2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
44 #include "../../../include/linux/filter.h"
47 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
53 #define POINTER_VALUE 0xcafe4all
54 #define TEST_DATA_LEN 64
56 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
57 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
59 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
60 static bool unpriv_disabled = false;
64 struct bpf_insn insns[MAX_INSNS];
65 int fixup_map1[MAX_FIXUPS];
66 int fixup_map2[MAX_FIXUPS];
67 int fixup_prog[MAX_FIXUPS];
68 int fixup_map_in_map[MAX_FIXUPS];
70 const char *errstr_unpriv;
76 } result, result_unpriv;
77 enum bpf_prog_type prog_type;
81 /* Note we want this to be 64 bit aligned so that the end of our array is
82 * actually the end of the structure.
84 #define MAX_ENTRIES 11
91 static struct bpf_test tests[] = {
95 BPF_MOV64_IMM(BPF_REG_1, 1),
96 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
97 BPF_MOV64_IMM(BPF_REG_2, 3),
98 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
99 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
100 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
101 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
108 "DIV32 by 0, zero check 1",
110 BPF_MOV32_IMM(BPF_REG_0, 42),
111 BPF_MOV32_IMM(BPF_REG_1, 0),
112 BPF_MOV32_IMM(BPF_REG_2, 1),
113 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
120 "DIV32 by 0, zero check 2",
122 BPF_MOV32_IMM(BPF_REG_0, 42),
123 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
124 BPF_MOV32_IMM(BPF_REG_2, 1),
125 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
132 "DIV64 by 0, zero check",
134 BPF_MOV32_IMM(BPF_REG_0, 42),
135 BPF_MOV32_IMM(BPF_REG_1, 0),
136 BPF_MOV32_IMM(BPF_REG_2, 1),
137 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
144 "MOD32 by 0, zero check 1",
146 BPF_MOV32_IMM(BPF_REG_0, 42),
147 BPF_MOV32_IMM(BPF_REG_1, 0),
148 BPF_MOV32_IMM(BPF_REG_2, 1),
149 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
156 "MOD32 by 0, zero check 2",
158 BPF_MOV32_IMM(BPF_REG_0, 42),
159 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
160 BPF_MOV32_IMM(BPF_REG_2, 1),
161 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
168 "MOD64 by 0, zero check",
170 BPF_MOV32_IMM(BPF_REG_0, 42),
171 BPF_MOV32_IMM(BPF_REG_1, 0),
172 BPF_MOV32_IMM(BPF_REG_2, 1),
173 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
180 "DIV32 by 0, zero check ok, cls",
182 BPF_MOV32_IMM(BPF_REG_0, 42),
183 BPF_MOV32_IMM(BPF_REG_1, 2),
184 BPF_MOV32_IMM(BPF_REG_2, 16),
185 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
186 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
189 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
194 "DIV32 by 0, zero check 1, cls",
196 BPF_MOV32_IMM(BPF_REG_1, 0),
197 BPF_MOV32_IMM(BPF_REG_0, 1),
198 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
201 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
206 "DIV32 by 0, zero check 2, cls",
208 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
209 BPF_MOV32_IMM(BPF_REG_0, 1),
210 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
213 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
218 "DIV64 by 0, zero check, cls",
220 BPF_MOV32_IMM(BPF_REG_1, 0),
221 BPF_MOV32_IMM(BPF_REG_0, 1),
222 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
230 "MOD32 by 0, zero check ok, cls",
232 BPF_MOV32_IMM(BPF_REG_0, 42),
233 BPF_MOV32_IMM(BPF_REG_1, 3),
234 BPF_MOV32_IMM(BPF_REG_2, 5),
235 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
236 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
239 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
244 "MOD32 by 0, zero check 1, cls",
246 BPF_MOV32_IMM(BPF_REG_1, 0),
247 BPF_MOV32_IMM(BPF_REG_0, 1),
248 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
251 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
256 "MOD32 by 0, zero check 2, cls",
258 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
259 BPF_MOV32_IMM(BPF_REG_0, 1),
260 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
263 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
268 "MOD64 by 0, zero check 1, cls",
270 BPF_MOV32_IMM(BPF_REG_1, 0),
271 BPF_MOV32_IMM(BPF_REG_0, 2),
272 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
275 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
280 "MOD64 by 0, zero check 2, cls",
282 BPF_MOV32_IMM(BPF_REG_1, 0),
283 BPF_MOV32_IMM(BPF_REG_0, -1),
284 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
287 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
291 /* Just make sure that JITs used udiv/umod as otherwise we get
292 * an exception from INT_MIN/-1 overflow similarly as with div
296 "DIV32 overflow, check 1",
298 BPF_MOV32_IMM(BPF_REG_1, -1),
299 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
300 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
308 "DIV32 overflow, check 2",
310 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
311 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "DIV64 overflow, check 1",
321 BPF_MOV64_IMM(BPF_REG_1, -1),
322 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
323 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
331 "DIV64 overflow, check 2",
333 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
334 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
342 "MOD32 overflow, check 1",
344 BPF_MOV32_IMM(BPF_REG_1, -1),
345 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
346 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
354 "MOD32 overflow, check 2",
356 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
357 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
360 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 "MOD64 overflow, check 1",
367 BPF_MOV64_IMM(BPF_REG_1, -1),
368 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
369 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
370 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
371 BPF_MOV32_IMM(BPF_REG_0, 0),
372 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
373 BPF_MOV32_IMM(BPF_REG_0, 1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
381 "MOD64 overflow, check 2",
383 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
384 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
385 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
386 BPF_MOV32_IMM(BPF_REG_0, 0),
387 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
388 BPF_MOV32_IMM(BPF_REG_0, 1),
391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
396 "xor32 zero extend check",
398 BPF_MOV32_IMM(BPF_REG_2, -1),
399 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
400 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
401 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
402 BPF_MOV32_IMM(BPF_REG_0, 2),
403 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
404 BPF_MOV32_IMM(BPF_REG_0, 1),
407 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
415 .errstr = "unknown opcode 00",
423 .errstr = "R0 !read_ok",
432 .errstr = "unreachable",
438 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
439 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
442 .errstr = "unreachable",
448 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
451 .errstr = "jump out of range",
455 "out of range jump2",
457 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
460 .errstr = "jump out of range",
466 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
467 BPF_LD_IMM64(BPF_REG_0, 0),
468 BPF_LD_IMM64(BPF_REG_0, 0),
469 BPF_LD_IMM64(BPF_REG_0, 1),
470 BPF_LD_IMM64(BPF_REG_0, 1),
471 BPF_MOV64_IMM(BPF_REG_0, 2),
474 .errstr = "invalid BPF_LD_IMM insn",
475 .errstr_unpriv = "R1 pointer comparison",
481 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
482 BPF_LD_IMM64(BPF_REG_0, 0),
483 BPF_LD_IMM64(BPF_REG_0, 0),
484 BPF_LD_IMM64(BPF_REG_0, 1),
485 BPF_LD_IMM64(BPF_REG_0, 1),
488 .errstr = "invalid BPF_LD_IMM insn",
489 .errstr_unpriv = "R1 pointer comparison",
495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
496 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
497 BPF_LD_IMM64(BPF_REG_0, 0),
498 BPF_LD_IMM64(BPF_REG_0, 0),
499 BPF_LD_IMM64(BPF_REG_0, 1),
500 BPF_LD_IMM64(BPF_REG_0, 1),
503 .errstr = "invalid bpf_ld_imm64 insn",
509 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
512 .errstr = "invalid bpf_ld_imm64 insn",
518 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
520 .errstr = "invalid bpf_ld_imm64 insn",
526 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
527 BPF_RAW_INSN(0, 0, 0, 0, 0),
535 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
536 BPF_RAW_INSN(0, 0, 0, 0, 1),
545 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
546 BPF_RAW_INSN(0, 0, 0, 0, 1),
549 .errstr = "uses reserved fields",
555 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
556 BPF_RAW_INSN(0, 0, 0, 1, 1),
559 .errstr = "invalid bpf_ld_imm64 insn",
565 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
566 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
569 .errstr = "invalid bpf_ld_imm64 insn",
575 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
576 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
579 .errstr = "invalid bpf_ld_imm64 insn",
585 BPF_MOV64_IMM(BPF_REG_1, 0),
586 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
587 BPF_RAW_INSN(0, 0, 0, 0, 1),
590 .errstr = "not pointing to valid bpf_map",
596 BPF_MOV64_IMM(BPF_REG_1, 0),
597 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
598 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
601 .errstr = "invalid bpf_ld_imm64 insn",
607 BPF_MOV64_IMM(BPF_REG_0, 1),
608 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
612 .errstr = "unknown opcode c4",
617 BPF_MOV64_IMM(BPF_REG_0, 1),
618 BPF_MOV64_IMM(BPF_REG_1, 5),
619 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
623 .errstr = "unknown opcode cc",
628 BPF_MOV64_IMM(BPF_REG_0, 1),
629 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
637 BPF_MOV64_IMM(BPF_REG_0, 1),
638 BPF_MOV64_IMM(BPF_REG_1, 5),
639 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
647 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
649 .errstr = "not an exit",
655 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
658 .errstr = "back-edge",
664 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
665 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
666 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
667 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
670 .errstr = "back-edge",
676 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
678 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
682 .errstr = "back-edge",
686 "read uninitialized register",
688 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
691 .errstr = "R2 !read_ok",
695 "read invalid register",
697 BPF_MOV64_REG(BPF_REG_0, -1),
700 .errstr = "R15 is invalid",
704 "program doesn't init R0 before exit",
706 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
709 .errstr = "R0 !read_ok",
713 "program doesn't init R0 before exit in all branches",
715 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
716 BPF_MOV64_IMM(BPF_REG_0, 1),
717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
720 .errstr = "R0 !read_ok",
721 .errstr_unpriv = "R1 pointer comparison",
725 "stack out of bounds",
727 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
730 .errstr = "invalid stack",
734 "invalid call insn1",
736 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
739 .errstr = "unknown opcode 8d",
743 "invalid call insn2",
745 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
748 .errstr = "BPF_CALL uses reserved",
752 "invalid function call",
754 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
757 .errstr = "invalid func unknown#1234567",
761 "uninitialized stack1",
763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
765 BPF_LD_MAP_FD(BPF_REG_1, 0),
766 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
767 BPF_FUNC_map_lookup_elem),
771 .errstr = "invalid indirect read from stack",
775 "uninitialized stack2",
777 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
778 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
781 .errstr = "invalid read from stack",
785 "invalid fp arithmetic",
786 /* If this gets ever changed, make sure JITs can deal with it. */
788 BPF_MOV64_IMM(BPF_REG_0, 0),
789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
790 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
791 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
794 .errstr = "R1 subtraction from stack pointer",
798 "non-invalid fp arithmetic",
800 BPF_MOV64_IMM(BPF_REG_0, 0),
801 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
807 "invalid argument register",
809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
810 BPF_FUNC_get_cgroup_classid),
811 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
812 BPF_FUNC_get_cgroup_classid),
815 .errstr = "R1 !read_ok",
817 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
820 "non-invalid argument register",
822 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
824 BPF_FUNC_get_cgroup_classid),
825 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
826 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
827 BPF_FUNC_get_cgroup_classid),
831 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
834 "check valid spill/fill",
836 /* spill R1(ctx) into stack */
837 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
838 /* fill it back into R2 */
839 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
840 /* should be able to access R0 = *(R2 + 8) */
841 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
845 .errstr_unpriv = "R0 leaks addr",
847 .result_unpriv = REJECT,
848 .retval = POINTER_VALUE,
851 "check valid spill/fill, skb mark",
853 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
