2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
45 #include "../../../include/linux/filter.h"
48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
51 #define MAX_INSNS BPF_MAXINSNS
54 #define POINTER_VALUE 0xcafe4all
55 #define TEST_DATA_LEN 64
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
65 struct bpf_insn insns[MAX_INSNS];
66 int fixup_map1[MAX_FIXUPS];
67 int fixup_map2[MAX_FIXUPS];
68 int fixup_map3[MAX_FIXUPS];
69 int fixup_map4[MAX_FIXUPS];
70 int fixup_prog1[MAX_FIXUPS];
71 int fixup_prog2[MAX_FIXUPS];
72 int fixup_map_in_map[MAX_FIXUPS];
74 const char *errstr_unpriv;
80 } result, result_unpriv;
81 enum bpf_prog_type prog_type;
83 __u8 data[TEST_DATA_LEN];
84 void (*fill_helper)(struct bpf_test *self);
87 /* Note we want this to be 64 bit aligned so that the end of our array is
88 * actually the end of the structure.
90 #define MAX_ENTRIES 11
102 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
104 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
106 unsigned int len = BPF_MAXINSNS;
107 struct bpf_insn *insn = self->insns;
110 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
112 for (j = 0; j < PUSH_CNT; j++) {
113 insn[i++] = BPF_LD_ABS(BPF_B, 0);
114 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
116 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
117 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
118 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
119 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
120 BPF_FUNC_skb_vlan_push),
121 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
125 for (j = 0; j < PUSH_CNT; j++) {
126 insn[i++] = BPF_LD_ABS(BPF_B, 0);
127 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
129 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
130 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
131 BPF_FUNC_skb_vlan_pop),
132 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
138 for (; i < len - 1; i++)
139 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
140 insn[len - 1] = BPF_EXIT_INSN();
143 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
145 struct bpf_insn *insn = self->insns;
146 unsigned int len = BPF_MAXINSNS;
149 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
150 insn[i++] = BPF_LD_ABS(BPF_B, 0);
151 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
154 insn[i++] = BPF_LD_ABS(BPF_B, 1);
155 insn[i] = BPF_EXIT_INSN();
158 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
160 struct bpf_insn *insn = self->insns;
164 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
165 while (i < self->retval) {
166 uint64_t val = bpf_semi_rand_get();
167 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
172 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
174 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
175 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
176 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
177 insn[i] = BPF_EXIT_INSN();
179 self->retval = (uint32_t)res;
182 static struct bpf_test tests[] = {
186 BPF_MOV64_IMM(BPF_REG_1, 1),
187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
188 BPF_MOV64_IMM(BPF_REG_2, 3),
189 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
191 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
192 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
199 "DIV32 by 0, zero check 1",
201 BPF_MOV32_IMM(BPF_REG_0, 42),
202 BPF_MOV32_IMM(BPF_REG_1, 0),
203 BPF_MOV32_IMM(BPF_REG_2, 1),
204 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
211 "DIV32 by 0, zero check 2",
213 BPF_MOV32_IMM(BPF_REG_0, 42),
214 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
215 BPF_MOV32_IMM(BPF_REG_2, 1),
216 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
223 "DIV64 by 0, zero check",
225 BPF_MOV32_IMM(BPF_REG_0, 42),
226 BPF_MOV32_IMM(BPF_REG_1, 0),
227 BPF_MOV32_IMM(BPF_REG_2, 1),
228 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
235 "MOD32 by 0, zero check 1",
237 BPF_MOV32_IMM(BPF_REG_0, 42),
238 BPF_MOV32_IMM(BPF_REG_1, 0),
239 BPF_MOV32_IMM(BPF_REG_2, 1),
240 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
247 "MOD32 by 0, zero check 2",
249 BPF_MOV32_IMM(BPF_REG_0, 42),
250 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
251 BPF_MOV32_IMM(BPF_REG_2, 1),
252 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
259 "MOD64 by 0, zero check",
261 BPF_MOV32_IMM(BPF_REG_0, 42),
262 BPF_MOV32_IMM(BPF_REG_1, 0),
263 BPF_MOV32_IMM(BPF_REG_2, 1),
264 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
271 "DIV32 by 0, zero check ok, cls",
273 BPF_MOV32_IMM(BPF_REG_0, 42),
274 BPF_MOV32_IMM(BPF_REG_1, 2),
275 BPF_MOV32_IMM(BPF_REG_2, 16),
276 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
277 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
280 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
285 "DIV32 by 0, zero check 1, cls",
287 BPF_MOV32_IMM(BPF_REG_1, 0),
288 BPF_MOV32_IMM(BPF_REG_0, 1),
289 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
292 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
297 "DIV32 by 0, zero check 2, cls",
299 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
300 BPF_MOV32_IMM(BPF_REG_0, 1),
301 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
304 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
309 "DIV64 by 0, zero check, cls",
311 BPF_MOV32_IMM(BPF_REG_1, 0),
312 BPF_MOV32_IMM(BPF_REG_0, 1),
313 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
316 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
321 "MOD32 by 0, zero check ok, cls",
323 BPF_MOV32_IMM(BPF_REG_0, 42),
324 BPF_MOV32_IMM(BPF_REG_1, 3),
325 BPF_MOV32_IMM(BPF_REG_2, 5),
326 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
327 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
330 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
335 "MOD32 by 0, zero check 1, cls",
337 BPF_MOV32_IMM(BPF_REG_1, 0),
338 BPF_MOV32_IMM(BPF_REG_0, 1),
339 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
347 "MOD32 by 0, zero check 2, cls",
349 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
350 BPF_MOV32_IMM(BPF_REG_0, 1),
351 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
354 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
359 "MOD64 by 0, zero check 1, cls",
361 BPF_MOV32_IMM(BPF_REG_1, 0),
362 BPF_MOV32_IMM(BPF_REG_0, 2),
363 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
366 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
371 "MOD64 by 0, zero check 2, cls",
373 BPF_MOV32_IMM(BPF_REG_1, 0),
374 BPF_MOV32_IMM(BPF_REG_0, -1),
375 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
378 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
382 /* Just make sure that JITs used udiv/umod as otherwise we get
383 * an exception from INT_MIN/-1 overflow similarly as with div
387 "DIV32 overflow, check 1",
389 BPF_MOV32_IMM(BPF_REG_1, -1),
390 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
391 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
399 "DIV32 overflow, check 2",
401 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
402 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
410 "DIV64 overflow, check 1",
412 BPF_MOV64_IMM(BPF_REG_1, -1),
413 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
414 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
417 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
422 "DIV64 overflow, check 2",
424 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
425 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
433 "MOD32 overflow, check 1",
435 BPF_MOV32_IMM(BPF_REG_1, -1),
436 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
437 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
440 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
445 "MOD32 overflow, check 2",
447 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
448 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
451 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
456 "MOD64 overflow, check 1",
458 BPF_MOV64_IMM(BPF_REG_1, -1),
459 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
460 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
461 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
462 BPF_MOV32_IMM(BPF_REG_0, 0),
463 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
464 BPF_MOV32_IMM(BPF_REG_0, 1),
467 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
472 "MOD64 overflow, check 2",
474 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
475 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
476 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
477 BPF_MOV32_IMM(BPF_REG_0, 0),
478 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
479 BPF_MOV32_IMM(BPF_REG_0, 1),
482 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
487 "xor32 zero extend check",
489 BPF_MOV32_IMM(BPF_REG_2, -1),
490 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
491 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
492 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
493 BPF_MOV32_IMM(BPF_REG_0, 2),
494 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
495 BPF_MOV32_IMM(BPF_REG_0, 1),
498 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
506 .errstr = "unknown opcode 00",
514 .errstr = "R0 !read_ok",
523 .errstr = "unreachable",
529 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
530 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
533 .errstr = "unreachable",
539 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
542 .errstr = "jump out of range",
546 "out of range jump2",
548 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
551 .errstr = "jump out of range",
557 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
558 BPF_LD_IMM64(BPF_REG_0, 0),
559 BPF_LD_IMM64(BPF_REG_0, 0),
560 BPF_LD_IMM64(BPF_REG_0, 1),
561 BPF_LD_IMM64(BPF_REG_0, 1),
562 BPF_MOV64_IMM(BPF_REG_0, 2),
565 .errstr = "invalid BPF_LD_IMM insn",
566 .errstr_unpriv = "R1 pointer comparison",
572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
573 BPF_LD_IMM64(BPF_REG_0, 0),
574 BPF_LD_IMM64(BPF_REG_0, 0),
575 BPF_LD_IMM64(BPF_REG_0, 1),
576 BPF_LD_IMM64(BPF_REG_0, 1),
579 .errstr = "invalid BPF_LD_IMM insn",
580 .errstr_unpriv = "R1 pointer comparison",
586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
587 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
588 BPF_LD_IMM64(BPF_REG_0, 0),
589 BPF_LD_IMM64(BPF_REG_0, 0),
590 BPF_LD_IMM64(BPF_REG_0, 1),
591 BPF_LD_IMM64(BPF_REG_0, 1),
594 .errstr = "invalid bpf_ld_imm64 insn",
600 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
603 .errstr = "invalid bpf_ld_imm64 insn",
609 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
611 .errstr = "invalid bpf_ld_imm64 insn",
617 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
618 BPF_RAW_INSN(0, 0, 0, 0, 0),
626 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
627 BPF_RAW_INSN(0, 0, 0, 0, 1),
636 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
637 BPF_RAW_INSN(0, 0, 0, 0, 1),
640 .errstr = "uses reserved fields",
646 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
647 BPF_RAW_INSN(0, 0, 0, 1, 1),
650 .errstr = "invalid bpf_ld_imm64 insn",
656 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
657 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
660 .errstr = "invalid bpf_ld_imm64 insn",
666 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
667 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
670 .errstr = "invalid bpf_ld_imm64 insn",
676 BPF_MOV64_IMM(BPF_REG_1, 0),
677 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
678 BPF_RAW_INSN(0, 0, 0, 0, 1),
681 .errstr = "not pointing to valid bpf_map",
687 BPF_MOV64_IMM(BPF_REG_1, 0),
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
689 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
692 .errstr = "invalid bpf_ld_imm64 insn",
698 BPF_MOV64_IMM(BPF_REG_0, 1),
699 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
703 .errstr = "unknown opcode c4",
708 BPF_MOV64_IMM(BPF_REG_0, 1),
709 BPF_MOV64_IMM(BPF_REG_1, 5),
710 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
714 .errstr = "unknown opcode cc",
719 BPF_MOV64_IMM(BPF_REG_0, 1),
720 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
728 BPF_MOV64_IMM(BPF_REG_0, 1),
729 BPF_MOV64_IMM(BPF_REG_1, 5),
730 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
738 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
740 .errstr = "not an exit",
746 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
749 .errstr = "back-edge",
755 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
757 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
758 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
761 .errstr = "back-edge",
767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
768 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
769 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
773 .errstr = "back-edge",
777 "read uninitialized register",
779 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
782 .errstr = "R2 !read_ok",
786 "read invalid register",
788 BPF_MOV64_REG(BPF_REG_0, -1),
791 .errstr = "R15 is invalid",
795 "program doesn't init R0 before exit",
797 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
800 .errstr = "R0 !read_ok",
804 "program doesn't init R0 before exit in all branches",
806 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
807 BPF_MOV64_IMM(BPF_REG_0, 1),
808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
811 .errstr = "R0 !read_ok",
812 .errstr_unpriv = "R1 pointer comparison",
816 "stack out of bounds",
818 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
821 .errstr = "invalid stack",
825 "invalid call insn1",
827 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
830 .errstr = "unknown opcode 8d",
834 "invalid call insn2",
836 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
839 .errstr = "BPF_CALL uses reserved",
843 "invalid function call",
845 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
848 .errstr = "invalid func unknown#1234567",
852 "uninitialized stack1",
854 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
856 BPF_LD_MAP_FD(BPF_REG_1, 0),
857 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
858 BPF_FUNC_map_lookup_elem),
862 .errstr = "invalid indirect read from stack",
866 "uninitialized stack2",
868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
869 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
872 .errstr = "invalid read from stack",
876 "invalid fp arithmetic",
877 /* If this gets ever changed, make sure JITs can deal with it. */
879 BPF_MOV64_IMM(BPF_REG_0, 0),
880 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
881 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
882 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
885 .errstr = "R1 subtraction from stack pointer",
889 "non-invalid fp arithmetic",
891 BPF_MOV64_IMM(BPF_REG_0, 0),
892 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
898 "invalid argument register",
900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 BPF_FUNC_get_cgroup_classid),
902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
903 BPF_FUNC_get_cgroup_classid),
906 .errstr = "R1 !read_ok",
908 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
911 "non-invalid argument register",
913 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
915 BPF_FUNC_get_cgroup_classid),
916 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
918 BPF_FUNC_get_cgroup_classid),
922 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
925 "check valid spill/fill",
927 /* spill R1(ctx) into stack */
928 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
929 /* fill it back into R2 */
930 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
931 /* should be able to access R0 = *(R2 + 8) */
932 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
933 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
936 .errstr_unpriv = "R0 leaks addr",
938 .result_unpriv = REJECT,
939 .retval = POINTER_VALUE,
942 "check valid spill/fill, skb mark",
944 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
945 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
947 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
948 offsetof(struct __sk_buff, mark)),
952 .result_unpriv = ACCEPT,
955 "check corrupted spill/fill",
957 /* spill R1(ctx) into stack */
958 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
959 /* mess up with R1 pointer on stack */
960 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
961 /* fill back into R0 should fail */
962 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
965 .errstr_unpriv = "attempt to corrupt spilled",
966 .errstr = "corrupted spill",
970 "invalid src register in STX",
972 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
975 .errstr = "R15 is invalid",
979 "invalid dst register in STX",
981 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
984 .errstr = "R14 is invalid",
988 "invalid dst register in ST",
990 BPF_ST_MEM(BPF_B, 14, -1, -1),
993 .errstr = "R14 is invalid",
997 "invalid src register in LDX",
999 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1002 .errstr = "R12 is invalid",
1006 "invalid dst register in LDX",
1008 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1011 .errstr = "R11 is invalid",
1017 BPF_RAW_INSN(0, 0, 0, 0, 0),
1020 .errstr = "unknown opcode 00",
1026 BPF_RAW_INSN(1, 0, 0, 0, 0),
1029 .errstr = "BPF_LDX uses reserved fields",
1035 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1038 .errstr = "unknown opcode ff",
1044 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1047 .errstr = "unknown opcode ff",
1053 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1056 .errstr = "BPF_ALU uses reserved fields",
1060 "misaligned read from stack",
1062 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1063 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1066 .errstr = "misaligned stack access",
1070 "invalid map_fd for function call",
1072 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1073 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1075 BPF_LD_MAP_FD(BPF_REG_1, 0),
1076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1077 BPF_FUNC_map_delete_elem),
1080 .errstr = "fd 0 is not pointing to valid bpf_map",
1084 "don't check return value before access",
1086 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1089 BPF_LD_MAP_FD(BPF_REG_1, 0),
1090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1091 BPF_FUNC_map_lookup_elem),
1092 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1095 .fixup_map1 = { 3 },
1096 .errstr = "R0 invalid mem access 'map_value_or_null'",
1100 "access memory with incorrect alignment",
1102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1105 BPF_LD_MAP_FD(BPF_REG_1, 0),
1106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1107 BPF_FUNC_map_lookup_elem),
1108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1109 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1112 .fixup_map1 = { 3 },
1113 .errstr = "misaligned value access",
1115 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1118 "sometimes access memory with incorrect alignment",
1120 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1121 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1123 BPF_LD_MAP_FD(BPF_REG_1, 0),
1124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1125 BPF_FUNC_map_lookup_elem),
1126 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1129 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1132 .fixup_map1 = { 3 },
1133 .errstr = "R0 invalid mem access",
1134 .errstr_unpriv = "R0 leaks addr",
1136 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1141 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1142 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1144 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1146 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1148 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1150 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1152 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1154 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1155 BPF_MOV64_IMM(BPF_REG_0, 0),
1158 .errstr_unpriv = "R1 pointer comparison",
1159 .result_unpriv = REJECT,
1165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1167 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1168 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1170 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1171 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1173 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1174 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1176 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1177 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1178 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1179 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1180 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1181 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1182 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1183 BPF_MOV64_IMM(BPF_REG_0, 0),
1186 .errstr_unpriv = "R1 pointer comparison",
1187 .result_unpriv = REJECT,
1193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1195 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1196 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1197 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1198 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1199 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1200 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1201 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1203 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1205 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1206 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1207 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1209 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1211 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1213 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1214 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1215 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1217 BPF_LD_MAP_FD(BPF_REG_1, 0),
1218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1219 BPF_FUNC_map_delete_elem),
1222 .fixup_map1 = { 24 },
1223 .errstr_unpriv = "R1 pointer comparison",
1224 .result_unpriv = REJECT,
1231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1271 BPF_MOV64_IMM(BPF_REG_0, 0),
1274 .errstr_unpriv = "R1 pointer comparison",
1275 .result_unpriv = REJECT,
1281 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1282 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1283 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1284 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1285 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1286 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1287 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1288 BPF_MOV64_IMM(BPF_REG_0, 0),
1289 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1290 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1291 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1292 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1293 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1294 BPF_MOV64_IMM(BPF_REG_0, 0),
1295 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1296 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1297 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1298 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1299 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1300 BPF_MOV64_IMM(BPF_REG_0, 0),
1301 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1302 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1303 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1304 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1305 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1306 BPF_MOV64_IMM(BPF_REG_0, 0),
1307 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1310 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1311 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1312 BPF_MOV64_IMM(BPF_REG_0, 0),
1315 .errstr_unpriv = "R1 pointer comparison",
1316 .result_unpriv = REJECT,
1320 "access skb fields ok",
1322 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1323 offsetof(struct __sk_buff, len)),
1324 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1325 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1326 offsetof(struct __sk_buff, mark)),
1327 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1328 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1329 offsetof(struct __sk_buff, pkt_type)),
1330 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1331 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1332 offsetof(struct __sk_buff, queue_mapping)),
1333 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1334 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1335 offsetof(struct __sk_buff, protocol)),
1336 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1337 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1338 offsetof(struct __sk_buff, vlan_present)),
1339 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1340 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1341 offsetof(struct __sk_buff, vlan_tci)),
1342 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1343 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1344 offsetof(struct __sk_buff, napi_id)),
1345 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1351 "access skb fields bad1",
1353 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1356 .errstr = "invalid bpf_context access",
1360 "access skb fields bad2",
1362 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1363 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1366 BPF_LD_MAP_FD(BPF_REG_1, 0),
1367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1368 BPF_FUNC_map_lookup_elem),
1369 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1371 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1373 offsetof(struct __sk_buff, pkt_type)),
1376 .fixup_map1 = { 4 },
1377 .errstr = "different pointers",
1378 .errstr_unpriv = "R1 pointer comparison",
1382 "access skb fields bad3",
1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1385 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1386 offsetof(struct __sk_buff, pkt_type)),
1388 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1389 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1391 BPF_LD_MAP_FD(BPF_REG_1, 0),
1392 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1393 BPF_FUNC_map_lookup_elem),
1394 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1396 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1397 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1399 .fixup_map1 = { 6 },
1400 .errstr = "different pointers",
1401 .errstr_unpriv = "R1 pointer comparison",
1405 "access skb fields bad4",
1407 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1408 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1409 offsetof(struct __sk_buff, len)),
1410 BPF_MOV64_IMM(BPF_REG_0, 0),
1412 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1413 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1415 BPF_LD_MAP_FD(BPF_REG_1, 0),
1416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1417 BPF_FUNC_map_lookup_elem),
1418 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1421 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1423 .fixup_map1 = { 7 },
1424 .errstr = "different pointers",
1425 .errstr_unpriv = "R1 pointer comparison",
1429 "invalid access __sk_buff family",
1431 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1432 offsetof(struct __sk_buff, family)),
1435 .errstr = "invalid bpf_context access",
1439 "invalid access __sk_buff remote_ip4",
1441 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1442 offsetof(struct __sk_buff, remote_ip4)),
1445 .errstr = "invalid bpf_context access",
1449 "invalid access __sk_buff local_ip4",
1451 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1452 offsetof(struct __sk_buff, local_ip4)),
1455 .errstr = "invalid bpf_context access",
1459 "invalid access __sk_buff remote_ip6",
1461 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1462 offsetof(struct __sk_buff, remote_ip6)),
1465 .errstr = "invalid bpf_context access",
1469 "invalid access __sk_buff local_ip6",
1471 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1472 offsetof(struct __sk_buff, local_ip6)),
1475 .errstr = "invalid bpf_context access",
1479 "invalid access __sk_buff remote_port",
1481 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1482 offsetof(struct __sk_buff, remote_port)),
1485 .errstr = "invalid bpf_context access",
1489 "invalid access __sk_buff remote_port",
1491 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1492 offsetof(struct __sk_buff, local_port)),
1495 .errstr = "invalid bpf_context access",
1499 "valid access __sk_buff family",
1501 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1502 offsetof(struct __sk_buff, family)),
1506 .prog_type = BPF_PROG_TYPE_SK_SKB,
1509 "valid access __sk_buff remote_ip4",
1511 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1512 offsetof(struct __sk_buff, remote_ip4)),
1516 .prog_type = BPF_PROG_TYPE_SK_SKB,
1519 "valid access __sk_buff local_ip4",
1521 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1522 offsetof(struct __sk_buff, local_ip4)),
1526 .prog_type = BPF_PROG_TYPE_SK_SKB,
1529 "valid access __sk_buff remote_ip6",
1531 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 offsetof(struct __sk_buff, remote_ip6[0])),
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip6[1])),
1535 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 offsetof(struct __sk_buff, remote_ip6[2])),
1537 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1538 offsetof(struct __sk_buff, remote_ip6[3])),
1542 .prog_type = BPF_PROG_TYPE_SK_SKB,
1545 "valid access __sk_buff local_ip6",
1547 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 offsetof(struct __sk_buff, local_ip6[0])),
1549 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 offsetof(struct __sk_buff, local_ip6[1])),
1551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 offsetof(struct __sk_buff, local_ip6[2])),
1553 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554 offsetof(struct __sk_buff, local_ip6[3])),
1558 .prog_type = BPF_PROG_TYPE_SK_SKB,
1561 "valid access __sk_buff remote_port",
1563 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1564 offsetof(struct __sk_buff, remote_port)),
1568 .prog_type = BPF_PROG_TYPE_SK_SKB,
1571 "valid access __sk_buff remote_port",
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, local_port)),
1578 .prog_type = BPF_PROG_TYPE_SK_SKB,
1581 "invalid access of tc_classid for SK_SKB",
1583 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1584 offsetof(struct __sk_buff, tc_classid)),
1588 .prog_type = BPF_PROG_TYPE_SK_SKB,
1589 .errstr = "invalid bpf_context access",
1592 "invalid access of skb->mark for SK_SKB",
1594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595 offsetof(struct __sk_buff, mark)),
1599 .prog_type = BPF_PROG_TYPE_SK_SKB,
1600 .errstr = "invalid bpf_context access",
1603 "check skb->mark is not writeable by SK_SKB",
1605 BPF_MOV64_IMM(BPF_REG_0, 0),
1606 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1607 offsetof(struct __sk_buff, mark)),
1611 .prog_type = BPF_PROG_TYPE_SK_SKB,
1612 .errstr = "invalid bpf_context access",
1615 "check skb->tc_index is writeable by SK_SKB",
1617 BPF_MOV64_IMM(BPF_REG_0, 0),
1618 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1619 offsetof(struct __sk_buff, tc_index)),
1623 .prog_type = BPF_PROG_TYPE_SK_SKB,
1626 "check skb->priority is writeable by SK_SKB",
1628 BPF_MOV64_IMM(BPF_REG_0, 0),
1629 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1630 offsetof(struct __sk_buff, priority)),
1634 .prog_type = BPF_PROG_TYPE_SK_SKB,
1637 "direct packet read for SK_SKB",
1639 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1640 offsetof(struct __sk_buff, data)),
1641 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1642 offsetof(struct __sk_buff, data_end)),
1643 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1645 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1646 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1647 BPF_MOV64_IMM(BPF_REG_0, 0),
1651 .prog_type = BPF_PROG_TYPE_SK_SKB,
1654 "direct packet write for SK_SKB",
1656 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1657 offsetof(struct __sk_buff, data)),
1658 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1659 offsetof(struct __sk_buff, data_end)),
1660 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1662 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1663 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1664 BPF_MOV64_IMM(BPF_REG_0, 0),
1668 .prog_type = BPF_PROG_TYPE_SK_SKB,
1671 "overlapping checks for direct packet access SK_SKB",
1673 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1674 offsetof(struct __sk_buff, data)),
1675 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1676 offsetof(struct __sk_buff, data_end)),
1677 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1679 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1682 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1683 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1684 BPF_MOV64_IMM(BPF_REG_0, 0),
1688 .prog_type = BPF_PROG_TYPE_SK_SKB,
1691 "valid access family in SK_MSG",
1693 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1694 offsetof(struct sk_msg_md, family)),
1698 .prog_type = BPF_PROG_TYPE_SK_MSG,
1701 "valid access remote_ip4 in SK_MSG",
1703 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1704 offsetof(struct sk_msg_md, remote_ip4)),
1708 .prog_type = BPF_PROG_TYPE_SK_MSG,
1711 "valid access local_ip4 in SK_MSG",
1713 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1714 offsetof(struct sk_msg_md, local_ip4)),
1718 .prog_type = BPF_PROG_TYPE_SK_MSG,
1721 "valid access remote_port in SK_MSG",
1723 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1724 offsetof(struct sk_msg_md, remote_port)),
1728 .prog_type = BPF_PROG_TYPE_SK_MSG,
1731 "valid access local_port in SK_MSG",
1733 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1734 offsetof(struct sk_msg_md, local_port)),
1738 .prog_type = BPF_PROG_TYPE_SK_MSG,
1741 "valid access remote_ip6 in SK_MSG",
1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct sk_msg_md, remote_ip6[0])),
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_ip6[1])),
1747 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748 offsetof(struct sk_msg_md, remote_ip6[2])),
1749 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1750 offsetof(struct sk_msg_md, remote_ip6[3])),
1754 .prog_type = BPF_PROG_TYPE_SK_SKB,
1757 "valid access local_ip6 in SK_MSG",
1759 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760 offsetof(struct sk_msg_md, local_ip6[0])),
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct sk_msg_md, local_ip6[1])),
1763 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764 offsetof(struct sk_msg_md, local_ip6[2])),
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct sk_msg_md, local_ip6[3])),
1770 .prog_type = BPF_PROG_TYPE_SK_SKB,
1773 "invalid 64B read of family in SK_MSG",
1775 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1776 offsetof(struct sk_msg_md, family)),
1779 .errstr = "invalid bpf_context access",
1781 .prog_type = BPF_PROG_TYPE_SK_MSG,
1784 "invalid read past end of SK_MSG",
1786 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1787 offsetof(struct sk_msg_md, local_port) + 4),
1790 .errstr = "R0 !read_ok",
1792 .prog_type = BPF_PROG_TYPE_SK_MSG,
1795 "invalid read offset in SK_MSG",
1797 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1798 offsetof(struct sk_msg_md, family) + 1),
1801 .errstr = "invalid bpf_context access",
1803 .prog_type = BPF_PROG_TYPE_SK_MSG,
1806 "direct packet read for SK_MSG",
1808 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1809 offsetof(struct sk_msg_md, data)),
1810 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1811 offsetof(struct sk_msg_md, data_end)),
1812 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1814 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1815 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1816 BPF_MOV64_IMM(BPF_REG_0, 0),
1820 .prog_type = BPF_PROG_TYPE_SK_MSG,
1823 "direct packet write for SK_MSG",
1825 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1826 offsetof(struct sk_msg_md, data)),
1827 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1828 offsetof(struct sk_msg_md, data_end)),
1829 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1831 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1832 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1833 BPF_MOV64_IMM(BPF_REG_0, 0),
1837 .prog_type = BPF_PROG_TYPE_SK_MSG,
1840 "overlapping checks for direct packet access SK_MSG",
1842 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1843 offsetof(struct sk_msg_md, data)),
1844 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1845 offsetof(struct sk_msg_md, data_end)),
1846 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1848 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1851 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1852 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1853 BPF_MOV64_IMM(BPF_REG_0, 0),
1857 .prog_type = BPF_PROG_TYPE_SK_MSG,
1860 "check skb->mark is not writeable by sockets",
1862 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1863 offsetof(struct __sk_buff, mark)),
1866 .errstr = "invalid bpf_context access",
1867 .errstr_unpriv = "R1 leaks addr",
1871 "check skb->tc_index is not writeable by sockets",
1873 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1874 offsetof(struct __sk_buff, tc_index)),
1877 .errstr = "invalid bpf_context access",
1878 .errstr_unpriv = "R1 leaks addr",
1882 "check cb access: byte",
1884 BPF_MOV64_IMM(BPF_REG_0, 0),
1885 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886 offsetof(struct __sk_buff, cb[0])),
1887 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888 offsetof(struct __sk_buff, cb[0]) + 1),
1889 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890 offsetof(struct __sk_buff, cb[0]) + 2),
1891 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892 offsetof(struct __sk_buff, cb[0]) + 3),
1893 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894 offsetof(struct __sk_buff, cb[1])),
1895 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896 offsetof(struct __sk_buff, cb[1]) + 1),
1897 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898 offsetof(struct __sk_buff, cb[1]) + 2),
1899 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900 offsetof(struct __sk_buff, cb[1]) + 3),
1901 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902 offsetof(struct __sk_buff, cb[2])),
1903 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904 offsetof(struct __sk_buff, cb[2]) + 1),
1905 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906 offsetof(struct __sk_buff, cb[2]) + 2),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[2]) + 3),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[3])),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[3]) + 1),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[3]) + 2),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[3]) + 3),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[4])),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[4]) + 1),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[4]) + 2),
1923 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924 offsetof(struct __sk_buff, cb[4]) + 3),
1925 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926 offsetof(struct __sk_buff, cb[0])),
1927 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928 offsetof(struct __sk_buff, cb[0]) + 1),
1929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930 offsetof(struct __sk_buff, cb[0]) + 2),
1931 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932 offsetof(struct __sk_buff, cb[0]) + 3),
1933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934 offsetof(struct __sk_buff, cb[1])),
1935 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936 offsetof(struct __sk_buff, cb[1]) + 1),
1937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938 offsetof(struct __sk_buff, cb[1]) + 2),
1939 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940 offsetof(struct __sk_buff, cb[1]) + 3),
1941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942 offsetof(struct __sk_buff, cb[2])),
1943 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944 offsetof(struct __sk_buff, cb[2]) + 1),
1945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946 offsetof(struct __sk_buff, cb[2]) + 2),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[2]) + 3),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[3])),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[3]) + 1),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[3]) + 2),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[3]) + 3),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[4])),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[4]) + 1),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[4]) + 2),
1963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964 offsetof(struct __sk_buff, cb[4]) + 3),
1970 "__sk_buff->hash, offset 0, byte store not permitted",
1972 BPF_MOV64_IMM(BPF_REG_0, 0),
1973 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1974 offsetof(struct __sk_buff, hash)),
1977 .errstr = "invalid bpf_context access",
1981 "__sk_buff->tc_index, offset 3, byte store not permitted",
1983 BPF_MOV64_IMM(BPF_REG_0, 0),
1984 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1985 offsetof(struct __sk_buff, tc_index) + 3),
1988 .errstr = "invalid bpf_context access",
1992 "check skb->hash byte load permitted",
1994 BPF_MOV64_IMM(BPF_REG_0, 0),
1995 #if __BYTE_ORDER == __LITTLE_ENDIAN
1996 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1997 offsetof(struct __sk_buff, hash)),
1999 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2000 offsetof(struct __sk_buff, hash) + 3),
2007 "check skb->hash byte load not permitted 1",
2009 BPF_MOV64_IMM(BPF_REG_0, 0),
2010 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2011 offsetof(struct __sk_buff, hash) + 1),
2014 .errstr = "invalid bpf_context access",
2018 "check skb->hash byte load not permitted 2",
2020 BPF_MOV64_IMM(BPF_REG_0, 0),
2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 offsetof(struct __sk_buff, hash) + 2),
2025 .errstr = "invalid bpf_context access",
2029 "check skb->hash byte load not permitted 3",
2031 BPF_MOV64_IMM(BPF_REG_0, 0),
2032 #if __BYTE_ORDER == __LITTLE_ENDIAN
2033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2034 offsetof(struct __sk_buff, hash) + 3),
2036 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2037 offsetof(struct __sk_buff, hash)),
2041 .errstr = "invalid bpf_context access",
2045 "check cb access: byte, wrong type",
2047 BPF_MOV64_IMM(BPF_REG_0, 0),
2048 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2049 offsetof(struct __sk_buff, cb[0])),
2052 .errstr = "invalid bpf_context access",
2054 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2057 "check cb access: half",
2059 BPF_MOV64_IMM(BPF_REG_0, 0),
2060 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2061 offsetof(struct __sk_buff, cb[0])),
2062 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2063 offsetof(struct __sk_buff, cb[0]) + 2),
2064 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2065 offsetof(struct __sk_buff, cb[1])),
2066 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2067 offsetof(struct __sk_buff, cb[1]) + 2),
2068 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2069 offsetof(struct __sk_buff, cb[2])),
