
1862 "overlapping checks for direct packet access SK_MSG",
1864 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1865 offsetof(struct sk_msg_md, data)),
1866 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1867 offsetof(struct sk_msg_md, data_end)),
1868 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1870 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1873 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1874 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1875 BPF_MOV64_IMM(BPF_REG_0, 0),
1879 .prog_type = BPF_PROG_TYPE_SK_MSG,
1882 "check skb->mark is not writeable by sockets",
1884 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1885 offsetof(struct __sk_buff, mark)),
1888 .errstr = "invalid bpf_context access",
1889 .errstr_unpriv = "R1 leaks addr",
1893 "check skb->tc_index is not writeable by sockets",
1895 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1896 offsetof(struct __sk_buff, tc_index)),
1899 .errstr = "invalid bpf_context access",
1900 .errstr_unpriv = "R1 leaks addr",
1904 "check cb access: byte",
1906 BPF_MOV64_IMM(BPF_REG_0, 0),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[0])),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[0]) + 1),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[0]) + 2),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[0]) + 3),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[1])),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[1]) + 1),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[1]) + 2),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[1]) + 3),
1923 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924 offsetof(struct __sk_buff, cb[2])),
1925 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1926 offsetof(struct __sk_buff, cb[2]) + 1),
1927 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1928 offsetof(struct __sk_buff, cb[2]) + 2),
1929 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1930 offsetof(struct __sk_buff, cb[2]) + 3),
1931 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 offsetof(struct __sk_buff, cb[3])),
1933 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1934 offsetof(struct __sk_buff, cb[3]) + 1),
1935 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1936 offsetof(struct __sk_buff, cb[3]) + 2),
1937 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1938 offsetof(struct __sk_buff, cb[3]) + 3),
1939 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1940 offsetof(struct __sk_buff, cb[4])),
1941 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1942 offsetof(struct __sk_buff, cb[4]) + 1),
1943 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1944 offsetof(struct __sk_buff, cb[4]) + 2),
1945 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1946 offsetof(struct __sk_buff, cb[4]) + 3),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[0])),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[0]) + 1),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[0]) + 2),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[0]) + 3),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[1])),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[1]) + 1),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[1]) + 2),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[1]) + 3),
1963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964 offsetof(struct __sk_buff, cb[2])),
1965 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1966 offsetof(struct __sk_buff, cb[2]) + 1),
1967 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1968 offsetof(struct __sk_buff, cb[2]) + 2),
1969 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1970 offsetof(struct __sk_buff, cb[2]) + 3),
1971 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1972 offsetof(struct __sk_buff, cb[3])),
1973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1974 offsetof(struct __sk_buff, cb[3]) + 1),
1975 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1976 offsetof(struct __sk_buff, cb[3]) + 2),
1977 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1978 offsetof(struct __sk_buff, cb[3]) + 3),
1979 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1980 offsetof(struct __sk_buff, cb[4])),
1981 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1982 offsetof(struct __sk_buff, cb[4]) + 1),
1983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1984 offsetof(struct __sk_buff, cb[4]) + 2),
1985 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1986 offsetof(struct __sk_buff, cb[4]) + 3),
1992 "__sk_buff->hash, offset 0, byte store not permitted",
1994 BPF_MOV64_IMM(BPF_REG_0, 0),
1995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996 offsetof(struct __sk_buff, hash)),
1999 .errstr = "invalid bpf_context access",
2003 "__sk_buff->tc_index, offset 3, byte store not permitted",
2005 BPF_MOV64_IMM(BPF_REG_0, 0),
2006 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2007 offsetof(struct __sk_buff, tc_index) + 3),
2010 .errstr = "invalid bpf_context access",
2014 "check skb->hash byte load permitted",
2016 BPF_MOV64_IMM(BPF_REG_0, 0),
2017 #if __BYTE_ORDER == __LITTLE_ENDIAN
2018 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2019 offsetof(struct __sk_buff, hash)),
2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 offsetof(struct __sk_buff, hash) + 3),
2029 "check skb->hash byte load not permitted 1",
2031 BPF_MOV64_IMM(BPF_REG_0, 0),
2032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033 offsetof(struct __sk_buff, hash) + 1),
2036 .errstr = "invalid bpf_context access",
2040 "check skb->hash byte load not permitted 2",
2042 BPF_MOV64_IMM(BPF_REG_0, 0),
2043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 offsetof(struct __sk_buff, hash) + 2),
2047 .errstr = "invalid bpf_context access",
2051 "check skb->hash byte load not permitted 3",
2053 BPF_MOV64_IMM(BPF_REG_0, 0),
2054 #if __BYTE_ORDER == __LITTLE_ENDIAN
2055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 offsetof(struct __sk_buff, hash) + 3),
2058 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2059 offsetof(struct __sk_buff, hash)),
2063 .errstr = "invalid bpf_context access",
2067 "check cb access: byte, wrong type",
2069 BPF_MOV64_IMM(BPF_REG_0, 0),
2070 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[0])),
2074 .errstr = "invalid bpf_context access",
2076 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2079 "check cb access: half",
2081 BPF_MOV64_IMM(BPF_REG_0, 0),
2082 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2083 offsetof(struct __sk_buff, cb[0])),
2084 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2085 offsetof(struct __sk_buff, cb[0]) + 2),
2086 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2087 offsetof(struct __sk_buff, cb[1])),
2088 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2089 offsetof(struct __sk_buff, cb[1]) + 2),
2090 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2091 offsetof(struct __sk_buff, cb[2])),
2092 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2093 offsetof(struct __sk_buff, cb[2]) + 2),
2094 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2095 offsetof(struct __sk_buff, cb[3])),
2096 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2097 offsetof(struct __sk_buff, cb[3]) + 2),
2098 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2099 offsetof(struct __sk_buff, cb[4])),
2100 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2101 offsetof(struct __sk_buff, cb[4]) + 2),
2102 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2103 offsetof(struct __sk_buff, cb[0])),
2104 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2105 offsetof(struct __sk_buff, cb[0]) + 2),
2106 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2107 offsetof(struct __sk_buff, cb[1])),
2108 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2109 offsetof(struct __sk_buff, cb[1]) + 2),
2110 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2111 offsetof(struct __sk_buff, cb[2])),
2112 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2113 offsetof(struct __sk_buff, cb[2]) + 2),
2114 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2115 offsetof(struct __sk_buff, cb[3])),
2116 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2117 offsetof(struct __sk_buff, cb[3]) + 2),
2118 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2119 offsetof(struct __sk_buff, cb[4])),
2120 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2121 offsetof(struct __sk_buff, cb[4]) + 2),
2127 "check cb access: half, unaligned",
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2130 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2131 offsetof(struct __sk_buff, cb[0]) + 1),
2134 .errstr = "misaligned context access",
2136 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2139 "check __sk_buff->hash, offset 0, half store not permitted",
2141 BPF_MOV64_IMM(BPF_REG_0, 0),
2142 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2143 offsetof(struct __sk_buff, hash)),
2146 .errstr = "invalid bpf_context access",
2150 "check __sk_buff->tc_index, offset 2, half store not permitted",
2152 BPF_MOV64_IMM(BPF_REG_0, 0),
2153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154 offsetof(struct __sk_buff, tc_index) + 2),
2157 .errstr = "invalid bpf_context access",
2161 "check skb->hash half load permitted",
2163 BPF_MOV64_IMM(BPF_REG_0, 0),
2164 #if __BYTE_ORDER == __LITTLE_ENDIAN
2165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2166 offsetof(struct __sk_buff, hash)),
2168 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2169 offsetof(struct __sk_buff, hash) + 2),
2176 "check skb->hash half load not permitted",
2178 BPF_MOV64_IMM(BPF_REG_0, 0),
2179 #if __BYTE_ORDER == __LITTLE_ENDIAN
2180 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2181 offsetof(struct __sk_buff, hash) + 2),
2183 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 offsetof(struct __sk_buff, hash)),
2188 .errstr = "invalid bpf_context access",
2192 "check cb access: half, wrong type",
2194 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2196 offsetof(struct __sk_buff, cb[0])),
2199 .errstr = "invalid bpf_context access",
2201 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2204 "check cb access: word",
2206 BPF_MOV64_IMM(BPF_REG_0, 0),
2207 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2208 offsetof(struct __sk_buff, cb[0])),
2209 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2210 offsetof(struct __sk_buff, cb[1])),
2211 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, cb[2])),
2213 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 offsetof(struct __sk_buff, cb[3])),
2215 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2216 offsetof(struct __sk_buff, cb[4])),
2217 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2218 offsetof(struct __sk_buff, cb[0])),
2219 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2220 offsetof(struct __sk_buff, cb[1])),
2221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2222 offsetof(struct __sk_buff, cb[2])),
2223 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2224 offsetof(struct __sk_buff, cb[3])),
2225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2226 offsetof(struct __sk_buff, cb[4])),
2232 "check cb access: word, unaligned 1",
2234 BPF_MOV64_IMM(BPF_REG_0, 0),
2235 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 offsetof(struct __sk_buff, cb[0]) + 2),
2239 .errstr = "misaligned context access",
2241 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2244 "check cb access: word, unaligned 2",
2246 BPF_MOV64_IMM(BPF_REG_0, 0),
2247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 offsetof(struct __sk_buff, cb[4]) + 1),
2251 .errstr = "misaligned context access",
2253 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2256 "check cb access: word, unaligned 3",
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2260 offsetof(struct __sk_buff, cb[4]) + 2),
2263 .errstr = "misaligned context access",
2265 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2268 "check cb access: word, unaligned 4",
2270 BPF_MOV64_IMM(BPF_REG_0, 0),
2271 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2272 offsetof(struct __sk_buff, cb[4]) + 3),
2275 .errstr = "misaligned context access",
2277 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2280 "check cb access: double",
2282 BPF_MOV64_IMM(BPF_REG_0, 0),
2283 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2284 offsetof(struct __sk_buff, cb[0])),
2285 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2286 offsetof(struct __sk_buff, cb[2])),
2287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2288 offsetof(struct __sk_buff, cb[0])),
2289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2290 offsetof(struct __sk_buff, cb[2])),
2296 "check cb access: double, unaligned 1",
2298 BPF_MOV64_IMM(BPF_REG_0, 0),
2299 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 offsetof(struct __sk_buff, cb[1])),
2303 .errstr = "misaligned context access",
2305 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2308 "check cb access: double, unaligned 2",
2310 BPF_MOV64_IMM(BPF_REG_0, 0),
2311 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2312 offsetof(struct __sk_buff, cb[3])),
2315 .errstr = "misaligned context access",
2317 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2320 "check cb access: double, oob 1",
2322 BPF_MOV64_IMM(BPF_REG_0, 0),
2323 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324 offsetof(struct __sk_buff, cb[4])),
2327 .errstr = "invalid bpf_context access",
2331 "check cb access: double, oob 2",
2333 BPF_MOV64_IMM(BPF_REG_0, 0),
2334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335 offsetof(struct __sk_buff, cb[4])),
2338 .errstr = "invalid bpf_context access",
2342 "check __sk_buff->ifindex dw store not permitted",
2344 BPF_MOV64_IMM(BPF_REG_0, 0),
2345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346 offsetof(struct __sk_buff, ifindex)),
2349 .errstr = "invalid bpf_context access",
2353 "check __sk_buff->ifindex dw load not permitted",
2355 BPF_MOV64_IMM(BPF_REG_0, 0),
2356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2357 offsetof(struct __sk_buff, ifindex)),
2360 .errstr = "invalid bpf_context access",
2364 "check cb access: double, wrong type",
2366 BPF_MOV64_IMM(BPF_REG_0, 0),
2367 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2368 offsetof(struct __sk_buff, cb[0])),
2371 .errstr = "invalid bpf_context access",
2373 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2376 "check out of range skb->cb access",
2378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2379 offsetof(struct __sk_buff, cb[0]) + 256),
2382 .errstr = "invalid bpf_context access",
2383 .errstr_unpriv = "",
2385 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2388 "write skb fields from socket prog",
2390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2391 offsetof(struct __sk_buff, cb[4])),
2392 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2393 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394 offsetof(struct __sk_buff, mark)),
2395 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2396 offsetof(struct __sk_buff, tc_index)),
2397 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2398 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2399 offsetof(struct __sk_buff, cb[0])),
2400 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2401 offsetof(struct __sk_buff, cb[2])),
2405 .errstr_unpriv = "R1 leaks addr",
2406 .result_unpriv = REJECT,
2409 "write skb fields from tc_cls_act prog",
2411 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2412 offsetof(struct __sk_buff, cb[0])),
2413 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2414 offsetof(struct __sk_buff, mark)),
2415 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2416 offsetof(struct __sk_buff, tc_index)),
2417 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2418 offsetof(struct __sk_buff, tc_index)),
2419 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2420 offsetof(struct __sk_buff, cb[3])),
2423 .errstr_unpriv = "",
2424 .result_unpriv = REJECT,
2426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2429 "PTR_TO_STACK store/load",
2431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2438 .retval = 0xfaceb00c,
2441 "PTR_TO_STACK store/load - bad alignment on off",
2443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2445 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2450 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2453 "PTR_TO_STACK store/load - bad alignment on reg",
2455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2457 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2462 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2465 "PTR_TO_STACK store/load - out of bounds low",
2467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2469 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2474 .errstr = "invalid stack off=-79992 size=8",
2477 "PTR_TO_STACK store/load - out of bounds high",
2479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2481 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2482 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2486 .errstr = "invalid stack off=0 size=8",
2489 "unpriv: return pointer",
2491 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2495 .result_unpriv = REJECT,
2496 .errstr_unpriv = "R0 leaks addr",
2497 .retval = POINTER_VALUE,
2500 "unpriv: add const to pointer",
2502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2503 BPF_MOV64_IMM(BPF_REG_0, 0),
2509 "unpriv: add pointer to pointer",
2511 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2512 BPF_MOV64_IMM(BPF_REG_0, 0),
2516 .errstr = "R1 pointer += pointer",
2519 "unpriv: neg pointer",
2521 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2522 BPF_MOV64_IMM(BPF_REG_0, 0),
2526 .result_unpriv = REJECT,
2527 .errstr_unpriv = "R1 pointer arithmetic",
2530 "unpriv: cmp pointer with const",
2532 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2533 BPF_MOV64_IMM(BPF_REG_0, 0),
2537 .result_unpriv = REJECT,
2538 .errstr_unpriv = "R1 pointer comparison",
2541 "unpriv: cmp pointer with pointer",
2543 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2544 BPF_MOV64_IMM(BPF_REG_0, 0),
2548 .result_unpriv = REJECT,
2549 .errstr_unpriv = "R10 pointer comparison",
2552 "unpriv: check that printk is disallowed",
2554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2557 BPF_MOV64_IMM(BPF_REG_2, 8),
2558 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2560 BPF_FUNC_trace_printk),
2561 BPF_MOV64_IMM(BPF_REG_0, 0),
2564 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2565 .result_unpriv = REJECT,
2569 "unpriv: pass pointer to helper function",
2571 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2574 BPF_LD_MAP_FD(BPF_REG_1, 0),
2575 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2576 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2577 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2578 BPF_FUNC_map_update_elem),
2579 BPF_MOV64_IMM(BPF_REG_0, 0),
2582 .fixup_map_hash_8b = { 3 },
2583 .errstr_unpriv = "R4 leaks addr",
2584 .result_unpriv = REJECT,
2588 "unpriv: indirectly pass pointer on stack to helper function",
2590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2593 BPF_LD_MAP_FD(BPF_REG_1, 0),
2594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2595 BPF_FUNC_map_lookup_elem),
2596 BPF_MOV64_IMM(BPF_REG_0, 0),
2599 .fixup_map_hash_8b = { 3 },
2600 .errstr = "invalid indirect read from stack off -8+0 size 8",
2604 "unpriv: mangle pointer on stack 1",
2606 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2608 BPF_MOV64_IMM(BPF_REG_0, 0),
2611 .errstr_unpriv = "attempt to corrupt spilled",
2612 .result_unpriv = REJECT,
2616 "unpriv: mangle pointer on stack 2",
2618 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2619 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2620 BPF_MOV64_IMM(BPF_REG_0, 0),
2623 .errstr_unpriv = "attempt to corrupt spilled",
2624 .result_unpriv = REJECT,
2628 "unpriv: read pointer from stack in small chunks",
2630 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2631 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2632 BPF_MOV64_IMM(BPF_REG_0, 0),
2635 .errstr = "invalid size",
2639 "unpriv: write pointer into ctx",
2641 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2642 BPF_MOV64_IMM(BPF_REG_0, 0),
2645 .errstr_unpriv = "R1 leaks addr",
2646 .result_unpriv = REJECT,
2647 .errstr = "invalid bpf_context access",
2651 "unpriv: spill/fill of ctx",
2653 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2655 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2656 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2657 BPF_MOV64_IMM(BPF_REG_0, 0),
2663 "unpriv: spill/fill of ctx 2",
2665 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2667 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2668 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2670 BPF_FUNC_get_hash_recalc),
2671 BPF_MOV64_IMM(BPF_REG_0, 0),
2675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 "unpriv: spill/fill of ctx 3",
2680 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2682 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2683 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2684 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2685 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2686 BPF_FUNC_get_hash_recalc),
2690 .errstr = "R1 type=fp expected=ctx",
2691 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2694 "unpriv: spill/fill of ctx 4",
2696 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 BPF_MOV64_IMM(BPF_REG_0, 1),
2700 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2702 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2704 BPF_FUNC_get_hash_recalc),
2708 .errstr = "R1 type=inv expected=ctx",
2709 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2712 "unpriv: spill/fill of different pointers stx",
2714 BPF_MOV64_IMM(BPF_REG_3, 42),
2715 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2720 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2721 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2722 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2724 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2725 offsetof(struct __sk_buff, mark)),
2726 BPF_MOV64_IMM(BPF_REG_0, 0),
2730 .errstr = "same insn cannot be used with different pointers",
2731 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2734 "unpriv: spill/fill of different pointers stx - ctx and sock",
2736 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2737 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2741 /* void *target = &foo; */
2742 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2744 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2745 /* if (skb == NULL) *target = sock; */
2746 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2747 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2748 /* else *target = skb; */
2749 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2750 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2751 /* struct __sk_buff *skb = *target; */
2752 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2753 /* skb->mark = 42; */
2754 BPF_MOV64_IMM(BPF_REG_3, 42),
2755 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2756 offsetof(struct __sk_buff, mark)),
2757 /* if (sk) bpf_sk_release(sk) */
2758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2759 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2760 BPF_MOV64_IMM(BPF_REG_0, 0),
2764 .errstr = "type=ctx expected=sock",
2765 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2768 "unpriv: spill/fill of different pointers stx - leak sock",
2770 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2771 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2775 /* void *target = &foo; */
2776 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2779 /* if (skb == NULL) *target = sock; */
2780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2781 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2782 /* else *target = skb; */
2783 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2784 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2785 /* struct __sk_buff *skb = *target; */
2786 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2787 /* skb->mark = 42; */
2788 BPF_MOV64_IMM(BPF_REG_3, 42),
2789 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2790 offsetof(struct __sk_buff, mark)),
2794 //.errstr = "same insn cannot be used with different pointers",
2795 .errstr = "Unreleased reference",
2796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2799 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2801 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2802 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2806 /* void *target = &foo; */
2807 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2810 /* if (skb) *target = skb */
2811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2812 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2813 /* else *target = sock */
2814 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2815 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2816 /* struct bpf_sock *sk = *target; */
2817 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2818 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 offsetof(struct bpf_sock, mark)),
2822 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2823 BPF_MOV64_IMM(BPF_REG_0, 0),
2827 .errstr = "same insn cannot be used with different pointers",
2828 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2831 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2833 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2834 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2838 /* void *target = &foo; */
2839 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2842 /* if (skb) *target = skb */
2843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2844 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2845 /* else *target = sock */
2846 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2847 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2848 /* struct bpf_sock *sk = *target; */
2849 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2850 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2851 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2852 BPF_MOV64_IMM(BPF_REG_3, 42),
2853 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2854 offsetof(struct bpf_sock, mark)),
2855 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2856 BPF_MOV64_IMM(BPF_REG_0, 0),
2860 //.errstr = "same insn cannot be used with different pointers",
2861 .errstr = "cannot write into socket",
2862 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2865 "unpriv: spill/fill of different pointers ldx",
2867 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2869 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2872 -(__s32)offsetof(struct bpf_perf_event_data,
2873 sample_period) - 8),
2874 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2875 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2877 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2878 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2879 offsetof(struct bpf_perf_event_data,
2881 BPF_MOV64_IMM(BPF_REG_0, 0),
2885 .errstr = "same insn cannot be used with different pointers",
2886 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2889 "unpriv: write pointer into map elem value",
2891 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2894 BPF_LD_MAP_FD(BPF_REG_1, 0),
2895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 BPF_FUNC_map_lookup_elem),
2897 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2898 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2901 .fixup_map_hash_8b = { 3 },
2902 .errstr_unpriv = "R0 leaks addr",
2903 .result_unpriv = REJECT,
2907 "unpriv: partial copy of pointer",
2909 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2910 BPF_MOV64_IMM(BPF_REG_0, 0),
2913 .errstr_unpriv = "R10 partial copy",
2914 .result_unpriv = REJECT,
2918 "unpriv: pass pointer to tail_call",
2920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2921 BPF_LD_MAP_FD(BPF_REG_2, 0),
2922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2923 BPF_FUNC_tail_call),
2924 BPF_MOV64_IMM(BPF_REG_0, 0),
2927 .fixup_prog1 = { 1 },
2928 .errstr_unpriv = "R3 leaks addr into helper",
2929 .result_unpriv = REJECT,
2933 "unpriv: cmp map pointer with zero",
2935 BPF_MOV64_IMM(BPF_REG_1, 0),
2936 BPF_LD_MAP_FD(BPF_REG_1, 0),
2937 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2938 BPF_MOV64_IMM(BPF_REG_0, 0),
2941 .fixup_map_hash_8b = { 1 },
2942 .errstr_unpriv = "R1 pointer comparison",
2943 .result_unpriv = REJECT,
2947 "unpriv: write into frame pointer",
2949 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2950 BPF_MOV64_IMM(BPF_REG_0, 0),
2953 .errstr = "frame pointer is read only",
2957 "unpriv: spill/fill frame pointer",
2959 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2961 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2962 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2963 BPF_MOV64_IMM(BPF_REG_0, 0),
2966 .errstr = "frame pointer is read only",
2970 "unpriv: cmp of frame pointer",
2972 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2973 BPF_MOV64_IMM(BPF_REG_0, 0),
2976 .errstr_unpriv = "R10 pointer comparison",
2977 .result_unpriv = REJECT,
2981 "unpriv: adding of fp",
2983 BPF_MOV64_IMM(BPF_REG_0, 0),
2984 BPF_MOV64_IMM(BPF_REG_1, 0),
2985 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2986 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2992 "unpriv: cmp of stack pointer",
2994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2997 BPF_MOV64_IMM(BPF_REG_0, 0),
3000 .errstr_unpriv = "R2 pointer comparison",
3001 .result_unpriv = REJECT,
3005 "runtime/jit: tail_call within bounds, prog once",
3007 BPF_MOV64_IMM(BPF_REG_3, 0),
3008 BPF_LD_MAP_FD(BPF_REG_2, 0),
3009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3010 BPF_FUNC_tail_call),
3011 BPF_MOV64_IMM(BPF_REG_0, 1),
3014 .fixup_prog1 = { 1 },
3019 "runtime/jit: tail_call within bounds, prog loop",
3021 BPF_MOV64_IMM(BPF_REG_3, 1),
3022 BPF_LD_MAP_FD(BPF_REG_2, 0),
3023 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3024 BPF_FUNC_tail_call),
3025 BPF_MOV64_IMM(BPF_REG_0, 1),
3028 .fixup_prog1 = { 1 },
3033 "runtime/jit: tail_call within bounds, no prog",
3035 BPF_MOV64_IMM(BPF_REG_3, 2),
3036 BPF_LD_MAP_FD(BPF_REG_2, 0),
3037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3038 BPF_FUNC_tail_call),
3039 BPF_MOV64_IMM(BPF_REG_0, 1),
3042 .fixup_prog1 = { 1 },
3047 "runtime/jit: tail_call out of bounds",
3049 BPF_MOV64_IMM(BPF_REG_3, 256),
3050 BPF_LD_MAP_FD(BPF_REG_2, 0),
3051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3052 BPF_FUNC_tail_call),
3053 BPF_MOV64_IMM(BPF_REG_0, 2),
3056 .fixup_prog1 = { 1 },
3061 "runtime/jit: pass negative index to tail_call",
3063 BPF_MOV64_IMM(BPF_REG_3, -1),
3064 BPF_LD_MAP_FD(BPF_REG_2, 0),
3065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3066 BPF_FUNC_tail_call),
3067 BPF_MOV64_IMM(BPF_REG_0, 2),
3070 .fixup_prog1 = { 1 },
3075 "runtime/jit: pass > 32bit index to tail_call",
3077 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3078 BPF_LD_MAP_FD(BPF_REG_2, 0),
3079 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3080 BPF_FUNC_tail_call),
3081 BPF_MOV64_IMM(BPF_REG_0, 2),
3084 .fixup_prog1 = { 2 },
3089 "stack pointer arithmetic",
3091 BPF_MOV64_IMM(BPF_REG_1, 4),
3092 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3093 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3096 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3097 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3098 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3099 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3101 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3102 BPF_MOV64_IMM(BPF_REG_0, 0),
3108 "raw_stack: no skb_load_bytes",
3110 BPF_MOV64_IMM(BPF_REG_2, 4),
3111 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3113 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3114 BPF_MOV64_IMM(BPF_REG_4, 8),
3115 /* Call to skb_load_bytes() omitted. */
3116 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3120 .errstr = "invalid read from stack off -8+0 size 8",
3121 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3124 "raw_stack: skb_load_bytes, negative len",
3126 BPF_MOV64_IMM(BPF_REG_2, 4),
3127 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3129 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3130 BPF_MOV64_IMM(BPF_REG_4, -8),
3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 BPF_FUNC_skb_load_bytes),
3133 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3137 .errstr = "R4 min value is negative",
3138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3141 "raw_stack: skb_load_bytes, negative len 2",
3143 BPF_MOV64_IMM(BPF_REG_2, 4),
3144 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3145 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3146 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3147 BPF_MOV64_IMM(BPF_REG_4, ~0),
3148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3149 BPF_FUNC_skb_load_bytes),
3150 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3154 .errstr = "R4 min value is negative",
3155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3158 "raw_stack: skb_load_bytes, zero len",
3160 BPF_MOV64_IMM(BPF_REG_2, 4),
3161 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3163 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3164 BPF_MOV64_IMM(BPF_REG_4, 0),
3165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3166 BPF_FUNC_skb_load_bytes),
3167 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3171 .errstr = "invalid stack type R3",
3172 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3175 "raw_stack: skb_load_bytes, no init",
3177 BPF_MOV64_IMM(BPF_REG_2, 4),
3178 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3180 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3181 BPF_MOV64_IMM(BPF_REG_4, 8),
3182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3183 BPF_FUNC_skb_load_bytes),
3184 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3188 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3191 "raw_stack: skb_load_bytes, init",
3193 BPF_MOV64_IMM(BPF_REG_2, 4),
3194 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3196 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3197 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3198 BPF_MOV64_IMM(BPF_REG_4, 8),
3199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3200 BPF_FUNC_skb_load_bytes),
3201 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3205 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3208 "raw_stack: skb_load_bytes, spilled regs around bounds",
3210 BPF_MOV64_IMM(BPF_REG_2, 4),
3211 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3213 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3214 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3215 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3216 BPF_MOV64_IMM(BPF_REG_4, 8),
3217 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3218 BPF_FUNC_skb_load_bytes),
3219 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3220 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3222 offsetof(struct __sk_buff, mark)),
3223 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3224 offsetof(struct __sk_buff, priority)),
3225 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3229 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3232 "raw_stack: skb_load_bytes, spilled regs corruption",
3234 BPF_MOV64_IMM(BPF_REG_2, 4),
3235 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3237 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3238 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3239 BPF_MOV64_IMM(BPF_REG_4, 8),
3240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3241 BPF_FUNC_skb_load_bytes),
3242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3243 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3244 offsetof(struct __sk_buff, mark)),
3248 .errstr = "R0 invalid mem access 'inv'",
3249 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3252 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3254 BPF_MOV64_IMM(BPF_REG_2, 4),
3255 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3257 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3258 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3260 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3261 BPF_MOV64_IMM(BPF_REG_4, 8),
3262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3263 BPF_FUNC_skb_load_bytes),
3264 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3265 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3266 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3267 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3268 offsetof(struct __sk_buff, mark)),
3269 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3270 offsetof(struct __sk_buff, priority)),
3271 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3272 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3273 offsetof(struct __sk_buff, pkt_type)),
3274 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3278 .errstr = "R3 invalid mem access 'inv'",
3279 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3282 "raw_stack: skb_load_bytes, spilled regs + data",
3284 BPF_MOV64_IMM(BPF_REG_2, 4),
3285 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3287 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3288 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3289 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3290 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3291 BPF_MOV64_IMM(BPF_REG_4, 8),
3292 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3293 BPF_FUNC_skb_load_bytes),
3294 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3295 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3296 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3297 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3298 offsetof(struct __sk_buff, mark)),
3299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3300 offsetof(struct __sk_buff, priority)),
3301 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3302 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3309 "raw_stack: skb_load_bytes, invalid access 1",
3311 BPF_MOV64_IMM(BPF_REG_2, 4),
3312 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3314 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3315 BPF_MOV64_IMM(BPF_REG_4, 8),
3316 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3317 BPF_FUNC_skb_load_bytes),
3318 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3322 .errstr = "invalid stack type R3 off=-513 access_size=8",
3323 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3326 "raw_stack: skb_load_bytes, invalid access 2",
3328 BPF_MOV64_IMM(BPF_REG_2, 4),
3329 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3331 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3332 BPF_MOV64_IMM(BPF_REG_4, 8),
3333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3334 BPF_FUNC_skb_load_bytes),
3335 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3339 .errstr = "invalid stack type R3 off=-1 access_size=8",
3340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3343 "raw_stack: skb_load_bytes, invalid access 3",
3345 BPF_MOV64_IMM(BPF_REG_2, 4),
3346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3348 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3349 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3350 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3351 BPF_FUNC_skb_load_bytes),
3352 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3356 .errstr = "R4 min value is negative",
3357 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3360 "raw_stack: skb_load_bytes, invalid access 4",
3362 BPF_MOV64_IMM(BPF_REG_2, 4),
3363 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3365 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3366 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3368 BPF_FUNC_skb_load_bytes),
3369 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3373 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3377 "raw_stack: skb_load_bytes, invalid access 5",
3379 BPF_MOV64_IMM(BPF_REG_2, 4),
3380 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3382 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3383 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3385 BPF_FUNC_skb_load_bytes),
3386 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3390 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3394 "raw_stack: skb_load_bytes, invalid access 6",
3396 BPF_MOV64_IMM(BPF_REG_2, 4),
3397 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3399 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3400 BPF_MOV64_IMM(BPF_REG_4, 0),
3401 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3402 BPF_FUNC_skb_load_bytes),
3403 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3407 .errstr = "invalid stack type R3 off=-512 access_size=0",
3408 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3411 "raw_stack: skb_load_bytes, large access",
3413 BPF_MOV64_IMM(BPF_REG_2, 4),
3414 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3416 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3417 BPF_MOV64_IMM(BPF_REG_4, 512),
3418 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3419 BPF_FUNC_skb_load_bytes),
3420 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3424 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3427 "context stores via ST",
3429 BPF_MOV64_IMM(BPF_REG_0, 0),
3430 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3433 .errstr = "BPF_ST stores into R1 ctx is not allowed",
3435 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3438 "context stores via XADD",
3440 BPF_MOV64_IMM(BPF_REG_0, 0),
3441 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3442 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3445 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
3447 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3450 "direct packet access: test1",
3452 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3453 offsetof(struct __sk_buff, data)),
3454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3455 offsetof(struct __sk_buff, data_end)),
3456 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3458 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3459 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3460 BPF_MOV64_IMM(BPF_REG_0, 0),
3464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3467 "direct packet access: test2",
3469 BPF_MOV64_IMM(BPF_REG_0, 1),
3470 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3471 offsetof(struct __sk_buff, data_end)),
3472 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3473 offsetof(struct __sk_buff, data)),
3474 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3476 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3477 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3478 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3479 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3481 offsetof(struct __sk_buff, data)),
3482 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3483 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3484 offsetof(struct __sk_buff, len)),
3485 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3486 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3487 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3490 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3491 offsetof(struct __sk_buff, data_end)),
3492 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3493 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3494 BPF_MOV64_IMM(BPF_REG_0, 0),
3498 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3501 "direct packet access: test3",
3503 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3504 offsetof(struct __sk_buff, data)),
3505 BPF_MOV64_IMM(BPF_REG_0, 0),
3508 .errstr = "invalid bpf_context access off=76",
3510 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3513 "direct packet access: test4 (write)",
3515 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3516 offsetof(struct __sk_buff, data)),
3517 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3518 offsetof(struct __sk_buff, data_end)),
3519 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3521 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3522 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3523 BPF_MOV64_IMM(BPF_REG_0, 0),
3527 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3530 "direct packet access: test5 (pkt_end >= reg, good access)",
3532 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3533 offsetof(struct __sk_buff, data)),
3534 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3535 offsetof(struct __sk_buff, data_end)),
3536 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3538 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3539 BPF_MOV64_IMM(BPF_REG_0, 1),
3541 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3542 BPF_MOV64_IMM(BPF_REG_0, 0),