854 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
855 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
856 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
857 offsetof(struct __sk_buff, mark)),
861 .result_unpriv = ACCEPT,
864 "check corrupted spill/fill",
866 /* spill R1(ctx) into stack */
867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
868 /* mess up with R1 pointer on stack */
869 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
870 /* fill back into R0 should fail */
871 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
874 .errstr_unpriv = "attempt to corrupt spilled",
875 .errstr = "corrupted spill",
879 "invalid src register in STX",
881 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
884 .errstr = "R15 is invalid",
888 "invalid dst register in STX",
890 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
893 .errstr = "R14 is invalid",
897 "invalid dst register in ST",
899 BPF_ST_MEM(BPF_B, 14, -1, -1),
902 .errstr = "R14 is invalid",
906 "invalid src register in LDX",
908 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
911 .errstr = "R12 is invalid",
915 "invalid dst register in LDX",
917 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
920 .errstr = "R11 is invalid",
926 BPF_RAW_INSN(0, 0, 0, 0, 0),
929 .errstr = "unknown opcode 00",
935 BPF_RAW_INSN(1, 0, 0, 0, 0),
938 .errstr = "BPF_LDX uses reserved fields",
944 BPF_RAW_INSN(-1, 0, 0, 0, 0),
947 .errstr = "unknown opcode ff",
953 BPF_RAW_INSN(-1, -1, -1, -1, -1),
956 .errstr = "unknown opcode ff",
962 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
965 .errstr = "BPF_ALU uses reserved fields",
969 "misaligned read from stack",
971 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
972 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
975 .errstr = "misaligned stack access",
979 "invalid map_fd for function call",
981 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
982 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
984 BPF_LD_MAP_FD(BPF_REG_1, 0),
985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
986 BPF_FUNC_map_delete_elem),
989 .errstr = "fd 0 is not pointing to valid bpf_map",
993 "don't check return value before access",
995 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
996 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
998 BPF_LD_MAP_FD(BPF_REG_1, 0),
999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1000 BPF_FUNC_map_lookup_elem),
1001 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1004 .fixup_map1 = { 3 },
1005 .errstr = "R0 invalid mem access 'map_value_or_null'",
1009 "access memory with incorrect alignment",
1011 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1014 BPF_LD_MAP_FD(BPF_REG_1, 0),
1015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1016 BPF_FUNC_map_lookup_elem),
1017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1018 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1021 .fixup_map1 = { 3 },
1022 .errstr = "misaligned value access",
1024 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1027 "sometimes access memory with incorrect alignment",
1029 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1032 BPF_LD_MAP_FD(BPF_REG_1, 0),
1033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1034 BPF_FUNC_map_lookup_elem),
1035 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1036 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1038 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1041 .fixup_map1 = { 3 },
1042 .errstr = "R0 invalid mem access",
1043 .errstr_unpriv = "R0 leaks addr",
1045 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1051 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1052 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1053 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1054 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1055 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1056 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1057 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1058 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1059 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1060 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1061 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1063 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1064 BPF_MOV64_IMM(BPF_REG_0, 0),
1067 .errstr_unpriv = "R1 pointer comparison",
1068 .result_unpriv = REJECT,
1074 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1075 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1076 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1077 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1078 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1079 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1080 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1081 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1082 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1083 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1084 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1085 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1086 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1087 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1088 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1089 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1090 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1091 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1092 BPF_MOV64_IMM(BPF_REG_0, 0),
1095 .errstr_unpriv = "R1 pointer comparison",
1096 .result_unpriv = REJECT,
1102 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1103 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1104 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1106 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1108 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1110 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1111 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1112 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1114 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1116 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1118 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1119 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1120 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1122 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1123 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1124 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1126 BPF_LD_MAP_FD(BPF_REG_1, 0),
1127 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1128 BPF_FUNC_map_delete_elem),
1131 .fixup_map1 = { 24 },
1132 .errstr_unpriv = "R1 pointer comparison",
1133 .result_unpriv = REJECT,
1140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1144 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1146 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1154 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1155 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1157 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1158 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1159 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1160 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1162 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1171 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1178 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1180 BPF_MOV64_IMM(BPF_REG_0, 0),
1183 .errstr_unpriv = "R1 pointer comparison",
1184 .result_unpriv = REJECT,
1190 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1191 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1192 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1193 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1194 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1195 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1196 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1197 BPF_MOV64_IMM(BPF_REG_0, 0),
1198 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1199 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1200 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1201 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1202 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1203 BPF_MOV64_IMM(BPF_REG_0, 0),
1204 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1205 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1206 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1207 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1208 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1209 BPF_MOV64_IMM(BPF_REG_0, 0),
1210 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1211 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1212 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1213 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1214 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1215 BPF_MOV64_IMM(BPF_REG_0, 0),
1216 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1217 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1218 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1219 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1220 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1221 BPF_MOV64_IMM(BPF_REG_0, 0),
1224 .errstr_unpriv = "R1 pointer comparison",
1225 .result_unpriv = REJECT,
1229 "access skb fields ok",
1231 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1232 offsetof(struct __sk_buff, len)),
1233 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1234 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1235 offsetof(struct __sk_buff, mark)),
1236 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1237 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1238 offsetof(struct __sk_buff, pkt_type)),
1239 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1240 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1241 offsetof(struct __sk_buff, queue_mapping)),
1242 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1243 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1244 offsetof(struct __sk_buff, protocol)),
1245 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1246 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1247 offsetof(struct __sk_buff, vlan_present)),
1248 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1249 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1250 offsetof(struct __sk_buff, vlan_tci)),
1251 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1252 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1253 offsetof(struct __sk_buff, napi_id)),
1254 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1260 "access skb fields bad1",
1262 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1265 .errstr = "invalid bpf_context access",
1269 "access skb fields bad2",
1271 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1272 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1275 BPF_LD_MAP_FD(BPF_REG_1, 0),
1276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1277 BPF_FUNC_map_lookup_elem),
1278 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1281 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1282 offsetof(struct __sk_buff, pkt_type)),
1285 .fixup_map1 = { 4 },
1286 .errstr = "different pointers",
1287 .errstr_unpriv = "R1 pointer comparison",
1291 "access skb fields bad3",
1293 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1295 offsetof(struct __sk_buff, pkt_type)),
1297 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1298 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1300 BPF_LD_MAP_FD(BPF_REG_1, 0),
1301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1302 BPF_FUNC_map_lookup_elem),
1303 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1306 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1308 .fixup_map1 = { 6 },
1309 .errstr = "different pointers",
1310 .errstr_unpriv = "R1 pointer comparison",
1314 "access skb fields bad4",
1316 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1317 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1318 offsetof(struct __sk_buff, len)),
1319 BPF_MOV64_IMM(BPF_REG_0, 0),
1321 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1324 BPF_LD_MAP_FD(BPF_REG_1, 0),
1325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1326 BPF_FUNC_map_lookup_elem),
1327 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1330 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1332 .fixup_map1 = { 7 },
1333 .errstr = "different pointers",
1334 .errstr_unpriv = "R1 pointer comparison",
1338 "invalid access __sk_buff family",
1340 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1341 offsetof(struct __sk_buff, family)),
1344 .errstr = "invalid bpf_context access",
1348 "invalid access __sk_buff remote_ip4",
1350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, remote_ip4)),
1354 .errstr = "invalid bpf_context access",
1358 "invalid access __sk_buff local_ip4",
1360 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1361 offsetof(struct __sk_buff, local_ip4)),
1364 .errstr = "invalid bpf_context access",
1368 "invalid access __sk_buff remote_ip6",
1370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, remote_ip6)),
1374 .errstr = "invalid bpf_context access",
1378 "invalid access __sk_buff local_ip6",
1380 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1381 offsetof(struct __sk_buff, local_ip6)),
1384 .errstr = "invalid bpf_context access",
1388 "invalid access __sk_buff remote_port",
1390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1391 offsetof(struct __sk_buff, remote_port)),
1394 .errstr = "invalid bpf_context access",
1398 "invalid access __sk_buff remote_port",
1400 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1401 offsetof(struct __sk_buff, local_port)),