2070 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[2]) + 2),
2072 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2073 offsetof(struct __sk_buff, cb[3])),
2074 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2075 offsetof(struct __sk_buff, cb[3]) + 2),
2076 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2077 offsetof(struct __sk_buff, cb[4])),
2078 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2079 offsetof(struct __sk_buff, cb[4]) + 2),
2080 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2081 offsetof(struct __sk_buff, cb[0])),
2082 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2083 offsetof(struct __sk_buff, cb[0]) + 2),
2084 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2085 offsetof(struct __sk_buff, cb[1])),
2086 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2087 offsetof(struct __sk_buff, cb[1]) + 2),
2088 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2089 offsetof(struct __sk_buff, cb[2])),
2090 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2091 offsetof(struct __sk_buff, cb[2]) + 2),
2092 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2093 offsetof(struct __sk_buff, cb[3])),
2094 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2095 offsetof(struct __sk_buff, cb[3]) + 2),
2096 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2097 offsetof(struct __sk_buff, cb[4])),
2098 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2099 offsetof(struct __sk_buff, cb[4]) + 2),
2105 "check cb access: half, unaligned",
2107 BPF_MOV64_IMM(BPF_REG_0, 0),
2108 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2109 offsetof(struct __sk_buff, cb[0]) + 1),
2112 .errstr = "misaligned context access",
2114 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2117 "check __sk_buff->hash, offset 0, half store not permitted",
2119 BPF_MOV64_IMM(BPF_REG_0, 0),
2120 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2121 offsetof(struct __sk_buff, hash)),
2124 .errstr = "invalid bpf_context access",
2128 "check __sk_buff->tc_index, offset 2, half store not permitted",
2130 BPF_MOV64_IMM(BPF_REG_0, 0),
2131 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2132 offsetof(struct __sk_buff, tc_index) + 2),
2135 .errstr = "invalid bpf_context access",
2139 "check skb->hash half load permitted",
2141 BPF_MOV64_IMM(BPF_REG_0, 0),
2142 #if __BYTE_ORDER == __LITTLE_ENDIAN
2143 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2144 offsetof(struct __sk_buff, hash)),
2146 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2147 offsetof(struct __sk_buff, hash) + 2),
2154 "check skb->hash half load not permitted",
2156 BPF_MOV64_IMM(BPF_REG_0, 0),
2157 #if __BYTE_ORDER == __LITTLE_ENDIAN
2158 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2159 offsetof(struct __sk_buff, hash) + 2),
2161 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2162 offsetof(struct __sk_buff, hash)),
2166 .errstr = "invalid bpf_context access",
2170 "check cb access: half, wrong type",
2172 BPF_MOV64_IMM(BPF_REG_0, 0),
2173 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2174 offsetof(struct __sk_buff, cb[0])),
2177 .errstr = "invalid bpf_context access",
2179 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2182 "check cb access: word",
2184 BPF_MOV64_IMM(BPF_REG_0, 0),
2185 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186 offsetof(struct __sk_buff, cb[0])),
2187 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2188 offsetof(struct __sk_buff, cb[1])),
2189 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190 offsetof(struct __sk_buff, cb[2])),
2191 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192 offsetof(struct __sk_buff, cb[3])),
2193 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2194 offsetof(struct __sk_buff, cb[4])),
2195 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2196 offsetof(struct __sk_buff, cb[0])),
2197 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2198 offsetof(struct __sk_buff, cb[1])),
2199 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2200 offsetof(struct __sk_buff, cb[2])),
2201 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2202 offsetof(struct __sk_buff, cb[3])),
2203 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2204 offsetof(struct __sk_buff, cb[4])),
2210 "check cb access: word, unaligned 1",
2212 BPF_MOV64_IMM(BPF_REG_0, 0),
2213 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 offsetof(struct __sk_buff, cb[0]) + 2),
2217 .errstr = "misaligned context access",
2219 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2222 "check cb access: word, unaligned 2",
2224 BPF_MOV64_IMM(BPF_REG_0, 0),
2225 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2226 offsetof(struct __sk_buff, cb[4]) + 1),
2229 .errstr = "misaligned context access",
2231 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2234 "check cb access: word, unaligned 3",
2236 BPF_MOV64_IMM(BPF_REG_0, 0),
2237 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2238 offsetof(struct __sk_buff, cb[4]) + 2),
2241 .errstr = "misaligned context access",
2243 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2246 "check cb access: word, unaligned 4",
2248 BPF_MOV64_IMM(BPF_REG_0, 0),
2249 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2250 offsetof(struct __sk_buff, cb[4]) + 3),
2253 .errstr = "misaligned context access",
2255 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2258 "check cb access: double",
2260 BPF_MOV64_IMM(BPF_REG_0, 0),
2261 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2262 offsetof(struct __sk_buff, cb[0])),
2263 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2264 offsetof(struct __sk_buff, cb[2])),
2265 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2266 offsetof(struct __sk_buff, cb[0])),
2267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2268 offsetof(struct __sk_buff, cb[2])),
2274 "check cb access: double, unaligned 1",
2276 BPF_MOV64_IMM(BPF_REG_0, 0),
2277 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2278 offsetof(struct __sk_buff, cb[1])),
2281 .errstr = "misaligned context access",
2283 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2286 "check cb access: double, unaligned 2",
2288 BPF_MOV64_IMM(BPF_REG_0, 0),
2289 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2290 offsetof(struct __sk_buff, cb[3])),
2293 .errstr = "misaligned context access",
2295 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2298 "check cb access: double, oob 1",
2300 BPF_MOV64_IMM(BPF_REG_0, 0),
2301 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2302 offsetof(struct __sk_buff, cb[4])),
2305 .errstr = "invalid bpf_context access",
2309 "check cb access: double, oob 2",
2311 BPF_MOV64_IMM(BPF_REG_0, 0),
2312 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2313 offsetof(struct __sk_buff, cb[4])),
2316 .errstr = "invalid bpf_context access",
2320 "check __sk_buff->ifindex dw store not permitted",
2322 BPF_MOV64_IMM(BPF_REG_0, 0),
2323 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324 offsetof(struct __sk_buff, ifindex)),
2327 .errstr = "invalid bpf_context access",
2331 "check __sk_buff->ifindex dw load not permitted",
2333 BPF_MOV64_IMM(BPF_REG_0, 0),
2334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335 offsetof(struct __sk_buff, ifindex)),
2338 .errstr = "invalid bpf_context access",
2342 "check cb access: double, wrong type",
2344 BPF_MOV64_IMM(BPF_REG_0, 0),
2345 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346 offsetof(struct __sk_buff, cb[0])),
2349 .errstr = "invalid bpf_context access",
2351 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2354 "check out of range skb->cb access",
2356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2357 offsetof(struct __sk_buff, cb[0]) + 256),
2360 .errstr = "invalid bpf_context access",
2361 .errstr_unpriv = "",
2363 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2366 "write skb fields from socket prog",
2368 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2369 offsetof(struct __sk_buff, cb[4])),
2370 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2371 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2372 offsetof(struct __sk_buff, mark)),
2373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2374 offsetof(struct __sk_buff, tc_index)),
2375 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2376 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2377 offsetof(struct __sk_buff, cb[0])),
2378 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2379 offsetof(struct __sk_buff, cb[2])),
2383 .errstr_unpriv = "R1 leaks addr",
2384 .result_unpriv = REJECT,
2387 "write skb fields from tc_cls_act prog",
2389 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2390 offsetof(struct __sk_buff, cb[0])),
2391 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2392 offsetof(struct __sk_buff, mark)),
2393 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394 offsetof(struct __sk_buff, tc_index)),
2395 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2396 offsetof(struct __sk_buff, tc_index)),
2397 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2398 offsetof(struct __sk_buff, cb[3])),
2401 .errstr_unpriv = "",
2402 .result_unpriv = REJECT,
2404 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2407 "PTR_TO_STACK store/load",
2409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2411 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2412 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2416 .retval = 0xfaceb00c,
2419 "PTR_TO_STACK store/load - bad alignment on off",
2421 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2423 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2424 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2428 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2431 "PTR_TO_STACK store/load - bad alignment on reg",
2433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2435 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2436 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2440 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2443 "PTR_TO_STACK store/load - out of bounds low",
2445 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2447 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2448 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2452 .errstr = "invalid stack off=-79992 size=8",
2455 "PTR_TO_STACK store/load - out of bounds high",
2457 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2459 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2460 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2464 .errstr = "invalid stack off=0 size=8",
2467 "unpriv: return pointer",
2469 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2473 .result_unpriv = REJECT,
2474 .errstr_unpriv = "R0 leaks addr",
2475 .retval = POINTER_VALUE,
2478 "unpriv: add const to pointer",
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2481 BPF_MOV64_IMM(BPF_REG_0, 0),
2487 "unpriv: add pointer to pointer",
2489 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2490 BPF_MOV64_IMM(BPF_REG_0, 0),
2494 .errstr = "R1 pointer += pointer",
2497 "unpriv: neg pointer",
2499 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2500 BPF_MOV64_IMM(BPF_REG_0, 0),
2504 .result_unpriv = REJECT,
2505 .errstr_unpriv = "R1 pointer arithmetic",
2508 "unpriv: cmp pointer with const",
2510 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2511 BPF_MOV64_IMM(BPF_REG_0, 0),
2515 .result_unpriv = REJECT,
2516 .errstr_unpriv = "R1 pointer comparison",
2519 "unpriv: cmp pointer with pointer",
2521 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2522 BPF_MOV64_IMM(BPF_REG_0, 0),
2526 .result_unpriv = REJECT,
2527 .errstr_unpriv = "R10 pointer comparison",
2530 "unpriv: check that printk is disallowed",
2532 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2533 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2535 BPF_MOV64_IMM(BPF_REG_2, 8),
2536 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2537 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2538 BPF_FUNC_trace_printk),
2539 BPF_MOV64_IMM(BPF_REG_0, 0),
2542 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2543 .result_unpriv = REJECT,
2547 "unpriv: pass pointer to helper function",
2549 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2550 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2552 BPF_LD_MAP_FD(BPF_REG_1, 0),
2553 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2554 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2556 BPF_FUNC_map_update_elem),
2557 BPF_MOV64_IMM(BPF_REG_0, 0),
2560 .fixup_map1 = { 3 },
2561 .errstr_unpriv = "R4 leaks addr",
2562 .result_unpriv = REJECT,
2566 "unpriv: indirectly pass pointer on stack to helper function",
2568 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2569 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2571 BPF_LD_MAP_FD(BPF_REG_1, 0),
2572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2573 BPF_FUNC_map_lookup_elem),
2574 BPF_MOV64_IMM(BPF_REG_0, 0),
2577 .fixup_map1 = { 3 },
2578 .errstr = "invalid indirect read from stack off -8+0 size 8",
2582 "unpriv: mangle pointer on stack 1",
2584 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2585 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2586 BPF_MOV64_IMM(BPF_REG_0, 0),
2589 .errstr_unpriv = "attempt to corrupt spilled",
2590 .result_unpriv = REJECT,
2594 "unpriv: mangle pointer on stack 2",
2596 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2597 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2598 BPF_MOV64_IMM(BPF_REG_0, 0),
2601 .errstr_unpriv = "attempt to corrupt spilled",
2602 .result_unpriv = REJECT,
2606 "unpriv: read pointer from stack in small chunks",
2608 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2609 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2610 BPF_MOV64_IMM(BPF_REG_0, 0),
2613 .errstr = "invalid size",
2617 "unpriv: write pointer into ctx",
2619 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2620 BPF_MOV64_IMM(BPF_REG_0, 0),
2623 .errstr_unpriv = "R1 leaks addr",
2624 .result_unpriv = REJECT,
2625 .errstr = "invalid bpf_context access",
2629 "unpriv: spill/fill of ctx",
2631 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2633 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2634 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2635 BPF_MOV64_IMM(BPF_REG_0, 0),
2641 "unpriv: spill/fill of ctx 2",
2643 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2645 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2646 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2647 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2648 BPF_FUNC_get_hash_recalc),
2649 BPF_MOV64_IMM(BPF_REG_0, 0),
2653 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2656 "unpriv: spill/fill of ctx 3",
2658 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2660 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2661 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2662 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2664 BPF_FUNC_get_hash_recalc),
2668 .errstr = "R1 type=fp expected=ctx",
2669 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2672 "unpriv: spill/fill of ctx 4",
2674 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2676 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2677 BPF_MOV64_IMM(BPF_REG_0, 1),
2678 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2680 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2681 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2682 BPF_FUNC_get_hash_recalc),
2686 .errstr = "R1 type=inv expected=ctx",
2687 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2690 "unpriv: spill/fill of different pointers stx",
2692 BPF_MOV64_IMM(BPF_REG_3, 42),
2693 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2695 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2696 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2699 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2700 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2701 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2702 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2703 offsetof(struct __sk_buff, mark)),
2704 BPF_MOV64_IMM(BPF_REG_0, 0),
2708 .errstr = "same insn cannot be used with different pointers",
2709 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2712 "unpriv: spill/fill of different pointers ldx",
2714 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2717 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2719 -(__s32)offsetof(struct bpf_perf_event_data,
2720 sample_period) - 8),
2721 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2722 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2723 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2724 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2725 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2726 offsetof(struct bpf_perf_event_data,
2728 BPF_MOV64_IMM(BPF_REG_0, 0),
2732 .errstr = "same insn cannot be used with different pointers",
2733 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2736 "unpriv: write pointer into map elem value",
2738 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2741 BPF_LD_MAP_FD(BPF_REG_1, 0),
2742 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2743 BPF_FUNC_map_lookup_elem),
2744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2745 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2748 .fixup_map1 = { 3 },
2749 .errstr_unpriv = "R0 leaks addr",
2750 .result_unpriv = REJECT,
2754 "unpriv: partial copy of pointer",
2756 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2757 BPF_MOV64_IMM(BPF_REG_0, 0),
2760 .errstr_unpriv = "R10 partial copy",
2761 .result_unpriv = REJECT,
2765 "unpriv: pass pointer to tail_call",
2767 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2768 BPF_LD_MAP_FD(BPF_REG_2, 0),
2769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2770 BPF_FUNC_tail_call),
2771 BPF_MOV64_IMM(BPF_REG_0, 0),
2774 .fixup_prog1 = { 1 },
2775 .errstr_unpriv = "R3 leaks addr into helper",
2776 .result_unpriv = REJECT,
2780 "unpriv: cmp map pointer with zero",
2782 BPF_MOV64_IMM(BPF_REG_1, 0),
2783 BPF_LD_MAP_FD(BPF_REG_1, 0),
2784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2785 BPF_MOV64_IMM(BPF_REG_0, 0),
2788 .fixup_map1 = { 1 },
2789 .errstr_unpriv = "R1 pointer comparison",
2790 .result_unpriv = REJECT,
2794 "unpriv: write into frame pointer",
2796 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2797 BPF_MOV64_IMM(BPF_REG_0, 0),
2800 .errstr = "frame pointer is read only",
2804 "unpriv: spill/fill frame pointer",
2806 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2808 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2809 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2810 BPF_MOV64_IMM(BPF_REG_0, 0),
2813 .errstr = "frame pointer is read only",
2817 "unpriv: cmp of frame pointer",
2819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2820 BPF_MOV64_IMM(BPF_REG_0, 0),
2823 .errstr_unpriv = "R10 pointer comparison",
2824 .result_unpriv = REJECT,
2828 "unpriv: adding of fp",
2830 BPF_MOV64_IMM(BPF_REG_0, 0),
2831 BPF_MOV64_IMM(BPF_REG_1, 0),
2832 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2833 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2839 "unpriv: cmp of stack pointer",
2841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2844 BPF_MOV64_IMM(BPF_REG_0, 0),
2847 .errstr_unpriv = "R2 pointer comparison",
2848 .result_unpriv = REJECT,
2852 "runtime/jit: tail_call within bounds, prog once",
2854 BPF_MOV64_IMM(BPF_REG_3, 0),
2855 BPF_LD_MAP_FD(BPF_REG_2, 0),
2856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2857 BPF_FUNC_tail_call),
2858 BPF_MOV64_IMM(BPF_REG_0, 1),
2861 .fixup_prog1 = { 1 },
2866 "runtime/jit: tail_call within bounds, prog loop",
2868 BPF_MOV64_IMM(BPF_REG_3, 1),
2869 BPF_LD_MAP_FD(BPF_REG_2, 0),
2870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2871 BPF_FUNC_tail_call),
2872 BPF_MOV64_IMM(BPF_REG_0, 1),
2875 .fixup_prog1 = { 1 },
2880 "runtime/jit: tail_call within bounds, no prog",
2882 BPF_MOV64_IMM(BPF_REG_3, 2),
2883 BPF_LD_MAP_FD(BPF_REG_2, 0),
2884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2885 BPF_FUNC_tail_call),
2886 BPF_MOV64_IMM(BPF_REG_0, 1),
2889 .fixup_prog1 = { 1 },
2894 "runtime/jit: tail_call out of bounds",
2896 BPF_MOV64_IMM(BPF_REG_3, 256),
2897 BPF_LD_MAP_FD(BPF_REG_2, 0),
2898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2899 BPF_FUNC_tail_call),
2900 BPF_MOV64_IMM(BPF_REG_0, 2),
2903 .fixup_prog1 = { 1 },
2908 "runtime/jit: pass negative index to tail_call",
2910 BPF_MOV64_IMM(BPF_REG_3, -1),
2911 BPF_LD_MAP_FD(BPF_REG_2, 0),
2912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2913 BPF_FUNC_tail_call),
2914 BPF_MOV64_IMM(BPF_REG_0, 2),
2917 .fixup_prog1 = { 1 },
2922 "runtime/jit: pass > 32bit index to tail_call",
2924 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2925 BPF_LD_MAP_FD(BPF_REG_2, 0),
2926 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2927 BPF_FUNC_tail_call),
2928 BPF_MOV64_IMM(BPF_REG_0, 2),
2931 .fixup_prog1 = { 2 },
2936 "stack pointer arithmetic",
2938 BPF_MOV64_IMM(BPF_REG_1, 4),
2939 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2940 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2944 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2945 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2946 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2948 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2949 BPF_MOV64_IMM(BPF_REG_0, 0),
2955 "raw_stack: no skb_load_bytes",
2957 BPF_MOV64_IMM(BPF_REG_2, 4),
2958 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2960 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2961 BPF_MOV64_IMM(BPF_REG_4, 8),
2962 /* Call to skb_load_bytes() omitted. */
2963 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2967 .errstr = "invalid read from stack off -8+0 size 8",
2968 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2971 "raw_stack: skb_load_bytes, negative len",
2973 BPF_MOV64_IMM(BPF_REG_2, 4),
2974 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2976 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2977 BPF_MOV64_IMM(BPF_REG_4, -8),
2978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2979 BPF_FUNC_skb_load_bytes),
2980 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2984 .errstr = "R4 min value is negative",
2985 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2988 "raw_stack: skb_load_bytes, negative len 2",
2990 BPF_MOV64_IMM(BPF_REG_2, 4),
2991 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2993 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2994 BPF_MOV64_IMM(BPF_REG_4, ~0),
2995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2996 BPF_FUNC_skb_load_bytes),
2997 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3001 .errstr = "R4 min value is negative",
3002 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3005 "raw_stack: skb_load_bytes, zero len",
3007 BPF_MOV64_IMM(BPF_REG_2, 4),
3008 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3010 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3011 BPF_MOV64_IMM(BPF_REG_4, 0),
3012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3013 BPF_FUNC_skb_load_bytes),
3014 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3018 .errstr = "invalid stack type R3",
3019 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3022 "raw_stack: skb_load_bytes, no init",
3024 BPF_MOV64_IMM(BPF_REG_2, 4),
3025 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3027 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3028 BPF_MOV64_IMM(BPF_REG_4, 8),
3029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3030 BPF_FUNC_skb_load_bytes),
3031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3035 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3038 "raw_stack: skb_load_bytes, init",
3040 BPF_MOV64_IMM(BPF_REG_2, 4),
3041 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3043 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3044 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3045 BPF_MOV64_IMM(BPF_REG_4, 8),
3046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3047 BPF_FUNC_skb_load_bytes),
3048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3052 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3055 "raw_stack: skb_load_bytes, spilled regs around bounds",
3057 BPF_MOV64_IMM(BPF_REG_2, 4),
3058 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3060 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3061 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3062 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3063 BPF_MOV64_IMM(BPF_REG_4, 8),
3064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3065 BPF_FUNC_skb_load_bytes),
3066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3067 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3068 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3069 offsetof(struct __sk_buff, mark)),
3070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3071 offsetof(struct __sk_buff, priority)),
3072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3076 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3079 "raw_stack: skb_load_bytes, spilled regs corruption",
3081 BPF_MOV64_IMM(BPF_REG_2, 4),
3082 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3084 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3085 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3086 BPF_MOV64_IMM(BPF_REG_4, 8),
3087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3088 BPF_FUNC_skb_load_bytes),
3089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3091 offsetof(struct __sk_buff, mark)),
3095 .errstr = "R0 invalid mem access 'inv'",
3096 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3099 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3101 BPF_MOV64_IMM(BPF_REG_2, 4),
3102 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3104 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3106 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3107 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3108 BPF_MOV64_IMM(BPF_REG_4, 8),
3109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3110 BPF_FUNC_skb_load_bytes),
3111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3112 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3113 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3115 offsetof(struct __sk_buff, mark)),
3116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3117 offsetof(struct __sk_buff, priority)),
3118 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3120 offsetof(struct __sk_buff, pkt_type)),
3121 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3125 .errstr = "R3 invalid mem access 'inv'",
3126 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3129 "raw_stack: skb_load_bytes, spilled regs + data",
3131 BPF_MOV64_IMM(BPF_REG_2, 4),
3132 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3134 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3135 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3136 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3137 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3138 BPF_MOV64_IMM(BPF_REG_4, 8),
3139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3140 BPF_FUNC_skb_load_bytes),
3141 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3142 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3143 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3145 offsetof(struct __sk_buff, mark)),
3146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3147 offsetof(struct __sk_buff, priority)),
3148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3149 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3153 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3156 "raw_stack: skb_load_bytes, invalid access 1",
3158 BPF_MOV64_IMM(BPF_REG_2, 4),
3159 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3161 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3162 BPF_MOV64_IMM(BPF_REG_4, 8),
3163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3164 BPF_FUNC_skb_load_bytes),
3165 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3169 .errstr = "invalid stack type R3 off=-513 access_size=8",
3170 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3173 "raw_stack: skb_load_bytes, invalid access 2",
3175 BPF_MOV64_IMM(BPF_REG_2, 4),
3176 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3178 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3179 BPF_MOV64_IMM(BPF_REG_4, 8),
3180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3181 BPF_FUNC_skb_load_bytes),
3182 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3186 .errstr = "invalid stack type R3 off=-1 access_size=8",
3187 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3190 "raw_stack: skb_load_bytes, invalid access 3",
3192 BPF_MOV64_IMM(BPF_REG_2, 4),
3193 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3195 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3196 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3198 BPF_FUNC_skb_load_bytes),
3199 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3203 .errstr = "R4 min value is negative",
3204 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3207 "raw_stack: skb_load_bytes, invalid access 4",
3209 BPF_MOV64_IMM(BPF_REG_2, 4),
3210 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3212 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3213 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3215 BPF_FUNC_skb_load_bytes),
3216 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3220 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3224 "raw_stack: skb_load_bytes, invalid access 5",
3226 BPF_MOV64_IMM(BPF_REG_2, 4),
3227 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3229 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3230 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3232 BPF_FUNC_skb_load_bytes),
3233 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3237 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3238 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3241 "raw_stack: skb_load_bytes, invalid access 6",
3243 BPF_MOV64_IMM(BPF_REG_2, 4),
3244 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3246 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3247 BPF_MOV64_IMM(BPF_REG_4, 0),
3248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3249 BPF_FUNC_skb_load_bytes),
3250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3254 .errstr = "invalid stack type R3 off=-512 access_size=0",
3255 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3258 "raw_stack: skb_load_bytes, large access",
3260 BPF_MOV64_IMM(BPF_REG_2, 4),
3261 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3263 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3264 BPF_MOV64_IMM(BPF_REG_4, 512),
3265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3266 BPF_FUNC_skb_load_bytes),
3267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3271 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3274 "context stores via ST",
3276 BPF_MOV64_IMM(BPF_REG_0, 0),
3277 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3280 .errstr = "BPF_ST stores into R1 context is not allowed",
3282 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3285 "context stores via XADD",
3287 BPF_MOV64_IMM(BPF_REG_0, 0),
3288 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3289 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3292 .errstr = "BPF_XADD stores into R1 context is not allowed",
3294 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3297 "direct packet access: test1",
3299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3300 offsetof(struct __sk_buff, data)),
3301 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3302 offsetof(struct __sk_buff, data_end)),
3303 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3305 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3306 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3307 BPF_MOV64_IMM(BPF_REG_0, 0),
3311 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3314 "direct packet access: test2",
3316 BPF_MOV64_IMM(BPF_REG_0, 1),
3317 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3318 offsetof(struct __sk_buff, data_end)),
3319 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3320 offsetof(struct __sk_buff, data)),
3321 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3323 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3324 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3325 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3326 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3328 offsetof(struct __sk_buff, data)),
3329 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3330 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3331 offsetof(struct __sk_buff, len)),
3332 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3333 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3334 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3335 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3337 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3338 offsetof(struct __sk_buff, data_end)),
3339 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3340 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3341 BPF_MOV64_IMM(BPF_REG_0, 0),
3345 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3348 "direct packet access: test3",
3350 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3351 offsetof(struct __sk_buff, data)),
3352 BPF_MOV64_IMM(BPF_REG_0, 0),
3355 .errstr = "invalid bpf_context access off=76",
3357 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3360 "direct packet access: test4 (write)",
3362 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3363 offsetof(struct __sk_buff, data)),
3364 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3365 offsetof(struct __sk_buff, data_end)),
3366 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3368 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3369 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3370 BPF_MOV64_IMM(BPF_REG_0, 0),
3374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3377 "direct packet access: test5 (pkt_end >= reg, good access)",
3379 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3380 offsetof(struct __sk_buff, data)),
3381 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3382 offsetof(struct __sk_buff, data_end)),
3383 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3385 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3386 BPF_MOV64_IMM(BPF_REG_0, 1),
3388 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3389 BPF_MOV64_IMM(BPF_REG_0, 0),
3393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3396 "direct packet access: test6 (pkt_end >= reg, bad access)",
3398 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3399 offsetof(struct __sk_buff, data)),
3400 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3401 offsetof(struct __sk_buff, data_end)),
3402 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3404 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3406 BPF_MOV64_IMM(BPF_REG_0, 1),
3408 BPF_MOV64_IMM(BPF_REG_0, 0),
3411 .errstr = "invalid access to packet",
3413 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3416 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3419 offsetof(struct __sk_buff, data)),
3420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3421 offsetof(struct __sk_buff, data_end)),
3422 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3424 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3425 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3426 BPF_MOV64_IMM(BPF_REG_0, 1),
3428 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3429 BPF_MOV64_IMM(BPF_REG_0, 0),
3432 .errstr = "invalid access to packet",
3434 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3437 "direct packet access: test8 (double test, variant 1)",
3439 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3440 offsetof(struct __sk_buff, data)),
3441 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3442 offsetof(struct __sk_buff, data_end)),
3443 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3445 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3446 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3447 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3448 BPF_MOV64_IMM(BPF_REG_0, 1),
3450 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3451 BPF_MOV64_IMM(BPF_REG_0, 0),
3455 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3458 "direct packet access: test9 (double test, variant 2)",
3460 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3461 offsetof(struct __sk_buff, data)),
3462 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3463 offsetof(struct __sk_buff, data_end)),
3464 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3466 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3467 BPF_MOV64_IMM(BPF_REG_0, 1),
3469 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3470 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3471 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3472 BPF_MOV64_IMM(BPF_REG_0, 0),
3476 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3479 "direct packet access: test10 (write invalid)",
3481 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3482 offsetof(struct __sk_buff, data)),
3483 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3484 offsetof(struct __sk_buff, data_end)),
3485 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3487 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3488 BPF_MOV64_IMM(BPF_REG_0, 0),
3490 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3491 BPF_MOV64_IMM(BPF_REG_0, 0),
3494 .errstr = "invalid access to packet",
3496 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3499 "direct packet access: test11 (shift, good access)",
3501 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3502 offsetof(struct __sk_buff, data)),
3503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3504 offsetof(struct __sk_buff, data_end)),
3505 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3507 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3508 BPF_MOV64_IMM(BPF_REG_3, 144),
3509 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3511 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3512 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3513 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3514 BPF_MOV64_IMM(BPF_REG_0, 1),
3516 BPF_MOV64_IMM(BPF_REG_0, 0),
3520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3524 "direct packet access: test12 (and, good access)",
3526 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3527 offsetof(struct __sk_buff, data)),
3528 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3529 offsetof(struct __sk_buff, data_end)),
3530 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3532 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3533 BPF_MOV64_IMM(BPF_REG_3, 144),
3534 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3536 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3537 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3538 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3539 BPF_MOV64_IMM(BPF_REG_0, 1),
3541 BPF_MOV64_IMM(BPF_REG_0, 0),
3545 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3549 "direct packet access: test13 (branches, good access)",
3551 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3552 offsetof(struct __sk_buff, data)),
3553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554 offsetof(struct __sk_buff, data_end)),
3555 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3557 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3558 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3559 offsetof(struct __sk_buff, mark)),
3560 BPF_MOV64_IMM(BPF_REG_4, 1),
3561 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3562 BPF_MOV64_IMM(BPF_REG_3, 14),
3563 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3564 BPF_MOV64_IMM(BPF_REG_3, 24),
3565 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3567 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3568 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3569 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3570 BPF_MOV64_IMM(BPF_REG_0, 1),
3572 BPF_MOV64_IMM(BPF_REG_0, 0),
3576 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3580 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3582 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3583 offsetof(struct __sk_buff, data)),
3584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3585 offsetof(struct __sk_buff, data_end)),
3586 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3588 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3589 BPF_MOV64_IMM(BPF_REG_5, 12),
3590 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3591 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3592 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3593 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3594 BPF_MOV64_IMM(BPF_REG_0, 1),
3596 BPF_MOV64_IMM(BPF_REG_0, 0),
3600 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3604 "direct packet access: test15 (spill with xadd)",
3606 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3607 offsetof(struct __sk_buff, data)),
3608 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3609 offsetof(struct __sk_buff, data_end)),
3610 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3612 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3613 BPF_MOV64_IMM(BPF_REG_5, 4096),
3614 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3616 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3617 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3618 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3619 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3620 BPF_MOV64_IMM(BPF_REG_0, 0),
3623 .errstr = "R2 invalid mem access 'inv'",
3625 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3628 "direct packet access: test16 (arith on data_end)",
3630 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3631 offsetof(struct __sk_buff, data)),
3632 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3633 offsetof(struct __sk_buff, data_end)),
3634 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3637 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3638 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3639 BPF_MOV64_IMM(BPF_REG_0, 0),
3642 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3644 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3647 "direct packet access: test17 (pruning, alignment)",
3649 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3650 offsetof(struct __sk_buff, data)),
3651 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3652 offsetof(struct __sk_buff, data_end)),
3653 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3654 offsetof(struct __sk_buff, mark)),
3655 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3657 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3658 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3659 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3660 BPF_MOV64_IMM(BPF_REG_0, 0),
3662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3665 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3667 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3668 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3671 "direct packet access: test18 (imm += pkt_ptr, 1)",
3673 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3674 offsetof(struct __sk_buff, data)),
3675 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3676 offsetof(struct __sk_buff, data_end)),
3677 BPF_MOV64_IMM(BPF_REG_0, 8),
3678 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3679 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3680 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3681 BPF_MOV64_IMM(BPF_REG_0, 0),