3546 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3549 "direct packet access: test6 (pkt_end >= reg, bad access)",
3551 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3552 offsetof(struct __sk_buff, data)),
3553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554 offsetof(struct __sk_buff, data_end)),
3555 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3557 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3558 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3559 BPF_MOV64_IMM(BPF_REG_0, 1),
3561 BPF_MOV64_IMM(BPF_REG_0, 0),
3564 .errstr = "invalid access to packet",
3566 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3569 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3571 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3572 offsetof(struct __sk_buff, data)),
3573 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3574 offsetof(struct __sk_buff, data_end)),
3575 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3576 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3577 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3578 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3579 BPF_MOV64_IMM(BPF_REG_0, 1),
3581 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3582 BPF_MOV64_IMM(BPF_REG_0, 0),
3585 .errstr = "invalid access to packet",
3587 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3590 "direct packet access: test8 (double test, variant 1)",
3592 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3593 offsetof(struct __sk_buff, data)),
3594 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3595 offsetof(struct __sk_buff, data_end)),
3596 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3598 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3599 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3600 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3601 BPF_MOV64_IMM(BPF_REG_0, 1),
3603 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3604 BPF_MOV64_IMM(BPF_REG_0, 0),
3608 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611 "direct packet access: test9 (double test, variant 2)",
3613 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3614 offsetof(struct __sk_buff, data)),
3615 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3616 offsetof(struct __sk_buff, data_end)),
3617 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3619 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3620 BPF_MOV64_IMM(BPF_REG_0, 1),
3622 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3623 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3624 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3625 BPF_MOV64_IMM(BPF_REG_0, 0),
3629 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3632 "direct packet access: test10 (write invalid)",
3634 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3635 offsetof(struct __sk_buff, data)),
3636 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3637 offsetof(struct __sk_buff, data_end)),
3638 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3640 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3641 BPF_MOV64_IMM(BPF_REG_0, 0),
3643 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3644 BPF_MOV64_IMM(BPF_REG_0, 0),
3647 .errstr = "invalid access to packet",
3649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3652 "direct packet access: test11 (shift, good access)",
3654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3655 offsetof(struct __sk_buff, data)),
3656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3657 offsetof(struct __sk_buff, data_end)),
3658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3661 BPF_MOV64_IMM(BPF_REG_3, 144),
3662 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3664 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3665 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3666 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3667 BPF_MOV64_IMM(BPF_REG_0, 1),
3669 BPF_MOV64_IMM(BPF_REG_0, 0),
3673 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3677 "direct packet access: test12 (and, good access)",
3679 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3680 offsetof(struct __sk_buff, data)),
3681 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3682 offsetof(struct __sk_buff, data_end)),
3683 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3685 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3686 BPF_MOV64_IMM(BPF_REG_3, 144),
3687 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3689 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3690 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3691 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3692 BPF_MOV64_IMM(BPF_REG_0, 1),
3694 BPF_MOV64_IMM(BPF_REG_0, 0),
3698 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3702 "direct packet access: test13 (branches, good access)",
3704 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3705 offsetof(struct __sk_buff, data)),
3706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3707 offsetof(struct __sk_buff, data_end)),
3708 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3711 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3712 offsetof(struct __sk_buff, mark)),
3713 BPF_MOV64_IMM(BPF_REG_4, 1),
3714 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3715 BPF_MOV64_IMM(BPF_REG_3, 14),
3716 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3717 BPF_MOV64_IMM(BPF_REG_3, 24),
3718 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3720 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3721 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3722 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3723 BPF_MOV64_IMM(BPF_REG_0, 1),
3725 BPF_MOV64_IMM(BPF_REG_0, 0),
3729 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3733 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3735 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3736 offsetof(struct __sk_buff, data)),
3737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3738 offsetof(struct __sk_buff, data_end)),
3739 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3741 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3742 BPF_MOV64_IMM(BPF_REG_5, 12),
3743 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3744 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3745 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3746 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3747 BPF_MOV64_IMM(BPF_REG_0, 1),
3749 BPF_MOV64_IMM(BPF_REG_0, 0),
3753 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3757 "direct packet access: test15 (spill with xadd)",
3759 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3760 offsetof(struct __sk_buff, data)),
3761 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3762 offsetof(struct __sk_buff, data_end)),
3763 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3765 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3766 BPF_MOV64_IMM(BPF_REG_5, 4096),
3767 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3769 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3770 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3771 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3772 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3773 BPF_MOV64_IMM(BPF_REG_0, 0),
3776 .errstr = "R2 invalid mem access 'inv'",
3778 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3781 "direct packet access: test16 (arith on data_end)",
3783 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3784 offsetof(struct __sk_buff, data)),
3785 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3786 offsetof(struct __sk_buff, data_end)),
3787 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3790 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3791 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3792 BPF_MOV64_IMM(BPF_REG_0, 0),
3795 .errstr = "R3 pointer arithmetic on pkt_end",
3797 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3800 "direct packet access: test17 (pruning, alignment)",
3802 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3803 offsetof(struct __sk_buff, data)),
3804 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3805 offsetof(struct __sk_buff, data_end)),
3806 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3807 offsetof(struct __sk_buff, mark)),
3808 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3810 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3811 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3812 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3813 BPF_MOV64_IMM(BPF_REG_0, 0),
3815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3818 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3820 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3821 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3824 "direct packet access: test18 (imm += pkt_ptr, 1)",
3826 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3827 offsetof(struct __sk_buff, data)),
3828 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3829 offsetof(struct __sk_buff, data_end)),
3830 BPF_MOV64_IMM(BPF_REG_0, 8),
3831 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3832 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3833 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3834 BPF_MOV64_IMM(BPF_REG_0, 0),
3838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3841 "direct packet access: test19 (imm += pkt_ptr, 2)",
3843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3844 offsetof(struct __sk_buff, data)),
3845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3846 offsetof(struct __sk_buff, data_end)),
3847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3850 BPF_MOV64_IMM(BPF_REG_4, 4),
3851 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3852 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3853 BPF_MOV64_IMM(BPF_REG_0, 0),
3857 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3860 "direct packet access: test20 (x += pkt_ptr, 1)",
3862 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3863 offsetof(struct __sk_buff, data)),
3864 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3865 offsetof(struct __sk_buff, data_end)),
3866 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3868 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3869 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3870 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3871 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3872 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3874 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3875 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3876 BPF_MOV64_IMM(BPF_REG_0, 0),
3879 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3883 "direct packet access: test21 (x += pkt_ptr, 2)",
3885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3886 offsetof(struct __sk_buff, data)),
3887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3888 offsetof(struct __sk_buff, data_end)),
3889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3891 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3892 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3894 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3895 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3896 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3897 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3899 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3900 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3901 BPF_MOV64_IMM(BPF_REG_0, 0),
3904 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3908 "direct packet access: test22 (x += pkt_ptr, 3)",
3910 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3911 offsetof(struct __sk_buff, data)),
3912 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3913 offsetof(struct __sk_buff, data_end)),
3914 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3916 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3917 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3918 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3919 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3920 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3921 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3922 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3923 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3924 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3925 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3926 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3928 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3929 BPF_MOV64_IMM(BPF_REG_2, 1),
3930 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3931 BPF_MOV64_IMM(BPF_REG_0, 0),
3934 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3938 "direct packet access: test23 (x += pkt_ptr, 4)",
3940 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3941 offsetof(struct __sk_buff, data)),
3942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3943 offsetof(struct __sk_buff, data_end)),
3944 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3945 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3947 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3948 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3949 BPF_MOV64_IMM(BPF_REG_0, 31),
3950 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3951 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3952 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3954 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3955 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3956 BPF_MOV64_IMM(BPF_REG_0, 0),
3959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3961 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3964 "direct packet access: test24 (x += pkt_ptr, 5)",
3966 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3967 offsetof(struct __sk_buff, data)),
3968 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3969 offsetof(struct __sk_buff, data_end)),
3970 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3971 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3972 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3973 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3974 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3975 BPF_MOV64_IMM(BPF_REG_0, 64),
3976 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3977 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3978 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3980 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3981 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3982 BPF_MOV64_IMM(BPF_REG_0, 0),
3985 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3989 "direct packet access: test25 (marking on <, good access)",
3991 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3992 offsetof(struct __sk_buff, data)),
3993 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3994 offsetof(struct __sk_buff, data_end)),
3995 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3997 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3998 BPF_MOV64_IMM(BPF_REG_0, 0),
4000 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4001 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4004 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4007 "direct packet access: test26 (marking on <, bad access)",
4009 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4010 offsetof(struct __sk_buff, data)),
4011 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4012 offsetof(struct __sk_buff, data_end)),
4013 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4015 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4016 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4017 BPF_MOV64_IMM(BPF_REG_0, 0),
4019 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4022 .errstr = "invalid access to packet",
4023 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4026 "direct packet access: test27 (marking on <=, good access)",
4028 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4029 offsetof(struct __sk_buff, data)),
4030 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4031 offsetof(struct __sk_buff, data_end)),
4032 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4034 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4036 BPF_MOV64_IMM(BPF_REG_0, 1),
4040 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4044 "direct packet access: test28 (marking on <=, bad access)",
4046 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4047 offsetof(struct __sk_buff, data)),
4048 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4049 offsetof(struct __sk_buff, data_end)),
4050 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4052 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4053 BPF_MOV64_IMM(BPF_REG_0, 1),
4055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4056 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4059 .errstr = "invalid access to packet",
4060 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4063 "helper access to packet: test1, valid packet_ptr range",
4065 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4066 offsetof(struct xdp_md, data)),
4067 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4068 offsetof(struct xdp_md, data_end)),
4069 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4071 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4072 BPF_LD_MAP_FD(BPF_REG_1, 0),
4073 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4074 BPF_MOV64_IMM(BPF_REG_4, 0),
4075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4076 BPF_FUNC_map_update_elem),
4077 BPF_MOV64_IMM(BPF_REG_0, 0),
4080 .fixup_map_hash_8b = { 5 },
4081 .result_unpriv = ACCEPT,
4083 .prog_type = BPF_PROG_TYPE_XDP,
4086 "helper access to packet: test2, unchecked packet_ptr",
4088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4089 offsetof(struct xdp_md, data)),
4090 BPF_LD_MAP_FD(BPF_REG_1, 0),
4091 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4092 BPF_FUNC_map_lookup_elem),
4093 BPF_MOV64_IMM(BPF_REG_0, 0),
4096 .fixup_map_hash_8b = { 1 },
4098 .errstr = "invalid access to packet",
4099 .prog_type = BPF_PROG_TYPE_XDP,
4102 "helper access to packet: test3, variable add",
4104 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4105 offsetof(struct xdp_md, data)),
4106 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4107 offsetof(struct xdp_md, data_end)),
4108 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4110 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4111 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4112 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4113 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4114 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4116 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4117 BPF_LD_MAP_FD(BPF_REG_1, 0),
4118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4120 BPF_FUNC_map_lookup_elem),
4121 BPF_MOV64_IMM(BPF_REG_0, 0),
4124 .fixup_map_hash_8b = { 11 },
4126 .prog_type = BPF_PROG_TYPE_XDP,
4129 "helper access to packet: test4, packet_ptr with bad range",
4131 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4132 offsetof(struct xdp_md, data)),
4133 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4134 offsetof(struct xdp_md, data_end)),
4135 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4137 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4138 BPF_MOV64_IMM(BPF_REG_0, 0),
4140 BPF_LD_MAP_FD(BPF_REG_1, 0),
4141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4142 BPF_FUNC_map_lookup_elem),
4143 BPF_MOV64_IMM(BPF_REG_0, 0),
4146 .fixup_map_hash_8b = { 7 },
4148 .errstr = "invalid access to packet",
4149 .prog_type = BPF_PROG_TYPE_XDP,
4152 "helper access to packet: test5, packet_ptr with too short range",
4154 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4155 offsetof(struct xdp_md, data)),
4156 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4157 offsetof(struct xdp_md, data_end)),
4158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4159 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4161 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4162 BPF_LD_MAP_FD(BPF_REG_1, 0),
4163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4164 BPF_FUNC_map_lookup_elem),
4165 BPF_MOV64_IMM(BPF_REG_0, 0),
4168 .fixup_map_hash_8b = { 6 },
4170 .errstr = "invalid access to packet",
4171 .prog_type = BPF_PROG_TYPE_XDP,
4174 "helper access to packet: test6, cls valid packet_ptr range",
4176 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4177 offsetof(struct __sk_buff, data)),
4178 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4179 offsetof(struct __sk_buff, data_end)),
4180 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4182 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4183 BPF_LD_MAP_FD(BPF_REG_1, 0),
4184 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4185 BPF_MOV64_IMM(BPF_REG_4, 0),
4186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4187 BPF_FUNC_map_update_elem),
4188 BPF_MOV64_IMM(BPF_REG_0, 0),
4191 .fixup_map_hash_8b = { 5 },
4193 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4196 "helper access to packet: test7, cls unchecked packet_ptr",
4198 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4199 offsetof(struct __sk_buff, data)),
4200 BPF_LD_MAP_FD(BPF_REG_1, 0),
4201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4202 BPF_FUNC_map_lookup_elem),
4203 BPF_MOV64_IMM(BPF_REG_0, 0),
4206 .fixup_map_hash_8b = { 1 },
4208 .errstr = "invalid access to packet",
4209 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4212 "helper access to packet: test8, cls variable add",
4214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4215 offsetof(struct __sk_buff, data)),
4216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4217 offsetof(struct __sk_buff, data_end)),
4218 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4220 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4221 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4222 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4223 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4224 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4226 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4227 BPF_LD_MAP_FD(BPF_REG_1, 0),
4228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4229 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4230 BPF_FUNC_map_lookup_elem),
4231 BPF_MOV64_IMM(BPF_REG_0, 0),
4234 .fixup_map_hash_8b = { 11 },
4236 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4239 "helper access to packet: test9, cls packet_ptr with bad range",
4241 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4242 offsetof(struct __sk_buff, data)),
4243 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4244 offsetof(struct __sk_buff, data_end)),
4245 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4247 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4248 BPF_MOV64_IMM(BPF_REG_0, 0),
4250 BPF_LD_MAP_FD(BPF_REG_1, 0),
4251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4252 BPF_FUNC_map_lookup_elem),
4253 BPF_MOV64_IMM(BPF_REG_0, 0),
4256 .fixup_map_hash_8b = { 7 },
4258 .errstr = "invalid access to packet",
4259 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4262 "helper access to packet: test10, cls packet_ptr with too short range",
4264 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4265 offsetof(struct __sk_buff, data)),
4266 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4267 offsetof(struct __sk_buff, data_end)),
4268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4269 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4271 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4272 BPF_LD_MAP_FD(BPF_REG_1, 0),
4273 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4274 BPF_FUNC_map_lookup_elem),
4275 BPF_MOV64_IMM(BPF_REG_0, 0),
4278 .fixup_map_hash_8b = { 6 },
4280 .errstr = "invalid access to packet",
4281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4284 "helper access to packet: test11, cls unsuitable helper 1",
4286 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4287 offsetof(struct __sk_buff, data)),
4288 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4289 offsetof(struct __sk_buff, data_end)),
4290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4291 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4293 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4294 BPF_MOV64_IMM(BPF_REG_2, 0),
4295 BPF_MOV64_IMM(BPF_REG_4, 42),
4296 BPF_MOV64_IMM(BPF_REG_5, 0),
4297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4298 BPF_FUNC_skb_store_bytes),
4299 BPF_MOV64_IMM(BPF_REG_0, 0),
4303 .errstr = "helper access to the packet",
4304 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4307 "helper access to packet: test12, cls unsuitable helper 2",
4309 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4310 offsetof(struct __sk_buff, data)),
4311 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4312 offsetof(struct __sk_buff, data_end)),
4313 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4315 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4316 BPF_MOV64_IMM(BPF_REG_2, 0),
4317 BPF_MOV64_IMM(BPF_REG_4, 4),
4318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4319 BPF_FUNC_skb_load_bytes),
4320 BPF_MOV64_IMM(BPF_REG_0, 0),
4324 .errstr = "helper access to the packet",
4325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4328 "helper access to packet: test13, cls helper ok",
4330 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4331 offsetof(struct __sk_buff, data)),
4332 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4333 offsetof(struct __sk_buff, data_end)),
4334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4337 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4339 BPF_MOV64_IMM(BPF_REG_2, 4),
4340 BPF_MOV64_IMM(BPF_REG_3, 0),
4341 BPF_MOV64_IMM(BPF_REG_4, 0),
4342 BPF_MOV64_IMM(BPF_REG_5, 0),
4343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4344 BPF_FUNC_csum_diff),
4345 BPF_MOV64_IMM(BPF_REG_0, 0),
4349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4352 "helper access to packet: test14, cls helper ok sub",
4354 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4355 offsetof(struct __sk_buff, data)),
4356 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4357 offsetof(struct __sk_buff, data_end)),
4358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4361 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4362 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4363 BPF_MOV64_IMM(BPF_REG_2, 4),
4364 BPF_MOV64_IMM(BPF_REG_3, 0),
4365 BPF_MOV64_IMM(BPF_REG_4, 0),
4366 BPF_MOV64_IMM(BPF_REG_5, 0),
4367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4368 BPF_FUNC_csum_diff),
4369 BPF_MOV64_IMM(BPF_REG_0, 0),
4373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4376 "helper access to packet: test15, cls helper fail sub",
4378 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4379 offsetof(struct __sk_buff, data)),
4380 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4381 offsetof(struct __sk_buff, data_end)),
4382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4385 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4386 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4387 BPF_MOV64_IMM(BPF_REG_2, 4),
4388 BPF_MOV64_IMM(BPF_REG_3, 0),
4389 BPF_MOV64_IMM(BPF_REG_4, 0),
4390 BPF_MOV64_IMM(BPF_REG_5, 0),
4391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4392 BPF_FUNC_csum_diff),
4393 BPF_MOV64_IMM(BPF_REG_0, 0),
4397 .errstr = "invalid access to packet",
4398 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4401 "helper access to packet: test16, cls helper fail range 1",
4403 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4404 offsetof(struct __sk_buff, data)),
4405 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4406 offsetof(struct __sk_buff, data_end)),
4407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4410 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4412 BPF_MOV64_IMM(BPF_REG_2, 8),
4413 BPF_MOV64_IMM(BPF_REG_3, 0),
4414 BPF_MOV64_IMM(BPF_REG_4, 0),
4415 BPF_MOV64_IMM(BPF_REG_5, 0),
4416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4417 BPF_FUNC_csum_diff),
4418 BPF_MOV64_IMM(BPF_REG_0, 0),
4422 .errstr = "invalid access to packet",
4423 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4426 "helper access to packet: test17, cls helper fail range 2",
4428 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4429 offsetof(struct __sk_buff, data)),
4430 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4431 offsetof(struct __sk_buff, data_end)),
4432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4435 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4436 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4437 BPF_MOV64_IMM(BPF_REG_2, -9),
4438 BPF_MOV64_IMM(BPF_REG_3, 0),
4439 BPF_MOV64_IMM(BPF_REG_4, 0),
4440 BPF_MOV64_IMM(BPF_REG_5, 0),
4441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4442 BPF_FUNC_csum_diff),
4443 BPF_MOV64_IMM(BPF_REG_0, 0),
4447 .errstr = "R2 min value is negative",
4448 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4451 "helper access to packet: test18, cls helper fail range 3",
4453 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4454 offsetof(struct __sk_buff, data)),
4455 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4456 offsetof(struct __sk_buff, data_end)),
4457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4460 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4461 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4462 BPF_MOV64_IMM(BPF_REG_2, ~0),
4463 BPF_MOV64_IMM(BPF_REG_3, 0),
4464 BPF_MOV64_IMM(BPF_REG_4, 0),
4465 BPF_MOV64_IMM(BPF_REG_5, 0),
4466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467 BPF_FUNC_csum_diff),
4468 BPF_MOV64_IMM(BPF_REG_0, 0),
4472 .errstr = "R2 min value is negative",
4473 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4476 "helper access to packet: test19, cls helper range zero",
4478 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4479 offsetof(struct __sk_buff, data)),
4480 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4481 offsetof(struct __sk_buff, data_end)),
4482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4483 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4485 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4486 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4487 BPF_MOV64_IMM(BPF_REG_2, 0),
4488 BPF_MOV64_IMM(BPF_REG_3, 0),
4489 BPF_MOV64_IMM(BPF_REG_4, 0),
4490 BPF_MOV64_IMM(BPF_REG_5, 0),
4491 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4492 BPF_FUNC_csum_diff),
4493 BPF_MOV64_IMM(BPF_REG_0, 0),
4497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4500 "helper access to packet: test20, pkt end as input",
4502 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4503 offsetof(struct __sk_buff, data)),
4504 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4505 offsetof(struct __sk_buff, data_end)),
4506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4507 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4509 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4510 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4511 BPF_MOV64_IMM(BPF_REG_2, 4),
4512 BPF_MOV64_IMM(BPF_REG_3, 0),
4513 BPF_MOV64_IMM(BPF_REG_4, 0),
4514 BPF_MOV64_IMM(BPF_REG_5, 0),
4515 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4516 BPF_FUNC_csum_diff),
4517 BPF_MOV64_IMM(BPF_REG_0, 0),
4521 .errstr = "R1 type=pkt_end expected=fp",
4522 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4525 "helper access to packet: test21, wrong reg",
4527 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4528 offsetof(struct __sk_buff, data)),
4529 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4530 offsetof(struct __sk_buff, data_end)),
4531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4534 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4535 BPF_MOV64_IMM(BPF_REG_2, 4),
4536 BPF_MOV64_IMM(BPF_REG_3, 0),
4537 BPF_MOV64_IMM(BPF_REG_4, 0),
4538 BPF_MOV64_IMM(BPF_REG_5, 0),
4539 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4540 BPF_FUNC_csum_diff),
4541 BPF_MOV64_IMM(BPF_REG_0, 0),
4545 .errstr = "invalid access to packet",
4546 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4549 "prevent map lookup in sockmap",
4551 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4552 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4554 BPF_LD_MAP_FD(BPF_REG_1, 0),
4555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4556 BPF_FUNC_map_lookup_elem),
4559 .fixup_map_sockmap = { 3 },
4561 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4562 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4565 "prevent map lookup in sockhash",
4567 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4568 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4570 BPF_LD_MAP_FD(BPF_REG_1, 0),
4571 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4572 BPF_FUNC_map_lookup_elem),
4575 .fixup_map_sockhash = { 3 },
4577 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4578 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4581 "prevent map lookup in xskmap",
4583 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4586 BPF_LD_MAP_FD(BPF_REG_1, 0),
4587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4588 BPF_FUNC_map_lookup_elem),
4591 .fixup_map_xskmap = { 3 },
4593 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4594 .prog_type = BPF_PROG_TYPE_XDP,
4597 "prevent map lookup in stack trace",
4599 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4600 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4602 BPF_LD_MAP_FD(BPF_REG_1, 0),
4603 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4604 BPF_FUNC_map_lookup_elem),
4607 .fixup_map_stacktrace = { 3 },
4609 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4610 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4613 "prevent map lookup in prog array",
4615 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4616 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4617 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4618 BPF_LD_MAP_FD(BPF_REG_1, 0),
4619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4620 BPF_FUNC_map_lookup_elem),
4623 .fixup_prog2 = { 3 },
4625 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4628 "valid map access into an array with a constant",
4630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4631 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4633 BPF_LD_MAP_FD(BPF_REG_1, 0),
4634 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4635 BPF_FUNC_map_lookup_elem),
4636 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4637 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4638 offsetof(struct test_val, foo)),
4641 .fixup_map_hash_48b = { 3 },
4642 .errstr_unpriv = "R0 leaks addr",
4643 .result_unpriv = REJECT,
4647 "valid map access into an array with a register",
4649 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4650 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4652 BPF_LD_MAP_FD(BPF_REG_1, 0),
4653 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4654 BPF_FUNC_map_lookup_elem),
4655 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4656 BPF_MOV64_IMM(BPF_REG_1, 4),
4657 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4658 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4659 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4660 offsetof(struct test_val, foo)),
4663 .fixup_map_hash_48b = { 3 },
4664 .errstr_unpriv = "R0 leaks addr",
4665 .result_unpriv = REJECT,
4667 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4670 "valid map access into an array with a variable",
4672 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4675 BPF_LD_MAP_FD(BPF_REG_1, 0),
4676 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4677 BPF_FUNC_map_lookup_elem),
4678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4679 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4680 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4681 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4682 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4683 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4684 offsetof(struct test_val, foo)),
4687 .fixup_map_hash_48b = { 3 },
4688 .errstr_unpriv = "R0 leaks addr",
4689 .result_unpriv = REJECT,
4691 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4694 "valid map access into an array with a signed variable",
4696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4699 BPF_LD_MAP_FD(BPF_REG_1, 0),
4700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4701 BPF_FUNC_map_lookup_elem),
4702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4703 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4704 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4705 BPF_MOV32_IMM(BPF_REG_1, 0),
4706 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4707 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4708 BPF_MOV32_IMM(BPF_REG_1, 0),
4709 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4710 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4711 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4712 offsetof(struct test_val, foo)),
4715 .fixup_map_hash_48b = { 3 },
4716 .errstr_unpriv = "R0 leaks addr",
4717 .result_unpriv = REJECT,
4719 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4722 "invalid map access into an array with a constant",
4724 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4727 BPF_LD_MAP_FD(BPF_REG_1, 0),
4728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4729 BPF_FUNC_map_lookup_elem),
4730 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4731 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4732 offsetof(struct test_val, foo)),
4735 .fixup_map_hash_48b = { 3 },
4736 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4740 "invalid map access into an array with a register",
4742 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4743 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4745 BPF_LD_MAP_FD(BPF_REG_1, 0),
4746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4747 BPF_FUNC_map_lookup_elem),
4748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4749 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4750 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4751 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4752 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4753 offsetof(struct test_val, foo)),
4756 .fixup_map_hash_48b = { 3 },
4757 .errstr = "R0 min value is outside of the array range",
4759 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4762 "invalid map access into an array with a variable",
4764 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4765 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4767 BPF_LD_MAP_FD(BPF_REG_1, 0),
4768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4769 BPF_FUNC_map_lookup_elem),
4770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4771 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4772 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4773 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4774 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4775 offsetof(struct test_val, foo)),
4778 .fixup_map_hash_48b = { 3 },
4779 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4781 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4784 "invalid map access into an array with no floor check",
4786 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4789 BPF_LD_MAP_FD(BPF_REG_1, 0),
4790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4791 BPF_FUNC_map_lookup_elem),
4792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4793 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4794 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4795 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4796 BPF_MOV32_IMM(BPF_REG_1, 0),
4797 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4798 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4799 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4800 offsetof(struct test_val, foo)),
4803 .fixup_map_hash_48b = { 3 },
4804 .errstr_unpriv = "R0 leaks addr",
4805 .errstr = "R0 unbounded memory access",
4806 .result_unpriv = REJECT,
4808 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4811 "invalid map access into an array with a invalid max check",
4813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4816 BPF_LD_MAP_FD(BPF_REG_1, 0),
4817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4818 BPF_FUNC_map_lookup_elem),
4819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4820 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4821 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4822 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4823 BPF_MOV32_IMM(BPF_REG_1, 0),
4824 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4826 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4827 offsetof(struct test_val, foo)),
4830 .fixup_map_hash_48b = { 3 },
4831 .errstr_unpriv = "R0 leaks addr",
4832 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4833 .result_unpriv = REJECT,
4835 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4838 "invalid map access into an array with a invalid max check",
4840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4843 BPF_LD_MAP_FD(BPF_REG_1, 0),
4844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4845 BPF_FUNC_map_lookup_elem),
4846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4847 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4848 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4849 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4851 BPF_LD_MAP_FD(BPF_REG_1, 0),
4852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4853 BPF_FUNC_map_lookup_elem),
4854 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4855 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4856 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4857 offsetof(struct test_val, foo)),
4860 .fixup_map_hash_48b = { 3, 11 },
4861 .errstr = "R0 pointer += pointer",
4863 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4866 "direct packet read test#1 for CGROUP_SKB",
4868 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4869 offsetof(struct __sk_buff, data)),
4870 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4871 offsetof(struct __sk_buff, data_end)),
4872 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4873 offsetof(struct __sk_buff, len)),
4874 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4875 offsetof(struct __sk_buff, pkt_type)),
4876 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4877 offsetof(struct __sk_buff, mark)),
4878 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4879 offsetof(struct __sk_buff, mark)),
4880 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4881 offsetof(struct __sk_buff, queue_mapping)),
4882 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4883 offsetof(struct __sk_buff, protocol)),
4884 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4885 offsetof(struct __sk_buff, vlan_present)),
4886 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4888 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4889 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4890 BPF_MOV64_IMM(BPF_REG_0, 0),
4894 .result_unpriv = REJECT,
4895 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
4896 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4899 "direct packet read test#2 for CGROUP_SKB",
4901 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4902 offsetof(struct __sk_buff, vlan_tci)),
4903 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4904 offsetof(struct __sk_buff, vlan_proto)),
4905 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4906 offsetof(struct __sk_buff, priority)),
4907 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4908 offsetof(struct __sk_buff, priority)),
4909 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4910 offsetof(struct __sk_buff,
4912 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4913 offsetof(struct __sk_buff, tc_index)),
4914 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4915 offsetof(struct __sk_buff, hash)),
4916 BPF_MOV64_IMM(BPF_REG_0, 0),
4920 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4923 "direct packet read test#3 for CGROUP_SKB",
4925 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4926 offsetof(struct __sk_buff, cb[0])),
4927 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4928 offsetof(struct __sk_buff, cb[1])),
4929 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4930 offsetof(struct __sk_buff, cb[2])),
4931 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4932 offsetof(struct __sk_buff, cb[3])),
4933 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4934 offsetof(struct __sk_buff, cb[4])),
4935 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4936 offsetof(struct __sk_buff, napi_id)),
4937 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
4938 offsetof(struct __sk_buff, cb[0])),
4939 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
4940 offsetof(struct __sk_buff, cb[1])),