1404 .errstr = "invalid bpf_context access",
1408 "valid access __sk_buff family",
1410 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1411 offsetof(struct __sk_buff, family)),
1415 .prog_type = BPF_PROG_TYPE_SK_SKB,
1418 "valid access __sk_buff remote_ip4",
1420 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1421 offsetof(struct __sk_buff, remote_ip4)),
1425 .prog_type = BPF_PROG_TYPE_SK_SKB,
1428 "valid access __sk_buff local_ip4",
1430 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1431 offsetof(struct __sk_buff, local_ip4)),
1435 .prog_type = BPF_PROG_TYPE_SK_SKB,
1438 "valid access __sk_buff remote_ip6",
1440 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1441 offsetof(struct __sk_buff, remote_ip6[0])),
1442 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1443 offsetof(struct __sk_buff, remote_ip6[1])),
1444 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1445 offsetof(struct __sk_buff, remote_ip6[2])),
1446 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1447 offsetof(struct __sk_buff, remote_ip6[3])),
1451 .prog_type = BPF_PROG_TYPE_SK_SKB,
1454 "valid access __sk_buff local_ip6",
1456 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1457 offsetof(struct __sk_buff, local_ip6[0])),
1458 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1459 offsetof(struct __sk_buff, local_ip6[1])),
1460 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1461 offsetof(struct __sk_buff, local_ip6[2])),
1462 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1463 offsetof(struct __sk_buff, local_ip6[3])),
1467 .prog_type = BPF_PROG_TYPE_SK_SKB,
1470 "valid access __sk_buff remote_port",
1472 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1473 offsetof(struct __sk_buff, remote_port)),
1477 .prog_type = BPF_PROG_TYPE_SK_SKB,
1480 "valid access __sk_buff remote_port",
1482 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1483 offsetof(struct __sk_buff, local_port)),
1487 .prog_type = BPF_PROG_TYPE_SK_SKB,
1490 "invalid access of tc_classid for SK_SKB",
1492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1493 offsetof(struct __sk_buff, tc_classid)),
1497 .prog_type = BPF_PROG_TYPE_SK_SKB,
1498 .errstr = "invalid bpf_context access",
1501 "invalid access of skb->mark for SK_SKB",
1503 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, mark)),
1508 .prog_type = BPF_PROG_TYPE_SK_SKB,
1509 .errstr = "invalid bpf_context access",
1512 "check skb->mark is not writeable by SK_SKB",
1514 BPF_MOV64_IMM(BPF_REG_0, 0),
1515 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1516 offsetof(struct __sk_buff, mark)),
1520 .prog_type = BPF_PROG_TYPE_SK_SKB,
1521 .errstr = "invalid bpf_context access",
1524 "check skb->tc_index is writeable by SK_SKB",
1526 BPF_MOV64_IMM(BPF_REG_0, 0),
1527 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1528 offsetof(struct __sk_buff, tc_index)),
1532 .prog_type = BPF_PROG_TYPE_SK_SKB,
1535 "check skb->priority is writeable by SK_SKB",
1537 BPF_MOV64_IMM(BPF_REG_0, 0),
1538 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1539 offsetof(struct __sk_buff, priority)),
1543 .prog_type = BPF_PROG_TYPE_SK_SKB,
1546 "direct packet read for SK_SKB",
1548 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1549 offsetof(struct __sk_buff, data)),
1550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1551 offsetof(struct __sk_buff, data_end)),
1552 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1554 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1555 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1556 BPF_MOV64_IMM(BPF_REG_0, 0),
1560 .prog_type = BPF_PROG_TYPE_SK_SKB,
1563 "direct packet write for SK_SKB",
1565 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1566 offsetof(struct __sk_buff, data)),
1567 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1568 offsetof(struct __sk_buff, data_end)),
1569 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1571 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1572 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1573 BPF_MOV64_IMM(BPF_REG_0, 0),
1577 .prog_type = BPF_PROG_TYPE_SK_SKB,
1580 "overlapping checks for direct packet access SK_SKB",
1582 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1583 offsetof(struct __sk_buff, data)),
1584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1585 offsetof(struct __sk_buff, data_end)),
1586 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1588 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1592 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1593 BPF_MOV64_IMM(BPF_REG_0, 0),
1597 .prog_type = BPF_PROG_TYPE_SK_SKB,
1600 "direct packet read for SK_MSG",
1602 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1603 offsetof(struct sk_msg_md, data)),
1604 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1605 offsetof(struct sk_msg_md, data_end)),
1606 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1608 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1609 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1610 BPF_MOV64_IMM(BPF_REG_0, 0),
1614 .prog_type = BPF_PROG_TYPE_SK_MSG,
1617 "direct packet write for SK_MSG",
1619 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1620 offsetof(struct sk_msg_md, data)),
1621 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1622 offsetof(struct sk_msg_md, data_end)),
1623 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1625 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1626 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1627 BPF_MOV64_IMM(BPF_REG_0, 0),
1631 .prog_type = BPF_PROG_TYPE_SK_MSG,
1634 "overlapping checks for direct packet access SK_MSG",
1636 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1637 offsetof(struct sk_msg_md, data)),
1638 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1639 offsetof(struct sk_msg_md, data_end)),
1640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1642 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1643 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1645 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1646 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1647 BPF_MOV64_IMM(BPF_REG_0, 0),
1651 .prog_type = BPF_PROG_TYPE_SK_MSG,
1654 "check skb->mark is not writeable by sockets",
1656 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1657 offsetof(struct __sk_buff, mark)),
1660 .errstr = "invalid bpf_context access",
1661 .errstr_unpriv = "R1 leaks addr",
1665 "check skb->tc_index is not writeable by sockets",
1667 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1668 offsetof(struct __sk_buff, tc_index)),
1671 .errstr = "invalid bpf_context access",
1672 .errstr_unpriv = "R1 leaks addr",
1676 "check cb access: byte",
1678 BPF_MOV64_IMM(BPF_REG_0, 0),
1679 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1680 offsetof(struct __sk_buff, cb[0])),
1681 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1682 offsetof(struct __sk_buff, cb[0]) + 1),
1683 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1684 offsetof(struct __sk_buff, cb[0]) + 2),
1685 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1686 offsetof(struct __sk_buff, cb[0]) + 3),
1687 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1688 offsetof(struct __sk_buff, cb[1])),
1689 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1690 offsetof(struct __sk_buff, cb[1]) + 1),
1691 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1692 offsetof(struct __sk_buff, cb[1]) + 2),
1693 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1694 offsetof(struct __sk_buff, cb[1]) + 3),
1695 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1696 offsetof(struct __sk_buff, cb[2])),
1697 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1698 offsetof(struct __sk_buff, cb[2]) + 1),
1699 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1700 offsetof(struct __sk_buff, cb[2]) + 2),
1701 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1702 offsetof(struct __sk_buff, cb[2]) + 3),
1703 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1704 offsetof(struct __sk_buff, cb[3])),
1705 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1706 offsetof(struct __sk_buff, cb[3]) + 1),
1707 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1708 offsetof(struct __sk_buff, cb[3]) + 2),
1709 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1710 offsetof(struct __sk_buff, cb[3]) + 3),
1711 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1712 offsetof(struct __sk_buff, cb[4])),
1713 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1714 offsetof(struct __sk_buff, cb[4]) + 1),
1715 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1716 offsetof(struct __sk_buff, cb[4]) + 2),
1717 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1718 offsetof(struct __sk_buff, cb[4]) + 3),
1719 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1720 offsetof(struct __sk_buff, cb[0])),
1721 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1722 offsetof(struct __sk_buff, cb[0]) + 1),
1723 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1724 offsetof(struct __sk_buff, cb[0]) + 2),
1725 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1726 offsetof(struct __sk_buff, cb[0]) + 3),
1727 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1728 offsetof(struct __sk_buff, cb[1])),
1729 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1730 offsetof(struct __sk_buff, cb[1]) + 1),
1731 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1732 offsetof(struct __sk_buff, cb[1]) + 2),
1733 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1734 offsetof(struct __sk_buff, cb[1]) + 3),
1735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1736 offsetof(struct __sk_buff, cb[2])),
1737 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1738 offsetof(struct __sk_buff, cb[2]) + 1),
1739 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1740 offsetof(struct __sk_buff, cb[2]) + 2),
1741 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1742 offsetof(struct __sk_buff, cb[2]) + 3),
1743 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct __sk_buff, cb[3])),
1745 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct __sk_buff, cb[3]) + 1),
1747 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1748 offsetof(struct __sk_buff, cb[3]) + 2),
1749 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1750 offsetof(struct __sk_buff, cb[3]) + 3),
1751 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1752 offsetof(struct __sk_buff, cb[4])),
1753 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1754 offsetof(struct __sk_buff, cb[4]) + 1),
1755 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1756 offsetof(struct __sk_buff, cb[4]) + 2),
1757 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1758 offsetof(struct __sk_buff, cb[4]) + 3),
1764 "__sk_buff->hash, offset 0, byte store not permitted",
1766 BPF_MOV64_IMM(BPF_REG_0, 0),
1767 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1768 offsetof(struct __sk_buff, hash)),
1771 .errstr = "invalid bpf_context access",
1775 "__sk_buff->tc_index, offset 3, byte store not permitted",
1777 BPF_MOV64_IMM(BPF_REG_0, 0),
1778 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1779 offsetof(struct __sk_buff, tc_index) + 3),
1782 .errstr = "invalid bpf_context access",
1786 "check skb->hash byte load permitted",
1788 BPF_MOV64_IMM(BPF_REG_0, 0),
1789 #if __BYTE_ORDER == __LITTLE_ENDIAN
1790 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1791 offsetof(struct __sk_buff, hash)),
1793 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1794 offsetof(struct __sk_buff, hash) + 3),
1801 "check skb->hash byte load not permitted 1",
1803 BPF_MOV64_IMM(BPF_REG_0, 0),
1804 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1805 offsetof(struct __sk_buff, hash) + 1),
1808 .errstr = "invalid bpf_context access",
1812 "check skb->hash byte load not permitted 2",
1814 BPF_MOV64_IMM(BPF_REG_0, 0),
1815 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1816 offsetof(struct __sk_buff, hash) + 2),
1819 .errstr = "invalid bpf_context access",
1823 "check skb->hash byte load not permitted 3",
1825 BPF_MOV64_IMM(BPF_REG_0, 0),
1826 #if __BYTE_ORDER == __LITTLE_ENDIAN
1827 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1828 offsetof(struct __sk_buff, hash) + 3),
1830 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1831 offsetof(struct __sk_buff, hash)),
1835 .errstr = "invalid bpf_context access",
1839 "check cb access: byte, wrong type",
1841 BPF_MOV64_IMM(BPF_REG_0, 0),
1842 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1843 offsetof(struct __sk_buff, cb[0])),
1846 .errstr = "invalid bpf_context access",
1848 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1851 "check cb access: half",
1853 BPF_MOV64_IMM(BPF_REG_0, 0),
1854 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1855 offsetof(struct __sk_buff, cb[0])),
1856 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1857 offsetof(struct __sk_buff, cb[0]) + 2),
1858 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1859 offsetof(struct __sk_buff, cb[1])),
1860 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1861 offsetof(struct __sk_buff, cb[1]) + 2),
1862 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1863 offsetof(struct __sk_buff, cb[2])),
1864 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1865 offsetof(struct __sk_buff, cb[2]) + 2),
1866 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1867 offsetof(struct __sk_buff, cb[3])),
1868 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1869 offsetof(struct __sk_buff, cb[3]) + 2),
1870 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1871 offsetof(struct __sk_buff, cb[4])),
1872 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1873 offsetof(struct __sk_buff, cb[4]) + 2),