3685 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3688 "direct packet access: test19 (imm += pkt_ptr, 2)",
3690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3691 offsetof(struct __sk_buff, data)),
3692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3693 offsetof(struct __sk_buff, data_end)),
3694 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3696 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3697 BPF_MOV64_IMM(BPF_REG_4, 4),
3698 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3699 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3700 BPF_MOV64_IMM(BPF_REG_0, 0),
3704 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3707 "direct packet access: test20 (x += pkt_ptr, 1)",
3709 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3710 offsetof(struct __sk_buff, data)),
3711 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3712 offsetof(struct __sk_buff, data_end)),
3713 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3714 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3716 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3717 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3718 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3719 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3721 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3722 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3723 BPF_MOV64_IMM(BPF_REG_0, 0),
3726 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3730 "direct packet access: test21 (x += pkt_ptr, 2)",
3732 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3733 offsetof(struct __sk_buff, data)),
3734 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3735 offsetof(struct __sk_buff, data_end)),
3736 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3738 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3739 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3740 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3741 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3742 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3743 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3744 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3746 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3747 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3748 BPF_MOV64_IMM(BPF_REG_0, 0),
3751 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3755 "direct packet access: test22 (x += pkt_ptr, 3)",
3757 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3758 offsetof(struct __sk_buff, data)),
3759 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3760 offsetof(struct __sk_buff, data_end)),
3761 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3763 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3764 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3765 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3766 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3767 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3768 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3769 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3770 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3771 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3772 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3773 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3775 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3776 BPF_MOV64_IMM(BPF_REG_2, 1),
3777 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3778 BPF_MOV64_IMM(BPF_REG_0, 0),
3781 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3785 "direct packet access: test23 (x += pkt_ptr, 4)",
3787 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3788 offsetof(struct __sk_buff, data)),
3789 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3790 offsetof(struct __sk_buff, data_end)),
3791 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3792 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3793 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3794 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3795 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3796 BPF_MOV64_IMM(BPF_REG_0, 31),
3797 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3798 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3799 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3801 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3802 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3803 BPF_MOV64_IMM(BPF_REG_0, 0),
3806 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3808 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3811 "direct packet access: test24 (x += pkt_ptr, 5)",
3813 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3814 offsetof(struct __sk_buff, data)),
3815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3816 offsetof(struct __sk_buff, data_end)),
3817 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3818 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3819 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3820 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3821 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3822 BPF_MOV64_IMM(BPF_REG_0, 64),
3823 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3824 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3825 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3827 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3828 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3829 BPF_MOV64_IMM(BPF_REG_0, 0),
3832 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3836 "direct packet access: test25 (marking on <, good access)",
3838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3839 offsetof(struct __sk_buff, data)),
3840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3841 offsetof(struct __sk_buff, data_end)),
3842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3844 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3845 BPF_MOV64_IMM(BPF_REG_0, 0),
3847 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3848 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3851 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3854 "direct packet access: test26 (marking on <, bad access)",
3856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3857 offsetof(struct __sk_buff, data)),
3858 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3859 offsetof(struct __sk_buff, data_end)),
3860 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3862 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3863 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3864 BPF_MOV64_IMM(BPF_REG_0, 0),
3866 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3869 .errstr = "invalid access to packet",
3870 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3873 "direct packet access: test27 (marking on <=, good access)",
3875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3876 offsetof(struct __sk_buff, data)),
3877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3878 offsetof(struct __sk_buff, data_end)),
3879 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3881 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3882 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3883 BPF_MOV64_IMM(BPF_REG_0, 1),
3887 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3891 "direct packet access: test28 (marking on <=, bad access)",
3893 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3894 offsetof(struct __sk_buff, data)),
3895 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3896 offsetof(struct __sk_buff, data_end)),
3897 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3899 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3900 BPF_MOV64_IMM(BPF_REG_0, 1),
3902 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3903 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3906 .errstr = "invalid access to packet",
3907 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3910 "helper access to packet: test1, valid packet_ptr range",
3912 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3913 offsetof(struct xdp_md, data)),
3914 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3915 offsetof(struct xdp_md, data_end)),
3916 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3918 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3919 BPF_LD_MAP_FD(BPF_REG_1, 0),
3920 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3921 BPF_MOV64_IMM(BPF_REG_4, 0),
3922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3923 BPF_FUNC_map_update_elem),
3924 BPF_MOV64_IMM(BPF_REG_0, 0),
3927 .fixup_map1 = { 5 },
3928 .result_unpriv = ACCEPT,
3930 .prog_type = BPF_PROG_TYPE_XDP,
3933 "helper access to packet: test2, unchecked packet_ptr",
3935 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3936 offsetof(struct xdp_md, data)),
3937 BPF_LD_MAP_FD(BPF_REG_1, 0),
3938 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3939 BPF_FUNC_map_lookup_elem),
3940 BPF_MOV64_IMM(BPF_REG_0, 0),
3943 .fixup_map1 = { 1 },
3945 .errstr = "invalid access to packet",
3946 .prog_type = BPF_PROG_TYPE_XDP,
3949 "helper access to packet: test3, variable add",
3951 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3952 offsetof(struct xdp_md, data)),
3953 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3954 offsetof(struct xdp_md, data_end)),
3955 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3956 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3957 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3958 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3959 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3960 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3961 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3963 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3964 BPF_LD_MAP_FD(BPF_REG_1, 0),
3965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3967 BPF_FUNC_map_lookup_elem),
3968 BPF_MOV64_IMM(BPF_REG_0, 0),
3971 .fixup_map1 = { 11 },
3973 .prog_type = BPF_PROG_TYPE_XDP,
3976 "helper access to packet: test4, packet_ptr with bad range",
3978 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3979 offsetof(struct xdp_md, data)),
3980 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3981 offsetof(struct xdp_md, data_end)),
3982 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3984 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3985 BPF_MOV64_IMM(BPF_REG_0, 0),
3987 BPF_LD_MAP_FD(BPF_REG_1, 0),
3988 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3989 BPF_FUNC_map_lookup_elem),
3990 BPF_MOV64_IMM(BPF_REG_0, 0),
3993 .fixup_map1 = { 7 },
3995 .errstr = "invalid access to packet",
3996 .prog_type = BPF_PROG_TYPE_XDP,
3999 "helper access to packet: test5, packet_ptr with too short range",
4001 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4002 offsetof(struct xdp_md, data)),
4003 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4004 offsetof(struct xdp_md, data_end)),
4005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4006 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4008 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4009 BPF_LD_MAP_FD(BPF_REG_1, 0),
4010 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4011 BPF_FUNC_map_lookup_elem),
4012 BPF_MOV64_IMM(BPF_REG_0, 0),
4015 .fixup_map1 = { 6 },
4017 .errstr = "invalid access to packet",
4018 .prog_type = BPF_PROG_TYPE_XDP,
4021 "helper access to packet: test6, cls valid packet_ptr range",
4023 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4024 offsetof(struct __sk_buff, data)),
4025 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4026 offsetof(struct __sk_buff, data_end)),
4027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4029 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4030 BPF_LD_MAP_FD(BPF_REG_1, 0),
4031 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4032 BPF_MOV64_IMM(BPF_REG_4, 0),
4033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4034 BPF_FUNC_map_update_elem),
4035 BPF_MOV64_IMM(BPF_REG_0, 0),
4038 .fixup_map1 = { 5 },
4040 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4043 "helper access to packet: test7, cls unchecked packet_ptr",
4045 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4046 offsetof(struct __sk_buff, data)),
4047 BPF_LD_MAP_FD(BPF_REG_1, 0),
4048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4049 BPF_FUNC_map_lookup_elem),
4050 BPF_MOV64_IMM(BPF_REG_0, 0),
4053 .fixup_map1 = { 1 },
4055 .errstr = "invalid access to packet",
4056 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4059 "helper access to packet: test8, cls variable add",
4061 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4062 offsetof(struct __sk_buff, data)),
4063 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4064 offsetof(struct __sk_buff, data_end)),
4065 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4067 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4068 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4069 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4070 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4071 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4073 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4074 BPF_LD_MAP_FD(BPF_REG_1, 0),
4075 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4077 BPF_FUNC_map_lookup_elem),
4078 BPF_MOV64_IMM(BPF_REG_0, 0),
4081 .fixup_map1 = { 11 },
4083 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4086 "helper access to packet: test9, cls packet_ptr with bad range",
4088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4089 offsetof(struct __sk_buff, data)),
4090 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4091 offsetof(struct __sk_buff, data_end)),
4092 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4094 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4095 BPF_MOV64_IMM(BPF_REG_0, 0),
4097 BPF_LD_MAP_FD(BPF_REG_1, 0),
4098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4099 BPF_FUNC_map_lookup_elem),
4100 BPF_MOV64_IMM(BPF_REG_0, 0),
4103 .fixup_map1 = { 7 },
4105 .errstr = "invalid access to packet",
4106 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4109 "helper access to packet: test10, cls packet_ptr with too short range",
4111 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4112 offsetof(struct __sk_buff, data)),
4113 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4114 offsetof(struct __sk_buff, data_end)),
4115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4116 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4118 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4119 BPF_LD_MAP_FD(BPF_REG_1, 0),
4120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4121 BPF_FUNC_map_lookup_elem),
4122 BPF_MOV64_IMM(BPF_REG_0, 0),
4125 .fixup_map1 = { 6 },
4127 .errstr = "invalid access to packet",
4128 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4131 "helper access to packet: test11, cls unsuitable helper 1",
4133 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4134 offsetof(struct __sk_buff, data)),
4135 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4136 offsetof(struct __sk_buff, data_end)),
4137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4138 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4140 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4141 BPF_MOV64_IMM(BPF_REG_2, 0),
4142 BPF_MOV64_IMM(BPF_REG_4, 42),
4143 BPF_MOV64_IMM(BPF_REG_5, 0),
4144 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4145 BPF_FUNC_skb_store_bytes),
4146 BPF_MOV64_IMM(BPF_REG_0, 0),
4150 .errstr = "helper access to the packet",
4151 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4154 "helper access to packet: test12, cls unsuitable helper 2",
4156 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4157 offsetof(struct __sk_buff, data)),
4158 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4159 offsetof(struct __sk_buff, data_end)),
4160 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4162 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4163 BPF_MOV64_IMM(BPF_REG_2, 0),
4164 BPF_MOV64_IMM(BPF_REG_4, 4),
4165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4166 BPF_FUNC_skb_load_bytes),
4167 BPF_MOV64_IMM(BPF_REG_0, 0),
4171 .errstr = "helper access to the packet",
4172 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4175 "helper access to packet: test13, cls helper ok",
4177 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4178 offsetof(struct __sk_buff, data)),
4179 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4180 offsetof(struct __sk_buff, data_end)),
4181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4182 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4183 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4184 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4185 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4186 BPF_MOV64_IMM(BPF_REG_2, 4),
4187 BPF_MOV64_IMM(BPF_REG_3, 0),
4188 BPF_MOV64_IMM(BPF_REG_4, 0),
4189 BPF_MOV64_IMM(BPF_REG_5, 0),
4190 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4191 BPF_FUNC_csum_diff),
4192 BPF_MOV64_IMM(BPF_REG_0, 0),
4196 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4199 "helper access to packet: test14, cls helper ok sub",
4201 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4202 offsetof(struct __sk_buff, data)),
4203 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4204 offsetof(struct __sk_buff, data_end)),
4205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4206 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4208 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4209 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4210 BPF_MOV64_IMM(BPF_REG_2, 4),
4211 BPF_MOV64_IMM(BPF_REG_3, 0),
4212 BPF_MOV64_IMM(BPF_REG_4, 0),
4213 BPF_MOV64_IMM(BPF_REG_5, 0),
4214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4215 BPF_FUNC_csum_diff),
4216 BPF_MOV64_IMM(BPF_REG_0, 0),
4220 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4223 "helper access to packet: test15, cls helper fail sub",
4225 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4226 offsetof(struct __sk_buff, data)),
4227 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4228 offsetof(struct __sk_buff, data_end)),
4229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4230 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4232 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4233 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4234 BPF_MOV64_IMM(BPF_REG_2, 4),
4235 BPF_MOV64_IMM(BPF_REG_3, 0),
4236 BPF_MOV64_IMM(BPF_REG_4, 0),
4237 BPF_MOV64_IMM(BPF_REG_5, 0),
4238 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4239 BPF_FUNC_csum_diff),
4240 BPF_MOV64_IMM(BPF_REG_0, 0),
4244 .errstr = "invalid access to packet",
4245 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4248 "helper access to packet: test16, cls helper fail range 1",
4250 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4251 offsetof(struct __sk_buff, data)),
4252 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4253 offsetof(struct __sk_buff, data_end)),
4254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4255 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4257 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4259 BPF_MOV64_IMM(BPF_REG_2, 8),
4260 BPF_MOV64_IMM(BPF_REG_3, 0),
4261 BPF_MOV64_IMM(BPF_REG_4, 0),
4262 BPF_MOV64_IMM(BPF_REG_5, 0),
4263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4264 BPF_FUNC_csum_diff),
4265 BPF_MOV64_IMM(BPF_REG_0, 0),
4269 .errstr = "invalid access to packet",
4270 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4273 "helper access to packet: test17, cls helper fail range 2",
4275 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4276 offsetof(struct __sk_buff, data)),
4277 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4278 offsetof(struct __sk_buff, data_end)),
4279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4282 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4283 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4284 BPF_MOV64_IMM(BPF_REG_2, -9),
4285 BPF_MOV64_IMM(BPF_REG_3, 0),
4286 BPF_MOV64_IMM(BPF_REG_4, 0),
4287 BPF_MOV64_IMM(BPF_REG_5, 0),
4288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4289 BPF_FUNC_csum_diff),
4290 BPF_MOV64_IMM(BPF_REG_0, 0),
4294 .errstr = "R2 min value is negative",
4295 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4298 "helper access to packet: test18, cls helper fail range 3",
4300 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4301 offsetof(struct __sk_buff, data)),
4302 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4303 offsetof(struct __sk_buff, data_end)),
4304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4307 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4308 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4309 BPF_MOV64_IMM(BPF_REG_2, ~0),
4310 BPF_MOV64_IMM(BPF_REG_3, 0),
4311 BPF_MOV64_IMM(BPF_REG_4, 0),
4312 BPF_MOV64_IMM(BPF_REG_5, 0),
4313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4314 BPF_FUNC_csum_diff),
4315 BPF_MOV64_IMM(BPF_REG_0, 0),
4319 .errstr = "R2 min value is negative",
4320 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4323 "helper access to packet: test19, cls helper range zero",
4325 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4326 offsetof(struct __sk_buff, data)),
4327 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4328 offsetof(struct __sk_buff, data_end)),
4329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4330 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4332 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4333 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4334 BPF_MOV64_IMM(BPF_REG_2, 0),
4335 BPF_MOV64_IMM(BPF_REG_3, 0),
4336 BPF_MOV64_IMM(BPF_REG_4, 0),
4337 BPF_MOV64_IMM(BPF_REG_5, 0),
4338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4339 BPF_FUNC_csum_diff),
4340 BPF_MOV64_IMM(BPF_REG_0, 0),
4344 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4347 "helper access to packet: test20, pkt end as input",
4349 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4350 offsetof(struct __sk_buff, data)),
4351 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4352 offsetof(struct __sk_buff, data_end)),
4353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4354 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4356 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4358 BPF_MOV64_IMM(BPF_REG_2, 4),
4359 BPF_MOV64_IMM(BPF_REG_3, 0),
4360 BPF_MOV64_IMM(BPF_REG_4, 0),
4361 BPF_MOV64_IMM(BPF_REG_5, 0),
4362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4363 BPF_FUNC_csum_diff),
4364 BPF_MOV64_IMM(BPF_REG_0, 0),
4368 .errstr = "R1 type=pkt_end expected=fp",
4369 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4372 "helper access to packet: test21, wrong reg",
4374 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4375 offsetof(struct __sk_buff, data)),
4376 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4377 offsetof(struct __sk_buff, data_end)),
4378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4381 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4382 BPF_MOV64_IMM(BPF_REG_2, 4),
4383 BPF_MOV64_IMM(BPF_REG_3, 0),
4384 BPF_MOV64_IMM(BPF_REG_4, 0),
4385 BPF_MOV64_IMM(BPF_REG_5, 0),
4386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4387 BPF_FUNC_csum_diff),
4388 BPF_MOV64_IMM(BPF_REG_0, 0),
4392 .errstr = "invalid access to packet",
4393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4396 "valid map access into an array with a constant",
4398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4401 BPF_LD_MAP_FD(BPF_REG_1, 0),
4402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4403 BPF_FUNC_map_lookup_elem),
4404 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4405 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4406 offsetof(struct test_val, foo)),
4409 .fixup_map2 = { 3 },
4410 .errstr_unpriv = "R0 leaks addr",
4411 .result_unpriv = REJECT,
4415 "valid map access into an array with a register",
4417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4420 BPF_LD_MAP_FD(BPF_REG_1, 0),
4421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4422 BPF_FUNC_map_lookup_elem),
4423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4424 BPF_MOV64_IMM(BPF_REG_1, 4),
4425 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4426 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4427 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4428 offsetof(struct test_val, foo)),
4431 .fixup_map2 = { 3 },
4432 .errstr_unpriv = "R0 leaks addr",
4433 .result_unpriv = REJECT,
4435 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4438 "valid map access into an array with a variable",
4440 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4441 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4443 BPF_LD_MAP_FD(BPF_REG_1, 0),
4444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4445 BPF_FUNC_map_lookup_elem),
4446 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4447 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4448 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4449 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4450 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4451 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4452 offsetof(struct test_val, foo)),
4455 .fixup_map2 = { 3 },
4456 .errstr_unpriv = "R0 leaks addr",
4457 .result_unpriv = REJECT,
4459 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4462 "valid map access into an array with a signed variable",
4464 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4465 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4467 BPF_LD_MAP_FD(BPF_REG_1, 0),
4468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4469 BPF_FUNC_map_lookup_elem),
4470 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4471 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4472 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4473 BPF_MOV32_IMM(BPF_REG_1, 0),
4474 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4475 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4476 BPF_MOV32_IMM(BPF_REG_1, 0),
4477 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4478 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4479 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4480 offsetof(struct test_val, foo)),
4483 .fixup_map2 = { 3 },
4484 .errstr_unpriv = "R0 leaks addr",
4485 .result_unpriv = REJECT,
4487 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4490 "invalid map access into an array with a constant",
4492 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4493 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4495 BPF_LD_MAP_FD(BPF_REG_1, 0),
4496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4497 BPF_FUNC_map_lookup_elem),
4498 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4499 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4500 offsetof(struct test_val, foo)),
4503 .fixup_map2 = { 3 },
4504 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4508 "invalid map access into an array with a register",
4510 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4511 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4513 BPF_LD_MAP_FD(BPF_REG_1, 0),
4514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4515 BPF_FUNC_map_lookup_elem),
4516 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4517 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4518 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4519 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4520 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4521 offsetof(struct test_val, foo)),
4524 .fixup_map2 = { 3 },
4525 .errstr = "R0 min value is outside of the array range",
4527 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4530 "invalid map access into an array with a variable",
4532 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4535 BPF_LD_MAP_FD(BPF_REG_1, 0),
4536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4537 BPF_FUNC_map_lookup_elem),
4538 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4539 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4540 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4541 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4542 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4543 offsetof(struct test_val, foo)),
4546 .fixup_map2 = { 3 },
4547 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4549 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4552 "invalid map access into an array with no floor check",
4554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4557 BPF_LD_MAP_FD(BPF_REG_1, 0),
4558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4559 BPF_FUNC_map_lookup_elem),
4560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4561 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4562 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4563 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4564 BPF_MOV32_IMM(BPF_REG_1, 0),
4565 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4566 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4567 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4568 offsetof(struct test_val, foo)),
4571 .fixup_map2 = { 3 },
4572 .errstr_unpriv = "R0 leaks addr",
4573 .errstr = "R0 unbounded memory access",
4574 .result_unpriv = REJECT,
4576 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4579 "invalid map access into an array with a invalid max check",
4581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4582 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4584 BPF_LD_MAP_FD(BPF_REG_1, 0),
4585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4586 BPF_FUNC_map_lookup_elem),
4587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4588 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4589 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4590 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4591 BPF_MOV32_IMM(BPF_REG_1, 0),
4592 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4593 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4594 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4595 offsetof(struct test_val, foo)),
4598 .fixup_map2 = { 3 },
4599 .errstr_unpriv = "R0 leaks addr",
4600 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4601 .result_unpriv = REJECT,
4603 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4606 "invalid map access into an array with a invalid max check",
4608 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4609 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4611 BPF_LD_MAP_FD(BPF_REG_1, 0),
4612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4613 BPF_FUNC_map_lookup_elem),
4614 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4615 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4616 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4617 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4619 BPF_LD_MAP_FD(BPF_REG_1, 0),
4620 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4621 BPF_FUNC_map_lookup_elem),
4622 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4623 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4624 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4625 offsetof(struct test_val, foo)),
4628 .fixup_map2 = { 3, 11 },
4629 .errstr = "R0 pointer += pointer",
4631 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4634 "multiple registers share map_lookup_elem result",
4636 BPF_MOV64_IMM(BPF_REG_1, 10),
4637 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4638 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4640 BPF_LD_MAP_FD(BPF_REG_1, 0),
4641 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4642 BPF_FUNC_map_lookup_elem),
4643 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4645 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4648 .fixup_map1 = { 4 },
4650 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4653 "alu ops on ptr_to_map_value_or_null, 1",
4655 BPF_MOV64_IMM(BPF_REG_1, 10),
4656 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4657 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4659 BPF_LD_MAP_FD(BPF_REG_1, 0),
4660 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4661 BPF_FUNC_map_lookup_elem),
4662 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4666 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4669 .fixup_map1 = { 4 },
4670 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4672 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4675 "alu ops on ptr_to_map_value_or_null, 2",
4677 BPF_MOV64_IMM(BPF_REG_1, 10),
4678 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4681 BPF_LD_MAP_FD(BPF_REG_1, 0),
4682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4683 BPF_FUNC_map_lookup_elem),
4684 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4685 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4687 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4690 .fixup_map1 = { 4 },
4691 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4693 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4696 "alu ops on ptr_to_map_value_or_null, 3",
4698 BPF_MOV64_IMM(BPF_REG_1, 10),
4699 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4702 BPF_LD_MAP_FD(BPF_REG_1, 0),
4703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4704 BPF_FUNC_map_lookup_elem),
4705 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4706 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4708 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4711 .fixup_map1 = { 4 },
4712 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4714 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4717 "invalid memory access with multiple map_lookup_elem calls",
4719 BPF_MOV64_IMM(BPF_REG_1, 10),
4720 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4721 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4723 BPF_LD_MAP_FD(BPF_REG_1, 0),
4724 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4725 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4727 BPF_FUNC_map_lookup_elem),
4728 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4729 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4732 BPF_FUNC_map_lookup_elem),
4733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4734 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4737 .fixup_map1 = { 4 },
4739 .errstr = "R4 !read_ok",
4740 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4743 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4745 BPF_MOV64_IMM(BPF_REG_1, 10),
4746 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4747 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4749 BPF_LD_MAP_FD(BPF_REG_1, 0),
4750 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4751 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4752 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4753 BPF_FUNC_map_lookup_elem),
4754 BPF_MOV64_IMM(BPF_REG_2, 10),
4755 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4757 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4758 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4759 BPF_FUNC_map_lookup_elem),
4760 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4762 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4765 .fixup_map1 = { 4 },
4767 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4770 "invalid map access from else condition",
4772 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4775 BPF_LD_MAP_FD(BPF_REG_1, 0),
4776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4778 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4779 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4781 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4782 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4783 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4786 .fixup_map2 = { 3 },
4787 .errstr = "R0 unbounded memory access",
4789 .errstr_unpriv = "R0 leaks addr",
4790 .result_unpriv = REJECT,
4791 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4794 "constant register |= constant should keep constant type",
4796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4798 BPF_MOV64_IMM(BPF_REG_2, 34),
4799 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4800 BPF_MOV64_IMM(BPF_REG_3, 0),
4801 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4805 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4808 "constant register |= constant should not bypass stack boundary checks",
4810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4812 BPF_MOV64_IMM(BPF_REG_2, 34),
4813 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4814 BPF_MOV64_IMM(BPF_REG_3, 0),
4815 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4818 .errstr = "invalid stack type R1 off=-48 access_size=58",
4820 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4823 "constant register |= constant register should keep constant type",
4825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4827 BPF_MOV64_IMM(BPF_REG_2, 34),
4828 BPF_MOV64_IMM(BPF_REG_4, 13),
4829 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4830 BPF_MOV64_IMM(BPF_REG_3, 0),
4831 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4835 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4838 "constant register |= constant register should not bypass stack boundary checks",
4840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4842 BPF_MOV64_IMM(BPF_REG_2, 34),
4843 BPF_MOV64_IMM(BPF_REG_4, 24),
4844 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4845 BPF_MOV64_IMM(BPF_REG_3, 0),
4846 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4849 .errstr = "invalid stack type R1 off=-48 access_size=58",
4851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4854 "invalid direct packet write for LWT_IN",
4856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4857 offsetof(struct __sk_buff, data)),
4858 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4859 offsetof(struct __sk_buff, data_end)),
4860 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4862 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4863 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4864 BPF_MOV64_IMM(BPF_REG_0, 0),
4867 .errstr = "cannot write into packet",
4869 .prog_type = BPF_PROG_TYPE_LWT_IN,
4872 "invalid direct packet write for LWT_OUT",
4874 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4875 offsetof(struct __sk_buff, data)),
4876 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4877 offsetof(struct __sk_buff, data_end)),
4878 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4880 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4881 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4882 BPF_MOV64_IMM(BPF_REG_0, 0),
4885 .errstr = "cannot write into packet",
4887 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4890 "direct packet write for LWT_XMIT",
4892 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4893 offsetof(struct __sk_buff, data)),
4894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4895 offsetof(struct __sk_buff, data_end)),
4896 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4898 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4899 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4900 BPF_MOV64_IMM(BPF_REG_0, 0),
4904 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4907 "direct packet read for LWT_IN",
4909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4910 offsetof(struct __sk_buff, data)),
4911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4912 offsetof(struct __sk_buff, data_end)),
4913 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4915 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4916 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4917 BPF_MOV64_IMM(BPF_REG_0, 0),
4921 .prog_type = BPF_PROG_TYPE_LWT_IN,
4924 "direct packet read for LWT_OUT",
4926 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4927 offsetof(struct __sk_buff, data)),
4928 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4929 offsetof(struct __sk_buff, data_end)),
4930 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4932 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4934 BPF_MOV64_IMM(BPF_REG_0, 0),
4938 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4941 "direct packet read for LWT_XMIT",
4943 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4944 offsetof(struct __sk_buff, data)),
4945 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4946 offsetof(struct __sk_buff, data_end)),
4947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4949 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4950 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4951 BPF_MOV64_IMM(BPF_REG_0, 0),
4955 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4958 "overlapping checks for direct packet access",
4960 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4961 offsetof(struct __sk_buff, data)),
4962 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4963 offsetof(struct __sk_buff, data_end)),
4964 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4966 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4969 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4970 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4971 BPF_MOV64_IMM(BPF_REG_0, 0),
4975 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4978 "invalid access of tc_classid for LWT_IN",
4980 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4981 offsetof(struct __sk_buff, tc_classid)),
4985 .errstr = "invalid bpf_context access",
4988 "invalid access of tc_classid for LWT_OUT",
4990 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4991 offsetof(struct __sk_buff, tc_classid)),
4995 .errstr = "invalid bpf_context access",
4998 "invalid access of tc_classid for LWT_XMIT",
5000 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5001 offsetof(struct __sk_buff, tc_classid)),
5005 .errstr = "invalid bpf_context access",
5008 "leak pointer into ctx 1",
5010 BPF_MOV64_IMM(BPF_REG_0, 0),
5011 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5012 offsetof(struct __sk_buff, cb[0])),
5013 BPF_LD_MAP_FD(BPF_REG_2, 0),
5014 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5015 offsetof(struct __sk_buff, cb[0])),
5018 .fixup_map1 = { 2 },
5019 .errstr_unpriv = "R2 leaks addr into mem",
5020 .result_unpriv = REJECT,
5022 .errstr = "BPF_XADD stores into R1 context is not allowed",
5025 "leak pointer into ctx 2",
5027 BPF_MOV64_IMM(BPF_REG_0, 0),
5028 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5029 offsetof(struct __sk_buff, cb[0])),
5030 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5031 offsetof(struct __sk_buff, cb[0])),
5034 .errstr_unpriv = "R10 leaks addr into mem",
5035 .result_unpriv = REJECT,
5037 .errstr = "BPF_XADD stores into R1 context is not allowed",
5040 "leak pointer into ctx 3",
5042 BPF_MOV64_IMM(BPF_REG_0, 0),
5043 BPF_LD_MAP_FD(BPF_REG_2, 0),
5044 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5045 offsetof(struct __sk_buff, cb[0])),
5048 .fixup_map1 = { 1 },
5049 .errstr_unpriv = "R2 leaks addr into ctx",
5050 .result_unpriv = REJECT,
5054 "leak pointer into map val",
5056 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5057 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5060 BPF_LD_MAP_FD(BPF_REG_1, 0),
5061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5062 BPF_FUNC_map_lookup_elem),
5063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5064 BPF_MOV64_IMM(BPF_REG_3, 0),
5065 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5066 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5067 BPF_MOV64_IMM(BPF_REG_0, 0),
5070 .fixup_map1 = { 4 },
5071 .errstr_unpriv = "R6 leaks addr into mem",
5072 .result_unpriv = REJECT,
5076 "helper access to map: full range",
5078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5080 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5081 BPF_LD_MAP_FD(BPF_REG_1, 0),