4941 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4942 offsetof(struct __sk_buff, cb[2])),
4943 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
4944 offsetof(struct __sk_buff, cb[3])),
4945 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
4946 offsetof(struct __sk_buff, cb[4])),
4947 BPF_MOV64_IMM(BPF_REG_0, 0),
4951 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4954 "direct packet read test#4 for CGROUP_SKB",
4956 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4957 offsetof(struct __sk_buff, family)),
4958 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4959 offsetof(struct __sk_buff, remote_ip4)),
4960 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4961 offsetof(struct __sk_buff, local_ip4)),
4962 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4963 offsetof(struct __sk_buff, remote_ip6[0])),
4964 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4965 offsetof(struct __sk_buff, remote_ip6[1])),
4966 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4967 offsetof(struct __sk_buff, remote_ip6[2])),
4968 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4969 offsetof(struct __sk_buff, remote_ip6[3])),
4970 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4971 offsetof(struct __sk_buff, local_ip6[0])),
4972 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4973 offsetof(struct __sk_buff, local_ip6[1])),
4974 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4975 offsetof(struct __sk_buff, local_ip6[2])),
4976 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4977 offsetof(struct __sk_buff, local_ip6[3])),
4978 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4979 offsetof(struct __sk_buff, remote_port)),
4980 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4981 offsetof(struct __sk_buff, local_port)),
4982 BPF_MOV64_IMM(BPF_REG_0, 0),
4986 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4989 "invalid access of tc_classid for CGROUP_SKB",
4991 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4992 offsetof(struct __sk_buff, tc_classid)),
4993 BPF_MOV64_IMM(BPF_REG_0, 0),
4997 .errstr = "invalid bpf_context access",
4998 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5001 "invalid access of data_meta for CGROUP_SKB",
5003 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5004 offsetof(struct __sk_buff, data_meta)),
5005 BPF_MOV64_IMM(BPF_REG_0, 0),
5009 .errstr = "invalid bpf_context access",
5010 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5013 "invalid access of flow_keys for CGROUP_SKB",
5015 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5016 offsetof(struct __sk_buff, flow_keys)),
5017 BPF_MOV64_IMM(BPF_REG_0, 0),
5021 .errstr = "invalid bpf_context access",
5022 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5025 "invalid write access to napi_id for CGROUP_SKB",
5027 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5028 offsetof(struct __sk_buff, napi_id)),
5029 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5030 offsetof(struct __sk_buff, napi_id)),
5031 BPF_MOV64_IMM(BPF_REG_0, 0),
5035 .errstr = "invalid bpf_context access",
5036 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5039 "valid cgroup storage access",
5041 BPF_MOV64_IMM(BPF_REG_2, 0),
5042 BPF_LD_MAP_FD(BPF_REG_1, 0),
5043 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5044 BPF_FUNC_get_local_storage),
5045 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5046 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5047 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5050 .fixup_cgroup_storage = { 1 },
5052 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5055 "invalid cgroup storage access 1",
5057 BPF_MOV64_IMM(BPF_REG_2, 0),
5058 BPF_LD_MAP_FD(BPF_REG_1, 0),
5059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5060 BPF_FUNC_get_local_storage),
5061 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5062 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5063 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5066 .fixup_map_hash_8b = { 1 },
5068 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5069 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5072 "invalid cgroup storage access 2",
5074 BPF_MOV64_IMM(BPF_REG_2, 0),
5075 BPF_LD_MAP_FD(BPF_REG_1, 1),
5076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5077 BPF_FUNC_get_local_storage),
5078 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5082 .errstr = "fd 1 is not pointing to valid bpf_map",
5083 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5086 "invalid cgroup storage access 3",
5088 BPF_MOV64_IMM(BPF_REG_2, 0),
5089 BPF_LD_MAP_FD(BPF_REG_1, 0),
5090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5091 BPF_FUNC_get_local_storage),
5092 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5094 BPF_MOV64_IMM(BPF_REG_0, 0),
5097 .fixup_cgroup_storage = { 1 },
5099 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5100 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5103 "invalid cgroup storage access 4",
5105 BPF_MOV64_IMM(BPF_REG_2, 0),
5106 BPF_LD_MAP_FD(BPF_REG_1, 0),
5107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5108 BPF_FUNC_get_local_storage),
5109 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5110 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5114 .fixup_cgroup_storage = { 1 },
5116 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5117 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5120 "invalid cgroup storage access 5",
5122 BPF_MOV64_IMM(BPF_REG_2, 7),
5123 BPF_LD_MAP_FD(BPF_REG_1, 0),
5124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5125 BPF_FUNC_get_local_storage),
5126 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5127 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5128 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5131 .fixup_cgroup_storage = { 1 },
5133 .errstr = "get_local_storage() doesn't support non-zero flags",
5134 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5137 "invalid cgroup storage access 6",
5139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5140 BPF_LD_MAP_FD(BPF_REG_1, 0),
5141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5142 BPF_FUNC_get_local_storage),
5143 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5144 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5145 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5148 .fixup_cgroup_storage = { 1 },
5150 .errstr = "get_local_storage() doesn't support non-zero flags",
5151 .errstr_unpriv = "R2 leaks addr into helper function",
5152 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5155 "valid per-cpu cgroup storage access",
5157 BPF_MOV64_IMM(BPF_REG_2, 0),
5158 BPF_LD_MAP_FD(BPF_REG_1, 0),
5159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5160 BPF_FUNC_get_local_storage),
5161 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5162 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5163 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5166 .fixup_percpu_cgroup_storage = { 1 },
5168 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5171 "invalid per-cpu cgroup storage access 1",
5173 BPF_MOV64_IMM(BPF_REG_2, 0),
5174 BPF_LD_MAP_FD(BPF_REG_1, 0),
5175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5176 BPF_FUNC_get_local_storage),
5177 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5178 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5179 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5182 .fixup_map_hash_8b = { 1 },
5184 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5185 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5188 "invalid per-cpu cgroup storage access 2",
5190 BPF_MOV64_IMM(BPF_REG_2, 0),
5191 BPF_LD_MAP_FD(BPF_REG_1, 1),
5192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5193 BPF_FUNC_get_local_storage),
5194 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5198 .errstr = "fd 1 is not pointing to valid bpf_map",
5199 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5202 "invalid per-cpu cgroup storage access 3",
5204 BPF_MOV64_IMM(BPF_REG_2, 0),
5205 BPF_LD_MAP_FD(BPF_REG_1, 0),
5206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5207 BPF_FUNC_get_local_storage),
5208 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5210 BPF_MOV64_IMM(BPF_REG_0, 0),
5213 .fixup_percpu_cgroup_storage = { 1 },
5215 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5216 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5219 "invalid per-cpu cgroup storage access 4",
5221 BPF_MOV64_IMM(BPF_REG_2, 0),
5222 BPF_LD_MAP_FD(BPF_REG_1, 0),
5223 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5224 BPF_FUNC_get_local_storage),
5225 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5226 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5230 .fixup_cgroup_storage = { 1 },
5232 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5233 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5236 "invalid per-cpu cgroup storage access 5",
5238 BPF_MOV64_IMM(BPF_REG_2, 7),
5239 BPF_LD_MAP_FD(BPF_REG_1, 0),
5240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5241 BPF_FUNC_get_local_storage),
5242 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5243 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5244 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5247 .fixup_percpu_cgroup_storage = { 1 },
5249 .errstr = "get_local_storage() doesn't support non-zero flags",
5250 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5253 "invalid per-cpu cgroup storage access 6",
5255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5256 BPF_LD_MAP_FD(BPF_REG_1, 0),
5257 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5258 BPF_FUNC_get_local_storage),
5259 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5260 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5261 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5264 .fixup_percpu_cgroup_storage = { 1 },
5266 .errstr = "get_local_storage() doesn't support non-zero flags",
5267 .errstr_unpriv = "R2 leaks addr into helper function",
5268 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5271 "multiple registers share map_lookup_elem result",
5273 BPF_MOV64_IMM(BPF_REG_1, 10),
5274 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5275 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5277 BPF_LD_MAP_FD(BPF_REG_1, 0),
5278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5279 BPF_FUNC_map_lookup_elem),
5280 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5282 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5285 .fixup_map_hash_8b = { 4 },
5287 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5290 "alu ops on ptr_to_map_value_or_null, 1",
5292 BPF_MOV64_IMM(BPF_REG_1, 10),
5293 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5296 BPF_LD_MAP_FD(BPF_REG_1, 0),
5297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5298 BPF_FUNC_map_lookup_elem),
5299 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5301 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5302 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5303 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5306 .fixup_map_hash_8b = { 4 },
5307 .errstr = "R4 pointer arithmetic on map_value_or_null",
5309 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5312 "alu ops on ptr_to_map_value_or_null, 2",
5314 BPF_MOV64_IMM(BPF_REG_1, 10),
5315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5316 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5318 BPF_LD_MAP_FD(BPF_REG_1, 0),
5319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5320 BPF_FUNC_map_lookup_elem),
5321 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5322 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5323 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5324 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5327 .fixup_map_hash_8b = { 4 },
5328 .errstr = "R4 pointer arithmetic on map_value_or_null",
5330 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5333 "alu ops on ptr_to_map_value_or_null, 3",
5335 BPF_MOV64_IMM(BPF_REG_1, 10),
5336 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5339 BPF_LD_MAP_FD(BPF_REG_1, 0),
5340 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5341 BPF_FUNC_map_lookup_elem),
5342 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5343 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5344 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5345 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5348 .fixup_map_hash_8b = { 4 },
5349 .errstr = "R4 pointer arithmetic on map_value_or_null",
5351 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5354 "invalid memory access with multiple map_lookup_elem calls",
5356 BPF_MOV64_IMM(BPF_REG_1, 10),
5357 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5360 BPF_LD_MAP_FD(BPF_REG_1, 0),
5361 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5362 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5364 BPF_FUNC_map_lookup_elem),
5365 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5367 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5368 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5369 BPF_FUNC_map_lookup_elem),
5370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5371 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5374 .fixup_map_hash_8b = { 4 },
5376 .errstr = "R4 !read_ok",
5377 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5380 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5382 BPF_MOV64_IMM(BPF_REG_1, 10),
5383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5386 BPF_LD_MAP_FD(BPF_REG_1, 0),
5387 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5388 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5390 BPF_FUNC_map_lookup_elem),
5391 BPF_MOV64_IMM(BPF_REG_2, 10),
5392 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5395 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5396 BPF_FUNC_map_lookup_elem),
5397 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5398 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5399 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5402 .fixup_map_hash_8b = { 4 },
5404 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5407 "invalid map access from else condition",
5409 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5410 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5412 BPF_LD_MAP_FD(BPF_REG_1, 0),
5413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5414 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5415 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5416 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5418 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5419 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5420 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5423 .fixup_map_hash_48b = { 3 },
5424 .errstr = "R0 unbounded memory access",
5426 .errstr_unpriv = "R0 leaks addr",
5427 .result_unpriv = REJECT,
5428 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5431 "constant register |= constant should keep constant type",
5433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5435 BPF_MOV64_IMM(BPF_REG_2, 34),
5436 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5437 BPF_MOV64_IMM(BPF_REG_3, 0),
5438 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5445 "constant register |= constant should not bypass stack boundary checks",
5447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5449 BPF_MOV64_IMM(BPF_REG_2, 34),
5450 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5451 BPF_MOV64_IMM(BPF_REG_3, 0),
5452 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5455 .errstr = "invalid stack type R1 off=-48 access_size=58",
5457 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5460 "constant register |= constant register should keep constant type",
5462 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5464 BPF_MOV64_IMM(BPF_REG_2, 34),
5465 BPF_MOV64_IMM(BPF_REG_4, 13),
5466 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5467 BPF_MOV64_IMM(BPF_REG_3, 0),
5468 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5472 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5475 "constant register |= constant register should not bypass stack boundary checks",
5477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5479 BPF_MOV64_IMM(BPF_REG_2, 34),
5480 BPF_MOV64_IMM(BPF_REG_4, 24),
5481 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5482 BPF_MOV64_IMM(BPF_REG_3, 0),
5483 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5486 .errstr = "invalid stack type R1 off=-48 access_size=58",
5488 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5491 "invalid direct packet write for LWT_IN",
5493 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5494 offsetof(struct __sk_buff, data)),
5495 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5496 offsetof(struct __sk_buff, data_end)),
5497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5499 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5500 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5501 BPF_MOV64_IMM(BPF_REG_0, 0),
5504 .errstr = "cannot write into packet",
5506 .prog_type = BPF_PROG_TYPE_LWT_IN,
5509 "invalid direct packet write for LWT_OUT",
5511 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5512 offsetof(struct __sk_buff, data)),
5513 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5514 offsetof(struct __sk_buff, data_end)),
5515 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5517 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5518 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5519 BPF_MOV64_IMM(BPF_REG_0, 0),
5522 .errstr = "cannot write into packet",
5524 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5527 "direct packet write for LWT_XMIT",
5529 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5530 offsetof(struct __sk_buff, data)),
5531 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5532 offsetof(struct __sk_buff, data_end)),
5533 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5535 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5536 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5537 BPF_MOV64_IMM(BPF_REG_0, 0),
5541 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5544 "direct packet read for LWT_IN",
5546 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5547 offsetof(struct __sk_buff, data)),
5548 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5549 offsetof(struct __sk_buff, data_end)),
5550 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5552 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5553 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5554 BPF_MOV64_IMM(BPF_REG_0, 0),
5558 .prog_type = BPF_PROG_TYPE_LWT_IN,
5561 "direct packet read for LWT_OUT",
5563 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5564 offsetof(struct __sk_buff, data)),
5565 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5566 offsetof(struct __sk_buff, data_end)),
5567 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5569 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5570 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5571 BPF_MOV64_IMM(BPF_REG_0, 0),
5575 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5578 "direct packet read for LWT_XMIT",
5580 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5581 offsetof(struct __sk_buff, data)),
5582 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5583 offsetof(struct __sk_buff, data_end)),
5584 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5586 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5587 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5588 BPF_MOV64_IMM(BPF_REG_0, 0),
5592 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5595 "overlapping checks for direct packet access",
5597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5598 offsetof(struct __sk_buff, data)),
5599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5600 offsetof(struct __sk_buff, data_end)),
5601 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5603 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5606 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5607 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5608 BPF_MOV64_IMM(BPF_REG_0, 0),
5612 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5615 "make headroom for LWT_XMIT",
5617 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5618 BPF_MOV64_IMM(BPF_REG_2, 34),
5619 BPF_MOV64_IMM(BPF_REG_3, 0),
5620 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5621 /* split for s390 to succeed */
5622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5623 BPF_MOV64_IMM(BPF_REG_2, 42),
5624 BPF_MOV64_IMM(BPF_REG_3, 0),
5625 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5626 BPF_MOV64_IMM(BPF_REG_0, 0),
5630 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5633 "invalid access of tc_classid for LWT_IN",
5635 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5636 offsetof(struct __sk_buff, tc_classid)),
5640 .errstr = "invalid bpf_context access",
5643 "invalid access of tc_classid for LWT_OUT",
5645 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5646 offsetof(struct __sk_buff, tc_classid)),
5650 .errstr = "invalid bpf_context access",
5653 "invalid access of tc_classid for LWT_XMIT",
5655 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5656 offsetof(struct __sk_buff, tc_classid)),
5660 .errstr = "invalid bpf_context access",
5663 "leak pointer into ctx 1",
5665 BPF_MOV64_IMM(BPF_REG_0, 0),
5666 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5667 offsetof(struct __sk_buff, cb[0])),
5668 BPF_LD_MAP_FD(BPF_REG_2, 0),
5669 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5670 offsetof(struct __sk_buff, cb[0])),
5673 .fixup_map_hash_8b = { 2 },
5674 .errstr_unpriv = "R2 leaks addr into mem",
5675 .result_unpriv = REJECT,
5677 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5680 "leak pointer into ctx 2",
5682 BPF_MOV64_IMM(BPF_REG_0, 0),
5683 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5684 offsetof(struct __sk_buff, cb[0])),
5685 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5686 offsetof(struct __sk_buff, cb[0])),
5689 .errstr_unpriv = "R10 leaks addr into mem",
5690 .result_unpriv = REJECT,
5692 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
5695 "leak pointer into ctx 3",
5697 BPF_MOV64_IMM(BPF_REG_0, 0),
5698 BPF_LD_MAP_FD(BPF_REG_2, 0),
5699 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5700 offsetof(struct __sk_buff, cb[0])),
5703 .fixup_map_hash_8b = { 1 },
5704 .errstr_unpriv = "R2 leaks addr into ctx",
5705 .result_unpriv = REJECT,
5709 "leak pointer into map val",
5711 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5712 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5713 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5715 BPF_LD_MAP_FD(BPF_REG_1, 0),
5716 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5717 BPF_FUNC_map_lookup_elem),
5718 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5719 BPF_MOV64_IMM(BPF_REG_3, 0),
5720 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5721 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5722 BPF_MOV64_IMM(BPF_REG_0, 0),
5725 .fixup_map_hash_8b = { 4 },
5726 .errstr_unpriv = "R6 leaks addr into mem",
5727 .result_unpriv = REJECT,
5731 "helper access to map: full range",
5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5736 BPF_LD_MAP_FD(BPF_REG_1, 0),
5737 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5738 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5740 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5741 BPF_MOV64_IMM(BPF_REG_3, 0),
5742 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5745 .fixup_map_hash_48b = { 3 },
5747 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5750 "helper access to map: partial range",
5752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5754 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5755 BPF_LD_MAP_FD(BPF_REG_1, 0),
5756 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5758 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5759 BPF_MOV64_IMM(BPF_REG_2, 8),
5760 BPF_MOV64_IMM(BPF_REG_3, 0),
5761 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5764 .fixup_map_hash_48b = { 3 },
5766 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5769 "helper access to map: empty range",
5771 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5773 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5774 BPF_LD_MAP_FD(BPF_REG_1, 0),
5775 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5778 BPF_MOV64_IMM(BPF_REG_2, 0),
5779 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5782 .fixup_map_hash_48b = { 3 },
5783 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5788 "helper access to map: out-of-bound range",
5790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5792 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5793 BPF_LD_MAP_FD(BPF_REG_1, 0),
5794 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5797 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5798 BPF_MOV64_IMM(BPF_REG_3, 0),
5799 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5802 .fixup_map_hash_48b = { 3 },
5803 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5805 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5808 "helper access to map: negative range",
5810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5812 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5813 BPF_LD_MAP_FD(BPF_REG_1, 0),
5814 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5816 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5817 BPF_MOV64_IMM(BPF_REG_2, -8),
5818 BPF_MOV64_IMM(BPF_REG_3, 0),
5819 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5822 .fixup_map_hash_48b = { 3 },
5823 .errstr = "R2 min value is negative",
5825 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5828 "helper access to adjusted map (via const imm): full range",
5830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5832 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5833 BPF_LD_MAP_FD(BPF_REG_1, 0),
5834 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5836 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5838 offsetof(struct test_val, foo)),
5839 BPF_MOV64_IMM(BPF_REG_2,
5840 sizeof(struct test_val) -
5841 offsetof(struct test_val, foo)),
5842 BPF_MOV64_IMM(BPF_REG_3, 0),
5843 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5846 .fixup_map_hash_48b = { 3 },
5848 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5851 "helper access to adjusted map (via const imm): partial range",
5853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5855 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5856 BPF_LD_MAP_FD(BPF_REG_1, 0),
5857 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5859 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5861 offsetof(struct test_val, foo)),
5862 BPF_MOV64_IMM(BPF_REG_2, 8),
5863 BPF_MOV64_IMM(BPF_REG_3, 0),
5864 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5867 .fixup_map_hash_48b = { 3 },
5869 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 "helper access to adjusted map (via const imm): empty range",
5874 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5876 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5877 BPF_LD_MAP_FD(BPF_REG_1, 0),
5878 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5879 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5880 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5882 offsetof(struct test_val, foo)),
5883 BPF_MOV64_IMM(BPF_REG_2, 0),
5884 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5887 .fixup_map_hash_48b = { 3 },
5888 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5893 "helper access to adjusted map (via const imm): out-of-bound range",
5895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5897 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5898 BPF_LD_MAP_FD(BPF_REG_1, 0),
5899 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5903 offsetof(struct test_val, foo)),
5904 BPF_MOV64_IMM(BPF_REG_2,
5905 sizeof(struct test_val) -
5906 offsetof(struct test_val, foo) + 8),
5907 BPF_MOV64_IMM(BPF_REG_3, 0),
5908 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5911 .fixup_map_hash_48b = { 3 },
5912 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5914 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5917 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5919 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5921 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5922 BPF_LD_MAP_FD(BPF_REG_1, 0),
5923 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5924 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5925 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5927 offsetof(struct test_val, foo)),
5928 BPF_MOV64_IMM(BPF_REG_2, -8),
5929 BPF_MOV64_IMM(BPF_REG_3, 0),
5930 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5933 .fixup_map_hash_48b = { 3 },
5934 .errstr = "R2 min value is negative",
5936 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5939 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5943 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5944 BPF_LD_MAP_FD(BPF_REG_1, 0),
5945 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5949 offsetof(struct test_val, foo)),
5950 BPF_MOV64_IMM(BPF_REG_2, -1),
5951 BPF_MOV64_IMM(BPF_REG_3, 0),
5952 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5955 .fixup_map_hash_48b = { 3 },
5956 .errstr = "R2 min value is negative",
5958 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5961 "helper access to adjusted map (via const reg): full range",
5963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5965 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5966 BPF_LD_MAP_FD(BPF_REG_1, 0),
5967 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5970 BPF_MOV64_IMM(BPF_REG_3,
5971 offsetof(struct test_val, foo)),
5972 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5973 BPF_MOV64_IMM(BPF_REG_2,
5974 sizeof(struct test_val) -
5975 offsetof(struct test_val, foo)),
5976 BPF_MOV64_IMM(BPF_REG_3, 0),
5977 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5980 .fixup_map_hash_48b = { 3 },
5982 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5985 "helper access to adjusted map (via const reg): partial range",
5987 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5989 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5990 BPF_LD_MAP_FD(BPF_REG_1, 0),
5991 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5992 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5994 BPF_MOV64_IMM(BPF_REG_3,
5995 offsetof(struct test_val, foo)),
5996 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5997 BPF_MOV64_IMM(BPF_REG_2, 8),
5998 BPF_MOV64_IMM(BPF_REG_3, 0),
5999 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6002 .fixup_map_hash_48b = { 3 },
6004 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6007 "helper access to adjusted map (via const reg): empty range",
6009 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6011 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6012 BPF_LD_MAP_FD(BPF_REG_1, 0),
6013 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6014 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6015 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6016 BPF_MOV64_IMM(BPF_REG_3, 0),
6017 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6018 BPF_MOV64_IMM(BPF_REG_2, 0),
6019 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6022 .fixup_map_hash_48b = { 3 },
6023 .errstr = "R1 min value is outside of the array range",
6025 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6028 "helper access to adjusted map (via const reg): out-of-bound range",
6030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6032 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6033 BPF_LD_MAP_FD(BPF_REG_1, 0),
6034 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6035 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6036 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6037 BPF_MOV64_IMM(BPF_REG_3,
6038 offsetof(struct test_val, foo)),
6039 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6040 BPF_MOV64_IMM(BPF_REG_2,
6041 sizeof(struct test_val) -
6042 offsetof(struct test_val, foo) + 8),
6043 BPF_MOV64_IMM(BPF_REG_3, 0),
6044 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6047 .fixup_map_hash_48b = { 3 },
6048 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6050 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6053 "helper access to adjusted map (via const reg): negative range (> adjustment)",
6055 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6057 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6058 BPF_LD_MAP_FD(BPF_REG_1, 0),
6059 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6060 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6061 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6062 BPF_MOV64_IMM(BPF_REG_3,
6063 offsetof(struct test_val, foo)),
6064 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6065 BPF_MOV64_IMM(BPF_REG_2, -8),
6066 BPF_MOV64_IMM(BPF_REG_3, 0),
6067 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6070 .fixup_map_hash_48b = { 3 },
6071 .errstr = "R2 min value is negative",
6073 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6076 "helper access to adjusted map (via const reg): negative range (< adjustment)",
6078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081 BPF_LD_MAP_FD(BPF_REG_1, 0),
6082 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6084 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6085 BPF_MOV64_IMM(BPF_REG_3,
6086 offsetof(struct test_val, foo)),
6087 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6088 BPF_MOV64_IMM(BPF_REG_2, -1),
6089 BPF_MOV64_IMM(BPF_REG_3, 0),
6090 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6093 .fixup_map_hash_48b = { 3 },
6094 .errstr = "R2 min value is negative",
6096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6099 "helper access to adjusted map (via variable): full range",
6101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6104 BPF_LD_MAP_FD(BPF_REG_1, 0),
6105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6109 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6110 offsetof(struct test_val, foo), 4),
6111 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6112 BPF_MOV64_IMM(BPF_REG_2,
6113 sizeof(struct test_val) -
6114 offsetof(struct test_val, foo)),
6115 BPF_MOV64_IMM(BPF_REG_3, 0),
6116 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6119 .fixup_map_hash_48b = { 3 },
6121 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6124 "helper access to adjusted map (via variable): partial range",
6126 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6128 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6129 BPF_LD_MAP_FD(BPF_REG_1, 0),
6130 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6131 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6133 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6134 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6135 offsetof(struct test_val, foo), 4),
6136 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6137 BPF_MOV64_IMM(BPF_REG_2, 8),
6138 BPF_MOV64_IMM(BPF_REG_3, 0),
6139 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6142 .fixup_map_hash_48b = { 3 },
6144 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6147 "helper access to adjusted map (via variable): empty range",
6149 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6150 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6151 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6152 BPF_LD_MAP_FD(BPF_REG_1, 0),
6153 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6154 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6156 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6157 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6158 offsetof(struct test_val, foo), 3),
6159 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6160 BPF_MOV64_IMM(BPF_REG_2, 0),
6161 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6164 .fixup_map_hash_48b = { 3 },
6165 .errstr = "R1 min value is outside of the array range",
6167 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6170 "helper access to adjusted map (via variable): no max check",
6172 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6174 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6175 BPF_LD_MAP_FD(BPF_REG_1, 0),
6176 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6178 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6179 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6180 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6181 BPF_MOV64_IMM(BPF_REG_2, 1),
6182 BPF_MOV64_IMM(BPF_REG_3, 0),
6183 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6186 .fixup_map_hash_48b = { 3 },
6187 .errstr = "R1 unbounded memory access",
6189 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6192 "helper access to adjusted map (via variable): wrong max check",
6194 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6196 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6197 BPF_LD_MAP_FD(BPF_REG_1, 0),
6198 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6200 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6201 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6202 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6203 offsetof(struct test_val, foo), 4),
6204 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6205 BPF_MOV64_IMM(BPF_REG_2,
6206 sizeof(struct test_val) -
6207 offsetof(struct test_val, foo) + 1),
6208 BPF_MOV64_IMM(BPF_REG_3, 0),
6209 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6212 .fixup_map_hash_48b = { 3 },
6213 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
6215 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6218 "helper access to map: bounds check using <, good access",
6220 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6222 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6223 BPF_LD_MAP_FD(BPF_REG_1, 0),
6224 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6225 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6226 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6227 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6228 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6229 BPF_MOV64_IMM(BPF_REG_0, 0),
6231 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6232 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6233 BPF_MOV64_IMM(BPF_REG_0, 0),
6236 .fixup_map_hash_48b = { 3 },
6238 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6241 "helper access to map: bounds check using <, bad access",
6243 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6245 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6246 BPF_LD_MAP_FD(BPF_REG_1, 0),
6247 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6249 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6250 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6251 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6252 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6253 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6254 BPF_MOV64_IMM(BPF_REG_0, 0),
6256 BPF_MOV64_IMM(BPF_REG_0, 0),
6259 .fixup_map_hash_48b = { 3 },
6261 .errstr = "R1 unbounded memory access",
6262 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6265 "helper access to map: bounds check using <=, good access",
6267 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6269 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6270 BPF_LD_MAP_FD(BPF_REG_1, 0),
6271 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6274 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6275 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6276 BPF_MOV64_IMM(BPF_REG_0, 0),
6278 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6279 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6280 BPF_MOV64_IMM(BPF_REG_0, 0),
6283 .fixup_map_hash_48b = { 3 },
6285 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6288 "helper access to map: bounds check using <=, bad access",
6290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6292 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6293 BPF_LD_MAP_FD(BPF_REG_1, 0),
6294 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6298 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6299 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6300 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6301 BPF_MOV64_IMM(BPF_REG_0, 0),
6303 BPF_MOV64_IMM(BPF_REG_0, 0),
6306 .fixup_map_hash_48b = { 3 },
6308 .errstr = "R1 unbounded memory access",
6309 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6312 "helper access to map: bounds check using s<, good access",
6314 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6316 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6317 BPF_LD_MAP_FD(BPF_REG_1, 0),
6318 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6320 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6321 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6322 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6323 BPF_MOV64_IMM(BPF_REG_0, 0),
6325 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6326 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6327 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6328 BPF_MOV64_IMM(BPF_REG_0, 0),
6331 .fixup_map_hash_48b = { 3 },
6333 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6336 "helper access to map: bounds check using s<, good access 2",
6338 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6340 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6341 BPF_LD_MAP_FD(BPF_REG_1, 0),
6342 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6343 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6344 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6345 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6346 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6347 BPF_MOV64_IMM(BPF_REG_0, 0),
6349 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6350 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6351 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6352 BPF_MOV64_IMM(BPF_REG_0, 0),
6355 .fixup_map_hash_48b = { 3 },
6357 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6360 "helper access to map: bounds check using s<, bad access",
6362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6364 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6365 BPF_LD_MAP_FD(BPF_REG_1, 0),
6366 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6367 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6369 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6370 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6371 BPF_MOV64_IMM(BPF_REG_0, 0),
6373 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6374 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6375 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6376 BPF_MOV64_IMM(BPF_REG_0, 0),
6379 .fixup_map_hash_48b = { 3 },
6381 .errstr = "R1 min value is negative",
6382 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6385 "helper access to map: bounds check using s<=, good access",
6387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6389 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6390 BPF_LD_MAP_FD(BPF_REG_1, 0),
6391 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6392 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6394 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6395 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6396 BPF_MOV64_IMM(BPF_REG_0, 0),
6398 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6399 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6400 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6401 BPF_MOV64_IMM(BPF_REG_0, 0),
6404 .fixup_map_hash_48b = { 3 },
6406 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6409 "helper access to map: bounds check using s<=, good access 2",
6411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6413 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6414 BPF_LD_MAP_FD(BPF_REG_1, 0),
6415 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6416 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6418 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6419 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6420 BPF_MOV64_IMM(BPF_REG_0, 0),
6422 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6423 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6424 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6425 BPF_MOV64_IMM(BPF_REG_0, 0),
6428 .fixup_map_hash_48b = { 3 },
6430 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6433 "helper access to map: bounds check using s<=, bad access",
6435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6437 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6438 BPF_LD_MAP_FD(BPF_REG_1, 0),
6439 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6440 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6442 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6443 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6444 BPF_MOV64_IMM(BPF_REG_0, 0),
6446 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6447 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6448 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6449 BPF_MOV64_IMM(BPF_REG_0, 0),