1874 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1875 offsetof(struct __sk_buff, cb[0])),
1876 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1877 offsetof(struct __sk_buff, cb[0]) + 2),
1878 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1879 offsetof(struct __sk_buff, cb[1])),
1880 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1881 offsetof(struct __sk_buff, cb[1]) + 2),
1882 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1883 offsetof(struct __sk_buff, cb[2])),
1884 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1885 offsetof(struct __sk_buff, cb[2]) + 2),
1886 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1887 offsetof(struct __sk_buff, cb[3])),
1888 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1889 offsetof(struct __sk_buff, cb[3]) + 2),
1890 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1891 offsetof(struct __sk_buff, cb[4])),
1892 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1893 offsetof(struct __sk_buff, cb[4]) + 2),
1899 "check cb access: half, unaligned",
1901 BPF_MOV64_IMM(BPF_REG_0, 0),
1902 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1903 offsetof(struct __sk_buff, cb[0]) + 1),
1906 .errstr = "misaligned context access",
1908 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1911 "check __sk_buff->hash, offset 0, half store not permitted",
1913 BPF_MOV64_IMM(BPF_REG_0, 0),
1914 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1915 offsetof(struct __sk_buff, hash)),
1918 .errstr = "invalid bpf_context access",
1922 "check __sk_buff->tc_index, offset 2, half store not permitted",
1924 BPF_MOV64_IMM(BPF_REG_0, 0),
1925 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1926 offsetof(struct __sk_buff, tc_index) + 2),
1929 .errstr = "invalid bpf_context access",
1933 "check skb->hash half load permitted",
1935 BPF_MOV64_IMM(BPF_REG_0, 0),
1936 #if __BYTE_ORDER == __LITTLE_ENDIAN
1937 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1938 offsetof(struct __sk_buff, hash)),
1940 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1941 offsetof(struct __sk_buff, hash) + 2),
1948 "check skb->hash half load not permitted",
1950 BPF_MOV64_IMM(BPF_REG_0, 0),
1951 #if __BYTE_ORDER == __LITTLE_ENDIAN
1952 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1953 offsetof(struct __sk_buff, hash) + 2),
1955 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, hash)),
1960 .errstr = "invalid bpf_context access",
1964 "check cb access: half, wrong type",
1966 BPF_MOV64_IMM(BPF_REG_0, 0),
1967 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1968 offsetof(struct __sk_buff, cb[0])),
1971 .errstr = "invalid bpf_context access",
1973 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1976 "check cb access: word",
1978 BPF_MOV64_IMM(BPF_REG_0, 0),
1979 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1980 offsetof(struct __sk_buff, cb[0])),
1981 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1982 offsetof(struct __sk_buff, cb[1])),
1983 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1984 offsetof(struct __sk_buff, cb[2])),
1985 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1986 offsetof(struct __sk_buff, cb[3])),
1987 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1988 offsetof(struct __sk_buff, cb[4])),
1989 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1990 offsetof(struct __sk_buff, cb[0])),
1991 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1992 offsetof(struct __sk_buff, cb[1])),
1993 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1994 offsetof(struct __sk_buff, cb[2])),
1995 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1996 offsetof(struct __sk_buff, cb[3])),
1997 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1998 offsetof(struct __sk_buff, cb[4])),
2004 "check cb access: word, unaligned 1",
2006 BPF_MOV64_IMM(BPF_REG_0, 0),
2007 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2008 offsetof(struct __sk_buff, cb[0]) + 2),
2011 .errstr = "misaligned context access",
2013 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2016 "check cb access: word, unaligned 2",
2018 BPF_MOV64_IMM(BPF_REG_0, 0),
2019 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2020 offsetof(struct __sk_buff, cb[4]) + 1),
2023 .errstr = "misaligned context access",
2025 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2028 "check cb access: word, unaligned 3",
2030 BPF_MOV64_IMM(BPF_REG_0, 0),
2031 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2032 offsetof(struct __sk_buff, cb[4]) + 2),
2035 .errstr = "misaligned context access",
2037 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2040 "check cb access: word, unaligned 4",
2042 BPF_MOV64_IMM(BPF_REG_0, 0),
2043 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2044 offsetof(struct __sk_buff, cb[4]) + 3),
2047 .errstr = "misaligned context access",
2049 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2052 "check cb access: double",
2054 BPF_MOV64_IMM(BPF_REG_0, 0),
2055 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2056 offsetof(struct __sk_buff, cb[0])),
2057 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2058 offsetof(struct __sk_buff, cb[2])),
2059 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2060 offsetof(struct __sk_buff, cb[0])),
2061 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2062 offsetof(struct __sk_buff, cb[2])),
2068 "check cb access: double, unaligned 1",
2070 BPF_MOV64_IMM(BPF_REG_0, 0),
2071 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2072 offsetof(struct __sk_buff, cb[1])),
2075 .errstr = "misaligned context access",
2077 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2080 "check cb access: double, unaligned 2",
2082 BPF_MOV64_IMM(BPF_REG_0, 0),
2083 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2084 offsetof(struct __sk_buff, cb[3])),
2087 .errstr = "misaligned context access",
2089 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2092 "check cb access: double, oob 1",
2094 BPF_MOV64_IMM(BPF_REG_0, 0),
2095 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2096 offsetof(struct __sk_buff, cb[4])),
2099 .errstr = "invalid bpf_context access",
2103 "check cb access: double, oob 2",
2105 BPF_MOV64_IMM(BPF_REG_0, 0),
2106 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2107 offsetof(struct __sk_buff, cb[4])),
2110 .errstr = "invalid bpf_context access",
2114 "check __sk_buff->ifindex dw store not permitted",
2116 BPF_MOV64_IMM(BPF_REG_0, 0),
2117 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2118 offsetof(struct __sk_buff, ifindex)),
2121 .errstr = "invalid bpf_context access",
2125 "check __sk_buff->ifindex dw load not permitted",
2127 BPF_MOV64_IMM(BPF_REG_0, 0),
2128 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2129 offsetof(struct __sk_buff, ifindex)),
2132 .errstr = "invalid bpf_context access",
2136 "check cb access: double, wrong type",
2138 BPF_MOV64_IMM(BPF_REG_0, 0),
2139 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2140 offsetof(struct __sk_buff, cb[0])),
2143 .errstr = "invalid bpf_context access",
2145 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2148 "check out of range skb->cb access",
2150 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2151 offsetof(struct __sk_buff, cb[0]) + 256),
2154 .errstr = "invalid bpf_context access",
2155 .errstr_unpriv = "",
2157 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2160 "write skb fields from socket prog",
2162 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2163 offsetof(struct __sk_buff, cb[4])),
2164 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2165 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2166 offsetof(struct __sk_buff, mark)),
2167 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2168 offsetof(struct __sk_buff, tc_index)),
2169 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2170 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2171 offsetof(struct __sk_buff, cb[0])),
2172 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2173 offsetof(struct __sk_buff, cb[2])),
2177 .errstr_unpriv = "R1 leaks addr",
2178 .result_unpriv = REJECT,
2181 "write skb fields from tc_cls_act prog",
2183 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2184 offsetof(struct __sk_buff, cb[0])),
2185 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186 offsetof(struct __sk_buff, mark)),
2187 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2188 offsetof(struct __sk_buff, tc_index)),
2189 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190 offsetof(struct __sk_buff, tc_index)),
2191 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192 offsetof(struct __sk_buff, cb[3])),
2195 .errstr_unpriv = "",
2196 .result_unpriv = REJECT,
2198 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2201 "PTR_TO_STACK store/load",
2203 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2205 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2206 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2210 .retval = 0xfaceb00c,
2213 "PTR_TO_STACK store/load - bad alignment on off",
2215 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2217 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2218 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2222 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2225 "PTR_TO_STACK store/load - bad alignment on reg",
2227 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2229 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2230 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2234 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2237 "PTR_TO_STACK store/load - out of bounds low",
2239 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2241 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2246 .errstr = "invalid stack off=-79992 size=8",
2249 "PTR_TO_STACK store/load - out of bounds high",
2251 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2253 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2254 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2258 .errstr = "invalid stack off=0 size=8",
2261 "unpriv: return pointer",
2263 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2267 .result_unpriv = REJECT,
2268 .errstr_unpriv = "R0 leaks addr",
2269 .retval = POINTER_VALUE,
2272 "unpriv: add const to pointer",
2274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2275 BPF_MOV64_IMM(BPF_REG_0, 0),
2281 "unpriv: add pointer to pointer",
2283 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2284 BPF_MOV64_IMM(BPF_REG_0, 0),
2288 .errstr = "R1 pointer += pointer",
2291 "unpriv: neg pointer",
2293 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2294 BPF_MOV64_IMM(BPF_REG_0, 0),
2298 .result_unpriv = REJECT,
2299 .errstr_unpriv = "R1 pointer arithmetic",
2302 "unpriv: cmp pointer with const",
2304 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2305 BPF_MOV64_IMM(BPF_REG_0, 0),
2309 .result_unpriv = REJECT,
2310 .errstr_unpriv = "R1 pointer comparison",
2313 "unpriv: cmp pointer with pointer",
2315 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2316 BPF_MOV64_IMM(BPF_REG_0, 0),
2320 .result_unpriv = REJECT,
2321 .errstr_unpriv = "R10 pointer comparison",
2324 "unpriv: check that printk is disallowed",
2326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2327 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2329 BPF_MOV64_IMM(BPF_REG_2, 8),
2330 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2331 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2332 BPF_FUNC_trace_printk),
2333 BPF_MOV64_IMM(BPF_REG_0, 0),
2336 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2337 .result_unpriv = REJECT,
2341 "unpriv: pass pointer to helper function",
2343 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2346 BPF_LD_MAP_FD(BPF_REG_1, 0),
2347 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2348 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2349 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2350 BPF_FUNC_map_update_elem),
2351 BPF_MOV64_IMM(BPF_REG_0, 0),
2354 .fixup_map1 = { 3 },
2355 .errstr_unpriv = "R4 leaks addr",
2356 .result_unpriv = REJECT,
2360 "unpriv: indirectly pass pointer on stack to helper function",
2362 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2365 BPF_LD_MAP_FD(BPF_REG_1, 0),
2366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2367 BPF_FUNC_map_lookup_elem),
2368 BPF_MOV64_IMM(BPF_REG_0, 0),
2371 .fixup_map1 = { 3 },
2372 .errstr = "invalid indirect read from stack off -8+0 size 8",
2376 "unpriv: mangle pointer on stack 1",
2378 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2379 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2380 BPF_MOV64_IMM(BPF_REG_0, 0),
2383 .errstr_unpriv = "attempt to corrupt spilled",
2384 .result_unpriv = REJECT,
2388 "unpriv: mangle pointer on stack 2",
2390 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2391 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2392 BPF_MOV64_IMM(BPF_REG_0, 0),
2395 .errstr_unpriv = "attempt to corrupt spilled",
2396 .result_unpriv = REJECT,
2400 "unpriv: read pointer from stack in small chunks",
2402 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2403 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2404 BPF_MOV64_IMM(BPF_REG_0, 0),
2407 .errstr = "invalid size",
2411 "unpriv: write pointer into ctx",
2413 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2414 BPF_MOV64_IMM(BPF_REG_0, 0),
2417 .errstr_unpriv = "R1 leaks addr",
2418 .result_unpriv = REJECT,
2419 .errstr = "invalid bpf_context access",
2423 "unpriv: spill/fill of ctx",
2425 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2427 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2428 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2429 BPF_MOV64_IMM(BPF_REG_0, 0),
2435 "unpriv: spill/fill of ctx 2",