5082 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5083 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5084 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5085 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5086 BPF_MOV64_IMM(BPF_REG_3, 0),
5087 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5090 .fixup_map2 = { 3 },
5092 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5095 "helper access to map: partial range",
5097 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5099 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5100 BPF_LD_MAP_FD(BPF_REG_1, 0),
5101 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5102 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5104 BPF_MOV64_IMM(BPF_REG_2, 8),
5105 BPF_MOV64_IMM(BPF_REG_3, 0),
5106 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5109 .fixup_map2 = { 3 },
5111 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5114 "helper access to map: empty range",
5116 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5118 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5119 BPF_LD_MAP_FD(BPF_REG_1, 0),
5120 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5121 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5122 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5123 BPF_MOV64_IMM(BPF_REG_2, 0),
5124 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5127 .fixup_map2 = { 3 },
5128 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5130 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5133 "helper access to map: out-of-bound range",
5135 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5137 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5138 BPF_LD_MAP_FD(BPF_REG_1, 0),
5139 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5141 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5142 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5143 BPF_MOV64_IMM(BPF_REG_3, 0),
5144 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5147 .fixup_map2 = { 3 },
5148 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5150 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5153 "helper access to map: negative range",
5155 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5157 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5158 BPF_LD_MAP_FD(BPF_REG_1, 0),
5159 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5160 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5161 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5162 BPF_MOV64_IMM(BPF_REG_2, -8),
5163 BPF_MOV64_IMM(BPF_REG_3, 0),
5164 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5167 .fixup_map2 = { 3 },
5168 .errstr = "R2 min value is negative",
5170 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5173 "helper access to adjusted map (via const imm): full range",
5175 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5177 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5178 BPF_LD_MAP_FD(BPF_REG_1, 0),
5179 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5180 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5181 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5183 offsetof(struct test_val, foo)),
5184 BPF_MOV64_IMM(BPF_REG_2,
5185 sizeof(struct test_val) -
5186 offsetof(struct test_val, foo)),
5187 BPF_MOV64_IMM(BPF_REG_3, 0),
5188 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5191 .fixup_map2 = { 3 },
5193 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5196 "helper access to adjusted map (via const imm): partial range",
5198 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5200 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5201 BPF_LD_MAP_FD(BPF_REG_1, 0),
5202 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5206 offsetof(struct test_val, foo)),
5207 BPF_MOV64_IMM(BPF_REG_2, 8),
5208 BPF_MOV64_IMM(BPF_REG_3, 0),
5209 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5212 .fixup_map2 = { 3 },
5214 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5217 "helper access to adjusted map (via const imm): empty range",
5219 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5221 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5222 BPF_LD_MAP_FD(BPF_REG_1, 0),
5223 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5225 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5227 offsetof(struct test_val, foo)),
5228 BPF_MOV64_IMM(BPF_REG_2, 0),
5229 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5232 .fixup_map2 = { 3 },
5233 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5235 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5238 "helper access to adjusted map (via const imm): out-of-bound range",
5240 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5242 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5243 BPF_LD_MAP_FD(BPF_REG_1, 0),
5244 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5248 offsetof(struct test_val, foo)),
5249 BPF_MOV64_IMM(BPF_REG_2,
5250 sizeof(struct test_val) -
5251 offsetof(struct test_val, foo) + 8),
5252 BPF_MOV64_IMM(BPF_REG_3, 0),
5253 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5256 .fixup_map2 = { 3 },
5257 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5259 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5262 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5264 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5266 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5267 BPF_LD_MAP_FD(BPF_REG_1, 0),
5268 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5272 offsetof(struct test_val, foo)),
5273 BPF_MOV64_IMM(BPF_REG_2, -8),
5274 BPF_MOV64_IMM(BPF_REG_3, 0),
5275 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5278 .fixup_map2 = { 3 },
5279 .errstr = "R2 min value is negative",
5281 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5284 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5288 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5289 BPF_LD_MAP_FD(BPF_REG_1, 0),
5290 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5294 offsetof(struct test_val, foo)),
5295 BPF_MOV64_IMM(BPF_REG_2, -1),
5296 BPF_MOV64_IMM(BPF_REG_3, 0),
5297 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5300 .fixup_map2 = { 3 },
5301 .errstr = "R2 min value is negative",
5303 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5306 "helper access to adjusted map (via const reg): full range",
5308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5310 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5311 BPF_LD_MAP_FD(BPF_REG_1, 0),
5312 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5313 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5314 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5315 BPF_MOV64_IMM(BPF_REG_3,
5316 offsetof(struct test_val, foo)),
5317 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5318 BPF_MOV64_IMM(BPF_REG_2,
5319 sizeof(struct test_val) -
5320 offsetof(struct test_val, foo)),
5321 BPF_MOV64_IMM(BPF_REG_3, 0),
5322 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5325 .fixup_map2 = { 3 },
5327 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5330 "helper access to adjusted map (via const reg): partial range",
5332 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5334 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5335 BPF_LD_MAP_FD(BPF_REG_1, 0),
5336 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5339 BPF_MOV64_IMM(BPF_REG_3,
5340 offsetof(struct test_val, foo)),
5341 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5342 BPF_MOV64_IMM(BPF_REG_2, 8),
5343 BPF_MOV64_IMM(BPF_REG_3, 0),
5344 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5347 .fixup_map2 = { 3 },
5349 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5352 "helper access to adjusted map (via const reg): empty range",
5354 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5356 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5357 BPF_LD_MAP_FD(BPF_REG_1, 0),
5358 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5359 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5361 BPF_MOV64_IMM(BPF_REG_3, 0),
5362 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5363 BPF_MOV64_IMM(BPF_REG_2, 0),
5364 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5367 .fixup_map2 = { 3 },
5368 .errstr = "R1 min value is outside of the array range",
5370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5373 "helper access to adjusted map (via const reg): out-of-bound range",
5375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5378 BPF_LD_MAP_FD(BPF_REG_1, 0),
5379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5382 BPF_MOV64_IMM(BPF_REG_3,
5383 offsetof(struct test_val, foo)),
5384 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5385 BPF_MOV64_IMM(BPF_REG_2,
5386 sizeof(struct test_val) -
5387 offsetof(struct test_val, foo) + 8),
5388 BPF_MOV64_IMM(BPF_REG_3, 0),
5389 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5392 .fixup_map2 = { 3 },
5393 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5395 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5398 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5402 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5403 BPF_LD_MAP_FD(BPF_REG_1, 0),
5404 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5405 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5407 BPF_MOV64_IMM(BPF_REG_3,
5408 offsetof(struct test_val, foo)),
5409 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5410 BPF_MOV64_IMM(BPF_REG_2, -8),
5411 BPF_MOV64_IMM(BPF_REG_3, 0),
5412 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5415 .fixup_map2 = { 3 },
5416 .errstr = "R2 min value is negative",
5418 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5421 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5425 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5426 BPF_LD_MAP_FD(BPF_REG_1, 0),
5427 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5430 BPF_MOV64_IMM(BPF_REG_3,
5431 offsetof(struct test_val, foo)),
5432 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5433 BPF_MOV64_IMM(BPF_REG_2, -1),
5434 BPF_MOV64_IMM(BPF_REG_3, 0),
5435 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5438 .fixup_map2 = { 3 },
5439 .errstr = "R2 min value is negative",
5441 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5444 "helper access to adjusted map (via variable): full range",
5446 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5448 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5449 BPF_LD_MAP_FD(BPF_REG_1, 0),
5450 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5451 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5454 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5455 offsetof(struct test_val, foo), 4),
5456 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5457 BPF_MOV64_IMM(BPF_REG_2,
5458 sizeof(struct test_val) -
5459 offsetof(struct test_val, foo)),
5460 BPF_MOV64_IMM(BPF_REG_3, 0),
5461 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5464 .fixup_map2 = { 3 },
5466 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5469 "helper access to adjusted map (via variable): partial range",
5471 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5473 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5474 BPF_LD_MAP_FD(BPF_REG_1, 0),
5475 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5479 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5480 offsetof(struct test_val, foo), 4),
5481 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5482 BPF_MOV64_IMM(BPF_REG_2, 8),
5483 BPF_MOV64_IMM(BPF_REG_3, 0),
5484 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5487 .fixup_map2 = { 3 },
5489 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5492 "helper access to adjusted map (via variable): empty range",
5494 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5496 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5497 BPF_LD_MAP_FD(BPF_REG_1, 0),
5498 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5499 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5501 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5502 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5503 offsetof(struct test_val, foo), 3),
5504 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5505 BPF_MOV64_IMM(BPF_REG_2, 0),
5506 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5509 .fixup_map2 = { 3 },
5510 .errstr = "R1 min value is outside of the array range",
5512 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5515 "helper access to adjusted map (via variable): no max check",
5517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5519 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5520 BPF_LD_MAP_FD(BPF_REG_1, 0),
5521 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5522 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5524 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5525 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5526 BPF_MOV64_IMM(BPF_REG_2, 1),
5527 BPF_MOV64_IMM(BPF_REG_3, 0),
5528 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5531 .fixup_map2 = { 3 },
5532 .errstr = "R1 unbounded memory access",
5534 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5537 "helper access to adjusted map (via variable): wrong max check",
5539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5541 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5542 BPF_LD_MAP_FD(BPF_REG_1, 0),
5543 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5544 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5545 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5546 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5547 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5548 offsetof(struct test_val, foo), 4),
5549 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5550 BPF_MOV64_IMM(BPF_REG_2,
5551 sizeof(struct test_val) -
5552 offsetof(struct test_val, foo) + 1),
5553 BPF_MOV64_IMM(BPF_REG_3, 0),
5554 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5557 .fixup_map2 = { 3 },
5558 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5560 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5563 "helper access to map: bounds check using <, good access",
5565 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5567 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5568 BPF_LD_MAP_FD(BPF_REG_1, 0),
5569 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5571 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5572 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5573 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5574 BPF_MOV64_IMM(BPF_REG_0, 0),
5576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5577 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5578 BPF_MOV64_IMM(BPF_REG_0, 0),
5581 .fixup_map2 = { 3 },
5583 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5586 "helper access to map: bounds check using <, bad access",
5588 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5590 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5591 BPF_LD_MAP_FD(BPF_REG_1, 0),
5592 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5595 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5596 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5597 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5598 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5599 BPF_MOV64_IMM(BPF_REG_0, 0),
5601 BPF_MOV64_IMM(BPF_REG_0, 0),
5604 .fixup_map2 = { 3 },
5606 .errstr = "R1 unbounded memory access",
5607 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5610 "helper access to map: bounds check using <=, good access",
5612 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5614 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5615 BPF_LD_MAP_FD(BPF_REG_1, 0),
5616 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5617 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5618 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5619 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5620 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5621 BPF_MOV64_IMM(BPF_REG_0, 0),
5623 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5624 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5625 BPF_MOV64_IMM(BPF_REG_0, 0),
5628 .fixup_map2 = { 3 },
5630 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5633 "helper access to map: bounds check using <=, bad access",
5635 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5637 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5638 BPF_LD_MAP_FD(BPF_REG_1, 0),
5639 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5640 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5641 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5642 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5643 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5644 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5645 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5646 BPF_MOV64_IMM(BPF_REG_0, 0),
5648 BPF_MOV64_IMM(BPF_REG_0, 0),
5651 .fixup_map2 = { 3 },
5653 .errstr = "R1 unbounded memory access",
5654 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5657 "helper access to map: bounds check using s<, good access",
5659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5661 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5662 BPF_LD_MAP_FD(BPF_REG_1, 0),
5663 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5666 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5667 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5668 BPF_MOV64_IMM(BPF_REG_0, 0),
5670 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5671 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5672 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5673 BPF_MOV64_IMM(BPF_REG_0, 0),
5676 .fixup_map2 = { 3 },
5678 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5681 "helper access to map: bounds check using s<, good access 2",
5683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5685 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5686 BPF_LD_MAP_FD(BPF_REG_1, 0),
5687 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5689 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5690 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5691 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5692 BPF_MOV64_IMM(BPF_REG_0, 0),
5694 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5695 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5696 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5697 BPF_MOV64_IMM(BPF_REG_0, 0),
5700 .fixup_map2 = { 3 },
5702 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5705 "helper access to map: bounds check using s<, bad access",
5707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5709 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5710 BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5712 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5714 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5715 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5716 BPF_MOV64_IMM(BPF_REG_0, 0),
5718 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5719 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5720 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5721 BPF_MOV64_IMM(BPF_REG_0, 0),
5724 .fixup_map2 = { 3 },
5726 .errstr = "R1 min value is negative",
5727 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5730 "helper access to map: bounds check using s<=, good access",
5732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5734 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5735 BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5738 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5740 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5741 BPF_MOV64_IMM(BPF_REG_0, 0),
5743 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5744 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5745 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5746 BPF_MOV64_IMM(BPF_REG_0, 0),
5749 .fixup_map2 = { 3 },
5751 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5754 "helper access to map: bounds check using s<=, good access 2",
5756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5758 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5759 BPF_LD_MAP_FD(BPF_REG_1, 0),
5760 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5763 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5764 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5765 BPF_MOV64_IMM(BPF_REG_0, 0),
5767 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5768 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5769 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5770 BPF_MOV64_IMM(BPF_REG_0, 0),
5773 .fixup_map2 = { 3 },
5775 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5778 "helper access to map: bounds check using s<=, bad access",
5780 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5782 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5783 BPF_LD_MAP_FD(BPF_REG_1, 0),
5784 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5787 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5788 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5789 BPF_MOV64_IMM(BPF_REG_0, 0),
5791 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5792 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5793 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5794 BPF_MOV64_IMM(BPF_REG_0, 0),
5797 .fixup_map2 = { 3 },
5799 .errstr = "R1 min value is negative",
5800 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5803 "map lookup helper access to map",
5805 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5807 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5808 BPF_LD_MAP_FD(BPF_REG_1, 0),
5809 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5812 BPF_LD_MAP_FD(BPF_REG_1, 0),
5813 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5816 .fixup_map3 = { 3, 8 },
5818 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5821 "map update helper access to map",
5823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5825 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5826 BPF_LD_MAP_FD(BPF_REG_1, 0),
5827 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5829 BPF_MOV64_IMM(BPF_REG_4, 0),
5830 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5831 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5832 BPF_LD_MAP_FD(BPF_REG_1, 0),
5833 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5836 .fixup_map3 = { 3, 10 },
5838 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5841 "map update helper access to map: wrong size",
5843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5845 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5846 BPF_LD_MAP_FD(BPF_REG_1, 0),
5847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5849 BPF_MOV64_IMM(BPF_REG_4, 0),
5850 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5852 BPF_LD_MAP_FD(BPF_REG_1, 0),
5853 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5856 .fixup_map1 = { 3 },
5857 .fixup_map3 = { 10 },
5859 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
5860 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5863 "map helper access to adjusted map (via const imm)",
5865 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5867 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5868 BPF_LD_MAP_FD(BPF_REG_1, 0),
5869 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5870 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5873 offsetof(struct other_val, bar)),
5874 BPF_LD_MAP_FD(BPF_REG_1, 0),
5875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5878 .fixup_map3 = { 3, 9 },
5880 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5883 "map helper access to adjusted map (via const imm): out-of-bound 1",
5885 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5887 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5888 BPF_LD_MAP_FD(BPF_REG_1, 0),
5889 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5891 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5893 sizeof(struct other_val) - 4),
5894 BPF_LD_MAP_FD(BPF_REG_1, 0),
5895 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5898 .fixup_map3 = { 3, 9 },
5900 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
5901 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5904 "map helper access to adjusted map (via const imm): out-of-bound 2",
5906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5908 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5909 BPF_LD_MAP_FD(BPF_REG_1, 0),
5910 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5911 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5912 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5914 BPF_LD_MAP_FD(BPF_REG_1, 0),
5915 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5918 .fixup_map3 = { 3, 9 },
5920 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5921 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5924 "map helper access to adjusted map (via const reg)",
5926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5928 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5929 BPF_LD_MAP_FD(BPF_REG_1, 0),
5930 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5932 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5933 BPF_MOV64_IMM(BPF_REG_3,
5934 offsetof(struct other_val, bar)),
5935 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5936 BPF_LD_MAP_FD(BPF_REG_1, 0),
5937 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5940 .fixup_map3 = { 3, 10 },
5942 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5945 "map helper access to adjusted map (via const reg): out-of-bound 1",
5947 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5949 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5950 BPF_LD_MAP_FD(BPF_REG_1, 0),
5951 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5952 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5954 BPF_MOV64_IMM(BPF_REG_3,
5955 sizeof(struct other_val) - 4),
5956 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5957 BPF_LD_MAP_FD(BPF_REG_1, 0),
5958 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5961 .fixup_map3 = { 3, 10 },
5963 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
5964 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5967 "map helper access to adjusted map (via const reg): out-of-bound 2",
5969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5971 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5972 BPF_LD_MAP_FD(BPF_REG_1, 0),
5973 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5974 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5976 BPF_MOV64_IMM(BPF_REG_3, -4),
5977 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5978 BPF_LD_MAP_FD(BPF_REG_1, 0),
5979 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5982 .fixup_map3 = { 3, 10 },
5984 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5985 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5988 "map helper access to adjusted map (via variable)",
5990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5992 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5993 BPF_LD_MAP_FD(BPF_REG_1, 0),
5994 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5995 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5996 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5997 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5998 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5999 offsetof(struct other_val, bar), 4),
6000 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6001 BPF_LD_MAP_FD(BPF_REG_1, 0),
6002 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6005 .fixup_map3 = { 3, 11 },
6007 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6010 "map helper access to adjusted map (via variable): no max check",
6012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6014 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6015 BPF_LD_MAP_FD(BPF_REG_1, 0),
6016 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6020 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6021 BPF_LD_MAP_FD(BPF_REG_1, 0),
6022 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6025 .fixup_map3 = { 3, 10 },
6027 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6028 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6031 "map helper access to adjusted map (via variable): wrong max check",
6033 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6035 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6036 BPF_LD_MAP_FD(BPF_REG_1, 0),
6037 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6040 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6041 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6042 offsetof(struct other_val, bar) + 1, 4),
6043 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6044 BPF_LD_MAP_FD(BPF_REG_1, 0),
6045 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6048 .fixup_map3 = { 3, 11 },
6050 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6051 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6054 "map element value is preserved across register spilling",
6056 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6058 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6059 BPF_LD_MAP_FD(BPF_REG_1, 0),
6060 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6062 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6063 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6065 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6066 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6067 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6070 .fixup_map2 = { 3 },
6071 .errstr_unpriv = "R0 leaks addr",
6073 .result_unpriv = REJECT,
6076 "map element value or null is marked on register spilling",
6078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081 BPF_LD_MAP_FD(BPF_REG_1, 0),
6082 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6085 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6087 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6088 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6091 .fixup_map2 = { 3 },
6092 .errstr_unpriv = "R0 leaks addr",
6094 .result_unpriv = REJECT,
6097 "map element value store of cleared call register",
6099 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6101 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6102 BPF_LD_MAP_FD(BPF_REG_1, 0),
6103 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6104 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6105 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6108 .fixup_map2 = { 3 },
6109 .errstr_unpriv = "R1 !read_ok",
6110 .errstr = "R1 !read_ok",
6112 .result_unpriv = REJECT,
6115 "map element value with unaligned store",
6117 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6119 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6120 BPF_LD_MAP_FD(BPF_REG_1, 0),
6121 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6122 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6124 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6126 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6127 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6128 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6129 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6130 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6132 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6133 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6134 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6135 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6137 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6138 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6139 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6142 .fixup_map2 = { 3 },
6143 .errstr_unpriv = "R0 leaks addr",
6145 .result_unpriv = REJECT,
6146 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6149 "map element value with unaligned load",
6151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6153 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6154 BPF_LD_MAP_FD(BPF_REG_1, 0),
6155 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6157 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6158 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6160 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6161 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6162 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6163 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6164 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6166 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6167 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6170 .fixup_map2 = { 3 },
6171 .errstr_unpriv = "R0 leaks addr",
6173 .result_unpriv = REJECT,
6174 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6177 "map element value illegal alu op, 1",
6179 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6181 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6182 BPF_LD_MAP_FD(BPF_REG_1, 0),
6183 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6184 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6185 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6186 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6189 .fixup_map2 = { 3 },
6190 .errstr = "R0 bitwise operator &= on pointer",
6194 "map element value illegal alu op, 2",
6196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6198 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6199 BPF_LD_MAP_FD(BPF_REG_1, 0),
6200 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6202 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6203 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6206 .fixup_map2 = { 3 },
6207 .errstr = "R0 32-bit pointer arithmetic prohibited",
6211 "map element value illegal alu op, 3",
6213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6215 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6216 BPF_LD_MAP_FD(BPF_REG_1, 0),
6217 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6218 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6219 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6220 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6223 .fixup_map2 = { 3 },
6224 .errstr = "R0 pointer arithmetic with /= operator",
6228 "map element value illegal alu op, 4",
6230 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6232 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6233 BPF_LD_MAP_FD(BPF_REG_1, 0),
6234 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6236 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6237 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6240 .fixup_map2 = { 3 },
6241 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6242 .errstr = "invalid mem access 'inv'",
6244 .result_unpriv = REJECT,
6247 "map element value illegal alu op, 5",
6249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6251 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6252 BPF_LD_MAP_FD(BPF_REG_1, 0),
6253 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6255 BPF_MOV64_IMM(BPF_REG_3, 4096),
6256 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6258 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6259 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6260 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6261 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6264 .fixup_map2 = { 3 },
6265 .errstr = "R0 invalid mem access 'inv'",
6269 "map element value is preserved across register spilling",
6271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6273 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6274 BPF_LD_MAP_FD(BPF_REG_1, 0),
6275 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6276 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6278 offsetof(struct test_val, foo)),
6279 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6282 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6283 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6284 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6287 .fixup_map2 = { 3 },
6288 .errstr_unpriv = "R0 leaks addr",
6290 .result_unpriv = REJECT,
6291 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6294 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6298 BPF_MOV64_IMM(BPF_REG_0, 0),
6299 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6300 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6301 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6302 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6303 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6307 BPF_MOV64_IMM(BPF_REG_2, 16),
6308 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6309 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6310 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6311 BPF_MOV64_IMM(BPF_REG_4, 0),
6312 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6313 BPF_MOV64_IMM(BPF_REG_3, 0),
6314 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6315 BPF_MOV64_IMM(BPF_REG_0, 0),
6319 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6322 "helper access to variable memory: stack, bitwise AND, zero included",
6324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6326 BPF_MOV64_IMM(BPF_REG_2, 16),
6327 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6328 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6329 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6330 BPF_MOV64_IMM(BPF_REG_3, 0),
6331 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6334 .errstr = "invalid indirect read from stack off -64+0 size 64",
6336 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6339 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6341 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6343 BPF_MOV64_IMM(BPF_REG_2, 16),
6344 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6345 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6346 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6347 BPF_MOV64_IMM(BPF_REG_4, 0),
6348 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6349 BPF_MOV64_IMM(BPF_REG_3, 0),
6350 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6351 BPF_MOV64_IMM(BPF_REG_0, 0),
6354 .errstr = "invalid stack type R1 off=-64 access_size=65",
6356 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6359 "helper access to variable memory: stack, JMP, correct bounds",
6361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6363 BPF_MOV64_IMM(BPF_REG_0, 0),
6364 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6365 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6366 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6367 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6368 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6369 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6370 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6371 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6372 BPF_MOV64_IMM(BPF_REG_2, 16),
6373 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6374 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6375 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6376 BPF_MOV64_IMM(BPF_REG_4, 0),
6377 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6378 BPF_MOV64_IMM(BPF_REG_3, 0),
6379 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6380 BPF_MOV64_IMM(BPF_REG_0, 0),
6384 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6387 "helper access to variable memory: stack, JMP (signed), correct bounds",
6389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6391 BPF_MOV64_IMM(BPF_REG_0, 0),
6392 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6393 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6394 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6395 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6396 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6397 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6398 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6399 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6400 BPF_MOV64_IMM(BPF_REG_2, 16),
6401 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6402 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6403 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6404 BPF_MOV64_IMM(BPF_REG_4, 0),
6405 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6406 BPF_MOV64_IMM(BPF_REG_3, 0),
6407 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6408 BPF_MOV64_IMM(BPF_REG_0, 0),
6412 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6415 "helper access to variable memory: stack, JMP, bounds + offset",
6417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6418 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6419 BPF_MOV64_IMM(BPF_REG_2, 16),
6420 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6421 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6422 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6423 BPF_MOV64_IMM(BPF_REG_4, 0),
6424 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6426 BPF_MOV64_IMM(BPF_REG_3, 0),
6427 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6428 BPF_MOV64_IMM(BPF_REG_0, 0),
6431 .errstr = "invalid stack type R1 off=-64 access_size=65",
6433 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6436 "helper access to variable memory: stack, JMP, wrong max",
6438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6440 BPF_MOV64_IMM(BPF_REG_2, 16),
6441 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6442 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6443 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6444 BPF_MOV64_IMM(BPF_REG_4, 0),
6445 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6446 BPF_MOV64_IMM(BPF_REG_3, 0),
6447 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6448 BPF_MOV64_IMM(BPF_REG_0, 0),
6451 .errstr = "invalid stack type R1 off=-64 access_size=65",
6453 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6456 "helper access to variable memory: stack, JMP, no max check",
6458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6460 BPF_MOV64_IMM(BPF_REG_2, 16),
6461 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6462 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6463 BPF_MOV64_IMM(BPF_REG_4, 0),
6464 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6465 BPF_MOV64_IMM(BPF_REG_3, 0),
6466 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6467 BPF_MOV64_IMM(BPF_REG_0, 0),
6470 /* because max wasn't checked, signed min is negative */
6471 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6473 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6476 "helper access to variable memory: stack, JMP, no min check",
6478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6480 BPF_MOV64_IMM(BPF_REG_2, 16),
6481 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6482 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6483 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6484 BPF_MOV64_IMM(BPF_REG_3, 0),
6485 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6486 BPF_MOV64_IMM(BPF_REG_0, 0),
6489 .errstr = "invalid indirect read from stack off -64+0 size 64",
6491 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6494 "helper access to variable memory: stack, JMP (signed), no min check",
6496 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6498 BPF_MOV64_IMM(BPF_REG_2, 16),
6499 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6500 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6501 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6502 BPF_MOV64_IMM(BPF_REG_3, 0),
6503 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6504 BPF_MOV64_IMM(BPF_REG_0, 0),
6507 .errstr = "R2 min value is negative",
6509 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6512 "helper access to variable memory: map, JMP, correct bounds",
6514 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6516 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6517 BPF_LD_MAP_FD(BPF_REG_1, 0),