6452 .fixup_map_hash_48b = { 3 },
6454 .errstr = "R1 min value is negative",
6455 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6458 "map lookup helper access to map",
6460 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6462 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6463 BPF_LD_MAP_FD(BPF_REG_1, 0),
6464 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6465 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6466 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6467 BPF_LD_MAP_FD(BPF_REG_1, 0),
6468 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6471 .fixup_map_hash_16b = { 3, 8 },
6473 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6476 "map update helper access to map",
6478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6480 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6481 BPF_LD_MAP_FD(BPF_REG_1, 0),
6482 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6484 BPF_MOV64_IMM(BPF_REG_4, 0),
6485 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6486 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6487 BPF_LD_MAP_FD(BPF_REG_1, 0),
6488 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6491 .fixup_map_hash_16b = { 3, 10 },
6493 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6496 "map update helper access to map: wrong size",
6498 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6500 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6501 BPF_LD_MAP_FD(BPF_REG_1, 0),
6502 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6503 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6504 BPF_MOV64_IMM(BPF_REG_4, 0),
6505 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6507 BPF_LD_MAP_FD(BPF_REG_1, 0),
6508 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6511 .fixup_map_hash_8b = { 3 },
6512 .fixup_map_hash_16b = { 10 },
6514 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6515 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6518 "map helper access to adjusted map (via const imm)",
6520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6522 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6523 BPF_LD_MAP_FD(BPF_REG_1, 0),
6524 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6526 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6528 offsetof(struct other_val, bar)),
6529 BPF_LD_MAP_FD(BPF_REG_1, 0),
6530 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6533 .fixup_map_hash_16b = { 3, 9 },
6535 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6538 "map helper access to adjusted map (via const imm): out-of-bound 1",
6540 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6542 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6543 BPF_LD_MAP_FD(BPF_REG_1, 0),
6544 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6545 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6546 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6547 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6548 sizeof(struct other_val) - 4),
6549 BPF_LD_MAP_FD(BPF_REG_1, 0),
6550 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6553 .fixup_map_hash_16b = { 3, 9 },
6555 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6556 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6559 "map helper access to adjusted map (via const imm): out-of-bound 2",
6561 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6563 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6564 BPF_LD_MAP_FD(BPF_REG_1, 0),
6565 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6566 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6569 BPF_LD_MAP_FD(BPF_REG_1, 0),
6570 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6573 .fixup_map_hash_16b = { 3, 9 },
6575 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6576 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6579 "map helper access to adjusted map (via const reg)",
6581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6583 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6584 BPF_LD_MAP_FD(BPF_REG_1, 0),
6585 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6587 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6588 BPF_MOV64_IMM(BPF_REG_3,
6589 offsetof(struct other_val, bar)),
6590 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6591 BPF_LD_MAP_FD(BPF_REG_1, 0),
6592 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6595 .fixup_map_hash_16b = { 3, 10 },
6597 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6600 "map helper access to adjusted map (via const reg): out-of-bound 1",
6602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6604 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6605 BPF_LD_MAP_FD(BPF_REG_1, 0),
6606 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6609 BPF_MOV64_IMM(BPF_REG_3,
6610 sizeof(struct other_val) - 4),
6611 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6612 BPF_LD_MAP_FD(BPF_REG_1, 0),
6613 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6616 .fixup_map_hash_16b = { 3, 10 },
6618 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6619 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6622 "map helper access to adjusted map (via const reg): out-of-bound 2",
6624 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6626 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6627 BPF_LD_MAP_FD(BPF_REG_1, 0),
6628 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6629 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6630 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6631 BPF_MOV64_IMM(BPF_REG_3, -4),
6632 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6633 BPF_LD_MAP_FD(BPF_REG_1, 0),
6634 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6637 .fixup_map_hash_16b = { 3, 10 },
6639 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6640 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6643 "map helper access to adjusted map (via variable)",
6645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6647 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6648 BPF_LD_MAP_FD(BPF_REG_1, 0),
6649 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6652 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6653 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6654 offsetof(struct other_val, bar), 4),
6655 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6656 BPF_LD_MAP_FD(BPF_REG_1, 0),
6657 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6660 .fixup_map_hash_16b = { 3, 11 },
6662 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6665 "map helper access to adjusted map (via variable): no max check",
6667 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6669 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6670 BPF_LD_MAP_FD(BPF_REG_1, 0),
6671 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6674 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6675 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6676 BPF_LD_MAP_FD(BPF_REG_1, 0),
6677 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6680 .fixup_map_hash_16b = { 3, 10 },
6682 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6683 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6686 "map helper access to adjusted map (via variable): wrong max check",
6688 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6690 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6691 BPF_LD_MAP_FD(BPF_REG_1, 0),
6692 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6695 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6696 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6697 offsetof(struct other_val, bar) + 1, 4),
6698 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6699 BPF_LD_MAP_FD(BPF_REG_1, 0),
6700 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6703 .fixup_map_hash_16b = { 3, 11 },
6705 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6706 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6709 "map element value is preserved across register spilling",
6711 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6712 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6713 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6714 BPF_LD_MAP_FD(BPF_REG_1, 0),
6715 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6717 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6718 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6720 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6721 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6722 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6725 .fixup_map_hash_48b = { 3 },
6726 .errstr_unpriv = "R0 leaks addr",
6728 .result_unpriv = REJECT,
6731 "map element value or null is marked on register spilling",
6733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6735 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6736 BPF_LD_MAP_FD(BPF_REG_1, 0),
6737 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6738 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6740 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6741 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6742 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6743 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6746 .fixup_map_hash_48b = { 3 },
6747 .errstr_unpriv = "R0 leaks addr",
6749 .result_unpriv = REJECT,
6752 "map element value store of cleared call register",
6754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6756 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6757 BPF_LD_MAP_FD(BPF_REG_1, 0),
6758 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6760 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6763 .fixup_map_hash_48b = { 3 },
6764 .errstr_unpriv = "R1 !read_ok",
6765 .errstr = "R1 !read_ok",
6767 .result_unpriv = REJECT,
6770 "map element value with unaligned store",
6772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6774 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6775 BPF_LD_MAP_FD(BPF_REG_1, 0),
6776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6779 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6780 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6781 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6782 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6783 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6784 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6785 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6787 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6788 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6789 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6790 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6792 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6793 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6794 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6797 .fixup_map_hash_48b = { 3 },
6798 .errstr_unpriv = "R0 leaks addr",
6800 .result_unpriv = REJECT,
6801 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6804 "map element value with unaligned load",
6806 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6808 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6809 BPF_LD_MAP_FD(BPF_REG_1, 0),
6810 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6812 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6813 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6815 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6816 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6817 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6818 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6819 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6821 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6822 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6825 .fixup_map_hash_48b = { 3 },
6826 .errstr_unpriv = "R0 leaks addr",
6828 .result_unpriv = REJECT,
6829 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6832 "map element value illegal alu op, 1",
6834 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6836 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6837 BPF_LD_MAP_FD(BPF_REG_1, 0),
6838 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6839 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6840 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6841 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6844 .fixup_map_hash_48b = { 3 },
6845 .errstr = "R0 bitwise operator &= on pointer",
6849 "map element value illegal alu op, 2",
6851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6853 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6854 BPF_LD_MAP_FD(BPF_REG_1, 0),
6855 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6857 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6858 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6861 .fixup_map_hash_48b = { 3 },
6862 .errstr = "R0 32-bit pointer arithmetic prohibited",
6866 "map element value illegal alu op, 3",
6868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6870 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6871 BPF_LD_MAP_FD(BPF_REG_1, 0),
6872 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6874 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6875 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6878 .fixup_map_hash_48b = { 3 },
6879 .errstr = "R0 pointer arithmetic with /= operator",
6883 "map element value illegal alu op, 4",
6885 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6887 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6888 BPF_LD_MAP_FD(BPF_REG_1, 0),
6889 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6891 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6892 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6895 .fixup_map_hash_48b = { 3 },
6896 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6897 .errstr = "invalid mem access 'inv'",
6899 .result_unpriv = REJECT,
6902 "map element value illegal alu op, 5",
6904 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6906 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6907 BPF_LD_MAP_FD(BPF_REG_1, 0),
6908 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6909 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6910 BPF_MOV64_IMM(BPF_REG_3, 4096),
6911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6913 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6914 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6915 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6916 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6919 .fixup_map_hash_48b = { 3 },
6920 .errstr = "R0 invalid mem access 'inv'",
6924 "map element value is preserved across register spilling",
6926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6928 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6929 BPF_LD_MAP_FD(BPF_REG_1, 0),
6930 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6932 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6933 offsetof(struct test_val, foo)),
6934 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6935 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6937 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6938 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6939 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6942 .fixup_map_hash_48b = { 3 },
6943 .errstr_unpriv = "R0 leaks addr",
6945 .result_unpriv = REJECT,
6946 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6949 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6953 BPF_MOV64_IMM(BPF_REG_0, 0),
6954 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6955 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6958 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6959 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6960 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6961 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6962 BPF_MOV64_IMM(BPF_REG_2, 16),
6963 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6964 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6965 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6966 BPF_MOV64_IMM(BPF_REG_4, 0),
6967 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6968 BPF_MOV64_IMM(BPF_REG_3, 0),
6969 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6970 BPF_MOV64_IMM(BPF_REG_0, 0),
6974 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6977 "helper access to variable memory: stack, bitwise AND, zero included",
6979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6981 BPF_MOV64_IMM(BPF_REG_2, 16),
6982 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6983 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6984 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6985 BPF_MOV64_IMM(BPF_REG_3, 0),
6986 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6989 .errstr = "invalid indirect read from stack off -64+0 size 64",
6991 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6994 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6996 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6998 BPF_MOV64_IMM(BPF_REG_2, 16),
6999 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7000 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7001 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
7002 BPF_MOV64_IMM(BPF_REG_4, 0),
7003 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7004 BPF_MOV64_IMM(BPF_REG_3, 0),
7005 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7006 BPF_MOV64_IMM(BPF_REG_0, 0),
7009 .errstr = "invalid stack type R1 off=-64 access_size=65",
7011 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7014 "helper access to variable memory: stack, JMP, correct bounds",
7016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7018 BPF_MOV64_IMM(BPF_REG_0, 0),
7019 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7020 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7021 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7022 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7023 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7024 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7025 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7026 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7027 BPF_MOV64_IMM(BPF_REG_2, 16),
7028 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7029 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7030 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
7031 BPF_MOV64_IMM(BPF_REG_4, 0),
7032 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7033 BPF_MOV64_IMM(BPF_REG_3, 0),
7034 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7035 BPF_MOV64_IMM(BPF_REG_0, 0),
7039 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7042 "helper access to variable memory: stack, JMP (signed), correct bounds",
7044 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7046 BPF_MOV64_IMM(BPF_REG_0, 0),
7047 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7048 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7049 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7050 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7051 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7052 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7053 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7054 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7055 BPF_MOV64_IMM(BPF_REG_2, 16),
7056 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7057 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7058 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
7059 BPF_MOV64_IMM(BPF_REG_4, 0),
7060 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7061 BPF_MOV64_IMM(BPF_REG_3, 0),
7062 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7063 BPF_MOV64_IMM(BPF_REG_0, 0),
7067 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7070 "helper access to variable memory: stack, JMP, bounds + offset",
7072 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7074 BPF_MOV64_IMM(BPF_REG_2, 16),
7075 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7076 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7077 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
7078 BPF_MOV64_IMM(BPF_REG_4, 0),
7079 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
7080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7081 BPF_MOV64_IMM(BPF_REG_3, 0),
7082 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7083 BPF_MOV64_IMM(BPF_REG_0, 0),
7086 .errstr = "invalid stack type R1 off=-64 access_size=65",
7088 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7091 "helper access to variable memory: stack, JMP, wrong max",
7093 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7095 BPF_MOV64_IMM(BPF_REG_2, 16),
7096 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7097 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7098 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
7099 BPF_MOV64_IMM(BPF_REG_4, 0),
7100 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7101 BPF_MOV64_IMM(BPF_REG_3, 0),
7102 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7103 BPF_MOV64_IMM(BPF_REG_0, 0),
7106 .errstr = "invalid stack type R1 off=-64 access_size=65",
7108 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7111 "helper access to variable memory: stack, JMP, no max check",
7113 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7115 BPF_MOV64_IMM(BPF_REG_2, 16),
7116 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7117 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7118 BPF_MOV64_IMM(BPF_REG_4, 0),
7119 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7120 BPF_MOV64_IMM(BPF_REG_3, 0),
7121 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7122 BPF_MOV64_IMM(BPF_REG_0, 0),
7125 /* because max wasn't checked, signed min is negative */
7126 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
7128 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7131 "helper access to variable memory: stack, JMP, no min check",
7133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7135 BPF_MOV64_IMM(BPF_REG_2, 16),
7136 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7137 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7138 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
7139 BPF_MOV64_IMM(BPF_REG_3, 0),
7140 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7141 BPF_MOV64_IMM(BPF_REG_0, 0),
7144 .errstr = "invalid indirect read from stack off -64+0 size 64",
7146 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7149 "helper access to variable memory: stack, JMP (signed), no min check",
7151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7153 BPF_MOV64_IMM(BPF_REG_2, 16),
7154 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7155 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7156 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
7157 BPF_MOV64_IMM(BPF_REG_3, 0),
7158 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7159 BPF_MOV64_IMM(BPF_REG_0, 0),
7162 .errstr = "R2 min value is negative",
7164 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7167 "helper access to variable memory: map, JMP, correct bounds",
7169 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7171 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7172 BPF_LD_MAP_FD(BPF_REG_1, 0),
7173 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7176 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7177 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7178 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7179 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7180 sizeof(struct test_val), 4),
7181 BPF_MOV64_IMM(BPF_REG_4, 0),
7182 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7183 BPF_MOV64_IMM(BPF_REG_3, 0),
7184 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7185 BPF_MOV64_IMM(BPF_REG_0, 0),
7188 .fixup_map_hash_48b = { 3 },
7190 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7193 "helper access to variable memory: map, JMP, wrong max",
7195 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7196 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7197 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7198 BPF_LD_MAP_FD(BPF_REG_1, 0),
7199 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7201 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7202 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7203 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7204 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7205 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7206 sizeof(struct test_val) + 1, 4),
7207 BPF_MOV64_IMM(BPF_REG_4, 0),
7208 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7209 BPF_MOV64_IMM(BPF_REG_3, 0),
7210 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7211 BPF_MOV64_IMM(BPF_REG_0, 0),
7214 .fixup_map_hash_48b = { 3 },
7215 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
7217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7220 "helper access to variable memory: map adjusted, JMP, correct bounds",
7222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7225 BPF_LD_MAP_FD(BPF_REG_1, 0),
7226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7230 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7231 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7232 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7233 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7234 sizeof(struct test_val) - 20, 4),
7235 BPF_MOV64_IMM(BPF_REG_4, 0),
7236 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7237 BPF_MOV64_IMM(BPF_REG_3, 0),
7238 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7239 BPF_MOV64_IMM(BPF_REG_0, 0),
7242 .fixup_map_hash_48b = { 3 },
7244 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7247 "helper access to variable memory: map adjusted, JMP, wrong max",
7249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7251 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7252 BPF_LD_MAP_FD(BPF_REG_1, 0),
7253 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7255 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7257 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7258 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7259 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7260 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7261 sizeof(struct test_val) - 19, 4),
7262 BPF_MOV64_IMM(BPF_REG_4, 0),
7263 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7264 BPF_MOV64_IMM(BPF_REG_3, 0),
7265 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7266 BPF_MOV64_IMM(BPF_REG_0, 0),
7269 .fixup_map_hash_48b = { 3 },
7270 .errstr = "R1 min value is outside of the array range",
7272 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7275 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7277 BPF_MOV64_IMM(BPF_REG_1, 0),
7278 BPF_MOV64_IMM(BPF_REG_2, 0),
7279 BPF_MOV64_IMM(BPF_REG_3, 0),
7280 BPF_MOV64_IMM(BPF_REG_4, 0),
7281 BPF_MOV64_IMM(BPF_REG_5, 0),
7282 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7286 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7289 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7291 BPF_MOV64_IMM(BPF_REG_1, 0),
7292 BPF_MOV64_IMM(BPF_REG_2, 1),
7293 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7294 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7295 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7296 BPF_MOV64_IMM(BPF_REG_3, 0),
7297 BPF_MOV64_IMM(BPF_REG_4, 0),
7298 BPF_MOV64_IMM(BPF_REG_5, 0),
7299 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7302 .errstr = "R1 type=inv expected=fp",
7304 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7307 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7311 BPF_MOV64_IMM(BPF_REG_2, 0),
7312 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7313 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
7314 BPF_MOV64_IMM(BPF_REG_3, 0),
7315 BPF_MOV64_IMM(BPF_REG_4, 0),
7316 BPF_MOV64_IMM(BPF_REG_5, 0),
7317 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7321 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7324 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7329 BPF_LD_MAP_FD(BPF_REG_1, 0),
7330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7331 BPF_FUNC_map_lookup_elem),
7332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7333 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7334 BPF_MOV64_IMM(BPF_REG_2, 0),
7335 BPF_MOV64_IMM(BPF_REG_3, 0),
7336 BPF_MOV64_IMM(BPF_REG_4, 0),
7337 BPF_MOV64_IMM(BPF_REG_5, 0),
7338 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7341 .fixup_map_hash_8b = { 3 },
7343 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7346 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7348 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7351 BPF_LD_MAP_FD(BPF_REG_1, 0),
7352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7353 BPF_FUNC_map_lookup_elem),
7354 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7355 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7356 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
7357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7359 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7360 BPF_MOV64_IMM(BPF_REG_3, 0),
7361 BPF_MOV64_IMM(BPF_REG_4, 0),
7362 BPF_MOV64_IMM(BPF_REG_5, 0),
7363 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7366 .fixup_map_hash_8b = { 3 },
7368 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7371 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7373 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7374 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7376 BPF_LD_MAP_FD(BPF_REG_1, 0),
7377 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7378 BPF_FUNC_map_lookup_elem),
7379 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7380 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7381 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7382 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7383 BPF_MOV64_IMM(BPF_REG_3, 0),
7384 BPF_MOV64_IMM(BPF_REG_4, 0),
7385 BPF_MOV64_IMM(BPF_REG_5, 0),
7386 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7389 .fixup_map_hash_8b = { 3 },
7391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7394 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
7396 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7397 offsetof(struct __sk_buff, data)),
7398 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7399 offsetof(struct __sk_buff, data_end)),
7400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
7401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7402 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
7403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
7404 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
7405 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7406 BPF_MOV64_IMM(BPF_REG_3, 0),
7407 BPF_MOV64_IMM(BPF_REG_4, 0),
7408 BPF_MOV64_IMM(BPF_REG_5, 0),
7409 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7413 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7414 .retval = 0 /* csum_diff of 64-byte packet */,
7417 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7419 BPF_MOV64_IMM(BPF_REG_1, 0),
7420 BPF_MOV64_IMM(BPF_REG_2, 0),
7421 BPF_MOV64_IMM(BPF_REG_3, 0),
7422 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7425 .errstr = "R1 type=inv expected=fp",
7427 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7430 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7432 BPF_MOV64_IMM(BPF_REG_1, 0),
7433 BPF_MOV64_IMM(BPF_REG_2, 1),
7434 BPF_MOV64_IMM(BPF_REG_3, 0),
7435 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7438 .errstr = "R1 type=inv expected=fp",
7440 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7443 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7445 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7447 BPF_MOV64_IMM(BPF_REG_2, 0),
7448 BPF_MOV64_IMM(BPF_REG_3, 0),
7449 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7453 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7456 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7458 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7459 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7461 BPF_LD_MAP_FD(BPF_REG_1, 0),
7462 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7463 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7464 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7465 BPF_MOV64_IMM(BPF_REG_2, 0),
7466 BPF_MOV64_IMM(BPF_REG_3, 0),
7467 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7470 .fixup_map_hash_8b = { 3 },
7472 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7475 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7477 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7480 BPF_LD_MAP_FD(BPF_REG_1, 0),
7481 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7483 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7484 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7487 BPF_MOV64_IMM(BPF_REG_3, 0),
7488 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7491 .fixup_map_hash_8b = { 3 },
7493 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7496 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7498 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7499 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7501 BPF_LD_MAP_FD(BPF_REG_1, 0),
7502 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7503 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7504 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7505 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7506 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7507 BPF_MOV64_IMM(BPF_REG_3, 0),
7508 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7511 .fixup_map_hash_8b = { 3 },
7513 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7516 "helper access to variable memory: 8 bytes leak",
7518 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7520 BPF_MOV64_IMM(BPF_REG_0, 0),
7521 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7522 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7523 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7524 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7525 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7526 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7527 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7528 BPF_MOV64_IMM(BPF_REG_2, 1),
7529 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7530 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7531 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7533 BPF_MOV64_IMM(BPF_REG_3, 0),
7534 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7535 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7538 .errstr = "invalid indirect read from stack off -64+32 size 64",
7540 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7543 "helper access to variable memory: 8 bytes no leak (init memory)",
7545 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7546 BPF_MOV64_IMM(BPF_REG_0, 0),
7547 BPF_MOV64_IMM(BPF_REG_0, 0),
7548 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7549 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7550 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7551 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7552 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7553 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7554 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7555 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7557 BPF_MOV64_IMM(BPF_REG_2, 0),
7558 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7560 BPF_MOV64_IMM(BPF_REG_3, 0),
7561 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7562 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7566 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7569 "invalid and of negative number",
7571 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7574 BPF_LD_MAP_FD(BPF_REG_1, 0),
7575 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7576 BPF_FUNC_map_lookup_elem),
7577 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7578 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7579 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7580 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7581 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7582 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7583 offsetof(struct test_val, foo)),
7586 .fixup_map_hash_48b = { 3 },
7587 .errstr = "R0 max value is outside of the array range",
7589 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7592 "invalid range check",
7594 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7595 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7596 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7597 BPF_LD_MAP_FD(BPF_REG_1, 0),
7598 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7599 BPF_FUNC_map_lookup_elem),
7600 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7601 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7602 BPF_MOV64_IMM(BPF_REG_9, 1),
7603 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7604 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7605 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7606 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7607 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7608 BPF_MOV32_IMM(BPF_REG_3, 1),
7609 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7610 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7611 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7612 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7613 BPF_MOV64_REG(BPF_REG_0, 0),
7616 .fixup_map_hash_48b = { 3 },
7617 .errstr = "R0 max value is outside of the array range",
7619 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7622 "map in map access",
7624 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7625 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7627 BPF_LD_MAP_FD(BPF_REG_1, 0),
7628 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7629 BPF_FUNC_map_lookup_elem),
7630 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7631 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7632 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7634 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7636 BPF_FUNC_map_lookup_elem),
7637 BPF_MOV64_IMM(BPF_REG_0, 0),
7640 .fixup_map_in_map = { 3 },
7644 "invalid inner map pointer",
7646 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7649 BPF_LD_MAP_FD(BPF_REG_1, 0),
7650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7651 BPF_FUNC_map_lookup_elem),
7652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7653 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7654 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7658 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7659 BPF_FUNC_map_lookup_elem),
7660 BPF_MOV64_IMM(BPF_REG_0, 0),
7663 .fixup_map_in_map = { 3 },
7664 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
7668 "forgot null checking on the inner map pointer",
7670 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7671 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7672 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7673 BPF_LD_MAP_FD(BPF_REG_1, 0),
7674 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7675 BPF_FUNC_map_lookup_elem),
7676 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7681 BPF_FUNC_map_lookup_elem),
7682 BPF_MOV64_IMM(BPF_REG_0, 0),
7685 .fixup_map_in_map = { 3 },
7686 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7690 "ld_abs: check calling conv, r1",
7692 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7693 BPF_MOV64_IMM(BPF_REG_1, 0),
7694 BPF_LD_ABS(BPF_W, -0x200000),
7695 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7698 .errstr = "R1 !read_ok",
7702 "ld_abs: check calling conv, r2",
7704 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7705 BPF_MOV64_IMM(BPF_REG_2, 0),
7706 BPF_LD_ABS(BPF_W, -0x200000),
7707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7710 .errstr = "R2 !read_ok",
7714 "ld_abs: check calling conv, r3",
7716 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7717 BPF_MOV64_IMM(BPF_REG_3, 0),
7718 BPF_LD_ABS(BPF_W, -0x200000),
7719 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7722 .errstr = "R3 !read_ok",
7726 "ld_abs: check calling conv, r4",
7728 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7729 BPF_MOV64_IMM(BPF_REG_4, 0),
7730 BPF_LD_ABS(BPF_W, -0x200000),
7731 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7734 .errstr = "R4 !read_ok",
7738 "ld_abs: check calling conv, r5",
7740 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7741 BPF_MOV64_IMM(BPF_REG_5, 0),
7742 BPF_LD_ABS(BPF_W, -0x200000),
7743 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7746 .errstr = "R5 !read_ok",
7750 "ld_abs: check calling conv, r7",
7752 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7753 BPF_MOV64_IMM(BPF_REG_7, 0),
7754 BPF_LD_ABS(BPF_W, -0x200000),
7755 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7761 "ld_abs: tests on r6 and skb data reload helper",
7763 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7764 BPF_LD_ABS(BPF_B, 0),
7765 BPF_LD_ABS(BPF_H, 0),
7766 BPF_LD_ABS(BPF_W, 0),
7767 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7768 BPF_MOV64_IMM(BPF_REG_6, 0),
7769 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7770 BPF_MOV64_IMM(BPF_REG_2, 1),
7771 BPF_MOV64_IMM(BPF_REG_3, 2),
7772 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7773 BPF_FUNC_skb_vlan_push),
7774 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7775 BPF_LD_ABS(BPF_B, 0),
7776 BPF_LD_ABS(BPF_H, 0),
7777 BPF_LD_ABS(BPF_W, 0),
7778 BPF_MOV64_IMM(BPF_REG_0, 42),
7781 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7783 .retval = 42 /* ultimate return value */,
7786 "ld_ind: check calling conv, r1",
7788 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7789 BPF_MOV64_IMM(BPF_REG_1, 1),
7790 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7791 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7794 .errstr = "R1 !read_ok",
7798 "ld_ind: check calling conv, r2",
7800 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7801 BPF_MOV64_IMM(BPF_REG_2, 1),
7802 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7803 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7806 .errstr = "R2 !read_ok",
7810 "ld_ind: check calling conv, r3",
7812 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7813 BPF_MOV64_IMM(BPF_REG_3, 1),
7814 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7815 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7818 .errstr = "R3 !read_ok",
7822 "ld_ind: check calling conv, r4",
7824 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7825 BPF_MOV64_IMM(BPF_REG_4, 1),
7826 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7827 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7830 .errstr = "R4 !read_ok",
7834 "ld_ind: check calling conv, r5",
7836 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7837 BPF_MOV64_IMM(BPF_REG_5, 1),
7838 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7839 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7842 .errstr = "R5 !read_ok",
7846 "ld_ind: check calling conv, r7",
7848 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7849 BPF_MOV64_IMM(BPF_REG_7, 1),
7850 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7851 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7858 "check bpf_perf_event_data->sample_period byte load permitted",
7860 BPF_MOV64_IMM(BPF_REG_0, 0),
7861 #if __BYTE_ORDER == __LITTLE_ENDIAN
7862 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7863 offsetof(struct bpf_perf_event_data, sample_period)),
7865 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7866 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7871 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7874 "check bpf_perf_event_data->sample_period half load permitted",
7876 BPF_MOV64_IMM(BPF_REG_0, 0),
7877 #if __BYTE_ORDER == __LITTLE_ENDIAN
7878 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7879 offsetof(struct bpf_perf_event_data, sample_period)),
7881 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7882 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7887 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7890 "check bpf_perf_event_data->sample_period word load permitted",
7892 BPF_MOV64_IMM(BPF_REG_0, 0),
7893 #if __BYTE_ORDER == __LITTLE_ENDIAN
7894 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7895 offsetof(struct bpf_perf_event_data, sample_period)),
7897 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7898 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7903 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7906 "check bpf_perf_event_data->sample_period dword load permitted",
7908 BPF_MOV64_IMM(BPF_REG_0, 0),
7909 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7910 offsetof(struct bpf_perf_event_data, sample_period)),
7914 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7917 "check skb->data half load not permitted",
7919 BPF_MOV64_IMM(BPF_REG_0, 0),
7920 #if __BYTE_ORDER == __LITTLE_ENDIAN
7921 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7922 offsetof(struct __sk_buff, data)),