2437 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2439 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2440 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2442 BPF_FUNC_get_hash_recalc),
2443 BPF_MOV64_IMM(BPF_REG_0, 0),
2447 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2450 "unpriv: spill/fill of ctx 3",
2452 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2454 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2455 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2456 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2458 BPF_FUNC_get_hash_recalc),
2462 .errstr = "R1 type=fp expected=ctx",
2463 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2466 "unpriv: spill/fill of ctx 4",
2468 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2470 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2471 BPF_MOV64_IMM(BPF_REG_0, 1),
2472 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2474 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2475 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2476 BPF_FUNC_get_hash_recalc),
2480 .errstr = "R1 type=inv expected=ctx",
2481 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2484 "unpriv: spill/fill of different pointers stx",
2486 BPF_MOV64_IMM(BPF_REG_3, 42),
2487 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2489 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2492 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2493 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2494 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2495 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2496 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2497 offsetof(struct __sk_buff, mark)),
2498 BPF_MOV64_IMM(BPF_REG_0, 0),
2502 .errstr = "same insn cannot be used with different pointers",
2503 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2506 "unpriv: spill/fill of different pointers ldx",
2508 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2510 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2511 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2513 -(__s32)offsetof(struct bpf_perf_event_data,
2514 sample_period) - 8),
2515 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2516 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2517 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2518 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2519 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2520 offsetof(struct bpf_perf_event_data,
2522 BPF_MOV64_IMM(BPF_REG_0, 0),
2526 .errstr = "same insn cannot be used with different pointers",
2527 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2530 "unpriv: write pointer into map elem value",
2532 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2535 BPF_LD_MAP_FD(BPF_REG_1, 0),
2536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2537 BPF_FUNC_map_lookup_elem),
2538 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2539 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2542 .fixup_map1 = { 3 },
2543 .errstr_unpriv = "R0 leaks addr",
2544 .result_unpriv = REJECT,
2548 "unpriv: partial copy of pointer",
2550 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2551 BPF_MOV64_IMM(BPF_REG_0, 0),
2554 .errstr_unpriv = "R10 partial copy",
2555 .result_unpriv = REJECT,
2559 "unpriv: pass pointer to tail_call",
2561 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2562 BPF_LD_MAP_FD(BPF_REG_2, 0),
2563 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2564 BPF_FUNC_tail_call),
2565 BPF_MOV64_IMM(BPF_REG_0, 0),
2568 .fixup_prog = { 1 },
2569 .errstr_unpriv = "R3 leaks addr into helper",
2570 .result_unpriv = REJECT,
2574 "unpriv: cmp map pointer with zero",
2576 BPF_MOV64_IMM(BPF_REG_1, 0),
2577 BPF_LD_MAP_FD(BPF_REG_1, 0),
2578 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2579 BPF_MOV64_IMM(BPF_REG_0, 0),
2582 .fixup_map1 = { 1 },
2583 .errstr_unpriv = "R1 pointer comparison",
2584 .result_unpriv = REJECT,
2588 "unpriv: write into frame pointer",
2590 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2591 BPF_MOV64_IMM(BPF_REG_0, 0),
2594 .errstr = "frame pointer is read only",
2598 "unpriv: spill/fill frame pointer",
2600 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2602 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2603 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2604 BPF_MOV64_IMM(BPF_REG_0, 0),
2607 .errstr = "frame pointer is read only",
2611 "unpriv: cmp of frame pointer",
2613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2614 BPF_MOV64_IMM(BPF_REG_0, 0),
2617 .errstr_unpriv = "R10 pointer comparison",
2618 .result_unpriv = REJECT,
2622 "unpriv: adding of fp",
2624 BPF_MOV64_IMM(BPF_REG_0, 0),
2625 BPF_MOV64_IMM(BPF_REG_1, 0),
2626 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2627 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2633 "unpriv: cmp of stack pointer",
2635 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2637 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2638 BPF_MOV64_IMM(BPF_REG_0, 0),
2641 .errstr_unpriv = "R2 pointer comparison",
2642 .result_unpriv = REJECT,
2646 "runtime/jit: tail_call within bounds, prog once",
2648 BPF_MOV64_IMM(BPF_REG_3, 0),
2649 BPF_LD_MAP_FD(BPF_REG_2, 0),
2650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2651 BPF_FUNC_tail_call),
2652 BPF_MOV64_IMM(BPF_REG_0, 1),
2655 .fixup_prog = { 1 },
2660 "runtime/jit: tail_call within bounds, prog loop",
2662 BPF_MOV64_IMM(BPF_REG_3, 1),
2663 BPF_LD_MAP_FD(BPF_REG_2, 0),
2664 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2665 BPF_FUNC_tail_call),
2666 BPF_MOV64_IMM(BPF_REG_0, 1),
2669 .fixup_prog = { 1 },
2674 "runtime/jit: tail_call within bounds, no prog",
2676 BPF_MOV64_IMM(BPF_REG_3, 2),
2677 BPF_LD_MAP_FD(BPF_REG_2, 0),
2678 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2679 BPF_FUNC_tail_call),
2680 BPF_MOV64_IMM(BPF_REG_0, 1),
2683 .fixup_prog = { 1 },
2688 "runtime/jit: tail_call out of bounds",
2690 BPF_MOV64_IMM(BPF_REG_3, 256),
2691 BPF_LD_MAP_FD(BPF_REG_2, 0),
2692 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2693 BPF_FUNC_tail_call),
2694 BPF_MOV64_IMM(BPF_REG_0, 2),
2697 .fixup_prog = { 1 },
2702 "runtime/jit: pass negative index to tail_call",
2704 BPF_MOV64_IMM(BPF_REG_3, -1),
2705 BPF_LD_MAP_FD(BPF_REG_2, 0),
2706 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2707 BPF_FUNC_tail_call),
2708 BPF_MOV64_IMM(BPF_REG_0, 2),
2711 .fixup_prog = { 1 },
2716 "runtime/jit: pass > 32bit index to tail_call",
2718 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2719 BPF_LD_MAP_FD(BPF_REG_2, 0),
2720 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2721 BPF_FUNC_tail_call),
2722 BPF_MOV64_IMM(BPF_REG_0, 2),
2725 .fixup_prog = { 2 },
2730 "stack pointer arithmetic",
2732 BPF_MOV64_IMM(BPF_REG_1, 4),
2733 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2734 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2737 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2738 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2739 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2740 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2741 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2742 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2743 BPF_MOV64_IMM(BPF_REG_0, 0),
2749 "raw_stack: no skb_load_bytes",
2751 BPF_MOV64_IMM(BPF_REG_2, 4),
2752 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2754 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2755 BPF_MOV64_IMM(BPF_REG_4, 8),
2756 /* Call to skb_load_bytes() omitted. */
2757 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2761 .errstr = "invalid read from stack off -8+0 size 8",
2762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2765 "raw_stack: skb_load_bytes, negative len",
2767 BPF_MOV64_IMM(BPF_REG_2, 4),
2768 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2770 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2771 BPF_MOV64_IMM(BPF_REG_4, -8),
2772 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2773 BPF_FUNC_skb_load_bytes),
2774 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2778 .errstr = "R4 min value is negative",
2779 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2782 "raw_stack: skb_load_bytes, negative len 2",
2784 BPF_MOV64_IMM(BPF_REG_2, 4),
2785 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2787 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2788 BPF_MOV64_IMM(BPF_REG_4, ~0),
2789 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2790 BPF_FUNC_skb_load_bytes),
2791 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2795 .errstr = "R4 min value is negative",
2796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2799 "raw_stack: skb_load_bytes, zero len",
2801 BPF_MOV64_IMM(BPF_REG_2, 4),
2802 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2804 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2805 BPF_MOV64_IMM(BPF_REG_4, 0),
2806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2807 BPF_FUNC_skb_load_bytes),
2808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2812 .errstr = "invalid stack type R3",
2813 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2816 "raw_stack: skb_load_bytes, no init",
2818 BPF_MOV64_IMM(BPF_REG_2, 4),
2819 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2821 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2822 BPF_MOV64_IMM(BPF_REG_4, 8),
2823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2824 BPF_FUNC_skb_load_bytes),
2825 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2829 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2832 "raw_stack: skb_load_bytes, init",
2834 BPF_MOV64_IMM(BPF_REG_2, 4),
2835 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2836 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2837 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2838 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2839 BPF_MOV64_IMM(BPF_REG_4, 8),
2840 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2841 BPF_FUNC_skb_load_bytes),
2842 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2846 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2849 "raw_stack: skb_load_bytes, spilled regs around bounds",
2851 BPF_MOV64_IMM(BPF_REG_2, 4),
2852 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2854 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2855 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2856 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2857 BPF_MOV64_IMM(BPF_REG_4, 8),
2858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2859 BPF_FUNC_skb_load_bytes),
2860 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2861 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2862 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2863 offsetof(struct __sk_buff, mark)),
2864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2865 offsetof(struct __sk_buff, priority)),
2866 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2870 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2873 "raw_stack: skb_load_bytes, spilled regs corruption",
2875 BPF_MOV64_IMM(BPF_REG_2, 4),
2876 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2878 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2879 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2880 BPF_MOV64_IMM(BPF_REG_4, 8),
2881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2882 BPF_FUNC_skb_load_bytes),
2883 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2885 offsetof(struct __sk_buff, mark)),
2889 .errstr = "R0 invalid mem access 'inv'",
2890 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2893 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2895 BPF_MOV64_IMM(BPF_REG_2, 4),
2896 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2898 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2899 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2900 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2901 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2902 BPF_MOV64_IMM(BPF_REG_4, 8),
2903 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2904 BPF_FUNC_skb_load_bytes),
2905 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2906 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2907 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2908 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2909 offsetof(struct __sk_buff, mark)),
2910 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2911 offsetof(struct __sk_buff, priority)),
2912 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2913 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2914 offsetof(struct __sk_buff, pkt_type)),
2915 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2919 .errstr = "R3 invalid mem access 'inv'",
2920 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2923 "raw_stack: skb_load_bytes, spilled regs + data",
2925 BPF_MOV64_IMM(BPF_REG_2, 4),
2926 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2928 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2929 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2930 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2931 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2932 BPF_MOV64_IMM(BPF_REG_4, 8),
2933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2934 BPF_FUNC_skb_load_bytes),
2935 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2936 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2937 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2938 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2939 offsetof(struct __sk_buff, mark)),
2940 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2941 offsetof(struct __sk_buff, priority)),
2942 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2943 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2947 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2950 "raw_stack: skb_load_bytes, invalid access 1",