6518 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6519 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6521 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6522 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6523 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6524 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6525 sizeof(struct test_val), 4),
6526 BPF_MOV64_IMM(BPF_REG_4, 0),
6527 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6528 BPF_MOV64_IMM(BPF_REG_3, 0),
6529 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6530 BPF_MOV64_IMM(BPF_REG_0, 0),
6533 .fixup_map2 = { 3 },
6535 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6538 "helper access to variable memory: map, JMP, wrong max",
6540 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6542 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6543 BPF_LD_MAP_FD(BPF_REG_1, 0),
6544 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6545 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6546 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6547 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6548 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6549 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6550 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6551 sizeof(struct test_val) + 1, 4),
6552 BPF_MOV64_IMM(BPF_REG_4, 0),
6553 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6554 BPF_MOV64_IMM(BPF_REG_3, 0),
6555 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6556 BPF_MOV64_IMM(BPF_REG_0, 0),
6559 .fixup_map2 = { 3 },
6560 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6565 "helper access to variable memory: map adjusted, JMP, correct bounds",
6567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6570 BPF_LD_MAP_FD(BPF_REG_1, 0),
6571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6574 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6575 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6576 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6577 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6578 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6579 sizeof(struct test_val) - 20, 4),
6580 BPF_MOV64_IMM(BPF_REG_4, 0),
6581 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6582 BPF_MOV64_IMM(BPF_REG_3, 0),
6583 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6584 BPF_MOV64_IMM(BPF_REG_0, 0),
6587 .fixup_map2 = { 3 },
6589 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6592 "helper access to variable memory: map adjusted, JMP, wrong max",
6594 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6596 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6597 BPF_LD_MAP_FD(BPF_REG_1, 0),
6598 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6599 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6600 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6602 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6603 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6604 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6605 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6606 sizeof(struct test_val) - 19, 4),
6607 BPF_MOV64_IMM(BPF_REG_4, 0),
6608 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6609 BPF_MOV64_IMM(BPF_REG_3, 0),
6610 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6611 BPF_MOV64_IMM(BPF_REG_0, 0),
6614 .fixup_map2 = { 3 },
6615 .errstr = "R1 min value is outside of the array range",
6617 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6620 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6622 BPF_MOV64_IMM(BPF_REG_1, 0),
6623 BPF_MOV64_IMM(BPF_REG_2, 0),
6624 BPF_MOV64_IMM(BPF_REG_3, 0),
6625 BPF_MOV64_IMM(BPF_REG_4, 0),
6626 BPF_MOV64_IMM(BPF_REG_5, 0),
6627 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6631 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6634 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6636 BPF_MOV64_IMM(BPF_REG_1, 0),
6637 BPF_MOV64_IMM(BPF_REG_2, 1),
6638 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6639 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6640 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6641 BPF_MOV64_IMM(BPF_REG_3, 0),
6642 BPF_MOV64_IMM(BPF_REG_4, 0),
6643 BPF_MOV64_IMM(BPF_REG_5, 0),
6644 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6647 .errstr = "R1 type=inv expected=fp",
6649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6652 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6656 BPF_MOV64_IMM(BPF_REG_2, 0),
6657 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6658 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6659 BPF_MOV64_IMM(BPF_REG_3, 0),
6660 BPF_MOV64_IMM(BPF_REG_4, 0),
6661 BPF_MOV64_IMM(BPF_REG_5, 0),
6662 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6666 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6669 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6674 BPF_LD_MAP_FD(BPF_REG_1, 0),
6675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6676 BPF_FUNC_map_lookup_elem),
6677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6679 BPF_MOV64_IMM(BPF_REG_2, 0),
6680 BPF_MOV64_IMM(BPF_REG_3, 0),
6681 BPF_MOV64_IMM(BPF_REG_4, 0),
6682 BPF_MOV64_IMM(BPF_REG_5, 0),
6683 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6686 .fixup_map1 = { 3 },
6688 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6691 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6693 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6696 BPF_LD_MAP_FD(BPF_REG_1, 0),
6697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6698 BPF_FUNC_map_lookup_elem),
6699 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6700 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6701 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6704 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6705 BPF_MOV64_IMM(BPF_REG_3, 0),
6706 BPF_MOV64_IMM(BPF_REG_4, 0),
6707 BPF_MOV64_IMM(BPF_REG_5, 0),
6708 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6711 .fixup_map1 = { 3 },
6713 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6716 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6718 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6719 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6721 BPF_LD_MAP_FD(BPF_REG_1, 0),
6722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6723 BPF_FUNC_map_lookup_elem),
6724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6725 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6726 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6727 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6728 BPF_MOV64_IMM(BPF_REG_3, 0),
6729 BPF_MOV64_IMM(BPF_REG_4, 0),
6730 BPF_MOV64_IMM(BPF_REG_5, 0),
6731 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6734 .fixup_map1 = { 3 },
6736 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6739 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6741 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6742 offsetof(struct __sk_buff, data)),
6743 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6744 offsetof(struct __sk_buff, data_end)),
6745 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6747 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6749 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6750 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6751 BPF_MOV64_IMM(BPF_REG_3, 0),
6752 BPF_MOV64_IMM(BPF_REG_4, 0),
6753 BPF_MOV64_IMM(BPF_REG_5, 0),
6754 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6758 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6759 .retval = 0 /* csum_diff of 64-byte packet */,
6762 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6764 BPF_MOV64_IMM(BPF_REG_1, 0),
6765 BPF_MOV64_IMM(BPF_REG_2, 0),
6766 BPF_MOV64_IMM(BPF_REG_3, 0),
6767 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6770 .errstr = "R1 type=inv expected=fp",
6772 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6775 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6777 BPF_MOV64_IMM(BPF_REG_1, 0),
6778 BPF_MOV64_IMM(BPF_REG_2, 1),
6779 BPF_MOV64_IMM(BPF_REG_3, 0),
6780 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6783 .errstr = "R1 type=inv expected=fp",
6785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6788 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6790 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6792 BPF_MOV64_IMM(BPF_REG_2, 0),
6793 BPF_MOV64_IMM(BPF_REG_3, 0),
6794 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6801 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6803 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6804 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6806 BPF_LD_MAP_FD(BPF_REG_1, 0),
6807 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6810 BPF_MOV64_IMM(BPF_REG_2, 0),
6811 BPF_MOV64_IMM(BPF_REG_3, 0),
6812 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6815 .fixup_map1 = { 3 },
6817 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6820 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6822 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6825 BPF_LD_MAP_FD(BPF_REG_1, 0),
6826 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6828 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6829 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6832 BPF_MOV64_IMM(BPF_REG_3, 0),
6833 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6836 .fixup_map1 = { 3 },
6838 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6841 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6846 BPF_LD_MAP_FD(BPF_REG_1, 0),
6847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6850 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6851 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6852 BPF_MOV64_IMM(BPF_REG_3, 0),
6853 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6856 .fixup_map1 = { 3 },
6858 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6861 "helper access to variable memory: 8 bytes leak",
6863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6865 BPF_MOV64_IMM(BPF_REG_0, 0),
6866 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6868 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6869 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6870 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6871 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6872 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6873 BPF_MOV64_IMM(BPF_REG_2, 1),
6874 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6875 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6876 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6878 BPF_MOV64_IMM(BPF_REG_3, 0),
6879 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6880 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6883 .errstr = "invalid indirect read from stack off -64+32 size 64",
6885 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6888 "helper access to variable memory: 8 bytes no leak (init memory)",
6890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6891 BPF_MOV64_IMM(BPF_REG_0, 0),
6892 BPF_MOV64_IMM(BPF_REG_0, 0),
6893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6894 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6895 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6896 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6897 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6899 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6900 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6902 BPF_MOV64_IMM(BPF_REG_2, 0),
6903 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6905 BPF_MOV64_IMM(BPF_REG_3, 0),
6906 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6907 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6911 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6914 "invalid and of negative number",
6916 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6919 BPF_LD_MAP_FD(BPF_REG_1, 0),
6920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6921 BPF_FUNC_map_lookup_elem),
6922 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6923 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6924 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6925 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6927 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6928 offsetof(struct test_val, foo)),
6931 .fixup_map2 = { 3 },
6932 .errstr = "R0 max value is outside of the array range",
6934 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6937 "invalid range check",
6939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6942 BPF_LD_MAP_FD(BPF_REG_1, 0),
6943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6944 BPF_FUNC_map_lookup_elem),
6945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6947 BPF_MOV64_IMM(BPF_REG_9, 1),
6948 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6949 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6950 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6951 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6952 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6953 BPF_MOV32_IMM(BPF_REG_3, 1),
6954 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6955 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6956 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6957 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6958 BPF_MOV64_REG(BPF_REG_0, 0),
6961 .fixup_map2 = { 3 },
6962 .errstr = "R0 max value is outside of the array range",
6964 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6967 "map in map access",
6969 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6970 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6972 BPF_LD_MAP_FD(BPF_REG_1, 0),
6973 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6974 BPF_FUNC_map_lookup_elem),
6975 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6976 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6981 BPF_FUNC_map_lookup_elem),
6982 BPF_MOV64_REG(BPF_REG_0, 0),
6985 .fixup_map_in_map = { 3 },
6989 "invalid inner map pointer",
6991 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6994 BPF_LD_MAP_FD(BPF_REG_1, 0),
6995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6996 BPF_FUNC_map_lookup_elem),
6997 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6998 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7001 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7004 BPF_FUNC_map_lookup_elem),
7005 BPF_MOV64_REG(BPF_REG_0, 0),
7008 .fixup_map_in_map = { 3 },
7009 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
7013 "forgot null checking on the inner map pointer",
7015 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7018 BPF_LD_MAP_FD(BPF_REG_1, 0),
7019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7020 BPF_FUNC_map_lookup_elem),
7021 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7026 BPF_FUNC_map_lookup_elem),
7027 BPF_MOV64_REG(BPF_REG_0, 0),
7030 .fixup_map_in_map = { 3 },
7031 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7035 "ld_abs: check calling conv, r1",
7037 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7038 BPF_MOV64_IMM(BPF_REG_1, 0),
7039 BPF_LD_ABS(BPF_W, -0x200000),
7040 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7043 .errstr = "R1 !read_ok",
7047 "ld_abs: check calling conv, r2",
7049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7050 BPF_MOV64_IMM(BPF_REG_2, 0),
7051 BPF_LD_ABS(BPF_W, -0x200000),
7052 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7055 .errstr = "R2 !read_ok",
7059 "ld_abs: check calling conv, r3",
7061 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7062 BPF_MOV64_IMM(BPF_REG_3, 0),
7063 BPF_LD_ABS(BPF_W, -0x200000),
7064 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7067 .errstr = "R3 !read_ok",
7071 "ld_abs: check calling conv, r4",
7073 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7074 BPF_MOV64_IMM(BPF_REG_4, 0),
7075 BPF_LD_ABS(BPF_W, -0x200000),
7076 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7079 .errstr = "R4 !read_ok",
7083 "ld_abs: check calling conv, r5",
7085 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7086 BPF_MOV64_IMM(BPF_REG_5, 0),
7087 BPF_LD_ABS(BPF_W, -0x200000),
7088 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7091 .errstr = "R5 !read_ok",
7095 "ld_abs: check calling conv, r7",
7097 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7098 BPF_MOV64_IMM(BPF_REG_7, 0),
7099 BPF_LD_ABS(BPF_W, -0x200000),
7100 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7106 "ld_abs: tests on r6 and skb data reload helper",
7108 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7109 BPF_LD_ABS(BPF_B, 0),
7110 BPF_LD_ABS(BPF_H, 0),
7111 BPF_LD_ABS(BPF_W, 0),
7112 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7113 BPF_MOV64_IMM(BPF_REG_6, 0),
7114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7115 BPF_MOV64_IMM(BPF_REG_2, 1),
7116 BPF_MOV64_IMM(BPF_REG_3, 2),
7117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7118 BPF_FUNC_skb_vlan_push),
7119 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7120 BPF_LD_ABS(BPF_B, 0),
7121 BPF_LD_ABS(BPF_H, 0),
7122 BPF_LD_ABS(BPF_W, 0),
7123 BPF_MOV64_IMM(BPF_REG_0, 42),
7126 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7128 .retval = 42 /* ultimate return value */,
7131 "ld_ind: check calling conv, r1",
7133 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7134 BPF_MOV64_IMM(BPF_REG_1, 1),
7135 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7136 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7139 .errstr = "R1 !read_ok",
7143 "ld_ind: check calling conv, r2",
7145 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7146 BPF_MOV64_IMM(BPF_REG_2, 1),
7147 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7148 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7151 .errstr = "R2 !read_ok",
7155 "ld_ind: check calling conv, r3",
7157 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7158 BPF_MOV64_IMM(BPF_REG_3, 1),
7159 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7160 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7163 .errstr = "R3 !read_ok",
7167 "ld_ind: check calling conv, r4",
7169 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7170 BPF_MOV64_IMM(BPF_REG_4, 1),
7171 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7172 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7175 .errstr = "R4 !read_ok",
7179 "ld_ind: check calling conv, r5",
7181 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7182 BPF_MOV64_IMM(BPF_REG_5, 1),
7183 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7187 .errstr = "R5 !read_ok",
7191 "ld_ind: check calling conv, r7",
7193 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7194 BPF_MOV64_IMM(BPF_REG_7, 1),
7195 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7196 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7203 "check bpf_perf_event_data->sample_period byte load permitted",
7205 BPF_MOV64_IMM(BPF_REG_0, 0),
7206 #if __BYTE_ORDER == __LITTLE_ENDIAN
7207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7208 offsetof(struct bpf_perf_event_data, sample_period)),
7210 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7211 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7216 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7219 "check bpf_perf_event_data->sample_period half load permitted",
7221 BPF_MOV64_IMM(BPF_REG_0, 0),
7222 #if __BYTE_ORDER == __LITTLE_ENDIAN
7223 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7224 offsetof(struct bpf_perf_event_data, sample_period)),
7226 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7227 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7232 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7235 "check bpf_perf_event_data->sample_period word load permitted",
7237 BPF_MOV64_IMM(BPF_REG_0, 0),
7238 #if __BYTE_ORDER == __LITTLE_ENDIAN
7239 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7240 offsetof(struct bpf_perf_event_data, sample_period)),
7242 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7243 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7248 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7251 "check bpf_perf_event_data->sample_period dword load permitted",
7253 BPF_MOV64_IMM(BPF_REG_0, 0),
7254 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7255 offsetof(struct bpf_perf_event_data, sample_period)),
7259 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7262 "check skb->data half load not permitted",
7264 BPF_MOV64_IMM(BPF_REG_0, 0),
7265 #if __BYTE_ORDER == __LITTLE_ENDIAN
7266 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7267 offsetof(struct __sk_buff, data)),
7269 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7270 offsetof(struct __sk_buff, data) + 2),
7275 .errstr = "invalid bpf_context access",
7278 "check skb->tc_classid half load not permitted for lwt prog",
7280 BPF_MOV64_IMM(BPF_REG_0, 0),
7281 #if __BYTE_ORDER == __LITTLE_ENDIAN
7282 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7283 offsetof(struct __sk_buff, tc_classid)),
7285 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7286 offsetof(struct __sk_buff, tc_classid) + 2),
7291 .errstr = "invalid bpf_context access",
7292 .prog_type = BPF_PROG_TYPE_LWT_IN,
7295 "bounds checks mixing signed and unsigned, positive bounds",
7297 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7298 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7300 BPF_LD_MAP_FD(BPF_REG_1, 0),
7301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7302 BPF_FUNC_map_lookup_elem),
7303 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7304 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7305 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7306 BPF_MOV64_IMM(BPF_REG_2, 2),
7307 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7308 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7309 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7310 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7311 BPF_MOV64_IMM(BPF_REG_0, 0),
7314 .fixup_map1 = { 3 },
7315 .errstr = "unbounded min value",
7319 "bounds checks mixing signed and unsigned",
7321 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7324 BPF_LD_MAP_FD(BPF_REG_1, 0),
7325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7326 BPF_FUNC_map_lookup_elem),
7327 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7328 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7329 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7330 BPF_MOV64_IMM(BPF_REG_2, -1),
7331 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7332 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7333 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7334 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7335 BPF_MOV64_IMM(BPF_REG_0, 0),
7338 .fixup_map1 = { 3 },
7339 .errstr = "unbounded min value",
7343 "bounds checks mixing signed and unsigned, variant 2",
7345 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7346 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7348 BPF_LD_MAP_FD(BPF_REG_1, 0),
7349 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7350 BPF_FUNC_map_lookup_elem),
7351 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7352 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7353 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7354 BPF_MOV64_IMM(BPF_REG_2, -1),
7355 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7356 BPF_MOV64_IMM(BPF_REG_8, 0),
7357 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7358 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7359 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7360 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7361 BPF_MOV64_IMM(BPF_REG_0, 0),
7364 .fixup_map1 = { 3 },
7365 .errstr = "unbounded min value",
7369 "bounds checks mixing signed and unsigned, variant 3",
7371 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7372 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7374 BPF_LD_MAP_FD(BPF_REG_1, 0),
7375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7376 BPF_FUNC_map_lookup_elem),
7377 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7378 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7379 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7380 BPF_MOV64_IMM(BPF_REG_2, -1),
7381 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7382 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7383 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7384 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7385 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7386 BPF_MOV64_IMM(BPF_REG_0, 0),
7389 .fixup_map1 = { 3 },
7390 .errstr = "unbounded min value",
7394 "bounds checks mixing signed and unsigned, variant 4",
7396 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7397 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7399 BPF_LD_MAP_FD(BPF_REG_1, 0),
7400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7401 BPF_FUNC_map_lookup_elem),
7402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7403 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7404 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7405 BPF_MOV64_IMM(BPF_REG_2, 1),
7406 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7407 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7408 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7409 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7410 BPF_MOV64_IMM(BPF_REG_0, 0),
7413 .fixup_map1 = { 3 },
7417 "bounds checks mixing signed and unsigned, variant 5",
7419 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7422 BPF_LD_MAP_FD(BPF_REG_1, 0),
7423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7424 BPF_FUNC_map_lookup_elem),
7425 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7426 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7427 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7428 BPF_MOV64_IMM(BPF_REG_2, -1),
7429 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7430 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7432 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7433 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7434 BPF_MOV64_IMM(BPF_REG_0, 0),
7437 .fixup_map1 = { 3 },
7438 .errstr = "unbounded min value",
7442 "bounds checks mixing signed and unsigned, variant 6",
7444 BPF_MOV64_IMM(BPF_REG_2, 0),
7445 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7447 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7448 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7449 BPF_MOV64_IMM(BPF_REG_6, -1),
7450 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7451 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7453 BPF_MOV64_IMM(BPF_REG_5, 0),
7454 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7456 BPF_FUNC_skb_load_bytes),
7457 BPF_MOV64_IMM(BPF_REG_0, 0),
7460 .errstr = "R4 min value is negative, either use unsigned",
7464 "bounds checks mixing signed and unsigned, variant 7",
7466 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7467 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7469 BPF_LD_MAP_FD(BPF_REG_1, 0),
7470 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7471 BPF_FUNC_map_lookup_elem),
7472 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7473 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7474 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7475 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7476 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7477 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7478 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7479 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7480 BPF_MOV64_IMM(BPF_REG_0, 0),
7483 .fixup_map1 = { 3 },
7487 "bounds checks mixing signed and unsigned, variant 8",
7489 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7492 BPF_LD_MAP_FD(BPF_REG_1, 0),
7493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7494 BPF_FUNC_map_lookup_elem),
7495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7496 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7497 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7498 BPF_MOV64_IMM(BPF_REG_2, -1),
7499 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7500 BPF_MOV64_IMM(BPF_REG_0, 0),
7502 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7503 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7504 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7505 BPF_MOV64_IMM(BPF_REG_0, 0),
7508 .fixup_map1 = { 3 },
7509 .errstr = "unbounded min value",
7513 "bounds checks mixing signed and unsigned, variant 9",
7515 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7518 BPF_LD_MAP_FD(BPF_REG_1, 0),
7519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7520 BPF_FUNC_map_lookup_elem),
7521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7522 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7523 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7524 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7525 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7526 BPF_MOV64_IMM(BPF_REG_0, 0),
7528 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7529 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7530 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7531 BPF_MOV64_IMM(BPF_REG_0, 0),
7534 .fixup_map1 = { 3 },
7538 "bounds checks mixing signed and unsigned, variant 10",
7540 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7543 BPF_LD_MAP_FD(BPF_REG_1, 0),
7544 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7545 BPF_FUNC_map_lookup_elem),
7546 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7548 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7549 BPF_MOV64_IMM(BPF_REG_2, 0),
7550 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7551 BPF_MOV64_IMM(BPF_REG_0, 0),
7553 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7554 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7555 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7556 BPF_MOV64_IMM(BPF_REG_0, 0),
7559 .fixup_map1 = { 3 },
7560 .errstr = "unbounded min value",
7564 "bounds checks mixing signed and unsigned, variant 11",
7566 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7569 BPF_LD_MAP_FD(BPF_REG_1, 0),
7570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7571 BPF_FUNC_map_lookup_elem),
7572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7573 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7574 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7575 BPF_MOV64_IMM(BPF_REG_2, -1),
7576 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7578 BPF_MOV64_IMM(BPF_REG_0, 0),
7580 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7581 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7582 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7583 BPF_MOV64_IMM(BPF_REG_0, 0),
7586 .fixup_map1 = { 3 },
7587 .errstr = "unbounded min value",
7591 "bounds checks mixing signed and unsigned, variant 12",
7593 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7594 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7596 BPF_LD_MAP_FD(BPF_REG_1, 0),
7597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7598 BPF_FUNC_map_lookup_elem),
7599 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7600 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7601 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7602 BPF_MOV64_IMM(BPF_REG_2, -6),
7603 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7604 BPF_MOV64_IMM(BPF_REG_0, 0),
7606 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7607 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7608 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7609 BPF_MOV64_IMM(BPF_REG_0, 0),
7612 .fixup_map1 = { 3 },
7613 .errstr = "unbounded min value",
7617 "bounds checks mixing signed and unsigned, variant 13",
7619 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7620 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7622 BPF_LD_MAP_FD(BPF_REG_1, 0),
7623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7624 BPF_FUNC_map_lookup_elem),
7625 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7627 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7628 BPF_MOV64_IMM(BPF_REG_2, 2),
7629 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7630 BPF_MOV64_IMM(BPF_REG_7, 1),
7631 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7632 BPF_MOV64_IMM(BPF_REG_0, 0),
7634 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7635 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7636 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7637 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7638 BPF_MOV64_IMM(BPF_REG_0, 0),
7641 .fixup_map1 = { 3 },
7642 .errstr = "unbounded min value",
7646 "bounds checks mixing signed and unsigned, variant 14",
7648 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7649 offsetof(struct __sk_buff, mark)),
7650 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7653 BPF_LD_MAP_FD(BPF_REG_1, 0),
7654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7655 BPF_FUNC_map_lookup_elem),
7656 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7657 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7658 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7659 BPF_MOV64_IMM(BPF_REG_2, -1),
7660 BPF_MOV64_IMM(BPF_REG_8, 2),
7661 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7662 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7663 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7664 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7665 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7666 BPF_MOV64_IMM(BPF_REG_0, 0),
7668 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7669 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7671 .fixup_map1 = { 4 },
7672 .errstr = "R0 invalid mem access 'inv'",
7676 "bounds checks mixing signed and unsigned, variant 15",
7678 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7681 BPF_LD_MAP_FD(BPF_REG_1, 0),
7682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7683 BPF_FUNC_map_lookup_elem),
7684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7686 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7687 BPF_MOV64_IMM(BPF_REG_2, -6),
7688 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7689 BPF_MOV64_IMM(BPF_REG_0, 0),
7691 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7692 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7693 BPF_MOV64_IMM(BPF_REG_0, 0),
7695 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7696 BPF_MOV64_IMM(BPF_REG_0, 0),
7699 .fixup_map1 = { 3 },
7700 .errstr = "unbounded min value",
7702 .result_unpriv = REJECT,
7705 "subtraction bounds (map value) variant 1",
7707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7710 BPF_LD_MAP_FD(BPF_REG_1, 0),
7711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7712 BPF_FUNC_map_lookup_elem),
7713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7714 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7715 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7716 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7717 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7718 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7719 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7720 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7721 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7723 BPF_MOV64_IMM(BPF_REG_0, 0),
7726 .fixup_map1 = { 3 },
7727 .errstr = "R0 max value is outside of the array range",
7731 "subtraction bounds (map value) variant 2",
7733 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7734 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7736 BPF_LD_MAP_FD(BPF_REG_1, 0),
7737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7738 BPF_FUNC_map_lookup_elem),
7739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7740 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7741 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7742 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7743 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7744 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7745 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7746 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7748 BPF_MOV64_IMM(BPF_REG_0, 0),
7751 .fixup_map1 = { 3 },
7752 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7756 "bounds check based on zero-extended MOV",
7758 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7759 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7761 BPF_LD_MAP_FD(BPF_REG_1, 0),
7762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7763 BPF_FUNC_map_lookup_elem),
7764 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7765 /* r2 = 0x0000'0000'ffff'ffff */
7766 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7768 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7770 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7771 /* access at offset 0 */
7772 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7774 BPF_MOV64_IMM(BPF_REG_0, 0),
7777 .fixup_map1 = { 3 },
7781 "bounds check based on sign-extended MOV. test1",
7783 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7784 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7785 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7786 BPF_LD_MAP_FD(BPF_REG_1, 0),
7787 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7788 BPF_FUNC_map_lookup_elem),
7789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7790 /* r2 = 0xffff'ffff'ffff'ffff */
7791 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7792 /* r2 = 0xffff'ffff */
7793 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7794 /* r0 = <oob pointer> */
7795 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7796 /* access to OOB pointer */
7797 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7799 BPF_MOV64_IMM(BPF_REG_0, 0),
7802 .fixup_map1 = { 3 },
7803 .errstr = "map_value pointer and 4294967295",
7807 "bounds check based on sign-extended MOV. test2",
7809 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7812 BPF_LD_MAP_FD(BPF_REG_1, 0),
7813 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7814 BPF_FUNC_map_lookup_elem),
7815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7816 /* r2 = 0xffff'ffff'ffff'ffff */
7817 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7818 /* r2 = 0xfff'ffff */
7819 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7820 /* r0 = <oob pointer> */
7821 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7822 /* access to OOB pointer */
7823 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7825 BPF_MOV64_IMM(BPF_REG_0, 0),
7828 .fixup_map1 = { 3 },
7829 .errstr = "R0 min value is outside of the array range",
7833 "bounds check based on reg_off + var_off + insn_off. test1",
7835 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7836 offsetof(struct __sk_buff, mark)),
7837 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7840 BPF_LD_MAP_FD(BPF_REG_1, 0),
7841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7842 BPF_FUNC_map_lookup_elem),
7843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7844 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7846 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7848 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7849 BPF_MOV64_IMM(BPF_REG_0, 0),
7852 .fixup_map1 = { 4 },
7853 .errstr = "value_size=8 off=1073741825",
7855 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7858 "bounds check based on reg_off + var_off + insn_off. test2",
7860 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7861 offsetof(struct __sk_buff, mark)),
7862 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7865 BPF_LD_MAP_FD(BPF_REG_1, 0),
7866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7867 BPF_FUNC_map_lookup_elem),
7868 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7869 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7871 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7873 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7874 BPF_MOV64_IMM(BPF_REG_0, 0),
7877 .fixup_map1 = { 4 },
7878 .errstr = "value 1073741823",
7880 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7883 "bounds check after truncation of non-boundary-crossing range",
7885 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7886 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7888 BPF_LD_MAP_FD(BPF_REG_1, 0),
7889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7890 BPF_FUNC_map_lookup_elem),
7891 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7892 /* r1 = [0x00, 0xff] */
7893 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7894 BPF_MOV64_IMM(BPF_REG_2, 1),
7895 /* r2 = 0x10'0000'0000 */
7896 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7897 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7898 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7899 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7901 /* r1 = [0x00, 0xff] */
7902 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7904 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7906 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7907 /* access at offset 0 */
7908 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7910 BPF_MOV64_IMM(BPF_REG_0, 0),
7913 .fixup_map1 = { 3 },
7917 "bounds check after truncation of boundary-crossing range (1)",
7919 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7920 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7922 BPF_LD_MAP_FD(BPF_REG_1, 0),
7923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7924 BPF_FUNC_map_lookup_elem),
7925 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7926 /* r1 = [0x00, 0xff] */
7927 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7929 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7931 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7932 * [0x0000'0000, 0x0000'007f]
7934 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7935 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7936 /* r1 = [0x00, 0xff] or
7937 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7939 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7941 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7943 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7944 /* no-op or OOB pointer computation */
7945 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7946 /* potentially OOB access */
7947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7949 BPF_MOV64_IMM(BPF_REG_0, 0),
7952 .fixup_map1 = { 3 },
7953 /* not actually fully unbounded, but the bound is very high */
7954 .errstr = "R0 unbounded memory access",
7958 "bounds check after truncation of boundary-crossing range (2)",
7960 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7963 BPF_LD_MAP_FD(BPF_REG_1, 0),
7964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7965 BPF_FUNC_map_lookup_elem),
7966 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7967 /* r1 = [0x00, 0xff] */
7968 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7970 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7972 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7973 * [0x0000'0000, 0x0000'007f]
7974 * difference to previous test: truncation via MOV32
7977 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7978 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7979 /* r1 = [0x00, 0xff] or
7980 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7982 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7984 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7986 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7987 /* no-op or OOB pointer computation */
7988 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7989 /* potentially OOB access */
7990 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7992 BPF_MOV64_IMM(BPF_REG_0, 0),
7995 .fixup_map1 = { 3 },
7996 /* not actually fully unbounded, but the bound is very high */
7997 .errstr = "R0 unbounded memory access",