7924 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7925 offsetof(struct __sk_buff, data) + 2),
7930 .errstr = "invalid bpf_context access",
7933 "check skb->tc_classid half load not permitted for lwt prog",
7935 BPF_MOV64_IMM(BPF_REG_0, 0),
7936 #if __BYTE_ORDER == __LITTLE_ENDIAN
7937 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7938 offsetof(struct __sk_buff, tc_classid)),
7940 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7941 offsetof(struct __sk_buff, tc_classid) + 2),
7946 .errstr = "invalid bpf_context access",
7947 .prog_type = BPF_PROG_TYPE_LWT_IN,
7950 "bounds checks mixing signed and unsigned, positive bounds",
7952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7955 BPF_LD_MAP_FD(BPF_REG_1, 0),
7956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7957 BPF_FUNC_map_lookup_elem),
7958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7959 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7960 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7961 BPF_MOV64_IMM(BPF_REG_2, 2),
7962 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7963 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7964 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7965 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7966 BPF_MOV64_IMM(BPF_REG_0, 0),
7969 .fixup_map_hash_8b = { 3 },
7970 .errstr = "unbounded min value",
7974 "bounds checks mixing signed and unsigned",
7976 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7979 BPF_LD_MAP_FD(BPF_REG_1, 0),
7980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7981 BPF_FUNC_map_lookup_elem),
7982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7983 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7984 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7985 BPF_MOV64_IMM(BPF_REG_2, -1),
7986 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7987 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7988 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7989 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7990 BPF_MOV64_IMM(BPF_REG_0, 0),
7993 .fixup_map_hash_8b = { 3 },
7994 .errstr = "unbounded min value",
7998 "bounds checks mixing signed and unsigned, variant 2",
8000 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8001 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8003 BPF_LD_MAP_FD(BPF_REG_1, 0),
8004 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8005 BPF_FUNC_map_lookup_elem),
8006 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8007 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8008 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8009 BPF_MOV64_IMM(BPF_REG_2, -1),
8010 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8011 BPF_MOV64_IMM(BPF_REG_8, 0),
8012 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
8013 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8014 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8015 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8016 BPF_MOV64_IMM(BPF_REG_0, 0),
8019 .fixup_map_hash_8b = { 3 },
8020 .errstr = "unbounded min value",
8024 "bounds checks mixing signed and unsigned, variant 3",
8026 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8029 BPF_LD_MAP_FD(BPF_REG_1, 0),
8030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8031 BPF_FUNC_map_lookup_elem),
8032 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8033 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8034 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8035 BPF_MOV64_IMM(BPF_REG_2, -1),
8036 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
8037 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
8038 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8039 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8040 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8041 BPF_MOV64_IMM(BPF_REG_0, 0),
8044 .fixup_map_hash_8b = { 3 },
8045 .errstr = "unbounded min value",
8049 "bounds checks mixing signed and unsigned, variant 4",
8051 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8052 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8054 BPF_LD_MAP_FD(BPF_REG_1, 0),
8055 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8056 BPF_FUNC_map_lookup_elem),
8057 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8058 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8059 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8060 BPF_MOV64_IMM(BPF_REG_2, 1),
8061 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
8062 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8063 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8064 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8065 BPF_MOV64_IMM(BPF_REG_0, 0),
8068 .fixup_map_hash_8b = { 3 },
8072 "bounds checks mixing signed and unsigned, variant 5",
8074 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8075 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8076 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8077 BPF_LD_MAP_FD(BPF_REG_1, 0),
8078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8079 BPF_FUNC_map_lookup_elem),
8080 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8081 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8082 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8083 BPF_MOV64_IMM(BPF_REG_2, -1),
8084 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8085 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
8086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
8087 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
8088 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8089 BPF_MOV64_IMM(BPF_REG_0, 0),
8092 .fixup_map_hash_8b = { 3 },
8093 .errstr = "unbounded min value",
8097 "bounds checks mixing signed and unsigned, variant 6",
8099 BPF_MOV64_IMM(BPF_REG_2, 0),
8100 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
8101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
8102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8103 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
8104 BPF_MOV64_IMM(BPF_REG_6, -1),
8105 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
8106 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
8107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8108 BPF_MOV64_IMM(BPF_REG_5, 0),
8109 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
8110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8111 BPF_FUNC_skb_load_bytes),
8112 BPF_MOV64_IMM(BPF_REG_0, 0),
8115 .errstr = "R4 min value is negative, either use unsigned",
8119 "bounds checks mixing signed and unsigned, variant 7",
8121 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8122 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8124 BPF_LD_MAP_FD(BPF_REG_1, 0),
8125 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8126 BPF_FUNC_map_lookup_elem),
8127 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8128 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8129 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8130 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
8131 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8132 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8133 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8134 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8135 BPF_MOV64_IMM(BPF_REG_0, 0),
8138 .fixup_map_hash_8b = { 3 },
8142 "bounds checks mixing signed and unsigned, variant 8",
8144 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8145 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8147 BPF_LD_MAP_FD(BPF_REG_1, 0),
8148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8149 BPF_FUNC_map_lookup_elem),
8150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8151 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8152 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8153 BPF_MOV64_IMM(BPF_REG_2, -1),
8154 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8155 BPF_MOV64_IMM(BPF_REG_0, 0),
8157 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8158 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8159 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8160 BPF_MOV64_IMM(BPF_REG_0, 0),
8163 .fixup_map_hash_8b = { 3 },
8164 .errstr = "unbounded min value",
8168 "bounds checks mixing signed and unsigned, variant 9",
8170 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8171 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8173 BPF_LD_MAP_FD(BPF_REG_1, 0),
8174 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8175 BPF_FUNC_map_lookup_elem),
8176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8177 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8178 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8179 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
8180 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8181 BPF_MOV64_IMM(BPF_REG_0, 0),
8183 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8184 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8185 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8186 BPF_MOV64_IMM(BPF_REG_0, 0),
8189 .fixup_map_hash_8b = { 3 },
8193 "bounds checks mixing signed and unsigned, variant 10",
8195 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8198 BPF_LD_MAP_FD(BPF_REG_1, 0),
8199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8200 BPF_FUNC_map_lookup_elem),
8201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8202 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8203 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8204 BPF_MOV64_IMM(BPF_REG_2, 0),
8205 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8206 BPF_MOV64_IMM(BPF_REG_0, 0),
8208 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8209 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8210 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8211 BPF_MOV64_IMM(BPF_REG_0, 0),
8214 .fixup_map_hash_8b = { 3 },
8215 .errstr = "unbounded min value",
8219 "bounds checks mixing signed and unsigned, variant 11",
8221 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8224 BPF_LD_MAP_FD(BPF_REG_1, 0),
8225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8226 BPF_FUNC_map_lookup_elem),
8227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8228 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8229 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8230 BPF_MOV64_IMM(BPF_REG_2, -1),
8231 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8233 BPF_MOV64_IMM(BPF_REG_0, 0),
8235 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8236 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8237 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8238 BPF_MOV64_IMM(BPF_REG_0, 0),
8241 .fixup_map_hash_8b = { 3 },
8242 .errstr = "unbounded min value",
8246 "bounds checks mixing signed and unsigned, variant 12",
8248 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8251 BPF_LD_MAP_FD(BPF_REG_1, 0),
8252 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8253 BPF_FUNC_map_lookup_elem),
8254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8255 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8256 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8257 BPF_MOV64_IMM(BPF_REG_2, -6),
8258 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8259 BPF_MOV64_IMM(BPF_REG_0, 0),
8261 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8262 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8263 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8264 BPF_MOV64_IMM(BPF_REG_0, 0),
8267 .fixup_map_hash_8b = { 3 },
8268 .errstr = "unbounded min value",
8272 "bounds checks mixing signed and unsigned, variant 13",
8274 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8275 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8277 BPF_LD_MAP_FD(BPF_REG_1, 0),
8278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8279 BPF_FUNC_map_lookup_elem),
8280 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8281 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8282 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8283 BPF_MOV64_IMM(BPF_REG_2, 2),
8284 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8285 BPF_MOV64_IMM(BPF_REG_7, 1),
8286 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
8287 BPF_MOV64_IMM(BPF_REG_0, 0),
8289 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
8290 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
8291 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
8292 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8293 BPF_MOV64_IMM(BPF_REG_0, 0),
8296 .fixup_map_hash_8b = { 3 },
8297 .errstr = "unbounded min value",
8301 "bounds checks mixing signed and unsigned, variant 14",
8303 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
8304 offsetof(struct __sk_buff, mark)),
8305 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8308 BPF_LD_MAP_FD(BPF_REG_1, 0),
8309 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8310 BPF_FUNC_map_lookup_elem),
8311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8312 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8313 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8314 BPF_MOV64_IMM(BPF_REG_2, -1),
8315 BPF_MOV64_IMM(BPF_REG_8, 2),
8316 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
8317 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
8318 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8319 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8320 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8321 BPF_MOV64_IMM(BPF_REG_0, 0),
8323 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
8324 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
8326 .fixup_map_hash_8b = { 4 },
8327 .errstr = "R0 invalid mem access 'inv'",
8331 "bounds checks mixing signed and unsigned, variant 15",
8333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8336 BPF_LD_MAP_FD(BPF_REG_1, 0),
8337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8338 BPF_FUNC_map_lookup_elem),
8339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8340 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8341 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8342 BPF_MOV64_IMM(BPF_REG_2, -6),
8343 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8344 BPF_MOV64_IMM(BPF_REG_0, 0),
8346 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8347 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
8348 BPF_MOV64_IMM(BPF_REG_0, 0),
8350 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8351 BPF_MOV64_IMM(BPF_REG_0, 0),
8354 .fixup_map_hash_8b = { 3 },
8355 .errstr = "unbounded min value",
8357 .result_unpriv = REJECT,
8360 "subtraction bounds (map value) variant 1",
8362 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8365 BPF_LD_MAP_FD(BPF_REG_1, 0),
8366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8367 BPF_FUNC_map_lookup_elem),
8368 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8369 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8370 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
8371 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8372 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
8373 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8374 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
8375 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8376 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8378 BPF_MOV64_IMM(BPF_REG_0, 0),
8381 .fixup_map_hash_8b = { 3 },
8382 .errstr = "R0 max value is outside of the array range",
8386 "subtraction bounds (map value) variant 2",
8388 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8389 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8391 BPF_LD_MAP_FD(BPF_REG_1, 0),
8392 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8393 BPF_FUNC_map_lookup_elem),
8394 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8395 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8396 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
8397 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8398 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
8399 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8400 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8401 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8403 BPF_MOV64_IMM(BPF_REG_0, 0),
8406 .fixup_map_hash_8b = { 3 },
8407 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
8411 "bounds check based on zero-extended MOV",
8413 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8414 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8416 BPF_LD_MAP_FD(BPF_REG_1, 0),
8417 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8418 BPF_FUNC_map_lookup_elem),
8419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8420 /* r2 = 0x0000'0000'ffff'ffff */
8421 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
8423 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8425 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8426 /* access at offset 0 */
8427 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8429 BPF_MOV64_IMM(BPF_REG_0, 0),
8432 .fixup_map_hash_8b = { 3 },
8436 "bounds check based on sign-extended MOV. test1",
8438 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8439 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8441 BPF_LD_MAP_FD(BPF_REG_1, 0),
8442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8443 BPF_FUNC_map_lookup_elem),
8444 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8445 /* r2 = 0xffff'ffff'ffff'ffff */
8446 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8447 /* r2 = 0xffff'ffff */
8448 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8449 /* r0 = <oob pointer> */
8450 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8451 /* access to OOB pointer */
8452 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8454 BPF_MOV64_IMM(BPF_REG_0, 0),
8457 .fixup_map_hash_8b = { 3 },
8458 .errstr = "map_value pointer and 4294967295",
8462 "bounds check based on sign-extended MOV. test2",
8464 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8465 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8467 BPF_LD_MAP_FD(BPF_REG_1, 0),
8468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8469 BPF_FUNC_map_lookup_elem),
8470 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8471 /* r2 = 0xffff'ffff'ffff'ffff */
8472 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8473 /* r2 = 0xfff'ffff */
8474 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8475 /* r0 = <oob pointer> */
8476 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8477 /* access to OOB pointer */
8478 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8480 BPF_MOV64_IMM(BPF_REG_0, 0),
8483 .fixup_map_hash_8b = { 3 },
8484 .errstr = "R0 min value is outside of the array range",
8488 "bounds check based on reg_off + var_off + insn_off. test1",
8490 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8491 offsetof(struct __sk_buff, mark)),
8492 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8493 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8495 BPF_LD_MAP_FD(BPF_REG_1, 0),
8496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8497 BPF_FUNC_map_lookup_elem),
8498 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8499 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8501 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8503 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8504 BPF_MOV64_IMM(BPF_REG_0, 0),
8507 .fixup_map_hash_8b = { 4 },
8508 .errstr = "value_size=8 off=1073741825",
8510 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8513 "bounds check based on reg_off + var_off + insn_off. test2",
8515 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8516 offsetof(struct __sk_buff, mark)),
8517 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8518 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8520 BPF_LD_MAP_FD(BPF_REG_1, 0),
8521 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8522 BPF_FUNC_map_lookup_elem),
8523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8524 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8526 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8528 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8529 BPF_MOV64_IMM(BPF_REG_0, 0),
8532 .fixup_map_hash_8b = { 4 },
8533 .errstr = "value 1073741823",
8535 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8538 "bounds check after truncation of non-boundary-crossing range",
8540 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8543 BPF_LD_MAP_FD(BPF_REG_1, 0),
8544 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8545 BPF_FUNC_map_lookup_elem),
8546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8547 /* r1 = [0x00, 0xff] */
8548 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8549 BPF_MOV64_IMM(BPF_REG_2, 1),
8550 /* r2 = 0x10'0000'0000 */
8551 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8552 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8553 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8554 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8556 /* r1 = [0x00, 0xff] */
8557 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8559 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8561 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8562 /* access at offset 0 */
8563 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8565 BPF_MOV64_IMM(BPF_REG_0, 0),
8568 .fixup_map_hash_8b = { 3 },
8572 "bounds check after truncation of boundary-crossing range (1)",
8574 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8575 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8576 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8577 BPF_LD_MAP_FD(BPF_REG_1, 0),
8578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8579 BPF_FUNC_map_lookup_elem),
8580 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8581 /* r1 = [0x00, 0xff] */
8582 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8584 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8586 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8587 * [0x0000'0000, 0x0000'007f]
8589 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8590 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8591 /* r1 = [0x00, 0xff] or
8592 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8594 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8596 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8598 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8599 /* no-op or OOB pointer computation */
8600 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8601 /* potentially OOB access */
8602 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8604 BPF_MOV64_IMM(BPF_REG_0, 0),
8607 .fixup_map_hash_8b = { 3 },
8608 /* not actually fully unbounded, but the bound is very high */
8609 .errstr = "R0 unbounded memory access",
8613 "bounds check after truncation of boundary-crossing range (2)",
8615 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8616 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8617 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8618 BPF_LD_MAP_FD(BPF_REG_1, 0),
8619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8620 BPF_FUNC_map_lookup_elem),
8621 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8622 /* r1 = [0x00, 0xff] */
8623 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8625 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8627 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8628 * [0x0000'0000, 0x0000'007f]
8629 * difference to previous test: truncation via MOV32
8632 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8633 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8634 /* r1 = [0x00, 0xff] or
8635 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8637 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8639 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8641 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8642 /* no-op or OOB pointer computation */
8643 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8644 /* potentially OOB access */
8645 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8647 BPF_MOV64_IMM(BPF_REG_0, 0),
8650 .fixup_map_hash_8b = { 3 },
8651 /* not actually fully unbounded, but the bound is very high */
8652 .errstr = "R0 unbounded memory access",
8656 "bounds check after wrapping 32-bit addition",
8658 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8661 BPF_LD_MAP_FD(BPF_REG_1, 0),
8662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8663 BPF_FUNC_map_lookup_elem),
8664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8665 /* r1 = 0x7fff'ffff */
8666 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8667 /* r1 = 0xffff'fffe */
8668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8670 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8672 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8673 /* access at offset 0 */
8674 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8676 BPF_MOV64_IMM(BPF_REG_0, 0),
8679 .fixup_map_hash_8b = { 3 },
8683 "bounds check after shift with oversized count operand",
8685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8688 BPF_LD_MAP_FD(BPF_REG_1, 0),
8689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8690 BPF_FUNC_map_lookup_elem),
8691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8692 BPF_MOV64_IMM(BPF_REG_2, 32),
8693 BPF_MOV64_IMM(BPF_REG_1, 1),
8694 /* r1 = (u32)1 << (u32)32 = ? */
8695 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8696 /* r1 = [0x0000, 0xffff] */
8697 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8698 /* computes unknown pointer, potentially OOB */
8699 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8700 /* potentially OOB access */
8701 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8703 BPF_MOV64_IMM(BPF_REG_0, 0),
8706 .fixup_map_hash_8b = { 3 },
8707 .errstr = "R0 max value is outside of the array range",
8711 "bounds check after right shift of maybe-negative number",
8713 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8714 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8716 BPF_LD_MAP_FD(BPF_REG_1, 0),
8717 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8718 BPF_FUNC_map_lookup_elem),
8719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8720 /* r1 = [0x00, 0xff] */
8721 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8722 /* r1 = [-0x01, 0xfe] */
8723 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8724 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8725 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8726 /* r1 = 0 or 0xffff'ffff'ffff */
8727 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8728 /* computes unknown pointer, potentially OOB */
8729 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8730 /* potentially OOB access */
8731 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8733 BPF_MOV64_IMM(BPF_REG_0, 0),
8736 .fixup_map_hash_8b = { 3 },
8737 .errstr = "R0 unbounded memory access",
8741 "bounds check map access with off+size signed 32bit overflow. test1",
8743 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8744 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8746 BPF_LD_MAP_FD(BPF_REG_1, 0),
8747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8748 BPF_FUNC_map_lookup_elem),
8749 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8752 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8756 .fixup_map_hash_8b = { 3 },
8757 .errstr = "map_value pointer and 2147483646",
8761 "bounds check map access with off+size signed 32bit overflow. test2",
8763 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8764 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8766 BPF_LD_MAP_FD(BPF_REG_1, 0),
8767 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8768 BPF_FUNC_map_lookup_elem),
8769 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8774 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8778 .fixup_map_hash_8b = { 3 },
8779 .errstr = "pointer offset 1073741822",
8783 "bounds check map access with off+size signed 32bit overflow. test3",
8785 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8786 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8788 BPF_LD_MAP_FD(BPF_REG_1, 0),
8789 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8790 BPF_FUNC_map_lookup_elem),
8791 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8793 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8794 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8795 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8799 .fixup_map_hash_8b = { 3 },
8800 .errstr = "pointer offset -1073741822",
8804 "bounds check map access with off+size signed 32bit overflow. test4",
8806 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8807 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8809 BPF_LD_MAP_FD(BPF_REG_1, 0),
8810 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8811 BPF_FUNC_map_lookup_elem),
8812 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8814 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8815 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8816 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8817 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8821 .fixup_map_hash_8b = { 3 },
8822 .errstr = "map_value pointer and 1000000000000",
8826 "pointer/scalar confusion in state equality check (way 1)",
8828 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8829 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8831 BPF_LD_MAP_FD(BPF_REG_1, 0),
8832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8833 BPF_FUNC_map_lookup_elem),
8834 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8835 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8837 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8841 .fixup_map_hash_8b = { 3 },
8843 .retval = POINTER_VALUE,
8844 .result_unpriv = REJECT,
8845 .errstr_unpriv = "R0 leaks addr as return value"
8848 "pointer/scalar confusion in state equality check (way 2)",
8850 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8853 BPF_LD_MAP_FD(BPF_REG_1, 0),
8854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8855 BPF_FUNC_map_lookup_elem),
8856 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8857 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8859 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8862 .fixup_map_hash_8b = { 3 },
8864 .retval = POINTER_VALUE,
8865 .result_unpriv = REJECT,
8866 .errstr_unpriv = "R0 leaks addr as return value"
8869 "variable-offset ctx access",
8871 /* Get an unknown value */
8872 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8873 /* Make it small and 4-byte aligned */
8874 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8875 /* add it to skb. We now have either &skb->len or
8876 * &skb->pkt_type, but we don't know which
8878 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8879 /* dereference it */
8880 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8883 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8885 .prog_type = BPF_PROG_TYPE_LWT_IN,
8888 "variable-offset stack access",
8890 /* Fill the top 8 bytes of the stack */
8891 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8892 /* Get an unknown value */
8893 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8894 /* Make it small and 4-byte aligned */
8895 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8896 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8897 /* add it to fp. We now have either fp-4 or fp-8, but
8898 * we don't know which
8900 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8901 /* dereference it */
8902 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8905 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8907 .prog_type = BPF_PROG_TYPE_LWT_IN,
8910 "indirect variable-offset stack access",
8912 /* Fill the top 8 bytes of the stack */
8913 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8914 /* Get an unknown value */
8915 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8916 /* Make it small and 4-byte aligned */
8917 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8918 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8919 /* add it to fp. We now have either fp-4 or fp-8, but
8920 * we don't know which
8922 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8923 /* dereference it indirectly */
8924 BPF_LD_MAP_FD(BPF_REG_1, 0),
8925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8926 BPF_FUNC_map_lookup_elem),
8927 BPF_MOV64_IMM(BPF_REG_0, 0),
8930 .fixup_map_hash_8b = { 5 },
8931 .errstr = "variable stack read R2",
8933 .prog_type = BPF_PROG_TYPE_LWT_IN,
8936 "direct stack access with 32-bit wraparound. test1",
8938 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8941 BPF_MOV32_IMM(BPF_REG_0, 0),
8942 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8945 .errstr = "fp pointer and 2147483647",
8949 "direct stack access with 32-bit wraparound. test2",
8951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8954 BPF_MOV32_IMM(BPF_REG_0, 0),
8955 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8958 .errstr = "fp pointer and 1073741823",
8962 "direct stack access with 32-bit wraparound. test3",
8964 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8967 BPF_MOV32_IMM(BPF_REG_0, 0),
8968 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8971 .errstr = "fp pointer offset 1073741822",
8975 "liveness pruning and write screening",
8977 /* Get an unknown value */
8978 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8979 /* branch conditions teach us nothing about R2 */
8980 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8981 BPF_MOV64_IMM(BPF_REG_0, 0),
8982 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8983 BPF_MOV64_IMM(BPF_REG_0, 0),
8986 .errstr = "R0 !read_ok",
8988 .prog_type = BPF_PROG_TYPE_LWT_IN,
8991 "varlen_map_value_access pruning",
8993 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8996 BPF_LD_MAP_FD(BPF_REG_1, 0),
8997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8998 BPF_FUNC_map_lookup_elem),
8999 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9000 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
9001 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
9002 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
9003 BPF_MOV32_IMM(BPF_REG_1, 0),
9004 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
9005 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9006 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
9007 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
9008 offsetof(struct test_val, foo)),
9011 .fixup_map_hash_48b = { 3 },
9012 .errstr_unpriv = "R0 leaks addr",
9013 .errstr = "R0 unbounded memory access",
9014 .result_unpriv = REJECT,
9016 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9019 "invalid 64-bit BPF_END",
9021 BPF_MOV32_IMM(BPF_REG_0, 0),
9023 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
9024 .dst_reg = BPF_REG_0,
9031 .errstr = "unknown opcode d7",
9035 "XDP, using ifindex from netdev",
9037 BPF_MOV64_IMM(BPF_REG_0, 0),
9038 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9039 offsetof(struct xdp_md, ingress_ifindex)),
9040 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
9041 BPF_MOV64_IMM(BPF_REG_0, 1),
9045 .prog_type = BPF_PROG_TYPE_XDP,
9049 "meta access, test1",
9051 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9052 offsetof(struct xdp_md, data_meta)),
9053 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9054 offsetof(struct xdp_md, data)),
9055 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9057 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9058 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9059 BPF_MOV64_IMM(BPF_REG_0, 0),
9063 .prog_type = BPF_PROG_TYPE_XDP,
9066 "meta access, test2",
9068 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9069 offsetof(struct xdp_md, data_meta)),
9070 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9071 offsetof(struct xdp_md, data)),
9072 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9073 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
9074 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9076 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9077 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9078 BPF_MOV64_IMM(BPF_REG_0, 0),
9082 .errstr = "invalid access to packet, off=-8",
9083 .prog_type = BPF_PROG_TYPE_XDP,
9086 "meta access, test3",
9088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9089 offsetof(struct xdp_md, data_meta)),
9090 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9091 offsetof(struct xdp_md, data_end)),
9092 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9094 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9095 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9096 BPF_MOV64_IMM(BPF_REG_0, 0),
9100 .errstr = "invalid access to packet",
9101 .prog_type = BPF_PROG_TYPE_XDP,
9104 "meta access, test4",
9106 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9107 offsetof(struct xdp_md, data_meta)),
9108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9109 offsetof(struct xdp_md, data_end)),
9110 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9111 offsetof(struct xdp_md, data)),
9112 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
9113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9114 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9115 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9116 BPF_MOV64_IMM(BPF_REG_0, 0),
9120 .errstr = "invalid access to packet",
9121 .prog_type = BPF_PROG_TYPE_XDP,
9124 "meta access, test5",
9126 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9127 offsetof(struct xdp_md, data_meta)),
9128 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9129 offsetof(struct xdp_md, data)),
9130 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9132 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
9133 BPF_MOV64_IMM(BPF_REG_2, -8),
9134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9135 BPF_FUNC_xdp_adjust_meta),
9136 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9137 BPF_MOV64_IMM(BPF_REG_0, 0),
9141 .errstr = "R3 !read_ok",
9142 .prog_type = BPF_PROG_TYPE_XDP,
9145 "meta access, test6",
9147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9148 offsetof(struct xdp_md, data_meta)),
9149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9150 offsetof(struct xdp_md, data)),
9151 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9153 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9155 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
9156 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9157 BPF_MOV64_IMM(BPF_REG_0, 0),
9161 .errstr = "invalid access to packet",
9162 .prog_type = BPF_PROG_TYPE_XDP,
9165 "meta access, test7",
9167 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9168 offsetof(struct xdp_md, data_meta)),
9169 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9170 offsetof(struct xdp_md, data)),
9171 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9173 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9175 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9176 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9177 BPF_MOV64_IMM(BPF_REG_0, 0),
9181 .prog_type = BPF_PROG_TYPE_XDP,
9184 "meta access, test8",
9186 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9187 offsetof(struct xdp_md, data_meta)),
9188 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9189 offsetof(struct xdp_md, data)),
9190 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9192 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9193 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9194 BPF_MOV64_IMM(BPF_REG_0, 0),
9198 .prog_type = BPF_PROG_TYPE_XDP,
9201 "meta access, test9",
9203 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9204 offsetof(struct xdp_md, data_meta)),
9205 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9206 offsetof(struct xdp_md, data)),
9207 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9210 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9211 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9212 BPF_MOV64_IMM(BPF_REG_0, 0),
9216 .errstr = "invalid access to packet",
9217 .prog_type = BPF_PROG_TYPE_XDP,
9220 "meta access, test10",
9222 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9223 offsetof(struct xdp_md, data_meta)),
9224 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9225 offsetof(struct xdp_md, data)),
9226 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9227 offsetof(struct xdp_md, data_end)),
9228 BPF_MOV64_IMM(BPF_REG_5, 42),
9229 BPF_MOV64_IMM(BPF_REG_6, 24),
9230 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9231 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9232 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9233 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9234 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
9235 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9236 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9238 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
9239 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
9240 BPF_MOV64_IMM(BPF_REG_0, 0),
9244 .errstr = "invalid access to packet",
9245 .prog_type = BPF_PROG_TYPE_XDP,
9248 "meta access, test11",
9250 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9251 offsetof(struct xdp_md, data_meta)),
9252 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9253 offsetof(struct xdp_md, data)),
9254 BPF_MOV64_IMM(BPF_REG_5, 42),
9255 BPF_MOV64_IMM(BPF_REG_6, 24),
9256 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9257 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9258 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9259 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9260 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
9261 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9262 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9264 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
9265 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
9266 BPF_MOV64_IMM(BPF_REG_0, 0),
9270 .prog_type = BPF_PROG_TYPE_XDP,
9273 "meta access, test12",
9275 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9276 offsetof(struct xdp_md, data_meta)),
9277 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9278 offsetof(struct xdp_md, data)),
9279 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9280 offsetof(struct xdp_md, data_end)),
9281 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9283 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
9284 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9285 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9287 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
9288 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9289 BPF_MOV64_IMM(BPF_REG_0, 0),
9293 .prog_type = BPF_PROG_TYPE_XDP,
9296 "arithmetic ops make PTR_TO_CTX unusable",
9298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
9299 offsetof(struct __sk_buff, data) -
9300 offsetof(struct __sk_buff, mark)),
9301 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9302 offsetof(struct __sk_buff, mark)),
9305 .errstr = "dereference of modified ctx ptr",
9307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9310 "pkt_end - pkt_start is allowed",
9312 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9313 offsetof(struct __sk_buff, data_end)),
9314 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9315 offsetof(struct __sk_buff, data)),
9316 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
9320 .retval = TEST_DATA_LEN,
9321 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9324 "XDP pkt read, pkt_end mangling, bad access 1",
9326 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9327 offsetof(struct xdp_md, data)),
9328 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9329 offsetof(struct xdp_md, data_end)),
9330 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
9333 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9335 BPF_MOV64_IMM(BPF_REG_0, 0),
9338 .errstr = "R3 pointer arithmetic on pkt_end",
9340 .prog_type = BPF_PROG_TYPE_XDP,
9343 "XDP pkt read, pkt_end mangling, bad access 2",
9345 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9346 offsetof(struct xdp_md, data)),
9347 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9348 offsetof(struct xdp_md, data_end)),
9349 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9351 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
9352 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9353 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9354 BPF_MOV64_IMM(BPF_REG_0, 0),
9357 .errstr = "R3 pointer arithmetic on pkt_end",
9359 .prog_type = BPF_PROG_TYPE_XDP,
9362 "XDP pkt read, pkt_data' > pkt_end, good access",
9364 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9365 offsetof(struct xdp_md, data)),
9366 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9367 offsetof(struct xdp_md, data_end)),
9368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9370 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9371 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9372 BPF_MOV64_IMM(BPF_REG_0, 0),
9376 .prog_type = BPF_PROG_TYPE_XDP,
9379 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