2952 BPF_MOV64_IMM(BPF_REG_2, 4),
2953 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2955 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2956 BPF_MOV64_IMM(BPF_REG_4, 8),
2957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2958 BPF_FUNC_skb_load_bytes),
2959 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2963 .errstr = "invalid stack type R3 off=-513 access_size=8",
2964 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2967 "raw_stack: skb_load_bytes, invalid access 2",
2969 BPF_MOV64_IMM(BPF_REG_2, 4),
2970 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2972 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2973 BPF_MOV64_IMM(BPF_REG_4, 8),
2974 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2975 BPF_FUNC_skb_load_bytes),
2976 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2980 .errstr = "invalid stack type R3 off=-1 access_size=8",
2981 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2984 "raw_stack: skb_load_bytes, invalid access 3",
2986 BPF_MOV64_IMM(BPF_REG_2, 4),
2987 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2989 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2990 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2991 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2992 BPF_FUNC_skb_load_bytes),
2993 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2997 .errstr = "R4 min value is negative",
2998 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3001 "raw_stack: skb_load_bytes, invalid access 4",
3003 BPF_MOV64_IMM(BPF_REG_2, 4),
3004 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3006 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3007 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3009 BPF_FUNC_skb_load_bytes),
3010 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3014 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3015 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3018 "raw_stack: skb_load_bytes, invalid access 5",
3020 BPF_MOV64_IMM(BPF_REG_2, 4),
3021 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3023 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3024 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3026 BPF_FUNC_skb_load_bytes),
3027 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3031 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3032 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3035 "raw_stack: skb_load_bytes, invalid access 6",
3037 BPF_MOV64_IMM(BPF_REG_2, 4),
3038 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3040 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3041 BPF_MOV64_IMM(BPF_REG_4, 0),
3042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3043 BPF_FUNC_skb_load_bytes),
3044 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3048 .errstr = "invalid stack type R3 off=-512 access_size=0",
3049 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3052 "raw_stack: skb_load_bytes, large access",
3054 BPF_MOV64_IMM(BPF_REG_2, 4),
3055 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3057 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3058 BPF_MOV64_IMM(BPF_REG_4, 512),
3059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3060 BPF_FUNC_skb_load_bytes),
3061 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3065 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3068 "context stores via ST",
3070 BPF_MOV64_IMM(BPF_REG_0, 0),
3071 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3074 .errstr = "BPF_ST stores into R1 context is not allowed",
3076 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3079 "context stores via XADD",
3081 BPF_MOV64_IMM(BPF_REG_0, 0),
3082 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3083 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3086 .errstr = "BPF_XADD stores into R1 context is not allowed",
3088 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3091 "direct packet access: test1",
3093 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3094 offsetof(struct __sk_buff, data)),
3095 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3096 offsetof(struct __sk_buff, data_end)),
3097 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3099 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3100 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3101 BPF_MOV64_IMM(BPF_REG_0, 0),
3105 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3108 "direct packet access: test2",
3110 BPF_MOV64_IMM(BPF_REG_0, 1),
3111 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3112 offsetof(struct __sk_buff, data_end)),
3113 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3114 offsetof(struct __sk_buff, data)),
3115 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3117 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3119 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3120 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3121 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3122 offsetof(struct __sk_buff, data)),
3123 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3124 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3125 offsetof(struct __sk_buff, len)),
3126 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3127 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3128 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3129 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3131 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3132 offsetof(struct __sk_buff, data_end)),
3133 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3134 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3135 BPF_MOV64_IMM(BPF_REG_0, 0),
3139 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3142 "direct packet access: test3",
3144 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3145 offsetof(struct __sk_buff, data)),
3146 BPF_MOV64_IMM(BPF_REG_0, 0),
3149 .errstr = "invalid bpf_context access off=76",
3151 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3154 "direct packet access: test4 (write)",
3156 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3157 offsetof(struct __sk_buff, data)),
3158 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3159 offsetof(struct __sk_buff, data_end)),
3160 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3162 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3163 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3164 BPF_MOV64_IMM(BPF_REG_0, 0),
3168 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3171 "direct packet access: test5 (pkt_end >= reg, good access)",
3173 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3174 offsetof(struct __sk_buff, data)),
3175 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3176 offsetof(struct __sk_buff, data_end)),
3177 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3179 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3180 BPF_MOV64_IMM(BPF_REG_0, 1),
3182 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3183 BPF_MOV64_IMM(BPF_REG_0, 0),
3187 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3190 "direct packet access: test6 (pkt_end >= reg, bad access)",
3192 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3193 offsetof(struct __sk_buff, data)),
3194 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3195 offsetof(struct __sk_buff, data_end)),
3196 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3198 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3199 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3200 BPF_MOV64_IMM(BPF_REG_0, 1),
3202 BPF_MOV64_IMM(BPF_REG_0, 0),
3205 .errstr = "invalid access to packet",
3207 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3210 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3212 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3213 offsetof(struct __sk_buff, data)),
3214 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3215 offsetof(struct __sk_buff, data_end)),
3216 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3218 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3219 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3220 BPF_MOV64_IMM(BPF_REG_0, 1),
3222 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3223 BPF_MOV64_IMM(BPF_REG_0, 0),
3226 .errstr = "invalid access to packet",
3228 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3231 "direct packet access: test8 (double test, variant 1)",
3233 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3234 offsetof(struct __sk_buff, data)),
3235 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3236 offsetof(struct __sk_buff, data_end)),
3237 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3239 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3240 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3241 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3242 BPF_MOV64_IMM(BPF_REG_0, 1),
3244 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3245 BPF_MOV64_IMM(BPF_REG_0, 0),
3249 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3252 "direct packet access: test9 (double test, variant 2)",
3254 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3255 offsetof(struct __sk_buff, data)),
3256 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3257 offsetof(struct __sk_buff, data_end)),
3258 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3260 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3261 BPF_MOV64_IMM(BPF_REG_0, 1),
3263 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3264 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3265 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3266 BPF_MOV64_IMM(BPF_REG_0, 0),
3270 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3273 "direct packet access: test10 (write invalid)",
3275 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3276 offsetof(struct __sk_buff, data)),
3277 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3278 offsetof(struct __sk_buff, data_end)),
3279 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3281 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3282 BPF_MOV64_IMM(BPF_REG_0, 0),
3284 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3285 BPF_MOV64_IMM(BPF_REG_0, 0),
3288 .errstr = "invalid access to packet",
3290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3293 "direct packet access: test11 (shift, good access)",
3295 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3296 offsetof(struct __sk_buff, data)),
3297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3298 offsetof(struct __sk_buff, data_end)),
3299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3301 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3302 BPF_MOV64_IMM(BPF_REG_3, 144),
3303 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3305 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3306 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3307 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3308 BPF_MOV64_IMM(BPF_REG_0, 1),
3310 BPF_MOV64_IMM(BPF_REG_0, 0),
3314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3318 "direct packet access: test12 (and, good access)",
3320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3321 offsetof(struct __sk_buff, data)),
3322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3323 offsetof(struct __sk_buff, data_end)),
3324 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3326 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3327 BPF_MOV64_IMM(BPF_REG_3, 144),
3328 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3330 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3331 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3332 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3333 BPF_MOV64_IMM(BPF_REG_0, 1),
3335 BPF_MOV64_IMM(BPF_REG_0, 0),
3339 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3343 "direct packet access: test13 (branches, good access)",
3345 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3346 offsetof(struct __sk_buff, data)),
3347 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3348 offsetof(struct __sk_buff, data_end)),
3349 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3351 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3352 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3353 offsetof(struct __sk_buff, mark)),
3354 BPF_MOV64_IMM(BPF_REG_4, 1),
3355 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3356 BPF_MOV64_IMM(BPF_REG_3, 14),
3357 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3358 BPF_MOV64_IMM(BPF_REG_3, 24),
3359 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3361 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3362 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3363 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3364 BPF_MOV64_IMM(BPF_REG_0, 1),
3366 BPF_MOV64_IMM(BPF_REG_0, 0),
3370 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3374 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3376 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3377 offsetof(struct __sk_buff, data)),
3378 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3379 offsetof(struct __sk_buff, data_end)),
3380 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3382 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3383 BPF_MOV64_IMM(BPF_REG_5, 12),
3384 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3385 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3386 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3387 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3388 BPF_MOV64_IMM(BPF_REG_0, 1),
3390 BPF_MOV64_IMM(BPF_REG_0, 0),
3394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3398 "direct packet access: test15 (spill with xadd)",
3400 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3401 offsetof(struct __sk_buff, data)),