8001 "bounds check after wrapping 32-bit addition",
8003 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8006 BPF_LD_MAP_FD(BPF_REG_1, 0),
8007 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8008 BPF_FUNC_map_lookup_elem),
8009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8010 /* r1 = 0x7fff'ffff */
8011 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8012 /* r1 = 0xffff'fffe */
8013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8015 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8017 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8018 /* access at offset 0 */
8019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8021 BPF_MOV64_IMM(BPF_REG_0, 0),
8024 .fixup_map1 = { 3 },
8028 "bounds check after shift with oversized count operand",
8030 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8033 BPF_LD_MAP_FD(BPF_REG_1, 0),
8034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8035 BPF_FUNC_map_lookup_elem),
8036 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8037 BPF_MOV64_IMM(BPF_REG_2, 32),
8038 BPF_MOV64_IMM(BPF_REG_1, 1),
8039 /* r1 = (u32)1 << (u32)32 = ? */
8040 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8041 /* r1 = [0x0000, 0xffff] */
8042 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8043 /* computes unknown pointer, potentially OOB */
8044 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8045 /* potentially OOB access */
8046 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8048 BPF_MOV64_IMM(BPF_REG_0, 0),
8051 .fixup_map1 = { 3 },
8052 .errstr = "R0 max value is outside of the array range",
8056 "bounds check after right shift of maybe-negative number",
8058 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8061 BPF_LD_MAP_FD(BPF_REG_1, 0),
8062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8063 BPF_FUNC_map_lookup_elem),
8064 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8065 /* r1 = [0x00, 0xff] */
8066 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8067 /* r1 = [-0x01, 0xfe] */
8068 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8069 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8070 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8071 /* r1 = 0 or 0xffff'ffff'ffff */
8072 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8073 /* computes unknown pointer, potentially OOB */
8074 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8075 /* potentially OOB access */
8076 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8078 BPF_MOV64_IMM(BPF_REG_0, 0),
8081 .fixup_map1 = { 3 },
8082 .errstr = "R0 unbounded memory access",
8086 "bounds check map access with off+size signed 32bit overflow. test1",
8088 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8091 BPF_LD_MAP_FD(BPF_REG_1, 0),
8092 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8093 BPF_FUNC_map_lookup_elem),
8094 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8097 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8101 .fixup_map1 = { 3 },
8102 .errstr = "map_value pointer and 2147483646",
8106 "bounds check map access with off+size signed 32bit overflow. test2",
8108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8111 BPF_LD_MAP_FD(BPF_REG_1, 0),
8112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8113 BPF_FUNC_map_lookup_elem),
8114 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8119 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8123 .fixup_map1 = { 3 },
8124 .errstr = "pointer offset 1073741822",
8128 "bounds check map access with off+size signed 32bit overflow. test3",
8130 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8131 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8133 BPF_LD_MAP_FD(BPF_REG_1, 0),
8134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8135 BPF_FUNC_map_lookup_elem),
8136 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8138 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8139 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8140 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8144 .fixup_map1 = { 3 },
8145 .errstr = "pointer offset -1073741822",
8149 "bounds check map access with off+size signed 32bit overflow. test4",
8151 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8152 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8154 BPF_LD_MAP_FD(BPF_REG_1, 0),
8155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8156 BPF_FUNC_map_lookup_elem),
8157 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8159 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8160 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8161 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8162 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8166 .fixup_map1 = { 3 },
8167 .errstr = "map_value pointer and 1000000000000",
8171 "pointer/scalar confusion in state equality check (way 1)",
8173 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8174 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8176 BPF_LD_MAP_FD(BPF_REG_1, 0),
8177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8178 BPF_FUNC_map_lookup_elem),
8179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8180 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8182 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8186 .fixup_map1 = { 3 },
8188 .retval = POINTER_VALUE,
8189 .result_unpriv = REJECT,
8190 .errstr_unpriv = "R0 leaks addr as return value"
8193 "pointer/scalar confusion in state equality check (way 2)",
8195 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8198 BPF_LD_MAP_FD(BPF_REG_1, 0),
8199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8200 BPF_FUNC_map_lookup_elem),
8201 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8202 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8204 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8207 .fixup_map1 = { 3 },
8209 .retval = POINTER_VALUE,
8210 .result_unpriv = REJECT,
8211 .errstr_unpriv = "R0 leaks addr as return value"
8214 "variable-offset ctx access",
8216 /* Get an unknown value */
8217 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8218 /* Make it small and 4-byte aligned */
8219 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8220 /* add it to skb. We now have either &skb->len or
8221 * &skb->pkt_type, but we don't know which
8223 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8224 /* dereference it */
8225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8228 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8230 .prog_type = BPF_PROG_TYPE_LWT_IN,
8233 "variable-offset stack access",
8235 /* Fill the top 8 bytes of the stack */
8236 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8237 /* Get an unknown value */
8238 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8239 /* Make it small and 4-byte aligned */
8240 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8241 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8242 /* add it to fp. We now have either fp-4 or fp-8, but
8243 * we don't know which
8245 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8246 /* dereference it */
8247 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8250 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8252 .prog_type = BPF_PROG_TYPE_LWT_IN,
8255 "indirect variable-offset stack access",
8257 /* Fill the top 8 bytes of the stack */
8258 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8259 /* Get an unknown value */
8260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8261 /* Make it small and 4-byte aligned */
8262 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8263 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8264 /* add it to fp. We now have either fp-4 or fp-8, but
8265 * we don't know which
8267 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8268 /* dereference it indirectly */
8269 BPF_LD_MAP_FD(BPF_REG_1, 0),
8270 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8271 BPF_FUNC_map_lookup_elem),
8272 BPF_MOV64_IMM(BPF_REG_0, 0),
8275 .fixup_map1 = { 5 },
8276 .errstr = "variable stack read R2",
8278 .prog_type = BPF_PROG_TYPE_LWT_IN,
8281 "direct stack access with 32-bit wraparound. test1",
8283 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8286 BPF_MOV32_IMM(BPF_REG_0, 0),
8287 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8290 .errstr = "fp pointer and 2147483647",
8294 "direct stack access with 32-bit wraparound. test2",
8296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8299 BPF_MOV32_IMM(BPF_REG_0, 0),
8300 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8303 .errstr = "fp pointer and 1073741823",
8307 "direct stack access with 32-bit wraparound. test3",
8309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8312 BPF_MOV32_IMM(BPF_REG_0, 0),
8313 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8316 .errstr = "fp pointer offset 1073741822",
8320 "liveness pruning and write screening",
8322 /* Get an unknown value */
8323 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8324 /* branch conditions teach us nothing about R2 */
8325 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8326 BPF_MOV64_IMM(BPF_REG_0, 0),
8327 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8328 BPF_MOV64_IMM(BPF_REG_0, 0),
8331 .errstr = "R0 !read_ok",
8333 .prog_type = BPF_PROG_TYPE_LWT_IN,
8336 "varlen_map_value_access pruning",
8338 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8339 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8341 BPF_LD_MAP_FD(BPF_REG_1, 0),
8342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8343 BPF_FUNC_map_lookup_elem),
8344 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8345 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8346 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8347 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8348 BPF_MOV32_IMM(BPF_REG_1, 0),
8349 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8350 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8351 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8352 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8353 offsetof(struct test_val, foo)),
8356 .fixup_map2 = { 3 },
8357 .errstr_unpriv = "R0 leaks addr",
8358 .errstr = "R0 unbounded memory access",
8359 .result_unpriv = REJECT,
8361 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8364 "invalid 64-bit BPF_END",
8366 BPF_MOV32_IMM(BPF_REG_0, 0),
8368 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
8369 .dst_reg = BPF_REG_0,
8376 .errstr = "unknown opcode d7",
8380 "XDP, using ifindex from netdev",
8382 BPF_MOV64_IMM(BPF_REG_0, 0),
8383 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8384 offsetof(struct xdp_md, ingress_ifindex)),
8385 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8386 BPF_MOV64_IMM(BPF_REG_0, 1),
8390 .prog_type = BPF_PROG_TYPE_XDP,
8394 "meta access, test1",
8396 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8397 offsetof(struct xdp_md, data_meta)),
8398 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8399 offsetof(struct xdp_md, data)),
8400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8402 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8403 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8404 BPF_MOV64_IMM(BPF_REG_0, 0),
8408 .prog_type = BPF_PROG_TYPE_XDP,
8411 "meta access, test2",
8413 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8414 offsetof(struct xdp_md, data_meta)),
8415 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8416 offsetof(struct xdp_md, data)),
8417 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8418 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8419 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8421 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8422 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8423 BPF_MOV64_IMM(BPF_REG_0, 0),
8427 .errstr = "invalid access to packet, off=-8",
8428 .prog_type = BPF_PROG_TYPE_XDP,
8431 "meta access, test3",
8433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8434 offsetof(struct xdp_md, data_meta)),
8435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8436 offsetof(struct xdp_md, data_end)),
8437 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8439 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8440 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8441 BPF_MOV64_IMM(BPF_REG_0, 0),
8445 .errstr = "invalid access to packet",
8446 .prog_type = BPF_PROG_TYPE_XDP,
8449 "meta access, test4",
8451 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8452 offsetof(struct xdp_md, data_meta)),
8453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8454 offsetof(struct xdp_md, data_end)),
8455 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8456 offsetof(struct xdp_md, data)),
8457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8459 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8460 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8461 BPF_MOV64_IMM(BPF_REG_0, 0),
8465 .errstr = "invalid access to packet",
8466 .prog_type = BPF_PROG_TYPE_XDP,
8469 "meta access, test5",
8471 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8472 offsetof(struct xdp_md, data_meta)),
8473 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8474 offsetof(struct xdp_md, data)),
8475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8477 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8478 BPF_MOV64_IMM(BPF_REG_2, -8),
8479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8480 BPF_FUNC_xdp_adjust_meta),
8481 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8482 BPF_MOV64_IMM(BPF_REG_0, 0),
8486 .errstr = "R3 !read_ok",
8487 .prog_type = BPF_PROG_TYPE_XDP,
8490 "meta access, test6",
8492 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8493 offsetof(struct xdp_md, data_meta)),
8494 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8495 offsetof(struct xdp_md, data)),
8496 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8498 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8500 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8501 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8502 BPF_MOV64_IMM(BPF_REG_0, 0),
8506 .errstr = "invalid access to packet",
8507 .prog_type = BPF_PROG_TYPE_XDP,
8510 "meta access, test7",
8512 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8513 offsetof(struct xdp_md, data_meta)),
8514 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8515 offsetof(struct xdp_md, data)),
8516 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8518 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8520 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8521 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8522 BPF_MOV64_IMM(BPF_REG_0, 0),
8526 .prog_type = BPF_PROG_TYPE_XDP,
8529 "meta access, test8",
8531 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8532 offsetof(struct xdp_md, data_meta)),
8533 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8534 offsetof(struct xdp_md, data)),
8535 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8537 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8538 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8539 BPF_MOV64_IMM(BPF_REG_0, 0),
8543 .prog_type = BPF_PROG_TYPE_XDP,
8546 "meta access, test9",
8548 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8549 offsetof(struct xdp_md, data_meta)),
8550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8551 offsetof(struct xdp_md, data)),
8552 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8555 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8556 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8557 BPF_MOV64_IMM(BPF_REG_0, 0),
8561 .errstr = "invalid access to packet",
8562 .prog_type = BPF_PROG_TYPE_XDP,
8565 "meta access, test10",
8567 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8568 offsetof(struct xdp_md, data_meta)),
8569 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8570 offsetof(struct xdp_md, data)),
8571 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8572 offsetof(struct xdp_md, data_end)),
8573 BPF_MOV64_IMM(BPF_REG_5, 42),
8574 BPF_MOV64_IMM(BPF_REG_6, 24),
8575 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8576 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8577 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8578 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8579 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8580 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8581 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8583 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8584 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8585 BPF_MOV64_IMM(BPF_REG_0, 0),
8589 .errstr = "invalid access to packet",
8590 .prog_type = BPF_PROG_TYPE_XDP,
8593 "meta access, test11",
8595 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8596 offsetof(struct xdp_md, data_meta)),
8597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8598 offsetof(struct xdp_md, data)),
8599 BPF_MOV64_IMM(BPF_REG_5, 42),
8600 BPF_MOV64_IMM(BPF_REG_6, 24),
8601 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8602 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8603 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8604 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8605 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8606 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8607 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8609 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8610 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8611 BPF_MOV64_IMM(BPF_REG_0, 0),
8615 .prog_type = BPF_PROG_TYPE_XDP,
8618 "meta access, test12",
8620 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8621 offsetof(struct xdp_md, data_meta)),
8622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8623 offsetof(struct xdp_md, data)),
8624 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8625 offsetof(struct xdp_md, data_end)),
8626 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8628 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8629 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8630 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8632 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8633 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8634 BPF_MOV64_IMM(BPF_REG_0, 0),
8638 .prog_type = BPF_PROG_TYPE_XDP,
8641 "arithmetic ops make PTR_TO_CTX unusable",
8643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8644 offsetof(struct __sk_buff, data) -
8645 offsetof(struct __sk_buff, mark)),
8646 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8647 offsetof(struct __sk_buff, mark)),
8650 .errstr = "dereference of modified ctx ptr",
8652 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8655 "pkt_end - pkt_start is allowed",
8657 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8658 offsetof(struct __sk_buff, data_end)),
8659 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8660 offsetof(struct __sk_buff, data)),
8661 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8665 .retval = TEST_DATA_LEN,
8666 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8669 "XDP pkt read, pkt_end mangling, bad access 1",
8671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8672 offsetof(struct xdp_md, data)),
8673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8674 offsetof(struct xdp_md, data_end)),
8675 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8677 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8678 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8679 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8680 BPF_MOV64_IMM(BPF_REG_0, 0),
8683 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8685 .prog_type = BPF_PROG_TYPE_XDP,
8688 "XDP pkt read, pkt_end mangling, bad access 2",
8690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8691 offsetof(struct xdp_md, data)),
8692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8693 offsetof(struct xdp_md, data_end)),
8694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8696 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8697 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8698 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8699 BPF_MOV64_IMM(BPF_REG_0, 0),
8702 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8704 .prog_type = BPF_PROG_TYPE_XDP,
8707 "XDP pkt read, pkt_data' > pkt_end, good access",
8709 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8710 offsetof(struct xdp_md, data)),
8711 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8712 offsetof(struct xdp_md, data_end)),
8713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8715 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8716 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8717 BPF_MOV64_IMM(BPF_REG_0, 0),
8721 .prog_type = BPF_PROG_TYPE_XDP,
8724 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8727 offsetof(struct xdp_md, data)),
8728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8729 offsetof(struct xdp_md, data_end)),
8730 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8732 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8733 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8734 BPF_MOV64_IMM(BPF_REG_0, 0),
8737 .errstr = "R1 offset is outside of the packet",
8739 .prog_type = BPF_PROG_TYPE_XDP,
8740 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8743 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8746 offsetof(struct xdp_md, data)),
8747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8748 offsetof(struct xdp_md, data_end)),
8749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8751 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8752 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8753 BPF_MOV64_IMM(BPF_REG_0, 0),
8756 .errstr = "R1 offset is outside of the packet",
8758 .prog_type = BPF_PROG_TYPE_XDP,
8761 "XDP pkt read, pkt_end > pkt_data', good access",
8763 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8764 offsetof(struct xdp_md, data)),
8765 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8766 offsetof(struct xdp_md, data_end)),
8767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8769 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8770 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8771 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8772 BPF_MOV64_IMM(BPF_REG_0, 0),
8776 .prog_type = BPF_PROG_TYPE_XDP,
8777 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8780 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8782 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8783 offsetof(struct xdp_md, data)),
8784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8785 offsetof(struct xdp_md, data_end)),
8786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8788 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8789 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8790 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8791 BPF_MOV64_IMM(BPF_REG_0, 0),
8794 .errstr = "R1 offset is outside of the packet",
8796 .prog_type = BPF_PROG_TYPE_XDP,
8799 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8801 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8802 offsetof(struct xdp_md, data)),
8803 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8804 offsetof(struct xdp_md, data_end)),
8805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8807 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8809 BPF_MOV64_IMM(BPF_REG_0, 0),
8812 .errstr = "R1 offset is outside of the packet",
8814 .prog_type = BPF_PROG_TYPE_XDP,
8817 "XDP pkt read, pkt_data' < pkt_end, good access",
8819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8820 offsetof(struct xdp_md, data)),
8821 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8822 offsetof(struct xdp_md, data_end)),
8823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8825 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8826 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8827 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8828 BPF_MOV64_IMM(BPF_REG_0, 0),
8832 .prog_type = BPF_PROG_TYPE_XDP,
8833 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8836 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8838 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8839 offsetof(struct xdp_md, data)),
8840 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8841 offsetof(struct xdp_md, data_end)),
8842 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8844 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8845 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8846 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8847 BPF_MOV64_IMM(BPF_REG_0, 0),
8850 .errstr = "R1 offset is outside of the packet",
8852 .prog_type = BPF_PROG_TYPE_XDP,
8855 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
8857 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8858 offsetof(struct xdp_md, data)),
8859 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8860 offsetof(struct xdp_md, data_end)),
8861 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8863 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8864 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8865 BPF_MOV64_IMM(BPF_REG_0, 0),
8868 .errstr = "R1 offset is outside of the packet",
8870 .prog_type = BPF_PROG_TYPE_XDP,
8873 "XDP pkt read, pkt_end < pkt_data', good access",
8875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8876 offsetof(struct xdp_md, data)),
8877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8878 offsetof(struct xdp_md, data_end)),
8879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8881 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8882 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8883 BPF_MOV64_IMM(BPF_REG_0, 0),
8887 .prog_type = BPF_PROG_TYPE_XDP,
8890 "XDP pkt read, pkt_end < pkt_data', bad access 1",
8892 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8893 offsetof(struct xdp_md, data)),
8894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8895 offsetof(struct xdp_md, data_end)),
8896 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8898 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8899 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8900 BPF_MOV64_IMM(BPF_REG_0, 0),
8903 .errstr = "R1 offset is outside of the packet",
8905 .prog_type = BPF_PROG_TYPE_XDP,
8906 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8909 "XDP pkt read, pkt_end < pkt_data', bad access 2",
8911 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8912 offsetof(struct xdp_md, data)),
8913 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8914 offsetof(struct xdp_md, data_end)),
8915 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8917 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8918 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8919 BPF_MOV64_IMM(BPF_REG_0, 0),
8922 .errstr = "R1 offset is outside of the packet",
8924 .prog_type = BPF_PROG_TYPE_XDP,
8927 "XDP pkt read, pkt_data' >= pkt_end, good access",
8929 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8930 offsetof(struct xdp_md, data)),
8931 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8932 offsetof(struct xdp_md, data_end)),
8933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8935 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8936 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8937 BPF_MOV64_IMM(BPF_REG_0, 0),
8941 .prog_type = BPF_PROG_TYPE_XDP,
8942 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8945 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8947 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8948 offsetof(struct xdp_md, data)),
8949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8950 offsetof(struct xdp_md, data_end)),
8951 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8953 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8954 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8955 BPF_MOV64_IMM(BPF_REG_0, 0),
8958 .errstr = "R1 offset is outside of the packet",
8960 .prog_type = BPF_PROG_TYPE_XDP,
8963 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8965 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8966 offsetof(struct xdp_md, data)),
8967 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8968 offsetof(struct xdp_md, data_end)),
8969 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8971 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8972 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8973 BPF_MOV64_IMM(BPF_REG_0, 0),
8976 .errstr = "R1 offset is outside of the packet",
8978 .prog_type = BPF_PROG_TYPE_XDP,
8979 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8982 "XDP pkt read, pkt_end >= pkt_data', good access",
8984 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8985 offsetof(struct xdp_md, data)),
8986 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8987 offsetof(struct xdp_md, data_end)),
8988 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8990 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8991 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8992 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8993 BPF_MOV64_IMM(BPF_REG_0, 0),
8997 .prog_type = BPF_PROG_TYPE_XDP,
9000 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9002 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9003 offsetof(struct xdp_md, data)),
9004 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9005 offsetof(struct xdp_md, data_end)),
9006 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9008 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9009 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9011 BPF_MOV64_IMM(BPF_REG_0, 0),
9014 .errstr = "R1 offset is outside of the packet",
9016 .prog_type = BPF_PROG_TYPE_XDP,
9017 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9020 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9022 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9023 offsetof(struct xdp_md, data)),
9024 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9025 offsetof(struct xdp_md, data_end)),
9026 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9028 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9029 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9030 BPF_MOV64_IMM(BPF_REG_0, 0),
9033 .errstr = "R1 offset is outside of the packet",
9035 .prog_type = BPF_PROG_TYPE_XDP,
9038 "XDP pkt read, pkt_data' <= pkt_end, good access",
9040 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9041 offsetof(struct xdp_md, data)),
9042 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9043 offsetof(struct xdp_md, data_end)),
9044 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9046 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9047 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9049 BPF_MOV64_IMM(BPF_REG_0, 0),
9053 .prog_type = BPF_PROG_TYPE_XDP,
9056 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9058 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9059 offsetof(struct xdp_md, data)),
9060 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9061 offsetof(struct xdp_md, data_end)),
9062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9064 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9065 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9067 BPF_MOV64_IMM(BPF_REG_0, 0),
9070 .errstr = "R1 offset is outside of the packet",
9072 .prog_type = BPF_PROG_TYPE_XDP,
9073 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9076 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9078 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9079 offsetof(struct xdp_md, data)),
9080 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9081 offsetof(struct xdp_md, data_end)),
9082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9084 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9086 BPF_MOV64_IMM(BPF_REG_0, 0),
9089 .errstr = "R1 offset is outside of the packet",
9091 .prog_type = BPF_PROG_TYPE_XDP,
9094 "XDP pkt read, pkt_end <= pkt_data', good access",
9096 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9097 offsetof(struct xdp_md, data)),
9098 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9099 offsetof(struct xdp_md, data_end)),
9100 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9102 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9103 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9104 BPF_MOV64_IMM(BPF_REG_0, 0),
9108 .prog_type = BPF_PROG_TYPE_XDP,
9109 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9112 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
9114 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9115 offsetof(struct xdp_md, data)),
9116 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9117 offsetof(struct xdp_md, data_end)),
9118 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9120 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9121 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9122 BPF_MOV64_IMM(BPF_REG_0, 0),
9125 .errstr = "R1 offset is outside of the packet",
9127 .prog_type = BPF_PROG_TYPE_XDP,
9130 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9132 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9133 offsetof(struct xdp_md, data)),
9134 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9135 offsetof(struct xdp_md, data_end)),
9136 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9138 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9139 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9140 BPF_MOV64_IMM(BPF_REG_0, 0),
9143 .errstr = "R1 offset is outside of the packet",
9145 .prog_type = BPF_PROG_TYPE_XDP,
9146 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9149 "XDP pkt read, pkt_meta' > pkt_data, good access",
9151 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9152 offsetof(struct xdp_md, data_meta)),
9153 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9154 offsetof(struct xdp_md, data)),
9155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9157 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9158 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9159 BPF_MOV64_IMM(BPF_REG_0, 0),
9163 .prog_type = BPF_PROG_TYPE_XDP,
9166 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9168 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9169 offsetof(struct xdp_md, data_meta)),
9170 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9171 offsetof(struct xdp_md, data)),
9172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9174 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9175 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9176 BPF_MOV64_IMM(BPF_REG_0, 0),
9179 .errstr = "R1 offset is outside of the packet",
9181 .prog_type = BPF_PROG_TYPE_XDP,
9182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9185 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9188 offsetof(struct xdp_md, data_meta)),
9189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9190 offsetof(struct xdp_md, data)),
9191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9193 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9194 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9195 BPF_MOV64_IMM(BPF_REG_0, 0),
9198 .errstr = "R1 offset is outside of the packet",
9200 .prog_type = BPF_PROG_TYPE_XDP,
9203 "XDP pkt read, pkt_data > pkt_meta', good access",
9205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9206 offsetof(struct xdp_md, data_meta)),
9207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9208 offsetof(struct xdp_md, data)),
9209 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9211 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9212 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9213 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9214 BPF_MOV64_IMM(BPF_REG_0, 0),
9218 .prog_type = BPF_PROG_TYPE_XDP,
9219 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9222 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9224 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9225 offsetof(struct xdp_md, data_meta)),
9226 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9227 offsetof(struct xdp_md, data)),
9228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9230 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9231 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9233 BPF_MOV64_IMM(BPF_REG_0, 0),
9236 .errstr = "R1 offset is outside of the packet",
9238 .prog_type = BPF_PROG_TYPE_XDP,
9241 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9243 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9244 offsetof(struct xdp_md, data_meta)),
9245 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9246 offsetof(struct xdp_md, data)),
9247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9249 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9251 BPF_MOV64_IMM(BPF_REG_0, 0),
9254 .errstr = "R1 offset is outside of the packet",
9256 .prog_type = BPF_PROG_TYPE_XDP,
9259 "XDP pkt read, pkt_meta' < pkt_data, good access",
9261 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9262 offsetof(struct xdp_md, data_meta)),
9263 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9264 offsetof(struct xdp_md, data)),
9265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9267 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9268 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9269 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9270 BPF_MOV64_IMM(BPF_REG_0, 0),
9274 .prog_type = BPF_PROG_TYPE_XDP,
9275 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9278 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9280 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9281 offsetof(struct xdp_md, data_meta)),
9282 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9283 offsetof(struct xdp_md, data)),
9284 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9286 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9287 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9288 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9289 BPF_MOV64_IMM(BPF_REG_0, 0),
9292 .errstr = "R1 offset is outside of the packet",
9294 .prog_type = BPF_PROG_TYPE_XDP,
9297 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9300 offsetof(struct xdp_md, data_meta)),
9301 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9302 offsetof(struct xdp_md, data)),
9303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9305 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9306 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9307 BPF_MOV64_IMM(BPF_REG_0, 0),
9310 .errstr = "R1 offset is outside of the packet",
9312 .prog_type = BPF_PROG_TYPE_XDP,
9315 "XDP pkt read, pkt_data < pkt_meta', good access",
9317 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9318 offsetof(struct xdp_md, data_meta)),
9319 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9320 offsetof(struct xdp_md, data)),
9321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9323 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9324 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9325 BPF_MOV64_IMM(BPF_REG_0, 0),
9329 .prog_type = BPF_PROG_TYPE_XDP,
9332 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9335 offsetof(struct xdp_md, data_meta)),
9336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9337 offsetof(struct xdp_md, data)),
9338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9340 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9341 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9342 BPF_MOV64_IMM(BPF_REG_0, 0),
9345 .errstr = "R1 offset is outside of the packet",
9347 .prog_type = BPF_PROG_TYPE_XDP,
9348 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9351 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
9353 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9354 offsetof(struct xdp_md, data_meta)),
9355 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9356 offsetof(struct xdp_md, data)),
9357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9359 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9360 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9361 BPF_MOV64_IMM(BPF_REG_0, 0),
9364 .errstr = "R1 offset is outside of the packet",
9366 .prog_type = BPF_PROG_TYPE_XDP,
9369 "XDP pkt read, pkt_meta' >= pkt_data, good access",
9371 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9372 offsetof(struct xdp_md, data_meta)),
9373 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9374 offsetof(struct xdp_md, data)),
9375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9377 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9379 BPF_MOV64_IMM(BPF_REG_0, 0),
9383 .prog_type = BPF_PROG_TYPE_XDP,
9384 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9387 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9389 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9390 offsetof(struct xdp_md, data_meta)),
9391 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9392 offsetof(struct xdp_md, data)),
9393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9395 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9396 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9397 BPF_MOV64_IMM(BPF_REG_0, 0),
9400 .errstr = "R1 offset is outside of the packet",
9402 .prog_type = BPF_PROG_TYPE_XDP,
9405 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9407 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9408 offsetof(struct xdp_md, data_meta)),
9409 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9410 offsetof(struct xdp_md, data)),
9411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9413 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9414 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9415 BPF_MOV64_IMM(BPF_REG_0, 0),
9418 .errstr = "R1 offset is outside of the packet",
9420 .prog_type = BPF_PROG_TYPE_XDP,
9421 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9424 "XDP pkt read, pkt_data >= pkt_meta', good access",
9426 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9427 offsetof(struct xdp_md, data_meta)),
9428 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9429 offsetof(struct xdp_md, data)),
9430 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9432 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9433 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9435 BPF_MOV64_IMM(BPF_REG_0, 0),
9439 .prog_type = BPF_PROG_TYPE_XDP,
9442 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9444 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9445 offsetof(struct xdp_md, data_meta)),
9446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9447 offsetof(struct xdp_md, data)),
9448 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9450 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9451 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9452 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9453 BPF_MOV64_IMM(BPF_REG_0, 0),
9456 .errstr = "R1 offset is outside of the packet",
9458 .prog_type = BPF_PROG_TYPE_XDP,
9459 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9462 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9464 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9465 offsetof(struct xdp_md, data_meta)),
9466 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9467 offsetof(struct xdp_md, data)),
9468 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9470 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9471 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9472 BPF_MOV64_IMM(BPF_REG_0, 0),
9475 .errstr = "R1 offset is outside of the packet",
9477 .prog_type = BPF_PROG_TYPE_XDP,
9480 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9482 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9483 offsetof(struct xdp_md, data_meta)),
9484 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9485 offsetof(struct xdp_md, data)),