9381 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9382 offsetof(struct xdp_md, data)),
9383 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9384 offsetof(struct xdp_md, data_end)),
9385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9387 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9388 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9389 BPF_MOV64_IMM(BPF_REG_0, 0),
9392 .errstr = "R1 offset is outside of the packet",
9394 .prog_type = BPF_PROG_TYPE_XDP,
9395 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9398 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
9400 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9401 offsetof(struct xdp_md, data)),
9402 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9403 offsetof(struct xdp_md, data_end)),
9404 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9406 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9407 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9408 BPF_MOV64_IMM(BPF_REG_0, 0),
9411 .errstr = "R1 offset is outside of the packet",
9413 .prog_type = BPF_PROG_TYPE_XDP,
9416 "XDP pkt read, pkt_end > pkt_data', good access",
9418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9419 offsetof(struct xdp_md, data)),
9420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9421 offsetof(struct xdp_md, data_end)),
9422 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9424 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9425 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9426 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9427 BPF_MOV64_IMM(BPF_REG_0, 0),
9431 .prog_type = BPF_PROG_TYPE_XDP,
9432 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9435 "XDP pkt read, pkt_end > pkt_data', bad access 1",
9437 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9438 offsetof(struct xdp_md, data)),
9439 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9440 offsetof(struct xdp_md, data_end)),
9441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9443 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9444 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9445 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9446 BPF_MOV64_IMM(BPF_REG_0, 0),
9449 .errstr = "R1 offset is outside of the packet",
9451 .prog_type = BPF_PROG_TYPE_XDP,
9454 "XDP pkt read, pkt_end > pkt_data', bad access 2",
9456 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9457 offsetof(struct xdp_md, data)),
9458 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9459 offsetof(struct xdp_md, data_end)),
9460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9462 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9463 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9464 BPF_MOV64_IMM(BPF_REG_0, 0),
9467 .errstr = "R1 offset is outside of the packet",
9469 .prog_type = BPF_PROG_TYPE_XDP,
9472 "XDP pkt read, pkt_data' < pkt_end, good access",
9474 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9475 offsetof(struct xdp_md, data)),
9476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9477 offsetof(struct xdp_md, data_end)),
9478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9480 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9481 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9482 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9483 BPF_MOV64_IMM(BPF_REG_0, 0),
9487 .prog_type = BPF_PROG_TYPE_XDP,
9488 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9491 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
9493 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9494 offsetof(struct xdp_md, data)),
9495 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9496 offsetof(struct xdp_md, data_end)),
9497 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9499 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9500 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9501 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9502 BPF_MOV64_IMM(BPF_REG_0, 0),
9505 .errstr = "R1 offset is outside of the packet",
9507 .prog_type = BPF_PROG_TYPE_XDP,
9510 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9512 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9513 offsetof(struct xdp_md, data)),
9514 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9515 offsetof(struct xdp_md, data_end)),
9516 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9518 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9519 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9520 BPF_MOV64_IMM(BPF_REG_0, 0),
9523 .errstr = "R1 offset is outside of the packet",
9525 .prog_type = BPF_PROG_TYPE_XDP,
9528 "XDP pkt read, pkt_end < pkt_data', good access",
9530 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9531 offsetof(struct xdp_md, data)),
9532 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9533 offsetof(struct xdp_md, data_end)),
9534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9536 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9537 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9538 BPF_MOV64_IMM(BPF_REG_0, 0),
9542 .prog_type = BPF_PROG_TYPE_XDP,
9545 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9547 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9548 offsetof(struct xdp_md, data)),
9549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9550 offsetof(struct xdp_md, data_end)),
9551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9553 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9554 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9555 BPF_MOV64_IMM(BPF_REG_0, 0),
9558 .errstr = "R1 offset is outside of the packet",
9560 .prog_type = BPF_PROG_TYPE_XDP,
9561 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9564 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9566 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9567 offsetof(struct xdp_md, data)),
9568 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9569 offsetof(struct xdp_md, data_end)),
9570 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9572 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9573 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9574 BPF_MOV64_IMM(BPF_REG_0, 0),
9577 .errstr = "R1 offset is outside of the packet",
9579 .prog_type = BPF_PROG_TYPE_XDP,
9582 "XDP pkt read, pkt_data' >= pkt_end, good access",
9584 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9585 offsetof(struct xdp_md, data)),
9586 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9587 offsetof(struct xdp_md, data_end)),
9588 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9590 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9591 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9592 BPF_MOV64_IMM(BPF_REG_0, 0),
9596 .prog_type = BPF_PROG_TYPE_XDP,
9597 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9600 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9602 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9603 offsetof(struct xdp_md, data)),
9604 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9605 offsetof(struct xdp_md, data_end)),
9606 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9608 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9609 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9610 BPF_MOV64_IMM(BPF_REG_0, 0),
9613 .errstr = "R1 offset is outside of the packet",
9615 .prog_type = BPF_PROG_TYPE_XDP,
9618 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9620 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9621 offsetof(struct xdp_md, data)),
9622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9623 offsetof(struct xdp_md, data_end)),
9624 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9626 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9627 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9628 BPF_MOV64_IMM(BPF_REG_0, 0),
9631 .errstr = "R1 offset is outside of the packet",
9633 .prog_type = BPF_PROG_TYPE_XDP,
9634 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9637 "XDP pkt read, pkt_end >= pkt_data', good access",
9639 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9640 offsetof(struct xdp_md, data)),
9641 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9642 offsetof(struct xdp_md, data_end)),
9643 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9645 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9646 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9647 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9648 BPF_MOV64_IMM(BPF_REG_0, 0),
9652 .prog_type = BPF_PROG_TYPE_XDP,
9655 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9657 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9658 offsetof(struct xdp_md, data)),
9659 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9660 offsetof(struct xdp_md, data_end)),
9661 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9663 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9664 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9665 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9666 BPF_MOV64_IMM(BPF_REG_0, 0),
9669 .errstr = "R1 offset is outside of the packet",
9671 .prog_type = BPF_PROG_TYPE_XDP,
9672 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9675 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9677 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9678 offsetof(struct xdp_md, data)),
9679 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9680 offsetof(struct xdp_md, data_end)),
9681 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9683 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9684 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9685 BPF_MOV64_IMM(BPF_REG_0, 0),
9688 .errstr = "R1 offset is outside of the packet",
9690 .prog_type = BPF_PROG_TYPE_XDP,
9693 "XDP pkt read, pkt_data' <= pkt_end, good access",
9695 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9696 offsetof(struct xdp_md, data)),
9697 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9698 offsetof(struct xdp_md, data_end)),
9699 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9701 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9702 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9703 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9704 BPF_MOV64_IMM(BPF_REG_0, 0),
9708 .prog_type = BPF_PROG_TYPE_XDP,
9711 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9713 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9714 offsetof(struct xdp_md, data)),
9715 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9716 offsetof(struct xdp_md, data_end)),
9717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9719 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9720 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9721 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9722 BPF_MOV64_IMM(BPF_REG_0, 0),
9725 .errstr = "R1 offset is outside of the packet",
9727 .prog_type = BPF_PROG_TYPE_XDP,
9728 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9731 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9733 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9734 offsetof(struct xdp_md, data)),
9735 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9736 offsetof(struct xdp_md, data_end)),
9737 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9739 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9740 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9741 BPF_MOV64_IMM(BPF_REG_0, 0),
9744 .errstr = "R1 offset is outside of the packet",
9746 .prog_type = BPF_PROG_TYPE_XDP,
9749 "XDP pkt read, pkt_end <= pkt_data', good access",
9751 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9752 offsetof(struct xdp_md, data)),
9753 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9754 offsetof(struct xdp_md, data_end)),
9755 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9757 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9758 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9759 BPF_MOV64_IMM(BPF_REG_0, 0),
9763 .prog_type = BPF_PROG_TYPE_XDP,
9764 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9767 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
9769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9770 offsetof(struct xdp_md, data)),
9771 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9772 offsetof(struct xdp_md, data_end)),
9773 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9775 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9776 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9777 BPF_MOV64_IMM(BPF_REG_0, 0),
9780 .errstr = "R1 offset is outside of the packet",
9782 .prog_type = BPF_PROG_TYPE_XDP,
9785 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9787 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9788 offsetof(struct xdp_md, data)),
9789 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9790 offsetof(struct xdp_md, data_end)),
9791 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9793 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9794 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9795 BPF_MOV64_IMM(BPF_REG_0, 0),
9798 .errstr = "R1 offset is outside of the packet",
9800 .prog_type = BPF_PROG_TYPE_XDP,
9801 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9804 "XDP pkt read, pkt_meta' > pkt_data, good access",
9806 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9807 offsetof(struct xdp_md, data_meta)),
9808 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9809 offsetof(struct xdp_md, data)),
9810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9812 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9813 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9814 BPF_MOV64_IMM(BPF_REG_0, 0),
9818 .prog_type = BPF_PROG_TYPE_XDP,
9821 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9823 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9824 offsetof(struct xdp_md, data_meta)),
9825 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9826 offsetof(struct xdp_md, data)),
9827 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9829 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9830 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9831 BPF_MOV64_IMM(BPF_REG_0, 0),
9834 .errstr = "R1 offset is outside of the packet",
9836 .prog_type = BPF_PROG_TYPE_XDP,
9837 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9840 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9843 offsetof(struct xdp_md, data_meta)),
9844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9845 offsetof(struct xdp_md, data)),
9846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9848 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9849 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9850 BPF_MOV64_IMM(BPF_REG_0, 0),
9853 .errstr = "R1 offset is outside of the packet",
9855 .prog_type = BPF_PROG_TYPE_XDP,
9858 "XDP pkt read, pkt_data > pkt_meta', good access",
9860 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9861 offsetof(struct xdp_md, data_meta)),
9862 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9863 offsetof(struct xdp_md, data)),
9864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9866 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9867 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9868 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9869 BPF_MOV64_IMM(BPF_REG_0, 0),
9873 .prog_type = BPF_PROG_TYPE_XDP,
9874 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9877 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9879 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9880 offsetof(struct xdp_md, data_meta)),
9881 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9882 offsetof(struct xdp_md, data)),
9883 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9885 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9886 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9887 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9888 BPF_MOV64_IMM(BPF_REG_0, 0),
9891 .errstr = "R1 offset is outside of the packet",
9893 .prog_type = BPF_PROG_TYPE_XDP,
9896 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9898 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9899 offsetof(struct xdp_md, data_meta)),
9900 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9901 offsetof(struct xdp_md, data)),
9902 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9904 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9905 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9906 BPF_MOV64_IMM(BPF_REG_0, 0),
9909 .errstr = "R1 offset is outside of the packet",
9911 .prog_type = BPF_PROG_TYPE_XDP,
9914 "XDP pkt read, pkt_meta' < pkt_data, good access",
9916 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9917 offsetof(struct xdp_md, data_meta)),
9918 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9919 offsetof(struct xdp_md, data)),
9920 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9922 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9923 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9924 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9925 BPF_MOV64_IMM(BPF_REG_0, 0),
9929 .prog_type = BPF_PROG_TYPE_XDP,
9930 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9933 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9935 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9936 offsetof(struct xdp_md, data_meta)),
9937 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9938 offsetof(struct xdp_md, data)),
9939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9941 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9942 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9943 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9944 BPF_MOV64_IMM(BPF_REG_0, 0),
9947 .errstr = "R1 offset is outside of the packet",
9949 .prog_type = BPF_PROG_TYPE_XDP,
9952 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9954 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9955 offsetof(struct xdp_md, data_meta)),
9956 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9957 offsetof(struct xdp_md, data)),
9958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9960 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9961 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9962 BPF_MOV64_IMM(BPF_REG_0, 0),
9965 .errstr = "R1 offset is outside of the packet",
9967 .prog_type = BPF_PROG_TYPE_XDP,
9970 "XDP pkt read, pkt_data < pkt_meta', good access",
9972 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9973 offsetof(struct xdp_md, data_meta)),
9974 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9975 offsetof(struct xdp_md, data)),
9976 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9978 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9979 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9980 BPF_MOV64_IMM(BPF_REG_0, 0),
9984 .prog_type = BPF_PROG_TYPE_XDP,
9987 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9989 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9990 offsetof(struct xdp_md, data_meta)),
9991 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9992 offsetof(struct xdp_md, data)),
9993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9995 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9996 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9997 BPF_MOV64_IMM(BPF_REG_0, 0),
10000 .errstr = "R1 offset is outside of the packet",
10002 .prog_type = BPF_PROG_TYPE_XDP,
10003 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10006 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
10008 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10009 offsetof(struct xdp_md, data_meta)),
10010 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10011 offsetof(struct xdp_md, data)),
10012 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10014 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10015 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10016 BPF_MOV64_IMM(BPF_REG_0, 0),
10019 .errstr = "R1 offset is outside of the packet",
10021 .prog_type = BPF_PROG_TYPE_XDP,
10024 "XDP pkt read, pkt_meta' >= pkt_data, good access",
10026 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10027 offsetof(struct xdp_md, data_meta)),
10028 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10029 offsetof(struct xdp_md, data)),
10030 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10032 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10033 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10034 BPF_MOV64_IMM(BPF_REG_0, 0),
10038 .prog_type = BPF_PROG_TYPE_XDP,
10039 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10042 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
10044 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10045 offsetof(struct xdp_md, data_meta)),
10046 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10047 offsetof(struct xdp_md, data)),
10048 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10050 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10051 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10052 BPF_MOV64_IMM(BPF_REG_0, 0),
10055 .errstr = "R1 offset is outside of the packet",
10057 .prog_type = BPF_PROG_TYPE_XDP,
10060 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
10062 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10063 offsetof(struct xdp_md, data_meta)),
10064 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10065 offsetof(struct xdp_md, data)),
10066 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10068 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10069 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10070 BPF_MOV64_IMM(BPF_REG_0, 0),
10073 .errstr = "R1 offset is outside of the packet",
10075 .prog_type = BPF_PROG_TYPE_XDP,
10076 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10079 "XDP pkt read, pkt_data >= pkt_meta', good access",
10081 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10082 offsetof(struct xdp_md, data_meta)),
10083 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10084 offsetof(struct xdp_md, data)),
10085 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10087 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10088 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10090 BPF_MOV64_IMM(BPF_REG_0, 0),
10094 .prog_type = BPF_PROG_TYPE_XDP,
10097 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
10099 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10100 offsetof(struct xdp_md, data_meta)),
10101 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10102 offsetof(struct xdp_md, data)),
10103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10105 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10106 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10107 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10108 BPF_MOV64_IMM(BPF_REG_0, 0),
10111 .errstr = "R1 offset is outside of the packet",
10113 .prog_type = BPF_PROG_TYPE_XDP,
10114 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10117 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
10119 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10120 offsetof(struct xdp_md, data_meta)),
10121 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10122 offsetof(struct xdp_md, data)),
10123 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10125 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10126 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10127 BPF_MOV64_IMM(BPF_REG_0, 0),
10130 .errstr = "R1 offset is outside of the packet",
10132 .prog_type = BPF_PROG_TYPE_XDP,
10135 "XDP pkt read, pkt_meta' <= pkt_data, good access",
10137 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10138 offsetof(struct xdp_md, data_meta)),
10139 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10140 offsetof(struct xdp_md, data)),
10141 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10143 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10144 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10145 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10146 BPF_MOV64_IMM(BPF_REG_0, 0),
10150 .prog_type = BPF_PROG_TYPE_XDP,
10153 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
10155 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10156 offsetof(struct xdp_md, data_meta)),
10157 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10158 offsetof(struct xdp_md, data)),
10159 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10161 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10162 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10163 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10164 BPF_MOV64_IMM(BPF_REG_0, 0),
10167 .errstr = "R1 offset is outside of the packet",
10169 .prog_type = BPF_PROG_TYPE_XDP,
10170 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10173 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
10175 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10176 offsetof(struct xdp_md, data_meta)),
10177 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10178 offsetof(struct xdp_md, data)),
10179 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10181 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10182 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10183 BPF_MOV64_IMM(BPF_REG_0, 0),
10186 .errstr = "R1 offset is outside of the packet",
10188 .prog_type = BPF_PROG_TYPE_XDP,
10191 "XDP pkt read, pkt_data <= pkt_meta', good access",
10193 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10194 offsetof(struct xdp_md, data_meta)),
10195 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10196 offsetof(struct xdp_md, data)),
10197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10199 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10200 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10201 BPF_MOV64_IMM(BPF_REG_0, 0),
10205 .prog_type = BPF_PROG_TYPE_XDP,
10206 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10209 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
10211 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10212 offsetof(struct xdp_md, data_meta)),
10213 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10214 offsetof(struct xdp_md, data)),
10215 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10217 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10218 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10219 BPF_MOV64_IMM(BPF_REG_0, 0),
10222 .errstr = "R1 offset is outside of the packet",
10224 .prog_type = BPF_PROG_TYPE_XDP,
10227 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
10229 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10230 offsetof(struct xdp_md, data_meta)),
10231 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10232 offsetof(struct xdp_md, data)),
10233 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10235 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10236 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10237 BPF_MOV64_IMM(BPF_REG_0, 0),
10240 .errstr = "R1 offset is outside of the packet",
10242 .prog_type = BPF_PROG_TYPE_XDP,
10243 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10246 "check deducing bounds from const, 1",
10248 BPF_MOV64_IMM(BPF_REG_0, 1),
10249 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
10250 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10254 .errstr = "R0 tried to subtract pointer from scalar",
10257 "check deducing bounds from const, 2",
10259 BPF_MOV64_IMM(BPF_REG_0, 1),
10260 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
10262 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
10264 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10271 "check deducing bounds from const, 3",
10273 BPF_MOV64_IMM(BPF_REG_0, 0),
10274 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10275 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10279 .errstr = "R0 tried to subtract pointer from scalar",
10282 "check deducing bounds from const, 4",
10284 BPF_MOV64_IMM(BPF_REG_0, 0),
10285 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
10287 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10289 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10295 "check deducing bounds from const, 5",
10297 BPF_MOV64_IMM(BPF_REG_0, 0),
10298 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10299 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10303 .errstr = "R0 tried to subtract pointer from scalar",
10306 "check deducing bounds from const, 6",
10308 BPF_MOV64_IMM(BPF_REG_0, 0),
10309 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10311 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10315 .errstr = "R0 tried to subtract pointer from scalar",
10318 "check deducing bounds from const, 7",
10320 BPF_MOV64_IMM(BPF_REG_0, ~0),
10321 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10322 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10324 offsetof(struct __sk_buff, mark)),
10328 .errstr = "dereference of modified ctx ptr",
10331 "check deducing bounds from const, 8",
10333 BPF_MOV64_IMM(BPF_REG_0, ~0),
10334 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10335 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
10336 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10337 offsetof(struct __sk_buff, mark)),
10341 .errstr = "dereference of modified ctx ptr",
10344 "check deducing bounds from const, 9",
10346 BPF_MOV64_IMM(BPF_REG_0, 0),
10347 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10348 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10352 .errstr = "R0 tried to subtract pointer from scalar",
10355 "check deducing bounds from const, 10",
10357 BPF_MOV64_IMM(BPF_REG_0, 0),
10358 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10359 /* Marks reg as unknown. */
10360 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
10361 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10365 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
10368 "bpf_exit with invalid return code. test1",
10370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10373 .errstr = "R0 has value (0x0; 0xffffffff)",
10375 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10378 "bpf_exit with invalid return code. test2",
10380 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10381 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
10385 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10388 "bpf_exit with invalid return code. test3",
10390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10391 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
10394 .errstr = "R0 has value (0x0; 0x3)",
10396 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10399 "bpf_exit with invalid return code. test4",
10401 BPF_MOV64_IMM(BPF_REG_0, 1),
10405 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10408 "bpf_exit with invalid return code. test5",
10410 BPF_MOV64_IMM(BPF_REG_0, 2),
10413 .errstr = "R0 has value (0x2; 0x0)",
10415 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10418 "bpf_exit with invalid return code. test6",
10420 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10423 .errstr = "R0 is not a known value (ctx)",
10425 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10428 "bpf_exit with invalid return code. test7",
10430 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10431 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
10432 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
10435 .errstr = "R0 has unknown scalar value",
10437 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10440 "calls: basic sanity",
10442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10443 BPF_MOV64_IMM(BPF_REG_0, 1),
10445 BPF_MOV64_IMM(BPF_REG_0, 2),
10448 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10452 "calls: not on unpriviledged",
10454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10455 BPF_MOV64_IMM(BPF_REG_0, 1),
10457 BPF_MOV64_IMM(BPF_REG_0, 2),
10460 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10461 .result_unpriv = REJECT,
10466 "calls: div by 0 in subprog",
10468 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10469 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10470 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10471 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10472 offsetof(struct __sk_buff, data_end)),
10473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10475 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10476 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10477 BPF_MOV64_IMM(BPF_REG_0, 1),
10479 BPF_MOV32_IMM(BPF_REG_2, 0),
10480 BPF_MOV32_IMM(BPF_REG_3, 1),
10481 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10482 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10483 offsetof(struct __sk_buff, data)),
10486 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10491 "calls: multiple ret types in subprog 1",
10493 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10494 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10495 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10496 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10497 offsetof(struct __sk_buff, data_end)),
10498 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10500 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10501 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10502 BPF_MOV64_IMM(BPF_REG_0, 1),
10504 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10505 offsetof(struct __sk_buff, data)),
10506 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10507 BPF_MOV32_IMM(BPF_REG_0, 42),
10510 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10512 .errstr = "R0 invalid mem access 'inv'",
10515 "calls: multiple ret types in subprog 2",
10517 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10518 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10519 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10520 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10521 offsetof(struct __sk_buff, data_end)),
10522 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10524 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10525 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10526 BPF_MOV64_IMM(BPF_REG_0, 1),
10528 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10529 offsetof(struct __sk_buff, data)),
10530 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10531 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10532 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10535 BPF_LD_MAP_FD(BPF_REG_1, 0),
10536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10537 BPF_FUNC_map_lookup_elem),
10538 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10539 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10540 offsetof(struct __sk_buff, data)),
10541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10544 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10545 .fixup_map_hash_8b = { 16 },
10547 .errstr = "R0 min value is outside of the array range",
10550 "calls: overlapping caller/callee",
10552 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10553 BPF_MOV64_IMM(BPF_REG_0, 1),
10556 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10557 .errstr = "last insn is not an exit or jmp",
10561 "calls: wrong recursive calls",
10563 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10564 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10566 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10567 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10568 BPF_MOV64_IMM(BPF_REG_0, 1),
10571 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10572 .errstr = "jump out of range",
10576 "calls: wrong src reg",
10578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10579 BPF_MOV64_IMM(BPF_REG_0, 1),
10582 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10583 .errstr = "BPF_CALL uses reserved fields",
10587 "calls: wrong off value",
10589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10590 BPF_MOV64_IMM(BPF_REG_0, 1),
10592 BPF_MOV64_IMM(BPF_REG_0, 2),
10595 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10596 .errstr = "BPF_CALL uses reserved fields",
10600 "calls: jump back loop",
10602 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10603 BPF_MOV64_IMM(BPF_REG_0, 1),
10606 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10607 .errstr = "back-edge from insn 0 to 0",
10611 "calls: conditional call",
10613 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10614 offsetof(struct __sk_buff, mark)),
10615 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10617 BPF_MOV64_IMM(BPF_REG_0, 1),
10619 BPF_MOV64_IMM(BPF_REG_0, 2),
10622 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10623 .errstr = "jump out of range",
10627 "calls: conditional call 2",
10629 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10630 offsetof(struct __sk_buff, mark)),
10631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10632 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10633 BPF_MOV64_IMM(BPF_REG_0, 1),
10635 BPF_MOV64_IMM(BPF_REG_0, 2),
10637 BPF_MOV64_IMM(BPF_REG_0, 3),
10640 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10644 "calls: conditional call 3",
10646 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10647 offsetof(struct __sk_buff, mark)),
10648 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10649 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10650 BPF_MOV64_IMM(BPF_REG_0, 1),
10652 BPF_MOV64_IMM(BPF_REG_0, 1),
10653 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10654 BPF_MOV64_IMM(BPF_REG_0, 3),
10655 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10657 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10658 .errstr = "back-edge from insn",
10662 "calls: conditional call 4",
10664 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10665 offsetof(struct __sk_buff, mark)),
10666 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10667 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10668 BPF_MOV64_IMM(BPF_REG_0, 1),
10670 BPF_MOV64_IMM(BPF_REG_0, 1),
10671 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10672 BPF_MOV64_IMM(BPF_REG_0, 3),
10675 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10679 "calls: conditional call 5",
10681 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10682 offsetof(struct __sk_buff, mark)),
10683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10684 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10685 BPF_MOV64_IMM(BPF_REG_0, 1),
10687 BPF_MOV64_IMM(BPF_REG_0, 1),
10688 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10689 BPF_MOV64_IMM(BPF_REG_0, 3),
10692 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10693 .errstr = "back-edge from insn",
10697 "calls: conditional call 6",
10699 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10702 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10703 offsetof(struct __sk_buff, mark)),
10706 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10707 .errstr = "back-edge from insn",
10711 "calls: using r0 returned by callee",
10713 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10715 BPF_MOV64_IMM(BPF_REG_0, 2),
10718 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10722 "calls: using uninit r0 from callee",
10724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10728 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10729 .errstr = "!read_ok",
10733 "calls: callee is using r1",
10735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10737 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10738 offsetof(struct __sk_buff, len)),
10741 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10743 .retval = TEST_DATA_LEN,
10746 "calls: callee using args1",
10748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10750 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10753 .errstr_unpriv = "allowed for root only",
10754 .result_unpriv = REJECT,
10756 .retval = POINTER_VALUE,
10759 "calls: callee using wrong args2",
10761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10763 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10766 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10767 .errstr = "R2 !read_ok",
10771 "calls: callee using two args",
10773 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10774 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10775 offsetof(struct __sk_buff, len)),
10776 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10777 offsetof(struct __sk_buff, len)),
10778 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10780 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10781 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10784 .errstr_unpriv = "allowed for root only",
10785 .result_unpriv = REJECT,
10787 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10790 "calls: callee changing pkt pointers",
10792 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10793 offsetof(struct xdp_md, data)),
10794 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10795 offsetof(struct xdp_md, data_end)),
10796 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10798 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10799 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10800 /* clear_all_pkt_pointers() has to walk all frames
10801 * to make sure that pkt pointers in the caller
10802 * are cleared when callee is calling a helper that
10803 * adjusts packet size
10805 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10806 BPF_MOV32_IMM(BPF_REG_0, 0),
10808 BPF_MOV64_IMM(BPF_REG_2, 0),
10809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10810 BPF_FUNC_xdp_adjust_head),
10814 .errstr = "R6 invalid mem access 'inv'",
10815 .prog_type = BPF_PROG_TYPE_XDP,
10818 "calls: two calls with args",
10820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10822 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10824 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10826 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10827 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10828 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10830 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10831 offsetof(struct __sk_buff, len)),
10834 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10836 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10839 "calls: calls with stack arith",
10841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10843 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10849 BPF_MOV64_IMM(BPF_REG_0, 42),
10850 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10853 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10858 "calls: calls with misaligned stack access",
10860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10862 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10865 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10867 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10868 BPF_MOV64_IMM(BPF_REG_0, 42),
10869 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10872 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10873 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10874 .errstr = "misaligned stack access",
10878 "calls: calls control flow, jump test",
10880 BPF_MOV64_IMM(BPF_REG_0, 42),
10881 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10882 BPF_MOV64_IMM(BPF_REG_0, 43),
10883 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10884 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10887 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10892 "calls: calls control flow, jump test 2",
10894 BPF_MOV64_IMM(BPF_REG_0, 42),
10895 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10896 BPF_MOV64_IMM(BPF_REG_0, 43),
10897 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10901 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10902 .errstr = "jump out of range from insn 1 to 4",
10906 "calls: two calls with bad jump",
10908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10910 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10912 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10913 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10915 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10916 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10918 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10919 offsetof(struct __sk_buff, len)),
10920 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10923 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10924 .errstr = "jump out of range from insn 11 to 9",
10928 "calls: recursive call. test1",
10930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10932 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10935 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10936 .errstr = "back-edge",
10940 "calls: recursive call. test2",
10942 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10947 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10948 .errstr = "back-edge",
10952 "calls: unreachable code",
10954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10958 BPF_MOV64_IMM(BPF_REG_0, 0),
10960 BPF_MOV64_IMM(BPF_REG_0, 0),
10963 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10964 .errstr = "unreachable insn 6",
10968 "calls: invalid call",
10970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10975 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10976 .errstr = "invalid destination",
10980 "calls: invalid call 2",