3402 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3403 offsetof(struct __sk_buff, data_end)),
3404 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3406 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3407 BPF_MOV64_IMM(BPF_REG_5, 4096),
3408 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3410 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3411 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3412 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3413 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3414 BPF_MOV64_IMM(BPF_REG_0, 0),
3417 .errstr = "R2 invalid mem access 'inv'",
3419 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3422 "direct packet access: test16 (arith on data_end)",
3424 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3425 offsetof(struct __sk_buff, data)),
3426 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3427 offsetof(struct __sk_buff, data_end)),
3428 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3431 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3432 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3433 BPF_MOV64_IMM(BPF_REG_0, 0),
3436 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3441 "direct packet access: test17 (pruning, alignment)",
3443 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3444 offsetof(struct __sk_buff, data)),
3445 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3446 offsetof(struct __sk_buff, data_end)),
3447 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3448 offsetof(struct __sk_buff, mark)),
3449 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3451 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3452 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3453 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3454 BPF_MOV64_IMM(BPF_REG_0, 0),
3456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3459 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3462 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3465 "direct packet access: test18 (imm += pkt_ptr, 1)",
3467 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3468 offsetof(struct __sk_buff, data)),
3469 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3470 offsetof(struct __sk_buff, data_end)),
3471 BPF_MOV64_IMM(BPF_REG_0, 8),
3472 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3473 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3474 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3475 BPF_MOV64_IMM(BPF_REG_0, 0),
3479 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3482 "direct packet access: test19 (imm += pkt_ptr, 2)",
3484 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3485 offsetof(struct __sk_buff, data)),
3486 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3487 offsetof(struct __sk_buff, data_end)),
3488 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3490 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3491 BPF_MOV64_IMM(BPF_REG_4, 4),
3492 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3493 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3494 BPF_MOV64_IMM(BPF_REG_0, 0),
3498 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3501 "direct packet access: test20 (x += pkt_ptr, 1)",
3503 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3504 offsetof(struct __sk_buff, data)),
3505 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3506 offsetof(struct __sk_buff, data_end)),
3507 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3508 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3509 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3510 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3511 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3512 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3513 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3515 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3516 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3517 BPF_MOV64_IMM(BPF_REG_0, 0),
3520 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3524 "direct packet access: test21 (x += pkt_ptr, 2)",
3526 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3527 offsetof(struct __sk_buff, data)),
3528 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3529 offsetof(struct __sk_buff, data_end)),
3530 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3532 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3533 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3534 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3535 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3536 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3537 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3538 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3540 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3541 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3542 BPF_MOV64_IMM(BPF_REG_0, 0),
3545 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3549 "direct packet access: test22 (x += pkt_ptr, 3)",
3551 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3552 offsetof(struct __sk_buff, data)),
3553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554 offsetof(struct __sk_buff, data_end)),
3555 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3557 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3558 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3559 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3560 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3561 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3562 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3563 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3564 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3565 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3566 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3567 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3569 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3570 BPF_MOV64_IMM(BPF_REG_2, 1),
3571 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3572 BPF_MOV64_IMM(BPF_REG_0, 0),
3575 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3579 "direct packet access: test23 (x += pkt_ptr, 4)",
3581 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3582 offsetof(struct __sk_buff, data)),
3583 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3584 offsetof(struct __sk_buff, data_end)),
3585 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3586 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3587 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3588 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3589 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3590 BPF_MOV64_IMM(BPF_REG_0, 31),
3591 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3592 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3593 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3595 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3596 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3597 BPF_MOV64_IMM(BPF_REG_0, 0),
3600 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3602 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3605 "direct packet access: test24 (x += pkt_ptr, 5)",
3607 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3608 offsetof(struct __sk_buff, data)),
3609 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3610 offsetof(struct __sk_buff, data_end)),
3611 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3612 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3613 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3614 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3615 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3616 BPF_MOV64_IMM(BPF_REG_0, 64),
3617 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3618 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3619 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3621 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3622 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3623 BPF_MOV64_IMM(BPF_REG_0, 0),
3626 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3630 "direct packet access: test25 (marking on <, good access)",
3632 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3633 offsetof(struct __sk_buff, data)),
3634 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3635 offsetof(struct __sk_buff, data_end)),
3636 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3638 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3639 BPF_MOV64_IMM(BPF_REG_0, 0),
3641 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3642 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3645 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3648 "direct packet access: test26 (marking on <, bad access)",
3650 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3651 offsetof(struct __sk_buff, data)),
3652 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3653 offsetof(struct __sk_buff, data_end)),
3654 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3656 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3657 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3658 BPF_MOV64_IMM(BPF_REG_0, 0),
3660 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3663 .errstr = "invalid access to packet",
3664 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3667 "direct packet access: test27 (marking on <=, good access)",
3669 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3670 offsetof(struct __sk_buff, data)),
3671 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3672 offsetof(struct __sk_buff, data_end)),
3673 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3675 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3676 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3677 BPF_MOV64_IMM(BPF_REG_0, 1),
3681 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3685 "direct packet access: test28 (marking on <=, bad access)",
3687 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3688 offsetof(struct __sk_buff, data)),
3689 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3690 offsetof(struct __sk_buff, data_end)),
3691 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3693 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3694 BPF_MOV64_IMM(BPF_REG_0, 1),
3696 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3697 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3700 .errstr = "invalid access to packet",
3701 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3704 "helper access to packet: test1, valid packet_ptr range",
3706 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3707 offsetof(struct xdp_md, data)),
3708 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3709 offsetof(struct xdp_md, data_end)),
3710 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3712 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3713 BPF_LD_MAP_FD(BPF_REG_1, 0),
3714 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3715 BPF_MOV64_IMM(BPF_REG_4, 0),
3716 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3717 BPF_FUNC_map_update_elem),
3718 BPF_MOV64_IMM(BPF_REG_0, 0),
3721 .fixup_map1 = { 5 },
3722 .result_unpriv = ACCEPT,
3724 .prog_type = BPF_PROG_TYPE_XDP,
3727 "helper access to packet: test2, unchecked packet_ptr",
3729 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3730 offsetof(struct xdp_md, data)),
3731 BPF_LD_MAP_FD(BPF_REG_1, 0),
3732 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3733 BPF_FUNC_map_lookup_elem),
3734 BPF_MOV64_IMM(BPF_REG_0, 0),
3737 .fixup_map1 = { 1 },
3739 .errstr = "invalid access to packet",
3740 .prog_type = BPF_PROG_TYPE_XDP,
3743 "helper access to packet: test3, variable add",
3745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3746 offsetof(struct xdp_md, data)),
3747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3748 offsetof(struct xdp_md, data_end)),
3749 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3751 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3752 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3753 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3754 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3755 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3757 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3758 BPF_LD_MAP_FD(BPF_REG_1, 0),
3759 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3761 BPF_FUNC_map_lookup_elem),
3762 BPF_MOV64_IMM(BPF_REG_0, 0),
3765 .fixup_map1 = { 11 },
3767 .prog_type = BPF_PROG_TYPE_XDP,
3770 "helper access to packet: test4, packet_ptr with bad range",
3772 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3773 offsetof(struct xdp_md, data)),
3774 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3775 offsetof(struct xdp_md, data_end)),
3776 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3778 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3779 BPF_MOV64_IMM(BPF_REG_0, 0),
3781 BPF_LD_MAP_FD(BPF_REG_1, 0),
3782 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3783 BPF_FUNC_map_lookup_elem),
3784 BPF_MOV64_IMM(BPF_REG_0, 0),
3787 .fixup_map1 = { 7 },
3789 .errstr = "invalid access to packet",
3790 .prog_type = BPF_PROG_TYPE_XDP,
3793 "helper access to packet: test5, packet_ptr with too short range",
3795 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3796 offsetof(struct xdp_md, data)),
3797 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3798 offsetof(struct xdp_md, data_end)),
3799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3800 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3802 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3803 BPF_LD_MAP_FD(BPF_REG_1, 0),
3804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3805 BPF_FUNC_map_lookup_elem),
3806 BPF_MOV64_IMM(BPF_REG_0, 0),
3809 .fixup_map1 = { 6 },
3811 .errstr = "invalid access to packet",