9486 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9488 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9489 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9490 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9491 BPF_MOV64_IMM(BPF_REG_0, 0),
9495 .prog_type = BPF_PROG_TYPE_XDP,
9498 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9501 offsetof(struct xdp_md, data_meta)),
9502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9503 offsetof(struct xdp_md, data)),
9504 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9506 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9507 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9508 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9509 BPF_MOV64_IMM(BPF_REG_0, 0),
9512 .errstr = "R1 offset is outside of the packet",
9514 .prog_type = BPF_PROG_TYPE_XDP,
9515 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9518 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9520 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9521 offsetof(struct xdp_md, data_meta)),
9522 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9523 offsetof(struct xdp_md, data)),
9524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9526 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9527 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9528 BPF_MOV64_IMM(BPF_REG_0, 0),
9531 .errstr = "R1 offset is outside of the packet",
9533 .prog_type = BPF_PROG_TYPE_XDP,
9536 "XDP pkt read, pkt_data <= pkt_meta', good access",
9538 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9539 offsetof(struct xdp_md, data_meta)),
9540 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9541 offsetof(struct xdp_md, data)),
9542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9544 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9546 BPF_MOV64_IMM(BPF_REG_0, 0),
9550 .prog_type = BPF_PROG_TYPE_XDP,
9551 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9554 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9556 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9557 offsetof(struct xdp_md, data_meta)),
9558 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9559 offsetof(struct xdp_md, data)),
9560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9562 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9563 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9564 BPF_MOV64_IMM(BPF_REG_0, 0),
9567 .errstr = "R1 offset is outside of the packet",
9569 .prog_type = BPF_PROG_TYPE_XDP,
9572 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9574 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9575 offsetof(struct xdp_md, data_meta)),
9576 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9577 offsetof(struct xdp_md, data)),
9578 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9580 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9581 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9582 BPF_MOV64_IMM(BPF_REG_0, 0),
9585 .errstr = "R1 offset is outside of the packet",
9587 .prog_type = BPF_PROG_TYPE_XDP,
9588 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9591 "check deducing bounds from const, 1",
9593 BPF_MOV64_IMM(BPF_REG_0, 1),
9594 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9595 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9599 .errstr = "R0 tried to subtract pointer from scalar",
9602 "check deducing bounds from const, 2",
9604 BPF_MOV64_IMM(BPF_REG_0, 1),
9605 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9607 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9609 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9616 "check deducing bounds from const, 3",
9618 BPF_MOV64_IMM(BPF_REG_0, 0),
9619 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9620 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9624 .errstr = "R0 tried to subtract pointer from scalar",
9627 "check deducing bounds from const, 4",
9629 BPF_MOV64_IMM(BPF_REG_0, 0),
9630 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9632 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9634 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9640 "check deducing bounds from const, 5",
9642 BPF_MOV64_IMM(BPF_REG_0, 0),
9643 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9644 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9648 .errstr = "R0 tried to subtract pointer from scalar",
9651 "check deducing bounds from const, 6",
9653 BPF_MOV64_IMM(BPF_REG_0, 0),
9654 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9656 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9660 .errstr = "R0 tried to subtract pointer from scalar",
9663 "check deducing bounds from const, 7",
9665 BPF_MOV64_IMM(BPF_REG_0, ~0),
9666 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9667 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9668 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9669 offsetof(struct __sk_buff, mark)),
9673 .errstr = "dereference of modified ctx ptr",
9676 "check deducing bounds from const, 8",
9678 BPF_MOV64_IMM(BPF_REG_0, ~0),
9679 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9680 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9681 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9682 offsetof(struct __sk_buff, mark)),
9686 .errstr = "dereference of modified ctx ptr",
9689 "check deducing bounds from const, 9",
9691 BPF_MOV64_IMM(BPF_REG_0, 0),
9692 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9693 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9697 .errstr = "R0 tried to subtract pointer from scalar",
9700 "check deducing bounds from const, 10",
9702 BPF_MOV64_IMM(BPF_REG_0, 0),
9703 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9704 /* Marks reg as unknown. */
9705 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9706 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9710 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9713 "bpf_exit with invalid return code. test1",
9715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9718 .errstr = "R0 has value (0x0; 0xffffffff)",
9720 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9723 "bpf_exit with invalid return code. test2",
9725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9726 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9730 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9733 "bpf_exit with invalid return code. test3",
9735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9736 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9739 .errstr = "R0 has value (0x0; 0x3)",
9741 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9744 "bpf_exit with invalid return code. test4",
9746 BPF_MOV64_IMM(BPF_REG_0, 1),
9750 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9753 "bpf_exit with invalid return code. test5",
9755 BPF_MOV64_IMM(BPF_REG_0, 2),
9758 .errstr = "R0 has value (0x2; 0x0)",
9760 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9763 "bpf_exit with invalid return code. test6",
9765 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9768 .errstr = "R0 is not a known value (ctx)",
9770 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9773 "bpf_exit with invalid return code. test7",
9775 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9776 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9777 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9780 .errstr = "R0 has unknown scalar value",
9782 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9785 "calls: basic sanity",
9787 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9788 BPF_MOV64_IMM(BPF_REG_0, 1),
9790 BPF_MOV64_IMM(BPF_REG_0, 2),
9793 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9797 "calls: not on unpriviledged",
9799 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9800 BPF_MOV64_IMM(BPF_REG_0, 1),
9802 BPF_MOV64_IMM(BPF_REG_0, 2),
9805 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9806 .result_unpriv = REJECT,
9811 "calls: div by 0 in subprog",
9813 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9814 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9815 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9816 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9817 offsetof(struct __sk_buff, data_end)),
9818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9820 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9821 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9822 BPF_MOV64_IMM(BPF_REG_0, 1),
9824 BPF_MOV32_IMM(BPF_REG_2, 0),
9825 BPF_MOV32_IMM(BPF_REG_3, 1),
9826 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9827 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9828 offsetof(struct __sk_buff, data)),
9831 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9836 "calls: multiple ret types in subprog 1",
9838 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9841 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9842 offsetof(struct __sk_buff, data_end)),
9843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9845 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9846 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9847 BPF_MOV64_IMM(BPF_REG_0, 1),
9849 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9850 offsetof(struct __sk_buff, data)),
9851 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9852 BPF_MOV32_IMM(BPF_REG_0, 42),
9855 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9857 .errstr = "R0 invalid mem access 'inv'",
9860 "calls: multiple ret types in subprog 2",
9862 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9863 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9865 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9866 offsetof(struct __sk_buff, data_end)),
9867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9869 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9870 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9871 BPF_MOV64_IMM(BPF_REG_0, 1),
9873 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9874 offsetof(struct __sk_buff, data)),
9875 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9876 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9877 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9880 BPF_LD_MAP_FD(BPF_REG_1, 0),
9881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9882 BPF_FUNC_map_lookup_elem),
9883 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9885 offsetof(struct __sk_buff, data)),
9886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9889 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9890 .fixup_map1 = { 16 },
9892 .errstr = "R0 min value is outside of the array range",
9895 "calls: overlapping caller/callee",
9897 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9898 BPF_MOV64_IMM(BPF_REG_0, 1),
9901 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9902 .errstr = "last insn is not an exit or jmp",
9906 "calls: wrong recursive calls",
9908 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9909 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9913 BPF_MOV64_IMM(BPF_REG_0, 1),
9916 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9917 .errstr = "jump out of range",
9921 "calls: wrong src reg",
9923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9924 BPF_MOV64_IMM(BPF_REG_0, 1),
9927 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9928 .errstr = "BPF_CALL uses reserved fields",
9932 "calls: wrong off value",
9934 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9935 BPF_MOV64_IMM(BPF_REG_0, 1),
9937 BPF_MOV64_IMM(BPF_REG_0, 2),
9940 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9941 .errstr = "BPF_CALL uses reserved fields",
9945 "calls: jump back loop",
9947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9948 BPF_MOV64_IMM(BPF_REG_0, 1),
9951 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9952 .errstr = "back-edge from insn 0 to 0",
9956 "calls: conditional call",
9958 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9959 offsetof(struct __sk_buff, mark)),
9960 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9961 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9962 BPF_MOV64_IMM(BPF_REG_0, 1),
9964 BPF_MOV64_IMM(BPF_REG_0, 2),
9967 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9968 .errstr = "jump out of range",
9972 "calls: conditional call 2",
9974 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9975 offsetof(struct __sk_buff, mark)),
9976 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9978 BPF_MOV64_IMM(BPF_REG_0, 1),
9980 BPF_MOV64_IMM(BPF_REG_0, 2),
9982 BPF_MOV64_IMM(BPF_REG_0, 3),
9985 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9989 "calls: conditional call 3",
9991 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9992 offsetof(struct __sk_buff, mark)),
9993 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9994 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9995 BPF_MOV64_IMM(BPF_REG_0, 1),
9997 BPF_MOV64_IMM(BPF_REG_0, 1),
9998 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9999 BPF_MOV64_IMM(BPF_REG_0, 3),
10000 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10002 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10003 .errstr = "back-edge from insn",
10007 "calls: conditional call 4",
10009 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10010 offsetof(struct __sk_buff, mark)),
10011 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10013 BPF_MOV64_IMM(BPF_REG_0, 1),
10015 BPF_MOV64_IMM(BPF_REG_0, 1),
10016 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10017 BPF_MOV64_IMM(BPF_REG_0, 3),
10020 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10024 "calls: conditional call 5",
10026 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10027 offsetof(struct __sk_buff, mark)),
10028 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10030 BPF_MOV64_IMM(BPF_REG_0, 1),
10032 BPF_MOV64_IMM(BPF_REG_0, 1),
10033 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10034 BPF_MOV64_IMM(BPF_REG_0, 3),
10037 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10038 .errstr = "back-edge from insn",
10042 "calls: conditional call 6",
10044 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10045 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10047 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10048 offsetof(struct __sk_buff, mark)),
10051 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10052 .errstr = "back-edge from insn",
10056 "calls: using r0 returned by callee",
10058 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10060 BPF_MOV64_IMM(BPF_REG_0, 2),
10063 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10067 "calls: using uninit r0 from callee",
10069 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10073 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10074 .errstr = "!read_ok",
10078 "calls: callee is using r1",
10080 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10082 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10083 offsetof(struct __sk_buff, len)),
10086 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10088 .retval = TEST_DATA_LEN,
10091 "calls: callee using args1",
10093 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10095 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10098 .errstr_unpriv = "allowed for root only",
10099 .result_unpriv = REJECT,
10101 .retval = POINTER_VALUE,
10104 "calls: callee using wrong args2",
10106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10108 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10111 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10112 .errstr = "R2 !read_ok",
10116 "calls: callee using two args",
10118 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10119 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10120 offsetof(struct __sk_buff, len)),
10121 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10122 offsetof(struct __sk_buff, len)),
10123 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10126 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10129 .errstr_unpriv = "allowed for root only",
10130 .result_unpriv = REJECT,
10132 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10135 "calls: callee changing pkt pointers",
10137 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10138 offsetof(struct xdp_md, data)),
10139 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10140 offsetof(struct xdp_md, data_end)),
10141 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10143 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10144 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10145 /* clear_all_pkt_pointers() has to walk all frames
10146 * to make sure that pkt pointers in the caller
10147 * are cleared when callee is calling a helper that
10148 * adjusts packet size
10150 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10151 BPF_MOV32_IMM(BPF_REG_0, 0),
10153 BPF_MOV64_IMM(BPF_REG_2, 0),
10154 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10155 BPF_FUNC_xdp_adjust_head),
10159 .errstr = "R6 invalid mem access 'inv'",
10160 .prog_type = BPF_PROG_TYPE_XDP,
10163 "calls: two calls with args",
10165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10167 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10168 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10169 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10171 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10172 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10175 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10176 offsetof(struct __sk_buff, len)),
10179 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10181 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10184 "calls: calls with stack arith",
10186 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10194 BPF_MOV64_IMM(BPF_REG_0, 42),
10195 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10198 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10203 "calls: calls with misaligned stack access",
10205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10210 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10213 BPF_MOV64_IMM(BPF_REG_0, 42),
10214 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10217 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10218 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10219 .errstr = "misaligned stack access",
10223 "calls: calls control flow, jump test",
10225 BPF_MOV64_IMM(BPF_REG_0, 42),
10226 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10227 BPF_MOV64_IMM(BPF_REG_0, 43),
10228 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10229 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10232 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10237 "calls: calls control flow, jump test 2",
10239 BPF_MOV64_IMM(BPF_REG_0, 42),
10240 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10241 BPF_MOV64_IMM(BPF_REG_0, 43),
10242 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10243 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10246 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10247 .errstr = "jump out of range from insn 1 to 4",
10251 "calls: two calls with bad jump",
10253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10255 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10257 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10259 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10260 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10261 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10263 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10264 offsetof(struct __sk_buff, len)),
10265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10268 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10269 .errstr = "jump out of range from insn 11 to 9",
10273 "calls: recursive call. test1",
10275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10280 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10281 .errstr = "back-edge",
10285 "calls: recursive call. test2",
10287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10292 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10293 .errstr = "back-edge",
10297 "calls: unreachable code",
10299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10303 BPF_MOV64_IMM(BPF_REG_0, 0),
10305 BPF_MOV64_IMM(BPF_REG_0, 0),
10308 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10309 .errstr = "unreachable insn 6",
10313 "calls: invalid call",
10315 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10320 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10321 .errstr = "invalid destination",
10325 "calls: invalid call 2",
10327 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10329 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10332 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10333 .errstr = "invalid destination",
10337 "calls: jumping across function bodies. test1",
10339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10340 BPF_MOV64_IMM(BPF_REG_0, 0),
10342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10345 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10346 .errstr = "jump out of range",
10350 "calls: jumping across function bodies. test2",
10352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10353 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10354 BPF_MOV64_IMM(BPF_REG_0, 0),
10358 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10359 .errstr = "jump out of range",
10363 "calls: call without exit",
10365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10369 BPF_MOV64_IMM(BPF_REG_0, 0),
10370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10372 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10373 .errstr = "not an exit",
10377 "calls: call into middle of ld_imm64",
10379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10380 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10381 BPF_MOV64_IMM(BPF_REG_0, 0),
10383 BPF_LD_IMM64(BPF_REG_0, 0),
10386 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10387 .errstr = "last insn",
10391 "calls: call into middle of other call",
10393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10395 BPF_MOV64_IMM(BPF_REG_0, 0),
10397 BPF_MOV64_IMM(BPF_REG_0, 0),
10398 BPF_MOV64_IMM(BPF_REG_0, 0),
10401 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10402 .errstr = "last insn",
10406 "calls: ld_abs with changing ctx data in callee",
10408 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10409 BPF_LD_ABS(BPF_B, 0),
10410 BPF_LD_ABS(BPF_H, 0),
10411 BPF_LD_ABS(BPF_W, 0),
10412 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10414 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10415 BPF_LD_ABS(BPF_B, 0),
10416 BPF_LD_ABS(BPF_H, 0),
10417 BPF_LD_ABS(BPF_W, 0),
10419 BPF_MOV64_IMM(BPF_REG_2, 1),
10420 BPF_MOV64_IMM(BPF_REG_3, 2),
10421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10422 BPF_FUNC_skb_vlan_push),
10425 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10426 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10430 "calls: two calls with bad fallthrough",
10432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10434 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10436 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10437 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10439 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10440 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10441 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10442 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10443 offsetof(struct __sk_buff, len)),
10446 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10447 .errstr = "not an exit",
10451 "calls: two calls with stack read",
10453 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10454 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10458 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10460 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10461 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10463 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10464 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10466 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10469 .prog_type = BPF_PROG_TYPE_XDP,
10473 "calls: two calls with stack write",
10476 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10479 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10481 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10482 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10486 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10487 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10488 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10489 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10490 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10491 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10492 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10493 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10494 /* write into stack frame of main prog */
10495 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10499 /* read from stack frame of main prog */
10500 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10503 .prog_type = BPF_PROG_TYPE_XDP,
10507 "calls: stack overflow using two frames (pre-call access)",
10510 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10511 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10515 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10516 BPF_MOV64_IMM(BPF_REG_0, 0),
10519 .prog_type = BPF_PROG_TYPE_XDP,
10520 .errstr = "combined stack size",
10524 "calls: stack overflow using two frames (post-call access)",
10527 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10528 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10532 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10533 BPF_MOV64_IMM(BPF_REG_0, 0),
10536 .prog_type = BPF_PROG_TYPE_XDP,
10537 .errstr = "combined stack size",
10541 "calls: stack depth check using three frames. test1",
10544 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10545 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10546 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10547 BPF_MOV64_IMM(BPF_REG_0, 0),
10550 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10553 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10554 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10557 .prog_type = BPF_PROG_TYPE_XDP,
10558 /* stack_main=32, stack_A=256, stack_B=64
10559 * and max(main+A, main+A+B) < 512
10564 "calls: stack depth check using three frames. test2",
10567 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10568 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10569 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10570 BPF_MOV64_IMM(BPF_REG_0, 0),
10573 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10576 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10577 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10580 .prog_type = BPF_PROG_TYPE_XDP,
10581 /* stack_main=32, stack_A=64, stack_B=256
10582 * and max(main+A, main+A+B) < 512
10587 "calls: stack depth check using three frames. test3",
10590 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10591 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10593 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10594 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10595 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10596 BPF_MOV64_IMM(BPF_REG_0, 0),
10599 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10601 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10602 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10604 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10605 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10606 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10609 .prog_type = BPF_PROG_TYPE_XDP,
10610 /* stack_main=64, stack_A=224, stack_B=256
10611 * and max(main+A, main+A+B) > 512
10613 .errstr = "combined stack",
10617 "calls: stack depth check using three frames. test4",
10618 /* void main(void) {
10623 * void func1(int alloc_or_recurse) {
10624 * if (alloc_or_recurse) {
10625 * frame_pointer[-300] = 1;
10627 * func2(alloc_or_recurse);
10630 * void func2(int alloc_or_recurse) {
10631 * if (alloc_or_recurse) {
10632 * frame_pointer[-300] = 1;
10638 BPF_MOV64_IMM(BPF_REG_1, 0),
10639 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10640 BPF_MOV64_IMM(BPF_REG_1, 1),
10641 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10642 BPF_MOV64_IMM(BPF_REG_1, 1),
10643 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10644 BPF_MOV64_IMM(BPF_REG_0, 0),
10647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10648 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10650 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10654 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10657 .prog_type = BPF_PROG_TYPE_XDP,
10659 .errstr = "combined stack",
10662 "calls: stack depth check using three frames. test5",
10665 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10668 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10671 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10674 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10677 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10680 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10683 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10686 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10689 BPF_MOV64_IMM(BPF_REG_0, 0),
10692 .prog_type = BPF_PROG_TYPE_XDP,
10693 .errstr = "call stack",
10697 "calls: spill into caller stack frame",
10699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10700 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10702 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10704 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10705 BPF_MOV64_IMM(BPF_REG_0, 0),
10708 .prog_type = BPF_PROG_TYPE_XDP,
10709 .errstr = "cannot spill",
10713 "calls: write into caller stack frame",
10715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10717 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10719 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10721 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10722 BPF_MOV64_IMM(BPF_REG_0, 0),
10725 .prog_type = BPF_PROG_TYPE_XDP,
10730 "calls: write into callee stack frame",
10732 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10733 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10735 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10739 .prog_type = BPF_PROG_TYPE_XDP,
10740 .errstr = "cannot return stack pointer",
10744 "calls: two calls with stack write and void return",
10747 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10748 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10752 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10753 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10757 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10758 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10760 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10765 /* write into stack frame of main prog */
10766 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10767 BPF_EXIT_INSN(), /* void return */
10769 .prog_type = BPF_PROG_TYPE_XDP,
10773 "calls: ambiguous return value",
10775 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10778 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10779 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10780 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10783 BPF_MOV64_IMM(BPF_REG_0, 0),
10786 .errstr_unpriv = "allowed for root only",
10787 .result_unpriv = REJECT,
10788 .errstr = "R0 !read_ok",
10792 "calls: two calls that return map_value",
10795 /* pass fp-16, fp-8 into a function */
10796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10800 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10802 /* fetch map_value_ptr from the stack of this function */
10803 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10805 /* write into map value */
10806 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10807 /* fetch secound map_value_ptr from the stack */
10808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10810 /* write into map value */
10811 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10812 BPF_MOV64_IMM(BPF_REG_0, 0),
10816 /* call 3rd function twice */
10817 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10818 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10819 /* first time with fp-8 */
10820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10821 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10822 /* second time with fp-16 */
10823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10827 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10828 /* lookup from map */
10829 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10832 BPF_LD_MAP_FD(BPF_REG_1, 0),
10833 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10834 BPF_FUNC_map_lookup_elem),
10835 /* write map_value_ptr into stack frame of main prog */
10836 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10837 BPF_MOV64_IMM(BPF_REG_0, 0),
10838 BPF_EXIT_INSN(), /* return 0 */
10840 .prog_type = BPF_PROG_TYPE_XDP,
10841 .fixup_map1 = { 23 },
10845 "calls: two calls that return map_value with bool condition",
10848 /* pass fp-16, fp-8 into a function */
10849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10853 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10854 BPF_MOV64_IMM(BPF_REG_0, 0),
10858 /* call 3rd function twice */
10859 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10860 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10861 /* first time with fp-8 */
10862 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10863 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10864 /* fetch map_value_ptr from the stack of this function */
10865 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10866 /* write into map value */
10867 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10869 /* second time with fp-16 */
10870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10871 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10872 /* fetch secound map_value_ptr from the stack */
10873 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10874 /* write into map value */
10875 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10879 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10880 /* lookup from map */
10881 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10884 BPF_LD_MAP_FD(BPF_REG_1, 0),
10885 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10886 BPF_FUNC_map_lookup_elem),
10887 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10888 BPF_MOV64_IMM(BPF_REG_0, 0),
10889 BPF_EXIT_INSN(), /* return 0 */
10890 /* write map_value_ptr into stack frame of main prog */
10891 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10892 BPF_MOV64_IMM(BPF_REG_0, 1),
10893 BPF_EXIT_INSN(), /* return 1 */
10895 .prog_type = BPF_PROG_TYPE_XDP,
10896 .fixup_map1 = { 23 },
10900 "calls: two calls that return map_value with incorrect bool check",
10903 /* pass fp-16, fp-8 into a function */
10904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10909 BPF_MOV64_IMM(BPF_REG_0, 0),
10913 /* call 3rd function twice */
10914 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10915 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10916 /* first time with fp-8 */
10917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10918 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10919 /* fetch map_value_ptr from the stack of this function */
10920 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10921 /* write into map value */
10922 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10923 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10924 /* second time with fp-16 */
10925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10926 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10927 /* fetch secound map_value_ptr from the stack */
10928 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10929 /* write into map value */
10930 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10934 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10935 /* lookup from map */
10936 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10937 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10939 BPF_LD_MAP_FD(BPF_REG_1, 0),
10940 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10941 BPF_FUNC_map_lookup_elem),
10942 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10943 BPF_MOV64_IMM(BPF_REG_0, 0),
10944 BPF_EXIT_INSN(), /* return 0 */
10945 /* write map_value_ptr into stack frame of main prog */
10946 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10947 BPF_MOV64_IMM(BPF_REG_0, 1),
10948 BPF_EXIT_INSN(), /* return 1 */
10950 .prog_type = BPF_PROG_TYPE_XDP,
10951 .fixup_map1 = { 23 },
10953 .errstr = "invalid read from stack off -16+0 size 8",
10956 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10959 /* pass fp-16, fp-8 into a function */
10960 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10962 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10965 BPF_MOV64_IMM(BPF_REG_0, 0),
10969 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10970 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10971 /* 1st lookup from map */
10972 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10973 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10975 BPF_LD_MAP_FD(BPF_REG_1, 0),
10976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10977 BPF_FUNC_map_lookup_elem),
10978 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10979 BPF_MOV64_IMM(BPF_REG_8, 0),
10980 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10981 /* write map_value_ptr into stack frame of main prog at fp-8 */
10982 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10983 BPF_MOV64_IMM(BPF_REG_8, 1),
10985 /* 2nd lookup from map */
10986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10988 BPF_LD_MAP_FD(BPF_REG_1, 0),
10989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10990 BPF_FUNC_map_lookup_elem),
10991 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10992 BPF_MOV64_IMM(BPF_REG_9, 0),
10993 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10994 /* write map_value_ptr into stack frame of main prog at fp-16 */
10995 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10996 BPF_MOV64_IMM(BPF_REG_9, 1),
10998 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10999 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11000 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11001 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11002 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11007 /* if arg2 == 1 do *arg1 = 0 */
11008 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11009 /* fetch map_value_ptr from the stack of this function */
11010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11011 /* write into map value */
11012 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11014 /* if arg4 == 1 do *arg3 = 0 */
11015 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11016 /* fetch map_value_ptr from the stack of this function */
11017 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11018 /* write into map value */
11019 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11022 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11023 .fixup_map1 = { 12, 22 },
11025 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11028 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11031 /* pass fp-16, fp-8 into a function */
11032 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11036 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11037 BPF_MOV64_IMM(BPF_REG_0, 0),
11041 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11042 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11043 /* 1st lookup from map */
11044 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11045 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11047 BPF_LD_MAP_FD(BPF_REG_1, 0),
11048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11049 BPF_FUNC_map_lookup_elem),
11050 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11051 BPF_MOV64_IMM(BPF_REG_8, 0),
11052 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11053 /* write map_value_ptr into stack frame of main prog at fp-8 */
11054 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11055 BPF_MOV64_IMM(BPF_REG_8, 1),
11057 /* 2nd lookup from map */
11058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11060 BPF_LD_MAP_FD(BPF_REG_1, 0),
11061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11062 BPF_FUNC_map_lookup_elem),
11063 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11064 BPF_MOV64_IMM(BPF_REG_9, 0),
11065 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11066 /* write map_value_ptr into stack frame of main prog at fp-16 */
11067 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11068 BPF_MOV64_IMM(BPF_REG_9, 1),
11070 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11072 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11073 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11074 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11079 /* if arg2 == 1 do *arg1 = 0 */
11080 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11081 /* fetch map_value_ptr from the stack of this function */
11082 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11083 /* write into map value */
11084 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11086 /* if arg4 == 1 do *arg3 = 0 */
11087 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11088 /* fetch map_value_ptr from the stack of this function */
11089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11090 /* write into map value */
11091 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11095 .fixup_map1 = { 12, 22 },
11099 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11102 /* pass fp-16, fp-8 into a function */
11103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11107 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11108 BPF_MOV64_IMM(BPF_REG_0, 0),
11112 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11113 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11114 /* 1st lookup from map */
11115 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11116 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11118 BPF_LD_MAP_FD(BPF_REG_1, 0),
11119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11120 BPF_FUNC_map_lookup_elem),
11121 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11122 BPF_MOV64_IMM(BPF_REG_8, 0),
11123 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11124 /* write map_value_ptr into stack frame of main prog at fp-8 */
11125 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11126 BPF_MOV64_IMM(BPF_REG_8, 1),
11128 /* 2nd lookup from map */
11129 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11131 BPF_LD_MAP_FD(BPF_REG_1, 0),
11132 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11133 BPF_FUNC_map_lookup_elem),
11134 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11135 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11136 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11137 /* write map_value_ptr into stack frame of main prog at fp-16 */
11138 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11139 BPF_MOV64_IMM(BPF_REG_9, 1),
11141 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11142 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11144 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11145 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11146 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11147 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11150 /* if arg2 == 1 do *arg1 = 0 */
11151 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11152 /* fetch map_value_ptr from the stack of this function */
11153 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11154 /* write into map value */