10982 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10984 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10987 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10988 .errstr = "invalid destination",
10992 "calls: jumping across function bodies. test1",
10994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10995 BPF_MOV64_IMM(BPF_REG_0, 0),
10997 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
11000 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11001 .errstr = "jump out of range",
11005 "calls: jumping across function bodies. test2",
11007 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
11008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11009 BPF_MOV64_IMM(BPF_REG_0, 0),
11013 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11014 .errstr = "jump out of range",
11018 "calls: call without exit",
11020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11024 BPF_MOV64_IMM(BPF_REG_0, 0),
11025 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
11027 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11028 .errstr = "not an exit",
11032 "calls: call into middle of ld_imm64",
11034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11035 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11036 BPF_MOV64_IMM(BPF_REG_0, 0),
11038 BPF_LD_IMM64(BPF_REG_0, 0),
11041 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11042 .errstr = "last insn",
11046 "calls: call into middle of other call",
11048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11049 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11050 BPF_MOV64_IMM(BPF_REG_0, 0),
11052 BPF_MOV64_IMM(BPF_REG_0, 0),
11053 BPF_MOV64_IMM(BPF_REG_0, 0),
11056 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11057 .errstr = "last insn",
11061 "calls: ld_abs with changing ctx data in callee",
11063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11064 BPF_LD_ABS(BPF_B, 0),
11065 BPF_LD_ABS(BPF_H, 0),
11066 BPF_LD_ABS(BPF_W, 0),
11067 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11069 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11070 BPF_LD_ABS(BPF_B, 0),
11071 BPF_LD_ABS(BPF_H, 0),
11072 BPF_LD_ABS(BPF_W, 0),
11074 BPF_MOV64_IMM(BPF_REG_2, 1),
11075 BPF_MOV64_IMM(BPF_REG_3, 2),
11076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11077 BPF_FUNC_skb_vlan_push),
11080 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11081 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
11085 "calls: two calls with bad fallthrough",
11087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11089 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11091 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11092 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11093 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11094 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11095 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11096 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
11097 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11098 offsetof(struct __sk_buff, len)),
11101 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11102 .errstr = "not an exit",
11106 "calls: two calls with stack read",
11108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11109 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11113 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11115 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11116 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11118 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11119 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11121 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11124 .prog_type = BPF_PROG_TYPE_XDP,
11128 "calls: two calls with stack write",
11131 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11134 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11136 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11137 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11141 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11142 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
11144 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11145 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11147 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11148 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
11149 /* write into stack frame of main prog */
11150 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11154 /* read from stack frame of main prog */
11155 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11158 .prog_type = BPF_PROG_TYPE_XDP,
11162 "calls: stack overflow using two frames (pre-call access)",
11165 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11166 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
11170 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11171 BPF_MOV64_IMM(BPF_REG_0, 0),
11174 .prog_type = BPF_PROG_TYPE_XDP,
11175 .errstr = "combined stack size",
11179 "calls: stack overflow using two frames (post-call access)",
11182 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
11183 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11187 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11188 BPF_MOV64_IMM(BPF_REG_0, 0),
11191 .prog_type = BPF_PROG_TYPE_XDP,
11192 .errstr = "combined stack size",
11196 "calls: stack depth check using three frames. test1",
11199 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11200 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11201 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11202 BPF_MOV64_IMM(BPF_REG_0, 0),
11205 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11208 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11209 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11212 .prog_type = BPF_PROG_TYPE_XDP,
11213 /* stack_main=32, stack_A=256, stack_B=64
11214 * and max(main+A, main+A+B) < 512
11219 "calls: stack depth check using three frames. test2",
11222 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11223 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11224 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11225 BPF_MOV64_IMM(BPF_REG_0, 0),
11228 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11231 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11232 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11235 .prog_type = BPF_PROG_TYPE_XDP,
11236 /* stack_main=32, stack_A=64, stack_B=256
11237 * and max(main+A, main+A+B) < 512
11242 "calls: stack depth check using three frames. test3",
11245 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11246 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11248 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
11249 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
11250 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11251 BPF_MOV64_IMM(BPF_REG_0, 0),
11254 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
11256 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
11257 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11259 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
11260 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
11261 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11264 .prog_type = BPF_PROG_TYPE_XDP,
11265 /* stack_main=64, stack_A=224, stack_B=256
11266 * and max(main+A, main+A+B) > 512
11268 .errstr = "combined stack",
11272 "calls: stack depth check using three frames. test4",
11273 /* void main(void) {
11278 * void func1(int alloc_or_recurse) {
11279 * if (alloc_or_recurse) {
11280 * frame_pointer[-300] = 1;
11282 * func2(alloc_or_recurse);
11285 * void func2(int alloc_or_recurse) {
11286 * if (alloc_or_recurse) {
11287 * frame_pointer[-300] = 1;
11293 BPF_MOV64_IMM(BPF_REG_1, 0),
11294 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11295 BPF_MOV64_IMM(BPF_REG_1, 1),
11296 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11297 BPF_MOV64_IMM(BPF_REG_1, 1),
11298 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
11299 BPF_MOV64_IMM(BPF_REG_0, 0),
11302 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
11303 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11305 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11308 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11309 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11312 .prog_type = BPF_PROG_TYPE_XDP,
11314 .errstr = "combined stack",
11317 "calls: stack depth check using three frames. test5",
11320 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
11323 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11326 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
11329 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
11332 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
11335 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
11338 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
11341 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
11344 BPF_MOV64_IMM(BPF_REG_0, 0),
11347 .prog_type = BPF_PROG_TYPE_XDP,
11348 .errstr = "call stack",
11352 "calls: spill into caller stack frame",
11354 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11359 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
11360 BPF_MOV64_IMM(BPF_REG_0, 0),
11363 .prog_type = BPF_PROG_TYPE_XDP,
11364 .errstr = "cannot spill",
11368 "calls: write into caller stack frame",
11370 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11372 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11373 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11374 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11376 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
11377 BPF_MOV64_IMM(BPF_REG_0, 0),
11380 .prog_type = BPF_PROG_TYPE_XDP,
11385 "calls: write into callee stack frame",
11387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11388 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
11390 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
11391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
11394 .prog_type = BPF_PROG_TYPE_XDP,
11395 .errstr = "cannot return stack pointer",
11399 "calls: two calls with stack write and void return",
11402 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11407 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11412 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11413 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11415 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11420 /* write into stack frame of main prog */
11421 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
11422 BPF_EXIT_INSN(), /* void return */
11424 .prog_type = BPF_PROG_TYPE_XDP,
11428 "calls: ambiguous return value",
11430 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11434 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11435 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11437 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11438 BPF_MOV64_IMM(BPF_REG_0, 0),
11441 .errstr_unpriv = "allowed for root only",
11442 .result_unpriv = REJECT,
11443 .errstr = "R0 !read_ok",
11447 "calls: two calls that return map_value",
11450 /* pass fp-16, fp-8 into a function */
11451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11453 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11457 /* fetch map_value_ptr from the stack of this function */
11458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11459 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11460 /* write into map value */
11461 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11462 /* fetch secound map_value_ptr from the stack */
11463 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11464 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11465 /* write into map value */
11466 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11467 BPF_MOV64_IMM(BPF_REG_0, 0),
11471 /* call 3rd function twice */
11472 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11473 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11474 /* first time with fp-8 */
11475 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11476 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11477 /* second time with fp-16 */
11478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11482 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11483 /* lookup from map */
11484 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11485 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11487 BPF_LD_MAP_FD(BPF_REG_1, 0),
11488 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11489 BPF_FUNC_map_lookup_elem),
11490 /* write map_value_ptr into stack frame of main prog */
11491 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11492 BPF_MOV64_IMM(BPF_REG_0, 0),
11493 BPF_EXIT_INSN(), /* return 0 */
11495 .prog_type = BPF_PROG_TYPE_XDP,
11496 .fixup_map_hash_8b = { 23 },
11500 "calls: two calls that return map_value with bool condition",
11503 /* pass fp-16, fp-8 into a function */
11504 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11508 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11509 BPF_MOV64_IMM(BPF_REG_0, 0),
11513 /* call 3rd function twice */
11514 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11515 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11516 /* first time with fp-8 */
11517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11518 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11519 /* fetch map_value_ptr from the stack of this function */
11520 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11521 /* write into map value */
11522 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11524 /* second time with fp-16 */
11525 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11526 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11527 /* fetch secound map_value_ptr from the stack */
11528 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11529 /* write into map value */
11530 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11534 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11535 /* lookup from map */
11536 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11537 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11539 BPF_LD_MAP_FD(BPF_REG_1, 0),
11540 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11541 BPF_FUNC_map_lookup_elem),
11542 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11543 BPF_MOV64_IMM(BPF_REG_0, 0),
11544 BPF_EXIT_INSN(), /* return 0 */
11545 /* write map_value_ptr into stack frame of main prog */
11546 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11547 BPF_MOV64_IMM(BPF_REG_0, 1),
11548 BPF_EXIT_INSN(), /* return 1 */
11550 .prog_type = BPF_PROG_TYPE_XDP,
11551 .fixup_map_hash_8b = { 23 },
11555 "calls: two calls that return map_value with incorrect bool check",
11558 /* pass fp-16, fp-8 into a function */
11559 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11561 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11563 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11564 BPF_MOV64_IMM(BPF_REG_0, 0),
11568 /* call 3rd function twice */
11569 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11570 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11571 /* first time with fp-8 */
11572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11573 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11574 /* fetch map_value_ptr from the stack of this function */
11575 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11576 /* write into map value */
11577 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11578 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11579 /* second time with fp-16 */
11580 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11581 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11582 /* fetch secound map_value_ptr from the stack */
11583 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11584 /* write into map value */
11585 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11589 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11590 /* lookup from map */
11591 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11592 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11593 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11594 BPF_LD_MAP_FD(BPF_REG_1, 0),
11595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11596 BPF_FUNC_map_lookup_elem),
11597 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11598 BPF_MOV64_IMM(BPF_REG_0, 0),
11599 BPF_EXIT_INSN(), /* return 0 */
11600 /* write map_value_ptr into stack frame of main prog */
11601 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11602 BPF_MOV64_IMM(BPF_REG_0, 1),
11603 BPF_EXIT_INSN(), /* return 1 */
11605 .prog_type = BPF_PROG_TYPE_XDP,
11606 .fixup_map_hash_8b = { 23 },
11608 .errstr = "invalid read from stack off -16+0 size 8",
11611 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11614 /* pass fp-16, fp-8 into a function */
11615 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11617 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11620 BPF_MOV64_IMM(BPF_REG_0, 0),
11624 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11625 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11626 /* 1st lookup from map */
11627 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11630 BPF_LD_MAP_FD(BPF_REG_1, 0),
11631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11632 BPF_FUNC_map_lookup_elem),
11633 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11634 BPF_MOV64_IMM(BPF_REG_8, 0),
11635 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11636 /* write map_value_ptr into stack frame of main prog at fp-8 */
11637 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11638 BPF_MOV64_IMM(BPF_REG_8, 1),
11640 /* 2nd lookup from map */
11641 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11643 BPF_LD_MAP_FD(BPF_REG_1, 0),
11644 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11645 BPF_FUNC_map_lookup_elem),
11646 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11647 BPF_MOV64_IMM(BPF_REG_9, 0),
11648 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11649 /* write map_value_ptr into stack frame of main prog at fp-16 */
11650 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11651 BPF_MOV64_IMM(BPF_REG_9, 1),
11653 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11655 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11656 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11657 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11658 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11662 /* if arg2 == 1 do *arg1 = 0 */
11663 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11664 /* fetch map_value_ptr from the stack of this function */
11665 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11666 /* write into map value */
11667 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11669 /* if arg4 == 1 do *arg3 = 0 */
11670 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11671 /* fetch map_value_ptr from the stack of this function */
11672 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11673 /* write into map value */
11674 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11677 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11678 .fixup_map_hash_8b = { 12, 22 },
11680 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11683 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11686 /* pass fp-16, fp-8 into a function */
11687 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11689 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11691 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11692 BPF_MOV64_IMM(BPF_REG_0, 0),
11696 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11697 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11698 /* 1st lookup from map */
11699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11702 BPF_LD_MAP_FD(BPF_REG_1, 0),
11703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11704 BPF_FUNC_map_lookup_elem),
11705 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11706 BPF_MOV64_IMM(BPF_REG_8, 0),
11707 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11708 /* write map_value_ptr into stack frame of main prog at fp-8 */
11709 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11710 BPF_MOV64_IMM(BPF_REG_8, 1),
11712 /* 2nd lookup from map */
11713 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11715 BPF_LD_MAP_FD(BPF_REG_1, 0),
11716 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11717 BPF_FUNC_map_lookup_elem),
11718 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11719 BPF_MOV64_IMM(BPF_REG_9, 0),
11720 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11721 /* write map_value_ptr into stack frame of main prog at fp-16 */
11722 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11723 BPF_MOV64_IMM(BPF_REG_9, 1),
11725 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11727 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11728 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11729 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11734 /* if arg2 == 1 do *arg1 = 0 */
11735 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11736 /* fetch map_value_ptr from the stack of this function */
11737 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11738 /* write into map value */
11739 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11741 /* if arg4 == 1 do *arg3 = 0 */
11742 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11743 /* fetch map_value_ptr from the stack of this function */
11744 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11745 /* write into map value */
11746 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11749 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11750 .fixup_map_hash_8b = { 12, 22 },
11754 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11757 /* pass fp-16, fp-8 into a function */
11758 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11760 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11762 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11763 BPF_MOV64_IMM(BPF_REG_0, 0),
11767 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11768 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11769 /* 1st lookup from map */
11770 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11771 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11773 BPF_LD_MAP_FD(BPF_REG_1, 0),
11774 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11775 BPF_FUNC_map_lookup_elem),
11776 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11777 BPF_MOV64_IMM(BPF_REG_8, 0),
11778 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11779 /* write map_value_ptr into stack frame of main prog at fp-8 */
11780 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11781 BPF_MOV64_IMM(BPF_REG_8, 1),
11783 /* 2nd lookup from map */
11784 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11785 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11786 BPF_LD_MAP_FD(BPF_REG_1, 0),
11787 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11788 BPF_FUNC_map_lookup_elem),
11789 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11790 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11791 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11792 /* write map_value_ptr into stack frame of main prog at fp-16 */
11793 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11794 BPF_MOV64_IMM(BPF_REG_9, 1),
11796 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11799 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11800 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11801 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11802 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11805 /* if arg2 == 1 do *arg1 = 0 */
11806 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11807 /* fetch map_value_ptr from the stack of this function */
11808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11809 /* write into map value */
11810 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11812 /* if arg4 == 1 do *arg3 = 0 */
11813 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11814 /* fetch map_value_ptr from the stack of this function */
11815 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11816 /* write into map value */
11817 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11818 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11820 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11821 .fixup_map_hash_8b = { 12, 22 },
11823 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11826 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11829 /* pass fp-16, fp-8 into a function */
11830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11834 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11835 BPF_MOV64_IMM(BPF_REG_0, 0),
11839 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11840 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11841 /* 1st lookup from map */
11842 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11845 BPF_LD_MAP_FD(BPF_REG_1, 0),
11846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11847 BPF_FUNC_map_lookup_elem),
11848 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11849 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11850 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11851 BPF_MOV64_IMM(BPF_REG_8, 0),
11852 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11853 BPF_MOV64_IMM(BPF_REG_8, 1),
11855 /* 2nd lookup from map */
11856 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11858 BPF_LD_MAP_FD(BPF_REG_1, 0),
11859 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11860 BPF_FUNC_map_lookup_elem),
11861 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11862 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11863 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11864 BPF_MOV64_IMM(BPF_REG_9, 0),
11865 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11866 BPF_MOV64_IMM(BPF_REG_9, 1),
11868 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11869 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11871 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11872 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11873 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11877 /* if arg2 == 1 do *arg1 = 0 */
11878 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11879 /* fetch map_value_ptr from the stack of this function */
11880 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11881 /* write into map value */
11882 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11884 /* if arg4 == 1 do *arg3 = 0 */
11885 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11886 /* fetch map_value_ptr from the stack of this function */
11887 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11888 /* write into map value */
11889 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11892 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11893 .fixup_map_hash_8b = { 12, 22 },
11897 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11900 /* pass fp-16, fp-8 into a function */
11901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11903 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11905 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11906 BPF_MOV64_IMM(BPF_REG_0, 0),
11910 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11911 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11912 /* 1st lookup from map */
11913 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11916 BPF_LD_MAP_FD(BPF_REG_1, 0),
11917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11918 BPF_FUNC_map_lookup_elem),
11919 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11920 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11921 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11922 BPF_MOV64_IMM(BPF_REG_8, 0),
11923 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11924 BPF_MOV64_IMM(BPF_REG_8, 1),
11926 /* 2nd lookup from map */
11927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11929 BPF_LD_MAP_FD(BPF_REG_1, 0),
11930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11931 BPF_FUNC_map_lookup_elem),
11932 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11933 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11934 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11935 BPF_MOV64_IMM(BPF_REG_9, 0),
11936 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11937 BPF_MOV64_IMM(BPF_REG_9, 1),
11939 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11940 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11942 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11943 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11948 /* if arg2 == 1 do *arg1 = 0 */
11949 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11950 /* fetch map_value_ptr from the stack of this function */
11951 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11952 /* write into map value */
11953 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11955 /* if arg4 == 0 do *arg3 = 0 */
11956 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11957 /* fetch map_value_ptr from the stack of this function */
11958 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11959 /* write into map value */
11960 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11963 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11964 .fixup_map_hash_8b = { 12, 22 },
11966 .errstr = "R0 invalid mem access 'inv'",
11969 "calls: pkt_ptr spill into caller stack",
11971 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11972 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11973 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11977 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11978 offsetof(struct __sk_buff, data)),
11979 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11980 offsetof(struct __sk_buff, data_end)),
11981 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11983 /* spill unchecked pkt_ptr into stack of caller */
11984 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11985 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11986 /* now the pkt range is verified, read pkt_ptr from stack */
11987 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11988 /* write 4 bytes into packet */
11989 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11993 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11994 .retval = POINTER_VALUE,
11997 "calls: pkt_ptr spill into caller stack 2",
11999 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12001 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12002 /* Marking is still kept, but not in all cases safe. */
12003 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12004 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12008 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12009 offsetof(struct __sk_buff, data)),
12010 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12011 offsetof(struct __sk_buff, data_end)),
12012 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12014 /* spill unchecked pkt_ptr into stack of caller */
12015 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12016 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12017 /* now the pkt range is verified, read pkt_ptr from stack */
12018 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12019 /* write 4 bytes into packet */
12020 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12023 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12024 .errstr = "invalid access to packet",
12028 "calls: pkt_ptr spill into caller stack 3",
12030 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12032 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12033 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12034 /* Marking is still kept and safe here. */
12035 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12036 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12040 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12041 offsetof(struct __sk_buff, data)),
12042 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12043 offsetof(struct __sk_buff, data_end)),
12044 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12046 /* spill unchecked pkt_ptr into stack of caller */
12047 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12048 BPF_MOV64_IMM(BPF_REG_5, 0),
12049 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12050 BPF_MOV64_IMM(BPF_REG_5, 1),
12051 /* now the pkt range is verified, read pkt_ptr from stack */
12052 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12053 /* write 4 bytes into packet */
12054 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12055 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12058 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12063 "calls: pkt_ptr spill into caller stack 4",
12065 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12067 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12068 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12069 /* Check marking propagated. */
12070 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12071 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12075 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12076 offsetof(struct __sk_buff, data)),
12077 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12078 offsetof(struct __sk_buff, data_end)),
12079 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12081 /* spill unchecked pkt_ptr into stack of caller */
12082 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12083 BPF_MOV64_IMM(BPF_REG_5, 0),
12084 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12085 BPF_MOV64_IMM(BPF_REG_5, 1),
12086 /* don't read back pkt_ptr from stack here */
12087 /* write 4 bytes into packet */
12088 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12089 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12092 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12097 "calls: pkt_ptr spill into caller stack 5",
12099 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12101 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
12102 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12103 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12104 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12108 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12109 offsetof(struct __sk_buff, data)),
12110 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12111 offsetof(struct __sk_buff, data_end)),
12112 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12114 BPF_MOV64_IMM(BPF_REG_5, 0),
12115 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12116 /* spill checked pkt_ptr into stack of caller */
12117 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12118 BPF_MOV64_IMM(BPF_REG_5, 1),
12119 /* don't read back pkt_ptr from stack here */
12120 /* write 4 bytes into packet */
12121 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12122 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12125 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12126 .errstr = "same insn cannot be used with different",
12130 "calls: pkt_ptr spill into caller stack 6",
12132 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12133 offsetof(struct __sk_buff, data_end)),
12134 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12136 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12138 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12139 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12143 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12144 offsetof(struct __sk_buff, data)),
12145 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12146 offsetof(struct __sk_buff, data_end)),
12147 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12149 BPF_MOV64_IMM(BPF_REG_5, 0),
12150 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12151 /* spill checked pkt_ptr into stack of caller */
12152 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12153 BPF_MOV64_IMM(BPF_REG_5, 1),
12154 /* don't read back pkt_ptr from stack here */
12155 /* write 4 bytes into packet */
12156 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12157 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12160 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12161 .errstr = "R4 invalid mem access",
12165 "calls: pkt_ptr spill into caller stack 7",
12167 BPF_MOV64_IMM(BPF_REG_2, 0),
12168 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12170 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12171 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12172 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12173 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12177 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12178 offsetof(struct __sk_buff, data)),
12179 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12180 offsetof(struct __sk_buff, data_end)),
12181 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12183 BPF_MOV64_IMM(BPF_REG_5, 0),
12184 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12185 /* spill checked pkt_ptr into stack of caller */
12186 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12187 BPF_MOV64_IMM(BPF_REG_5, 1),
12188 /* don't read back pkt_ptr from stack here */
12189 /* write 4 bytes into packet */
12190 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12194 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12195 .errstr = "R4 invalid mem access",
12199 "calls: pkt_ptr spill into caller stack 8",
12201 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12202 offsetof(struct __sk_buff, data)),
12203 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12204 offsetof(struct __sk_buff, data_end)),
12205 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12207 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12209 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12211 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12213 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12214 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12218 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12219 offsetof(struct __sk_buff, data)),
12220 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12221 offsetof(struct __sk_buff, data_end)),
12222 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12224 BPF_MOV64_IMM(BPF_REG_5, 0),
12225 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12226 /* spill checked pkt_ptr into stack of caller */
12227 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12228 BPF_MOV64_IMM(BPF_REG_5, 1),
12229 /* don't read back pkt_ptr from stack here */
12230 /* write 4 bytes into packet */
12231 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12232 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12235 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12239 "calls: pkt_ptr spill into caller stack 9",
12241 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12242 offsetof(struct __sk_buff, data)),
12243 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12244 offsetof(struct __sk_buff, data_end)),
12245 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12247 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12249 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12251 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12252 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12253 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12254 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12258 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12259 offsetof(struct __sk_buff, data)),
12260 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12261 offsetof(struct __sk_buff, data_end)),
12262 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12264 BPF_MOV64_IMM(BPF_REG_5, 0),
12265 /* spill unchecked pkt_ptr into stack of caller */
12266 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12267 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12268 BPF_MOV64_IMM(BPF_REG_5, 1),
12269 /* don't read back pkt_ptr from stack here */
12270 /* write 4 bytes into packet */
12271 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12272 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12275 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12276 .errstr = "invalid access to packet",
12280 "calls: caller stack init to zero or map_value_or_null",
12282 BPF_MOV64_IMM(BPF_REG_0, 0),
12283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12284 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12286 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12287 /* fetch map_value_or_null or const_zero from stack */
12288 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12290 /* store into map_value */
12291 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
12295 /* if (ctx == 0) return; */
12296 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
12297 /* else bpf_map_lookup() and *(fp - 8) = r0 */
12298 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
12299 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12301 BPF_LD_MAP_FD(BPF_REG_1, 0),
12302 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12303 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12304 BPF_FUNC_map_lookup_elem),
12305 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12306 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12309 .fixup_map_hash_8b = { 13 },
12311 .prog_type = BPF_PROG_TYPE_XDP,
12314 "calls: stack init to zero and pruning",
12316 /* first make allocated_stack 16 byte */
12317 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
12318 /* now fork the execution such that the false branch
12319 * of JGT insn will be verified second and it skisp zero
12320 * init of fp-8 stack slot. If stack liveness marking
12321 * is missing live_read marks from call map_lookup
12322 * processing then pruning will incorrectly assume
12323 * that fp-8 stack slot was unused in the fall-through
12324 * branch and will accept the program incorrectly
12326 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
12327 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12328 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
12329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12331 BPF_LD_MAP_FD(BPF_REG_1, 0),
12332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12333 BPF_FUNC_map_lookup_elem),
12336 .fixup_map_hash_48b = { 6 },
12337 .errstr = "invalid indirect read from stack off -8+0 size 8",
12339 .prog_type = BPF_PROG_TYPE_XDP,
12342 "calls: two calls returning different map pointers for lookup (hash, array)",
12345 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12347 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12349 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12350 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12351 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12353 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12354 BPF_FUNC_map_lookup_elem),
12355 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12356 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12357 offsetof(struct test_val, foo)),
12358 BPF_MOV64_IMM(BPF_REG_0, 1),
12361 BPF_LD_MAP_FD(BPF_REG_0, 0),
12364 BPF_LD_MAP_FD(BPF_REG_0, 0),
12367 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12368 .fixup_map_hash_48b = { 13 },
12369 .fixup_map_array_48b = { 16 },
12374 "calls: two calls returning different map pointers for lookup (hash, map in map)",
12377 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12379 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12382 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12383 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12386 BPF_FUNC_map_lookup_elem),
12387 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12388 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12389 offsetof(struct test_val, foo)),
12390 BPF_MOV64_IMM(BPF_REG_0, 1),
12393 BPF_LD_MAP_FD(BPF_REG_0, 0),
12396 BPF_LD_MAP_FD(BPF_REG_0, 0),
12399 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12400 .fixup_map_in_map = { 16 },
12401 .fixup_map_array_48b = { 13 },
12403 .errstr = "R0 invalid mem access 'map_ptr'",
12406 "cond: two branches returning different map pointers for lookup (tail, tail)",
12408 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12409 offsetof(struct __sk_buff, mark)),
12410 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
12411 BPF_LD_MAP_FD(BPF_REG_2, 0),
12412 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12413 BPF_LD_MAP_FD(BPF_REG_2, 0),
12414 BPF_MOV64_IMM(BPF_REG_3, 7),
12415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12416 BPF_FUNC_tail_call),
12417 BPF_MOV64_IMM(BPF_REG_0, 1),
12420 .fixup_prog1 = { 5 },
12421 .fixup_prog2 = { 2 },
12422 .result_unpriv = REJECT,
12423 .errstr_unpriv = "tail_call abusing map_ptr",
12428 "cond: two branches returning same map pointers for lookup (tail, tail)",
12430 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12431 offsetof(struct __sk_buff, mark)),
12432 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
12433 BPF_LD_MAP_FD(BPF_REG_2, 0),
12434 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12435 BPF_LD_MAP_FD(BPF_REG_2, 0),
12436 BPF_MOV64_IMM(BPF_REG_3, 7),
12437 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12438 BPF_FUNC_tail_call),
12439 BPF_MOV64_IMM(BPF_REG_0, 1),
12442 .fixup_prog2 = { 2, 5 },
12443 .result_unpriv = ACCEPT,
12448 "search pruning: all branches should be verified (nop operation)",
12450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12452 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12453 BPF_LD_MAP_FD(BPF_REG_1, 0),
12454 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12455 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12456 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12457 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12458 BPF_MOV64_IMM(BPF_REG_4, 0),
12460 BPF_MOV64_IMM(BPF_REG_4, 1),
12461 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12462 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12463 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12464 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12465 BPF_MOV64_IMM(BPF_REG_6, 0),
12466 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12469 .fixup_map_hash_8b = { 3 },
12470 .errstr = "R6 invalid mem access 'inv'",
12472 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12475 "search pruning: all branches should be verified (invalid stack access)",
12477 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12479 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12480 BPF_LD_MAP_FD(BPF_REG_1, 0),
12481 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12483 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12484 BPF_MOV64_IMM(BPF_REG_4, 0),
12485 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12488 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12489 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12490 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12493 .fixup_map_hash_8b = { 3 },
12494 .errstr = "invalid read from stack off -16+0 size 8",
12496 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12499 "jit: lsh, rsh, arsh by 1",
12501 BPF_MOV64_IMM(BPF_REG_0, 1),
12502 BPF_MOV64_IMM(BPF_REG_1, 0xff),
12503 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12504 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12505 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12507 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12508 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12511 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12514 BPF_MOV64_IMM(BPF_REG_0, 2),
12521 "jit: mov32 for ldimm64, 1",
12523 BPF_MOV64_IMM(BPF_REG_0, 2),
12524 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12525 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12526 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12527 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12528 BPF_MOV64_IMM(BPF_REG_0, 1),
12535 "jit: mov32 for ldimm64, 2",
12537 BPF_MOV64_IMM(BPF_REG_0, 1),
12538 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12539 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12540 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12541 BPF_MOV64_IMM(BPF_REG_0, 2),
12548 "jit: various mul tests",
12550 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12551 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12552 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12553 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12554 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12555 BPF_MOV64_IMM(BPF_REG_0, 1),
12557 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12558 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12559 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12560 BPF_MOV64_IMM(BPF_REG_0, 1),
12562 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12563 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12564 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12565 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12566 BPF_MOV64_IMM(BPF_REG_0, 1),
12568 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12569 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12570 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12571 BPF_MOV64_IMM(BPF_REG_0, 1),
12573 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12574 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12575 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12576 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12577 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12578 BPF_MOV64_IMM(BPF_REG_0, 1),
12580 BPF_MOV64_IMM(BPF_REG_0, 2),
12587 "xadd/w check unaligned stack",
12589 BPF_MOV64_IMM(BPF_REG_0, 1),
12590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12591 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12592 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12596 .errstr = "misaligned stack access off",
12597 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12600 "xadd/w check unaligned map",
12602 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12605 BPF_LD_MAP_FD(BPF_REG_1, 0),
12606 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12607 BPF_FUNC_map_lookup_elem),
12608 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12610 BPF_MOV64_IMM(BPF_REG_1, 1),
12611 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12612 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12615 .fixup_map_hash_8b = { 3 },
12617 .errstr = "misaligned value access off",
12618 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12621 "xadd/w check unaligned pkt",
12623 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12624 offsetof(struct xdp_md, data)),
12625 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12626 offsetof(struct xdp_md, data_end)),
12627 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12629 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12630 BPF_MOV64_IMM(BPF_REG_0, 99),
12631 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12632 BPF_MOV64_IMM(BPF_REG_0, 1),
12633 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12634 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12635 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12636 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12637 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12641 .errstr = "BPF_XADD stores into R2 pkt is not allowed",
12642 .prog_type = BPF_PROG_TYPE_XDP,
12645 "xadd/w check whether src/dst got mangled, 1",
12647 BPF_MOV64_IMM(BPF_REG_0, 1),
12648 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12649 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12650 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12651 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12652 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12653 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12654 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12655 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12657 BPF_MOV64_IMM(BPF_REG_0, 42),
12661 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12665 "xadd/w check whether src/dst got mangled, 2",
12667 BPF_MOV64_IMM(BPF_REG_0, 1),
12668 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12669 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12670 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12671 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12672 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12673 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12674 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12675 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12677 BPF_MOV64_IMM(BPF_REG_0, 42),
12681 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12685 "bpf_get_stack return R0 within range",
12687 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12688 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12689 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12691 BPF_LD_MAP_FD(BPF_REG_1, 0),
12692 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12693 BPF_FUNC_map_lookup_elem),
12694 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12695 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12696 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12697 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12699 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12700 BPF_MOV64_IMM(BPF_REG_4, 256),
12701 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12702 BPF_MOV64_IMM(BPF_REG_1, 0),
12703 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12704 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12705 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12706 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12707 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12709 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12710 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12711 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12712 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12713 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12714 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12716 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12717 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12718 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12719 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12720 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12721 BPF_MOV64_IMM(BPF_REG_4, 0),
12722 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12725 .fixup_map_hash_48b = { 4 },
12727 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12730 "ld_abs: invalid op 1",
12732 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12733 BPF_LD_ABS(BPF_DW, 0),
12736 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12738 .errstr = "unknown opcode",
12741 "ld_abs: invalid op 2",
12743 BPF_MOV32_IMM(BPF_REG_0, 256),
12744 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12745 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12748 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12750 .errstr = "unknown opcode",
12753 "ld_abs: nmap reduced",
12755 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12756 BPF_LD_ABS(BPF_H, 12),
12757 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12758 BPF_LD_ABS(BPF_H, 12),
12759 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12760 BPF_MOV32_IMM(BPF_REG_0, 18),
12761 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12762 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12763 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12764 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12765 BPF_MOV32_IMM(BPF_REG_0, 280971478),
12766 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12767 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12768 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12769 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12770 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12771 BPF_LD_ABS(BPF_H, 12),
12772 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12773 BPF_MOV32_IMM(BPF_REG_0, 22),
12774 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12775 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12776 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12777 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12778 BPF_MOV32_IMM(BPF_REG_0, 17366),
12779 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12780 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12781 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12782 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12783 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12784 BPF_MOV32_IMM(BPF_REG_0, 256),
12786 BPF_MOV32_IMM(BPF_REG_0, 0),
12790 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12791 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12792 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12794 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12799 "ld_abs: div + abs, test 1",
12801 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12802 BPF_LD_ABS(BPF_B, 3),
12803 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12804 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12805 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12806 BPF_LD_ABS(BPF_B, 4),
12807 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12808 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12812 10, 20, 30, 40, 50,
12814 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12819 "ld_abs: div + abs, test 2",
12821 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12822 BPF_LD_ABS(BPF_B, 3),
12823 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12824 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12825 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12826 BPF_LD_ABS(BPF_B, 128),
12827 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12828 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12832 10, 20, 30, 40, 50,
12834 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12839 "ld_abs: div + abs, test 3",
12841 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12842 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12843 BPF_LD_ABS(BPF_B, 3),
12844 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12848 10, 20, 30, 40, 50,
12850 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12855 "ld_abs: div + abs, test 4",
12857 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12858 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12859 BPF_LD_ABS(BPF_B, 256),
12860 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12864 10, 20, 30, 40, 50,
12866 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12871 "ld_abs: vlan + abs, test 1",
12876 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12877 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12882 "ld_abs: vlan + abs, test 2",
12884 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12885 BPF_LD_ABS(BPF_B, 0),
12886 BPF_LD_ABS(BPF_H, 0),
12887 BPF_LD_ABS(BPF_W, 0),
12888 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12889 BPF_MOV64_IMM(BPF_REG_6, 0),
12890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12891 BPF_MOV64_IMM(BPF_REG_2, 1),
12892 BPF_MOV64_IMM(BPF_REG_3, 2),
12893 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12894 BPF_FUNC_skb_vlan_push),
12895 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12896 BPF_LD_ABS(BPF_B, 0),
12897 BPF_LD_ABS(BPF_H, 0),
12898 BPF_LD_ABS(BPF_W, 0),
12899 BPF_MOV64_IMM(BPF_REG_0, 42),
12905 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12910 "ld_abs: jump around ld_abs",
12915 .fill_helper = bpf_fill_jump_around_ld_abs,
12916 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12921 "ld_dw: xor semi-random 64 bit imms, test 1",
12924 .fill_helper = bpf_fill_rand_ld_dw,
12925 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12930 "ld_dw: xor semi-random 64 bit imms, test 2",
12933 .fill_helper = bpf_fill_rand_ld_dw,
12934 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12939 "ld_dw: xor semi-random 64 bit imms, test 3",
12942 .fill_helper = bpf_fill_rand_ld_dw,
12943 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12948 "ld_dw: xor semi-random 64 bit imms, test 4",
12951 .fill_helper = bpf_fill_rand_ld_dw,
12952 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12957 "pass unmodified ctx pointer to helper",
12959 BPF_MOV64_IMM(BPF_REG_2, 0),
12960 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12961 BPF_FUNC_csum_update),
12962 BPF_MOV64_IMM(BPF_REG_0, 0),
12965 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12969 "reference tracking: leak potential reference",
12972 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
12975 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12976 .errstr = "Unreleased reference",
12980 "reference tracking: leak potential reference on stack",
12983 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12985 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
12986 BPF_MOV64_IMM(BPF_REG_0, 0),
12989 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12990 .errstr = "Unreleased reference",
12994 "reference tracking: leak potential reference on stack 2",
12997 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12999 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13000 BPF_MOV64_IMM(BPF_REG_0, 0),
13001 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
13004 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13005 .errstr = "Unreleased reference",
13009 "reference tracking: zero potential reference",
13012 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
13015 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13016 .errstr = "Unreleased reference",
13020 "reference tracking: copy and zero potential references",
13023 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13024 BPF_MOV64_IMM(BPF_REG_0, 0),
13025 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
13028 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13029 .errstr = "Unreleased reference",
13033 "reference tracking: release reference without check",
13036 /* reference in r0 may be NULL */
13037 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13038 BPF_MOV64_IMM(BPF_REG_2, 0),
13039 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13042 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13043 .errstr = "type=sock_or_null expected=sock",
13047 "reference tracking: release reference",
13050 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13051 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13052 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13055 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13059 "reference tracking: release reference 2",
13062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13063 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13065 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13068 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13072 "reference tracking: release reference twice",
13075 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13076 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13077 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13078 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13079 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13080 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13083 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13084 .errstr = "type=inv expected=sock",
13088 "reference tracking: release reference twice inside branch",
13091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13092 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13093 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
13094 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13095 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13096 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13099 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13100 .errstr = "type=inv expected=sock",
13104 "reference tracking: alloc, check, free in one subbranch",
13106 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13107 offsetof(struct __sk_buff, data)),
13108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13109 offsetof(struct __sk_buff, data_end)),
13110 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13112 /* if (offsetof(skb, mark) > data_len) exit; */
13113 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13115 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13116 offsetof(struct __sk_buff, mark)),
13118 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
13119 /* Leak reference in R0 */
13121 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13122 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13123 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13126 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13127 .errstr = "Unreleased reference",
13131 "reference tracking: alloc, check, free in both subbranches",
13133 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13134 offsetof(struct __sk_buff, data)),
13135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13136 offsetof(struct __sk_buff, data_end)),
13137 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13139 /* if (offsetof(skb, mark) > data_len) exit; */
13140 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13142 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13143 offsetof(struct __sk_buff, mark)),
13145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
13146 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13148 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13152 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13159 "reference tracking in call: free reference in subprog",
13162 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13164 BPF_MOV64_IMM(BPF_REG_0, 0),
13168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13170 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13173 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13177 "pass modified ctx pointer to helper, 1",
13179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13180 BPF_MOV64_IMM(BPF_REG_2, 0),
13181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13182 BPF_FUNC_csum_update),
13183 BPF_MOV64_IMM(BPF_REG_0, 0),
13186 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13188 .errstr = "dereference of modified ctx ptr",
13191 "pass modified ctx pointer to helper, 2",
13193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13195 BPF_FUNC_get_socket_cookie),
13196 BPF_MOV64_IMM(BPF_REG_0, 0),
13199 .result_unpriv = REJECT,
13201 .errstr_unpriv = "dereference of modified ctx ptr",
13202 .errstr = "dereference of modified ctx ptr",
13205 "pass modified ctx pointer to helper, 3",
13207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
13208 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
13209 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
13210 BPF_MOV64_IMM(BPF_REG_2, 0),
13211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13212 BPF_FUNC_csum_update),
13213 BPF_MOV64_IMM(BPF_REG_0, 0),
13216 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13218 .errstr = "variable ctx access var_off=(0x0; 0x4)",
13221 "mov64 src == dst",
13223 BPF_MOV64_IMM(BPF_REG_2, 0),
13224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
13225 // Check bounds are OK
13226 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13227 BPF_MOV64_IMM(BPF_REG_0, 0),
13230 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13234 "mov64 src != dst",
13236 BPF_MOV64_IMM(BPF_REG_3, 0),
13237 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
13238 // Check bounds are OK
13239 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13240 BPF_MOV64_IMM(BPF_REG_0, 0),
13243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13247 "reference tracking in call: free reference in subprog and outside",
13250 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13251 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13252 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13254 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13258 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13260 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13263 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13264 .errstr = "type=inv expected=sock",
13268 "reference tracking in call: alloc & leak reference in subprog",
13270 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13274 BPF_MOV64_IMM(BPF_REG_0, 0),
13278 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
13280 /* spill unchecked sk_ptr into stack of caller */
13281 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13282 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13285 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13286 .errstr = "Unreleased reference",
13290 "reference tracking in call: alloc in subprog, release outside",
13292 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13293 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13295 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13296 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13301 BPF_EXIT_INSN(), /* return sk */
13303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13304 .retval = POINTER_VALUE,
13308 "reference tracking in call: sk_ptr leak into caller stack",
13310 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13312 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13313 BPF_MOV64_IMM(BPF_REG_0, 0),
13317 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13319 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
13321 /* spill unchecked sk_ptr into stack of caller */
13322 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13324 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13325 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13332 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13333 .errstr = "Unreleased reference",
13337 "reference tracking in call: sk_ptr spill into caller stack",
13339 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13341 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13342 BPF_MOV64_IMM(BPF_REG_0, 0),
13346 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13348 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13349 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
13350 /* spill unchecked sk_ptr into stack of caller */
13351 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13353 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13354 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13355 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13356 /* now the sk_ptr is verified, free the reference */
13357 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
13358 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13365 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13369 "reference tracking: allow LD_ABS",
13371 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13373 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13374 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13375 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13376 BPF_LD_ABS(BPF_B, 0),
13377 BPF_LD_ABS(BPF_H, 0),
13378 BPF_LD_ABS(BPF_W, 0),
13381 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13385 "reference tracking: forbid LD_ABS while holding reference",
13387 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13389 BPF_LD_ABS(BPF_B, 0),
13390 BPF_LD_ABS(BPF_H, 0),
13391 BPF_LD_ABS(BPF_W, 0),
13392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13393 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13394 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13397 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13398 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13402 "reference tracking: allow LD_IND",
13404 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13407 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13408 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13409 BPF_MOV64_IMM(BPF_REG_7, 1),
13410 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13411 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13414 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13419 "reference tracking: forbid LD_IND while holding reference",
13421 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13423 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
13424 BPF_MOV64_IMM(BPF_REG_7, 1),
13425 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13426 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
13428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13429 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13432 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13433 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13437 "reference tracking: check reference or tail call",
13439 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13441 /* if (sk) bpf_sk_release() */
13442 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13443 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
13444 /* bpf_tail_call() */
13445 BPF_MOV64_IMM(BPF_REG_3, 2),
13446 BPF_LD_MAP_FD(BPF_REG_2, 0),
13447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13448 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13449 BPF_FUNC_tail_call),
13450 BPF_MOV64_IMM(BPF_REG_0, 0),
13452 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13455 .fixup_prog1 = { 17 },
13456 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13460 "reference tracking: release reference then tail call",
13462 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13464 /* if (sk) bpf_sk_release() */
13465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13466 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13467 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13468 /* bpf_tail_call() */
13469 BPF_MOV64_IMM(BPF_REG_3, 2),
13470 BPF_LD_MAP_FD(BPF_REG_2, 0),
13471 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13472 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13473 BPF_FUNC_tail_call),
13474 BPF_MOV64_IMM(BPF_REG_0, 0),
13477 .fixup_prog1 = { 18 },
13478 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13482 "reference tracking: leak possible reference over tail call",
13484 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13485 /* Look up socket and store in REG_6 */
13487 /* bpf_tail_call() */
13488 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13489 BPF_MOV64_IMM(BPF_REG_3, 2),
13490 BPF_LD_MAP_FD(BPF_REG_2, 0),
13491 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13493 BPF_FUNC_tail_call),
13494 BPF_MOV64_IMM(BPF_REG_0, 0),
13495 /* if (sk) bpf_sk_release() */
13496 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13497 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13498 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13501 .fixup_prog1 = { 16 },
13502 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13503 .errstr = "tail_call would lead to reference leak",
13507 "reference tracking: leak checked reference over tail call",
13509 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13510 /* Look up socket and store in REG_6 */
13512 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13513 /* if (!sk) goto end */
13514 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
13515 /* bpf_tail_call() */
13516 BPF_MOV64_IMM(BPF_REG_3, 0),
13517 BPF_LD_MAP_FD(BPF_REG_2, 0),
13518 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13520 BPF_FUNC_tail_call),
13521 BPF_MOV64_IMM(BPF_REG_0, 0),
13522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13523 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13526 .fixup_prog1 = { 17 },
13527 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13528 .errstr = "tail_call would lead to reference leak",
13532 "reference tracking: mangle and release sock_or_null",
13535 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13537 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13538 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13541 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13542 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
13546 "reference tracking: mangle and release sock",
13549 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13552 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13555 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13556 .errstr = "R1 pointer arithmetic on sock prohibited",
13560 "reference tracking: access member",
13563 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13564 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13565 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13566 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13567 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13570 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13574 "reference tracking: write to member",
13577 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13578 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
13579 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13580 BPF_LD_IMM64(BPF_REG_2, 42),
13581 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
13582 offsetof(struct bpf_sock, mark)),
13583 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13584 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13585 BPF_LD_IMM64(BPF_REG_0, 0),
13588 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13589 .errstr = "cannot write into socket",
13593 "reference tracking: invalid 64-bit access of member",
13596 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13597 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13598 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
13599 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13600 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13603 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13604 .errstr = "invalid bpf_sock access off=0 size=8",
13608 "reference tracking: access after release",
13611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13613 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13614 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
13617 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13618 .errstr = "!read_ok",
13622 "reference tracking: direct access for lookup",
13624 /* Check that the packet is at least 64B long */
13625 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13626 offsetof(struct __sk_buff, data)),
13627 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13628 offsetof(struct __sk_buff, data_end)),
13629 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
13631 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
13632 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
13633 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
13634 BPF_MOV64_IMM(BPF_REG_4, 0),
13635 BPF_MOV64_IMM(BPF_REG_5, 0),
13636 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
13637 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13638 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13639 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13641 BPF_EMIT_CALL(BPF_FUNC_sk_release),
13644 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13649 static int probe_filter_length(const struct bpf_insn *fp)
13653 for (len = MAX_INSNS - 1; len > 0; --len)
13654 if (fp[len].code != 0 || fp[len].imm != 0)
13659 static int create_map(uint32_t type, uint32_t size_key,
13660 uint32_t size_value, uint32_t max_elem)
13664 fd = bpf_create_map(type, size_key, size_value, max_elem,
13665 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
13667 printf("Failed to create hash map '%s'!\n", strerror(errno));
13672 static int create_prog_dummy1(enum bpf_map_type prog_type)
13674 struct bpf_insn prog[] = {
13675 BPF_MOV64_IMM(BPF_REG_0, 42),
13679 return bpf_load_program(prog_type, prog,
13680 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13683 static int create_prog_dummy2(enum bpf_map_type prog_type, int mfd, int idx)
13685 struct bpf_insn prog[] = {
13686 BPF_MOV64_IMM(BPF_REG_3, idx),
13687 BPF_LD_MAP_FD(BPF_REG_2, mfd),
13688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13689 BPF_FUNC_tail_call),
13690 BPF_MOV64_IMM(BPF_REG_0, 41),
13694 return bpf_load_program(prog_type, prog,
13695 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13698 static int create_prog_array(enum bpf_map_type prog_type, uint32_t max_elem,
13702 int mfd, p1fd, p2fd;
13704 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
13705 sizeof(int), max_elem, 0);
13707 printf("Failed to create prog array '%s'!\n", strerror(errno));
13711 p1fd = create_prog_dummy1(prog_type);
13712 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
13713 if (p1fd < 0 || p2fd < 0)
13715 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
13717 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
13730 static int create_map_in_map(void)
13732 int inner_map_fd, outer_map_fd;
13734 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
13735 sizeof(int), 1, 0);
13736 if (inner_map_fd < 0) {
13737 printf("Failed to create array '%s'!\n", strerror(errno));
13738 return inner_map_fd;
13741 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
13742 sizeof(int), inner_map_fd, 1, 0);
13743 if (outer_map_fd < 0)
13744 printf("Failed to create array of maps '%s'!\n",
13747 close(inner_map_fd);
13749 return outer_map_fd;
13752 static int create_cgroup_storage(bool percpu)
13754 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
13755 BPF_MAP_TYPE_CGROUP_STORAGE;
13758 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
13759 TEST_DATA_LEN, 0, 0);
13761 printf("Failed to create cgroup storage '%s'!\n",
13767 static char bpf_vlog[UINT_MAX >> 8];
13769 static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
13770 struct bpf_insn *prog, int *map_fds)
13772 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
13773 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
13774 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
13775 int *fixup_map_array_48b = test->fixup_map_array_48b;
13776 int *fixup_map_sockmap = test->fixup_map_sockmap;
13777 int *fixup_map_sockhash = test->fixup_map_sockhash;
13778 int *fixup_map_xskmap = test->fixup_map_xskmap;
13779 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
13780 int *fixup_prog1 = test->fixup_prog1;
13781 int *fixup_prog2 = test->fixup_prog2;
13782 int *fixup_map_in_map = test->fixup_map_in_map;
13783 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
13784 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
13786 if (test->fill_helper)
13787 test->fill_helper(test);
13789 /* Allocating HTs with 1 elem is fine here, since we only test
13790 * for verifier and not do a runtime lookup, so the only thing
13791 * that really matters is value size in this case.
13793 if (*fixup_map_hash_8b) {
13794 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
13795 sizeof(long long), 1);
13797 prog[*fixup_map_hash_8b].imm = map_fds[0];
13798 fixup_map_hash_8b++;
13799 } while (*fixup_map_hash_8b);
13802 if (*fixup_map_hash_48b) {
13803 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
13804 sizeof(struct test_val), 1);
13806 prog[*fixup_map_hash_48b].imm = map_fds[1];
13807 fixup_map_hash_48b++;
13808 } while (*fixup_map_hash_48b);
13811 if (*fixup_map_hash_16b) {
13812 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
13813 sizeof(struct other_val), 1);
13815 prog[*fixup_map_hash_16b].imm = map_fds[2];
13816 fixup_map_hash_16b++;
13817 } while (*fixup_map_hash_16b);
13820 if (*fixup_map_array_48b) {
13821 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
13822 sizeof(struct test_val), 1);
13824 prog[*fixup_map_array_48b].imm = map_fds[3];
13825 fixup_map_array_48b++;
13826 } while (*fixup_map_array_48b);
13829 if (*fixup_prog1) {
13830 map_fds[4] = create_prog_array(prog_type, 4, 0);
13832 prog[*fixup_prog1].imm = map_fds[4];
13834 } while (*fixup_prog1);
13837 if (*fixup_prog2) {
13838 map_fds[5] = create_prog_array(prog_type, 8, 7);
13840 prog[*fixup_prog2].imm = map_fds[5];
13842 } while (*fixup_prog2);
13845 if (*fixup_map_in_map) {
13846 map_fds[6] = create_map_in_map();
13848 prog[*fixup_map_in_map].imm = map_fds[6];
13849 fixup_map_in_map++;
13850 } while (*fixup_map_in_map);
13853 if (*fixup_cgroup_storage) {
13854 map_fds[7] = create_cgroup_storage(false);
13856 prog[*fixup_cgroup_storage].imm = map_fds[7];
13857 fixup_cgroup_storage++;
13858 } while (*fixup_cgroup_storage);
13861 if (*fixup_percpu_cgroup_storage) {
13862 map_fds[8] = create_cgroup_storage(true);
13864 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
13865 fixup_percpu_cgroup_storage++;
13866 } while (*fixup_percpu_cgroup_storage);
13868 if (*fixup_map_sockmap) {
13869 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
13872 prog[*fixup_map_sockmap].imm = map_fds[9];
13873 fixup_map_sockmap++;
13874 } while (*fixup_map_sockmap);
13876 if (*fixup_map_sockhash) {
13877 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
13880 prog[*fixup_map_sockhash].imm = map_fds[10];
13881 fixup_map_sockhash++;
13882 } while (*fixup_map_sockhash);
13884 if (*fixup_map_xskmap) {
13885 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
13888 prog[*fixup_map_xskmap].imm = map_fds[11];
13889 fixup_map_xskmap++;
13890 } while (*fixup_map_xskmap);
13892 if (*fixup_map_stacktrace) {
13893 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
13896 prog[*fixup_map_stacktrace].imm = map_fds[12];
13897 fixup_map_stacktrace++;
13898 } while (fixup_map_stacktrace);
13902 static void do_test_single(struct bpf_test *test, bool unpriv,
13903 int *passes, int *errors)
13905 int fd_prog, expected_ret, reject_from_alignment;
13906 int prog_len, prog_type = test->prog_type;
13907 struct bpf_insn *prog = test->insns;
13908 int map_fds[MAX_NR_MAPS];
13909 const char *expected_err;
13913 for (i = 0; i < MAX_NR_MAPS; i++)
13917 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
13918 do_test_fixup(test, prog_type, prog, map_fds);
13919 prog_len = probe_filter_length(prog);
13921 fd_prog = bpf_verify_program(prog_type, prog, prog_len,
13922 test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
13923 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
13925 expected_ret = unpriv && test->result_unpriv != UNDEF ?
13926 test->result_unpriv : test->result;
13927 expected_err = unpriv && test->errstr_unpriv ?
13928 test->errstr_unpriv : test->errstr;
13930 reject_from_alignment = fd_prog < 0 &&
13931 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
13932 strstr(bpf_vlog, "Unknown alignment.");
13933 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
13934 if (reject_from_alignment) {
13935 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
13940 if (expected_ret == ACCEPT) {
13941 if (fd_prog < 0 && !reject_from_alignment) {
13942 printf("FAIL\nFailed to load prog '%s'!\n",
13947 if (fd_prog >= 0) {
13948 printf("FAIL\nUnexpected success to load!\n");
13951 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
13952 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
13953 expected_err, bpf_vlog);
13958 if (fd_prog >= 0) {
13959 __u8 tmp[TEST_DATA_LEN << 2];
13960 __u32 size_tmp = sizeof(tmp);
13962 err = bpf_prog_test_run(fd_prog, 1, test->data,
13963 sizeof(test->data), tmp, &size_tmp,
13965 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
13966 printf("Unexpected bpf_prog_test_run error\n");
13969 if (!err && retval != test->retval &&
13970 test->retval != POINTER_VALUE) {
13971 printf("FAIL retval %d != %d\n", retval, test->retval);
13976 printf("OK%s\n", reject_from_alignment ?
13977 " (NOTE: reject due to unknown alignment)" : "");
13980 for (i = 0; i < MAX_NR_MAPS; i++)
13986 printf("%s", bpf_vlog);
13990 static bool is_admin(void)
13993 cap_flag_value_t sysadmin = CAP_CLEAR;
13994 const cap_value_t cap_val = CAP_SYS_ADMIN;
13996 #ifdef CAP_IS_SUPPORTED
13997 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
13998 perror("cap_get_flag");
14002 caps = cap_get_proc();
14004 perror("cap_get_proc");
14007 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
14008 perror("cap_get_flag");
14009 if (cap_free(caps))
14010 perror("cap_free");
14011 return (sysadmin == CAP_SET);
14014 static int set_admin(bool admin)
14017 const cap_value_t cap_val = CAP_SYS_ADMIN;
14020 caps = cap_get_proc();
14022 perror("cap_get_proc");
14025 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
14026 admin ? CAP_SET : CAP_CLEAR)) {
14027 perror("cap_set_flag");
14030 if (cap_set_proc(caps)) {
14031 perror("cap_set_proc");
14036 if (cap_free(caps))
14037 perror("cap_free");
14041 static void get_unpriv_disabled()
14046 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
14048 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
14049 unpriv_disabled = true;
14052 if (fgets(buf, 2, fd) == buf && atoi(buf))
14053 unpriv_disabled = true;
14057 static bool test_as_unpriv(struct bpf_test *test)
14059 return !test->prog_type ||
14060 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
14061 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
14064 static int do_test(bool unpriv, unsigned int from, unsigned int to)
14066 int i, passes = 0, errors = 0, skips = 0;
14068 for (i = from; i < to; i++) {
14069 struct bpf_test *test = &tests[i];
14071 /* Program types that are not supported by non-root we
14074 if (test_as_unpriv(test) && unpriv_disabled) {
14075 printf("#%d/u %s SKIP\n", i, test->descr);
14077 } else if (test_as_unpriv(test)) {
14080 printf("#%d/u %s ", i, test->descr);
14081 do_test_single(test, true, &passes, &errors);
14087 printf("#%d/p %s SKIP\n", i, test->descr);
14090 printf("#%d/p %s ", i, test->descr);
14091 do_test_single(test, false, &passes, &errors);
14095 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
14097 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
14100 int main(int argc, char **argv)
14102 unsigned int from = 0, to = ARRAY_SIZE(tests);
14103 bool unpriv = !is_admin();
14106 unsigned int l = atoi(argv[argc - 2]);
14107 unsigned int u = atoi(argv[argc - 1]);
14109 if (l < to && u < to) {
14113 } else if (argc == 2) {
14114 unsigned int t = atoi(argv[argc - 1]);
14122 get_unpriv_disabled();
14123 if (unpriv && unpriv_disabled) {
14124 printf("Cannot run as unprivileged user with sysctl %s.\n",
14126 return EXIT_FAILURE;
14129 bpf_semi_rand_init();
14130 return do_test(unpriv, from, to);
git.samba.org / sfrench / cifs-2.6.git / blob