11155 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11157 /* if arg4 == 1 do *arg3 = 0 */
11158 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11159 /* fetch map_value_ptr from the stack of this function */
11160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11161 /* write into map value */
11162 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11163 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11165 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11166 .fixup_map1 = { 12, 22 },
11168 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11171 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11174 /* pass fp-16, fp-8 into a function */
11175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11177 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11179 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11180 BPF_MOV64_IMM(BPF_REG_0, 0),
11184 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11185 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11186 /* 1st lookup from map */
11187 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11188 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11190 BPF_LD_MAP_FD(BPF_REG_1, 0),
11191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11192 BPF_FUNC_map_lookup_elem),
11193 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11194 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11195 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11196 BPF_MOV64_IMM(BPF_REG_8, 0),
11197 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11198 BPF_MOV64_IMM(BPF_REG_8, 1),
11200 /* 2nd lookup from map */
11201 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11203 BPF_LD_MAP_FD(BPF_REG_1, 0),
11204 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11205 BPF_FUNC_map_lookup_elem),
11206 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11207 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11208 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11209 BPF_MOV64_IMM(BPF_REG_9, 0),
11210 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11211 BPF_MOV64_IMM(BPF_REG_9, 1),
11213 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11216 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11217 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11222 /* if arg2 == 1 do *arg1 = 0 */
11223 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11224 /* fetch map_value_ptr from the stack of this function */
11225 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11226 /* write into map value */
11227 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11229 /* if arg4 == 1 do *arg3 = 0 */
11230 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11231 /* fetch map_value_ptr from the stack of this function */
11232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11233 /* write into map value */
11234 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11237 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11238 .fixup_map1 = { 12, 22 },
11242 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11245 /* pass fp-16, fp-8 into a function */
11246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11251 BPF_MOV64_IMM(BPF_REG_0, 0),
11255 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11256 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11257 /* 1st lookup from map */
11258 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11261 BPF_LD_MAP_FD(BPF_REG_1, 0),
11262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11263 BPF_FUNC_map_lookup_elem),
11264 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11265 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11266 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11267 BPF_MOV64_IMM(BPF_REG_8, 0),
11268 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11269 BPF_MOV64_IMM(BPF_REG_8, 1),
11271 /* 2nd lookup from map */
11272 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11274 BPF_LD_MAP_FD(BPF_REG_1, 0),
11275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11276 BPF_FUNC_map_lookup_elem),
11277 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11278 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11279 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11280 BPF_MOV64_IMM(BPF_REG_9, 0),
11281 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11282 BPF_MOV64_IMM(BPF_REG_9, 1),
11284 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11287 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11288 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11293 /* if arg2 == 1 do *arg1 = 0 */
11294 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11295 /* fetch map_value_ptr from the stack of this function */
11296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11297 /* write into map value */
11298 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11300 /* if arg4 == 0 do *arg3 = 0 */
11301 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11302 /* fetch map_value_ptr from the stack of this function */
11303 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11304 /* write into map value */
11305 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11308 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11309 .fixup_map1 = { 12, 22 },
11311 .errstr = "R0 invalid mem access 'inv'",
11314 "calls: pkt_ptr spill into caller stack",
11316 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11322 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11323 offsetof(struct __sk_buff, data)),
11324 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11325 offsetof(struct __sk_buff, data_end)),
11326 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11328 /* spill unchecked pkt_ptr into stack of caller */
11329 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11330 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11331 /* now the pkt range is verified, read pkt_ptr from stack */
11332 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11333 /* write 4 bytes into packet */
11334 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11339 .retval = POINTER_VALUE,
11342 "calls: pkt_ptr spill into caller stack 2",
11344 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11347 /* Marking is still kept, but not in all cases safe. */
11348 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11349 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11353 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11354 offsetof(struct __sk_buff, data)),
11355 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11356 offsetof(struct __sk_buff, data_end)),
11357 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11359 /* spill unchecked pkt_ptr into stack of caller */
11360 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11361 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11362 /* now the pkt range is verified, read pkt_ptr from stack */
11363 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11364 /* write 4 bytes into packet */
11365 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11368 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11369 .errstr = "invalid access to packet",
11373 "calls: pkt_ptr spill into caller stack 3",
11375 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11377 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11379 /* Marking is still kept and safe here. */
11380 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11381 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11386 offsetof(struct __sk_buff, data)),
11387 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11388 offsetof(struct __sk_buff, data_end)),
11389 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11391 /* spill unchecked pkt_ptr into stack of caller */
11392 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11393 BPF_MOV64_IMM(BPF_REG_5, 0),
11394 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11395 BPF_MOV64_IMM(BPF_REG_5, 1),
11396 /* now the pkt range is verified, read pkt_ptr from stack */
11397 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11398 /* write 4 bytes into packet */
11399 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11403 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11408 "calls: pkt_ptr spill into caller stack 4",
11410 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11414 /* Check marking propagated. */
11415 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11416 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11420 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11421 offsetof(struct __sk_buff, data)),
11422 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11423 offsetof(struct __sk_buff, data_end)),
11424 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11426 /* spill unchecked pkt_ptr into stack of caller */
11427 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11428 BPF_MOV64_IMM(BPF_REG_5, 0),
11429 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11430 BPF_MOV64_IMM(BPF_REG_5, 1),
11431 /* don't read back pkt_ptr from stack here */
11432 /* write 4 bytes into packet */
11433 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11434 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11437 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11442 "calls: pkt_ptr spill into caller stack 5",
11444 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11446 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11447 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11448 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11454 offsetof(struct __sk_buff, data)),
11455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11456 offsetof(struct __sk_buff, data_end)),
11457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11459 BPF_MOV64_IMM(BPF_REG_5, 0),
11460 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11461 /* spill checked pkt_ptr into stack of caller */
11462 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11463 BPF_MOV64_IMM(BPF_REG_5, 1),
11464 /* don't read back pkt_ptr from stack here */
11465 /* write 4 bytes into packet */
11466 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11467 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11470 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11471 .errstr = "same insn cannot be used with different",
11475 "calls: pkt_ptr spill into caller stack 6",
11477 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11478 offsetof(struct __sk_buff, data_end)),
11479 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11481 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11482 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11483 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11484 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11488 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11489 offsetof(struct __sk_buff, data)),
11490 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11491 offsetof(struct __sk_buff, data_end)),
11492 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11494 BPF_MOV64_IMM(BPF_REG_5, 0),
11495 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11496 /* spill checked pkt_ptr into stack of caller */
11497 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11498 BPF_MOV64_IMM(BPF_REG_5, 1),
11499 /* don't read back pkt_ptr from stack here */
11500 /* write 4 bytes into packet */
11501 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11502 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11505 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11506 .errstr = "R4 invalid mem access",
11510 "calls: pkt_ptr spill into caller stack 7",
11512 BPF_MOV64_IMM(BPF_REG_2, 0),
11513 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11515 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11516 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11517 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11518 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11522 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11523 offsetof(struct __sk_buff, data)),
11524 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11525 offsetof(struct __sk_buff, data_end)),
11526 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11528 BPF_MOV64_IMM(BPF_REG_5, 0),
11529 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11530 /* spill checked pkt_ptr into stack of caller */
11531 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11532 BPF_MOV64_IMM(BPF_REG_5, 1),
11533 /* don't read back pkt_ptr from stack here */
11534 /* write 4 bytes into packet */
11535 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11536 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11539 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11540 .errstr = "R4 invalid mem access",
11544 "calls: pkt_ptr spill into caller stack 8",
11546 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11547 offsetof(struct __sk_buff, data)),
11548 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11549 offsetof(struct __sk_buff, data_end)),
11550 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11552 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11554 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11556 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11557 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11558 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11559 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11563 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11564 offsetof(struct __sk_buff, data)),
11565 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11566 offsetof(struct __sk_buff, data_end)),
11567 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11569 BPF_MOV64_IMM(BPF_REG_5, 0),
11570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11571 /* spill checked pkt_ptr into stack of caller */
11572 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11573 BPF_MOV64_IMM(BPF_REG_5, 1),
11574 /* don't read back pkt_ptr from stack here */
11575 /* write 4 bytes into packet */
11576 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11580 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11584 "calls: pkt_ptr spill into caller stack 9",
11586 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11587 offsetof(struct __sk_buff, data)),
11588 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11589 offsetof(struct __sk_buff, data_end)),
11590 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11592 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11594 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11596 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11598 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11599 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11603 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11604 offsetof(struct __sk_buff, data)),
11605 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11606 offsetof(struct __sk_buff, data_end)),
11607 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11609 BPF_MOV64_IMM(BPF_REG_5, 0),
11610 /* spill unchecked pkt_ptr into stack of caller */
11611 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11612 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11613 BPF_MOV64_IMM(BPF_REG_5, 1),
11614 /* don't read back pkt_ptr from stack here */
11615 /* write 4 bytes into packet */
11616 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11617 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11620 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11621 .errstr = "invalid access to packet",
11625 "calls: caller stack init to zero or map_value_or_null",
11627 BPF_MOV64_IMM(BPF_REG_0, 0),
11628 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11629 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11632 /* fetch map_value_or_null or const_zero from stack */
11633 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11634 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11635 /* store into map_value */
11636 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11640 /* if (ctx == 0) return; */
11641 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11642 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11643 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11644 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11646 BPF_LD_MAP_FD(BPF_REG_1, 0),
11647 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11649 BPF_FUNC_map_lookup_elem),
11650 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11651 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11654 .fixup_map1 = { 13 },
11656 .prog_type = BPF_PROG_TYPE_XDP,
11659 "calls: stack init to zero and pruning",
11661 /* first make allocated_stack 16 byte */
11662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11663 /* now fork the execution such that the false branch
11664 * of JGT insn will be verified second and it skisp zero
11665 * init of fp-8 stack slot. If stack liveness marking
11666 * is missing live_read marks from call map_lookup
11667 * processing then pruning will incorrectly assume
11668 * that fp-8 stack slot was unused in the fall-through
11669 * branch and will accept the program incorrectly
11671 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11672 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11673 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11676 BPF_LD_MAP_FD(BPF_REG_1, 0),
11677 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11678 BPF_FUNC_map_lookup_elem),
11681 .fixup_map2 = { 6 },
11682 .errstr = "invalid indirect read from stack off -8+0 size 8",
11684 .prog_type = BPF_PROG_TYPE_XDP,
11687 "calls: two calls returning different map pointers for lookup (hash, array)",
11690 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11692 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11695 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11696 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11699 BPF_FUNC_map_lookup_elem),
11700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11701 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11702 offsetof(struct test_val, foo)),
11703 BPF_MOV64_IMM(BPF_REG_0, 1),
11706 BPF_LD_MAP_FD(BPF_REG_0, 0),
11709 BPF_LD_MAP_FD(BPF_REG_0, 0),
11712 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11713 .fixup_map2 = { 13 },
11714 .fixup_map4 = { 16 },
11719 "calls: two calls returning different map pointers for lookup (hash, map in map)",
11722 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11724 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11727 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11731 BPF_FUNC_map_lookup_elem),
11732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11733 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11734 offsetof(struct test_val, foo)),
11735 BPF_MOV64_IMM(BPF_REG_0, 1),
11738 BPF_LD_MAP_FD(BPF_REG_0, 0),
11741 BPF_LD_MAP_FD(BPF_REG_0, 0),
11744 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11745 .fixup_map_in_map = { 16 },
11746 .fixup_map4 = { 13 },
11748 .errstr = "R0 invalid mem access 'map_ptr'",
11751 "cond: two branches returning different map pointers for lookup (tail, tail)",
11753 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11754 offsetof(struct __sk_buff, mark)),
11755 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11756 BPF_LD_MAP_FD(BPF_REG_2, 0),
11757 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11758 BPF_LD_MAP_FD(BPF_REG_2, 0),
11759 BPF_MOV64_IMM(BPF_REG_3, 7),
11760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11761 BPF_FUNC_tail_call),
11762 BPF_MOV64_IMM(BPF_REG_0, 1),
11765 .fixup_prog1 = { 5 },
11766 .fixup_prog2 = { 2 },
11767 .result_unpriv = REJECT,
11768 .errstr_unpriv = "tail_call abusing map_ptr",
11773 "cond: two branches returning same map pointers for lookup (tail, tail)",
11775 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11776 offsetof(struct __sk_buff, mark)),
11777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11778 BPF_LD_MAP_FD(BPF_REG_2, 0),
11779 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11780 BPF_LD_MAP_FD(BPF_REG_2, 0),
11781 BPF_MOV64_IMM(BPF_REG_3, 7),
11782 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11783 BPF_FUNC_tail_call),
11784 BPF_MOV64_IMM(BPF_REG_0, 1),
11787 .fixup_prog2 = { 2, 5 },
11788 .result_unpriv = ACCEPT,
11793 "search pruning: all branches should be verified (nop operation)",
11795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11797 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11798 BPF_LD_MAP_FD(BPF_REG_1, 0),
11799 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11801 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11803 BPF_MOV64_IMM(BPF_REG_4, 0),
11805 BPF_MOV64_IMM(BPF_REG_4, 1),
11806 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11807 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11808 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11810 BPF_MOV64_IMM(BPF_REG_6, 0),
11811 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11814 .fixup_map1 = { 3 },
11815 .errstr = "R6 invalid mem access 'inv'",
11817 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11820 "search pruning: all branches should be verified (invalid stack access)",
11822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11824 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11825 BPF_LD_MAP_FD(BPF_REG_1, 0),
11826 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11828 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11829 BPF_MOV64_IMM(BPF_REG_4, 0),
11830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11831 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11833 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11834 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11835 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11838 .fixup_map1 = { 3 },
11839 .errstr = "invalid read from stack off -16+0 size 8",
11841 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11844 "jit: lsh, rsh, arsh by 1",
11846 BPF_MOV64_IMM(BPF_REG_0, 1),
11847 BPF_MOV64_IMM(BPF_REG_1, 0xff),
11848 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11849 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11850 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11852 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11853 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11854 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11856 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11859 BPF_MOV64_IMM(BPF_REG_0, 2),
11866 "jit: mov32 for ldimm64, 1",
11868 BPF_MOV64_IMM(BPF_REG_0, 2),
11869 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11870 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11871 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11872 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11873 BPF_MOV64_IMM(BPF_REG_0, 1),
11880 "jit: mov32 for ldimm64, 2",
11882 BPF_MOV64_IMM(BPF_REG_0, 1),
11883 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11884 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11885 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11886 BPF_MOV64_IMM(BPF_REG_0, 2),
11893 "jit: various mul tests",
11895 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11896 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11897 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11898 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11899 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11900 BPF_MOV64_IMM(BPF_REG_0, 1),
11902 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11903 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11904 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11905 BPF_MOV64_IMM(BPF_REG_0, 1),
11907 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11908 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11909 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11910 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11911 BPF_MOV64_IMM(BPF_REG_0, 1),
11913 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11914 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11915 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11916 BPF_MOV64_IMM(BPF_REG_0, 1),
11918 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11919 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11920 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11921 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11922 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11923 BPF_MOV64_IMM(BPF_REG_0, 1),
11925 BPF_MOV64_IMM(BPF_REG_0, 2),
11932 "xadd/w check unaligned stack",
11934 BPF_MOV64_IMM(BPF_REG_0, 1),
11935 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11936 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
11937 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11941 .errstr = "misaligned stack access off",
11942 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11945 "xadd/w check unaligned map",
11947 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11948 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11950 BPF_LD_MAP_FD(BPF_REG_1, 0),
11951 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11952 BPF_FUNC_map_lookup_elem),
11953 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11955 BPF_MOV64_IMM(BPF_REG_1, 1),
11956 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
11957 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
11960 .fixup_map1 = { 3 },
11962 .errstr = "misaligned value access off",
11963 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11966 "xadd/w check unaligned pkt",
11968 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11969 offsetof(struct xdp_md, data)),
11970 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11971 offsetof(struct xdp_md, data_end)),
11972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11974 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
11975 BPF_MOV64_IMM(BPF_REG_0, 99),
11976 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
11977 BPF_MOV64_IMM(BPF_REG_0, 1),
11978 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11979 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
11980 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
11981 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
11982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
11986 .errstr = "BPF_XADD stores into R2 packet",
11987 .prog_type = BPF_PROG_TYPE_XDP,
11990 "bpf_get_stack return R0 within range",
11992 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11993 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11996 BPF_LD_MAP_FD(BPF_REG_1, 0),
11997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11998 BPF_FUNC_map_lookup_elem),
11999 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12000 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12001 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12002 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12003 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12004 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12005 BPF_MOV64_IMM(BPF_REG_4, 256),
12006 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12007 BPF_MOV64_IMM(BPF_REG_1, 0),
12008 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12009 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12010 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12011 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12012 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12014 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12015 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12016 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12017 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12018 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12019 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12020 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12021 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12022 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12023 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12025 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12026 BPF_MOV64_IMM(BPF_REG_4, 0),
12027 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12030 .fixup_map2 = { 4 },
12032 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12035 "ld_abs: invalid op 1",
12037 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12038 BPF_LD_ABS(BPF_DW, 0),
12041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12043 .errstr = "unknown opcode",
12046 "ld_abs: invalid op 2",
12048 BPF_MOV32_IMM(BPF_REG_0, 256),
12049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12050 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12053 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12055 .errstr = "unknown opcode",
12058 "ld_abs: nmap reduced",
12060 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12061 BPF_LD_ABS(BPF_H, 12),
12062 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12063 BPF_LD_ABS(BPF_H, 12),
12064 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12065 BPF_MOV32_IMM(BPF_REG_0, 18),
12066 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12067 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12068 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12069 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12070 BPF_MOV32_IMM(BPF_REG_0, 280971478),
12071 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12072 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12073 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12074 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12075 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12076 BPF_LD_ABS(BPF_H, 12),
12077 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12078 BPF_MOV32_IMM(BPF_REG_0, 22),
12079 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12080 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12081 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12082 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12083 BPF_MOV32_IMM(BPF_REG_0, 17366),
12084 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12085 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12086 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12087 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12088 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12089 BPF_MOV32_IMM(BPF_REG_0, 256),
12091 BPF_MOV32_IMM(BPF_REG_0, 0),
12095 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12096 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12097 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12099 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12104 "ld_abs: div + abs, test 1",
12106 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12107 BPF_LD_ABS(BPF_B, 3),
12108 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12109 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12110 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12111 BPF_LD_ABS(BPF_B, 4),
12112 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12113 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12117 10, 20, 30, 40, 50,
12119 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12124 "ld_abs: div + abs, test 2",
12126 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12127 BPF_LD_ABS(BPF_B, 3),
12128 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12129 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12130 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12131 BPF_LD_ABS(BPF_B, 128),
12132 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12133 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12137 10, 20, 30, 40, 50,
12139 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12144 "ld_abs: div + abs, test 3",
12146 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12147 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12148 BPF_LD_ABS(BPF_B, 3),
12149 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12153 10, 20, 30, 40, 50,
12155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12160 "ld_abs: div + abs, test 4",
12162 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12163 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12164 BPF_LD_ABS(BPF_B, 256),
12165 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12169 10, 20, 30, 40, 50,
12171 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12176 "ld_abs: vlan + abs, test 1",
12181 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12182 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12187 "ld_abs: vlan + abs, test 2",
12189 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12190 BPF_LD_ABS(BPF_B, 0),
12191 BPF_LD_ABS(BPF_H, 0),
12192 BPF_LD_ABS(BPF_W, 0),
12193 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12194 BPF_MOV64_IMM(BPF_REG_6, 0),
12195 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12196 BPF_MOV64_IMM(BPF_REG_2, 1),
12197 BPF_MOV64_IMM(BPF_REG_3, 2),
12198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12199 BPF_FUNC_skb_vlan_push),
12200 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12201 BPF_LD_ABS(BPF_B, 0),
12202 BPF_LD_ABS(BPF_H, 0),
12203 BPF_LD_ABS(BPF_W, 0),
12204 BPF_MOV64_IMM(BPF_REG_0, 42),
12210 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12215 "ld_abs: jump around ld_abs",
12220 .fill_helper = bpf_fill_jump_around_ld_abs,
12221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12226 "ld_dw: xor semi-random 64 bit imms, test 1",
12229 .fill_helper = bpf_fill_rand_ld_dw,
12230 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12235 "ld_dw: xor semi-random 64 bit imms, test 2",
12238 .fill_helper = bpf_fill_rand_ld_dw,
12239 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12244 "ld_dw: xor semi-random 64 bit imms, test 3",
12247 .fill_helper = bpf_fill_rand_ld_dw,
12248 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12253 "ld_dw: xor semi-random 64 bit imms, test 4",
12256 .fill_helper = bpf_fill_rand_ld_dw,
12257 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12262 "pass unmodified ctx pointer to helper",
12264 BPF_MOV64_IMM(BPF_REG_2, 0),
12265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12266 BPF_FUNC_csum_update),
12267 BPF_MOV64_IMM(BPF_REG_0, 0),
12270 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12274 "pass modified ctx pointer to helper, 1",
12276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12277 BPF_MOV64_IMM(BPF_REG_2, 0),
12278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12279 BPF_FUNC_csum_update),
12280 BPF_MOV64_IMM(BPF_REG_0, 0),
12283 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12285 .errstr = "dereference of modified ctx ptr",
12288 "pass modified ctx pointer to helper, 2",
12290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12291 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12292 BPF_FUNC_get_socket_cookie),
12293 BPF_MOV64_IMM(BPF_REG_0, 0),
12296 .result_unpriv = REJECT,
12298 .errstr_unpriv = "dereference of modified ctx ptr",
12299 .errstr = "dereference of modified ctx ptr",
12302 "pass modified ctx pointer to helper, 3",
12304 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12305 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12306 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12307 BPF_MOV64_IMM(BPF_REG_2, 0),
12308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12309 BPF_FUNC_csum_update),
12310 BPF_MOV64_IMM(BPF_REG_0, 0),
12313 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12315 .errstr = "variable ctx access var_off=(0x0; 0x4)",
12319 static int probe_filter_length(const struct bpf_insn *fp)
12323 for (len = MAX_INSNS - 1; len > 0; --len)
12324 if (fp[len].code != 0 || fp[len].imm != 0)
12329 static int create_map(uint32_t type, uint32_t size_key,
12330 uint32_t size_value, uint32_t max_elem)
12334 fd = bpf_create_map(type, size_key, size_value, max_elem,
12335 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12337 printf("Failed to create hash map '%s'!\n", strerror(errno));
12342 static int create_prog_dummy1(void)
12344 struct bpf_insn prog[] = {
12345 BPF_MOV64_IMM(BPF_REG_0, 42),
12349 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12350 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12353 static int create_prog_dummy2(int mfd, int idx)
12355 struct bpf_insn prog[] = {
12356 BPF_MOV64_IMM(BPF_REG_3, idx),
12357 BPF_LD_MAP_FD(BPF_REG_2, mfd),
12358 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12359 BPF_FUNC_tail_call),
12360 BPF_MOV64_IMM(BPF_REG_0, 41),
12364 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12365 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12368 static int create_prog_array(uint32_t max_elem, int p1key)
12371 int mfd, p1fd, p2fd;
12373 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12374 sizeof(int), max_elem, 0);
12376 printf("Failed to create prog array '%s'!\n", strerror(errno));
12380 p1fd = create_prog_dummy1();
12381 p2fd = create_prog_dummy2(mfd, p2key);
12382 if (p1fd < 0 || p2fd < 0)
12384 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12386 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12399 static int create_map_in_map(void)
12401 int inner_map_fd, outer_map_fd;
12403 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12404 sizeof(int), 1, 0);
12405 if (inner_map_fd < 0) {
12406 printf("Failed to create array '%s'!\n", strerror(errno));
12407 return inner_map_fd;
12410 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12411 sizeof(int), inner_map_fd, 1, 0);
12412 if (outer_map_fd < 0)
12413 printf("Failed to create array of maps '%s'!\n",
12416 close(inner_map_fd);
12418 return outer_map_fd;
12421 static char bpf_vlog[UINT_MAX >> 8];
12423 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12426 int *fixup_map1 = test->fixup_map1;
12427 int *fixup_map2 = test->fixup_map2;
12428 int *fixup_map3 = test->fixup_map3;
12429 int *fixup_map4 = test->fixup_map4;
12430 int *fixup_prog1 = test->fixup_prog1;
12431 int *fixup_prog2 = test->fixup_prog2;
12432 int *fixup_map_in_map = test->fixup_map_in_map;
12434 if (test->fill_helper)
12435 test->fill_helper(test);
12437 /* Allocating HTs with 1 elem is fine here, since we only test
12438 * for verifier and not do a runtime lookup, so the only thing
12439 * that really matters is value size in this case.
12442 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12443 sizeof(long long), 1);
12445 prog[*fixup_map1].imm = map_fds[0];
12447 } while (*fixup_map1);
12451 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12452 sizeof(struct test_val), 1);
12454 prog[*fixup_map2].imm = map_fds[1];
12456 } while (*fixup_map2);
12460 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12461 sizeof(struct other_val), 1);
12463 prog[*fixup_map3].imm = map_fds[2];
12465 } while (*fixup_map3);
12469 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12470 sizeof(struct test_val), 1);
12472 prog[*fixup_map4].imm = map_fds[3];
12474 } while (*fixup_map4);
12477 if (*fixup_prog1) {
12478 map_fds[4] = create_prog_array(4, 0);
12480 prog[*fixup_prog1].imm = map_fds[4];
12482 } while (*fixup_prog1);
12485 if (*fixup_prog2) {
12486 map_fds[5] = create_prog_array(8, 7);
12488 prog[*fixup_prog2].imm = map_fds[5];
12490 } while (*fixup_prog2);
12493 if (*fixup_map_in_map) {
12494 map_fds[6] = create_map_in_map();
12496 prog[*fixup_map_in_map].imm = map_fds[6];
12497 fixup_map_in_map++;
12498 } while (*fixup_map_in_map);
12502 static void do_test_single(struct bpf_test *test, bool unpriv,
12503 int *passes, int *errors)
12505 int fd_prog, expected_ret, reject_from_alignment;
12506 int prog_len, prog_type = test->prog_type;
12507 struct bpf_insn *prog = test->insns;
12508 int map_fds[MAX_NR_MAPS];
12509 const char *expected_err;
12513 for (i = 0; i < MAX_NR_MAPS; i++)
12516 do_test_fixup(test, prog, map_fds);
12517 prog_len = probe_filter_length(prog);
12519 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12520 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12521 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12523 expected_ret = unpriv && test->result_unpriv != UNDEF ?
12524 test->result_unpriv : test->result;
12525 expected_err = unpriv && test->errstr_unpriv ?
12526 test->errstr_unpriv : test->errstr;
12528 reject_from_alignment = fd_prog < 0 &&
12529 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12530 strstr(bpf_vlog, "Unknown alignment.");
12531 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12532 if (reject_from_alignment) {
12533 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12538 if (expected_ret == ACCEPT) {
12539 if (fd_prog < 0 && !reject_from_alignment) {
12540 printf("FAIL\nFailed to load prog '%s'!\n",
12545 if (fd_prog >= 0) {
12546 printf("FAIL\nUnexpected success to load!\n");
12549 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12550 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12551 expected_err, bpf_vlog);
12556 if (fd_prog >= 0) {
12557 err = bpf_prog_test_run(fd_prog, 1, test->data,
12558 sizeof(test->data), NULL, NULL,
12560 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12561 printf("Unexpected bpf_prog_test_run error\n");
12564 if (!err && retval != test->retval &&
12565 test->retval != POINTER_VALUE) {
12566 printf("FAIL retval %d != %d\n", retval, test->retval);
12571 printf("OK%s\n", reject_from_alignment ?
12572 " (NOTE: reject due to unknown alignment)" : "");
12575 for (i = 0; i < MAX_NR_MAPS; i++)
12581 printf("%s", bpf_vlog);
12585 static bool is_admin(void)
12588 cap_flag_value_t sysadmin = CAP_CLEAR;
12589 const cap_value_t cap_val = CAP_SYS_ADMIN;
12591 #ifdef CAP_IS_SUPPORTED
12592 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12593 perror("cap_get_flag");
12597 caps = cap_get_proc();
12599 perror("cap_get_proc");
12602 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12603 perror("cap_get_flag");
12604 if (cap_free(caps))
12605 perror("cap_free");
12606 return (sysadmin == CAP_SET);
12609 static int set_admin(bool admin)
12612 const cap_value_t cap_val = CAP_SYS_ADMIN;
12615 caps = cap_get_proc();
12617 perror("cap_get_proc");
12620 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12621 admin ? CAP_SET : CAP_CLEAR)) {
12622 perror("cap_set_flag");
12625 if (cap_set_proc(caps)) {
12626 perror("cap_set_proc");
12631 if (cap_free(caps))
12632 perror("cap_free");
12636 static void get_unpriv_disabled()
12641 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12643 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12644 unpriv_disabled = true;
12647 if (fgets(buf, 2, fd) == buf && atoi(buf))
12648 unpriv_disabled = true;
12652 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12654 int i, passes = 0, errors = 0, skips = 0;
12656 for (i = from; i < to; i++) {
12657 struct bpf_test *test = &tests[i];
12659 /* Program types that are not supported by non-root we
12662 if (!test->prog_type && unpriv_disabled) {
12663 printf("#%d/u %s SKIP\n", i, test->descr);
12665 } else if (!test->prog_type) {
12668 printf("#%d/u %s ", i, test->descr);
12669 do_test_single(test, true, &passes, &errors);
12675 printf("#%d/p %s SKIP\n", i, test->descr);
12678 printf("#%d/p %s ", i, test->descr);
12679 do_test_single(test, false, &passes, &errors);
12683 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12685 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12688 int main(int argc, char **argv)
12690 unsigned int from = 0, to = ARRAY_SIZE(tests);
12691 bool unpriv = !is_admin();
12694 unsigned int l = atoi(argv[argc - 2]);
12695 unsigned int u = atoi(argv[argc - 1]);
12697 if (l < to && u < to) {
12701 } else if (argc == 2) {
12702 unsigned int t = atoi(argv[argc - 1]);
12710 get_unpriv_disabled();
12711 if (unpriv && unpriv_disabled) {
12712 printf("Cannot run as unprivileged user with sysctl %s.\n",
12714 return EXIT_FAILURE;
12717 bpf_semi_rand_init();
12718 return do_test(unpriv, from, to);
git.samba.org / sfrench / cifs-2.6.git / blob