3812 .prog_type = BPF_PROG_TYPE_XDP,
3815 "helper access to packet: test6, cls valid packet_ptr range",
3817 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3818 offsetof(struct __sk_buff, data)),
3819 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3820 offsetof(struct __sk_buff, data_end)),
3821 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3822 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3823 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3824 BPF_LD_MAP_FD(BPF_REG_1, 0),
3825 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3826 BPF_MOV64_IMM(BPF_REG_4, 0),
3827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3828 BPF_FUNC_map_update_elem),
3829 BPF_MOV64_IMM(BPF_REG_0, 0),
3832 .fixup_map1 = { 5 },
3834 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3837 "helper access to packet: test7, cls unchecked packet_ptr",
3839 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3840 offsetof(struct __sk_buff, data)),
3841 BPF_LD_MAP_FD(BPF_REG_1, 0),
3842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3843 BPF_FUNC_map_lookup_elem),
3844 BPF_MOV64_IMM(BPF_REG_0, 0),
3847 .fixup_map1 = { 1 },
3849 .errstr = "invalid access to packet",
3850 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3853 "helper access to packet: test8, cls variable add",
3855 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3856 offsetof(struct __sk_buff, data)),
3857 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3858 offsetof(struct __sk_buff, data_end)),
3859 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3861 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3862 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3863 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3864 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3865 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3867 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3868 BPF_LD_MAP_FD(BPF_REG_1, 0),
3869 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3871 BPF_FUNC_map_lookup_elem),
3872 BPF_MOV64_IMM(BPF_REG_0, 0),
3875 .fixup_map1 = { 11 },
3877 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3880 "helper access to packet: test9, cls packet_ptr with bad range",
3882 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3883 offsetof(struct __sk_buff, data)),
3884 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3885 offsetof(struct __sk_buff, data_end)),
3886 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3888 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3889 BPF_MOV64_IMM(BPF_REG_0, 0),
3891 BPF_LD_MAP_FD(BPF_REG_1, 0),
3892 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3893 BPF_FUNC_map_lookup_elem),
3894 BPF_MOV64_IMM(BPF_REG_0, 0),
3897 .fixup_map1 = { 7 },
3899 .errstr = "invalid access to packet",
3900 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3903 "helper access to packet: test10, cls packet_ptr with too short range",
3905 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3906 offsetof(struct __sk_buff, data)),
3907 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3908 offsetof(struct __sk_buff, data_end)),
3909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3910 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3912 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3913 BPF_LD_MAP_FD(BPF_REG_1, 0),
3914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3915 BPF_FUNC_map_lookup_elem),
3916 BPF_MOV64_IMM(BPF_REG_0, 0),
3919 .fixup_map1 = { 6 },
3921 .errstr = "invalid access to packet",
3922 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3925 "helper access to packet: test11, cls unsuitable helper 1",
3927 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3928 offsetof(struct __sk_buff, data)),
3929 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3930 offsetof(struct __sk_buff, data_end)),
3931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3932 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3933 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3934 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3935 BPF_MOV64_IMM(BPF_REG_2, 0),
3936 BPF_MOV64_IMM(BPF_REG_4, 42),
3937 BPF_MOV64_IMM(BPF_REG_5, 0),
3938 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3939 BPF_FUNC_skb_store_bytes),
3940 BPF_MOV64_IMM(BPF_REG_0, 0),
3944 .errstr = "helper access to the packet",
3945 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3948 "helper access to packet: test12, cls unsuitable helper 2",
3950 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3951 offsetof(struct __sk_buff, data)),
3952 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3953 offsetof(struct __sk_buff, data_end)),
3954 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3956 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3957 BPF_MOV64_IMM(BPF_REG_2, 0),
3958 BPF_MOV64_IMM(BPF_REG_4, 4),
3959 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3960 BPF_FUNC_skb_load_bytes),
3961 BPF_MOV64_IMM(BPF_REG_0, 0),
3965 .errstr = "helper access to the packet",
3966 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3969 "helper access to packet: test13, cls helper ok",
3971 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3972 offsetof(struct __sk_buff, data)),
3973 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3974 offsetof(struct __sk_buff, data_end)),
3975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3976 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3978 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3980 BPF_MOV64_IMM(BPF_REG_2, 4),
3981 BPF_MOV64_IMM(BPF_REG_3, 0),
3982 BPF_MOV64_IMM(BPF_REG_4, 0),
3983 BPF_MOV64_IMM(BPF_REG_5, 0),
3984 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3985 BPF_FUNC_csum_diff),
3986 BPF_MOV64_IMM(BPF_REG_0, 0),
3990 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3993 "helper access to packet: test14, cls helper ok sub",
3995 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3996 offsetof(struct __sk_buff, data)),
3997 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3998 offsetof(struct __sk_buff, data_end)),
3999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4000 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4002 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4003 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4004 BPF_MOV64_IMM(BPF_REG_2, 4),
4005 BPF_MOV64_IMM(BPF_REG_3, 0),
4006 BPF_MOV64_IMM(BPF_REG_4, 0),
4007 BPF_MOV64_IMM(BPF_REG_5, 0),
4008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4009 BPF_FUNC_csum_diff),
4010 BPF_MOV64_IMM(BPF_REG_0, 0),
4014 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4017 "helper access to packet: test15, cls helper fail sub",
4019 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4020 offsetof(struct __sk_buff, data)),
4021 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4022 offsetof(struct __sk_buff, data_end)),
4023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4026 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4027 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4028 BPF_MOV64_IMM(BPF_REG_2, 4),
4029 BPF_MOV64_IMM(BPF_REG_3, 0),
4030 BPF_MOV64_IMM(BPF_REG_4, 0),
4031 BPF_MOV64_IMM(BPF_REG_5, 0),
4032 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4033 BPF_FUNC_csum_diff),
4034 BPF_MOV64_IMM(BPF_REG_0, 0),
4038 .errstr = "invalid access to packet",
4039 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4042 "helper access to packet: test16, cls helper fail range 1",
4044 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4045 offsetof(struct __sk_buff, data)),
4046 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4047 offsetof(struct __sk_buff, data_end)),
4048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4049 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4050 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4051 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4052 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4053 BPF_MOV64_IMM(BPF_REG_2, 8),
4054 BPF_MOV64_IMM(BPF_REG_3, 0),
4055 BPF_MOV64_IMM(BPF_REG_4, 0),
4056 BPF_MOV64_IMM(BPF_REG_5, 0),
4057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4058 BPF_FUNC_csum_diff),
4059 BPF_MOV64_IMM(BPF_REG_0, 0),
4063 .errstr = "invalid access to packet",
4064 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4067 "helper access to packet: test17, cls helper fail range 2",
4069 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4070 offsetof(struct __sk_buff, data)),
4071 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4072 offsetof(struct __sk_buff, data_end)),
4073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4074 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4076 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4078 BPF_MOV64_IMM(BPF_REG_2, -9),
4079 BPF_MOV64_IMM(BPF_REG_3, 0),
4080 BPF_MOV64_IMM(BPF_REG_4, 0),
4081 BPF_MOV64_IMM(BPF_REG_5, 0),
4082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4083 BPF_FUNC_csum_diff),
4084 BPF_MOV64_IMM(BPF_REG_0, 0),
4088 .errstr = "R2 min value is negative",
4089 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4092 "helper access to packet: test18, cls helper fail range 3",
4094 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4095 offsetof(struct __sk_buff, data)),
4096 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4097 offsetof(struct __sk_buff, data_end)),
4098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4099 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4101 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4103 BPF_MOV64_IMM(BPF_REG_2, ~0),
4104 BPF_MOV64_IMM(BPF_REG_3, 0),
4105 BPF_MOV64_IMM(BPF_REG_4, 0),
4106 BPF_MOV64_IMM(BPF_REG_5, 0),
4107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4108 BPF_FUNC_csum_diff),
4109 BPF_MOV64_IMM(BPF_REG_0, 0),
4113 .errstr = "R2 min value is negative",
4114 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4117 "helper access to packet: test19, cls helper range zero",
4119 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4120 offsetof(struct __sk_buff, data)),
4121 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4122 offsetof(struct __sk_buff, data_end)),
4123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4124 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4126 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4127 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4128 BPF_MOV64_IMM(BPF_REG_2, 0),
4129 BPF_MOV64_IMM(BPF_REG_3, 0),
4130 BPF_MOV64_IMM(BPF_REG_4, 0),
4131 BPF_MOV64_IMM(BPF_REG_5, 0),
4132 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4133 BPF_FUNC_csum_diff),
4134 BPF_MOV64_IMM(BPF_REG_0, 0),
4138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4141 "helper access to packet: test20, pkt end as input",
4143 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4144 offsetof(struct __sk_buff, data)),
4145 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4146 offsetof(struct __sk_buff, data_end)),
4147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4150 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4152 BPF_MOV64_IMM(BPF_REG_2, 4),
4153 BPF_MOV64_IMM(BPF_REG_3, 0),
4154 BPF_MOV64_IMM(BPF_REG_4, 0),
4155 BPF_MOV64_IMM(BPF_REG_5, 0),
4156 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4157 BPF_FUNC_csum_diff),
4158 BPF_MOV64_IMM(BPF_REG_0, 0),
4162 .errstr = "R1 type=pkt_end expected=fp",
4163 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4166 "helper access to packet: test21, wrong reg",
4168 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4169 offsetof(struct __sk_buff, data)),
4170 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4171 offsetof(struct __sk_buff, data_end)),
4172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4175 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4176 BPF_MOV64_IMM(BPF_REG_2, 4),
4177 BPF_MOV64_IMM(BPF_REG_3, 0),
4178 BPF_MOV64_IMM(BPF_REG_4, 0),
4179 BPF_MOV64_IMM(BPF_REG_5, 0),
4180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4181 BPF_FUNC_csum_diff),
4182 BPF_MOV64_IMM(BPF_REG_0, 0),
4186 .errstr = "invalid access to packet",
4187 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4190 "valid map access into an array with a constant",
4192 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4195 BPF_LD_MAP_FD(BPF_REG_1, 0),
4196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4197 BPF_FUNC_map_lookup_elem),
4198 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4199 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4200 offsetof(struct test_val, foo)),
4203 .fixup_map2 = { 3 },
4204 .errstr_unpriv = "R0 leaks addr",
4205 .result_unpriv = REJECT,
4209 "valid map access into an array with a register",
4211 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4212 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4213 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4214 BPF_LD_MAP_FD(BPF_REG_1, 0),
4215 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4216 BPF_FUNC_map_lookup_elem),
4217 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4218 BPF_MOV64_IMM(BPF_REG_1, 4),
4219 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4220 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4221 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4222 offsetof(struct test_val, foo)),
4225 .fixup_map2 = { 3 },
4226 .errstr_unpriv = "R0 leaks addr",
4227 .result_unpriv = REJECT,
4229 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4232 "valid map access into an array with a variable",
4234 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4235 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4237 BPF_LD_MAP_FD(BPF_REG_1, 0),
4238 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4239 BPF_FUNC_map_lookup_elem),
4240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4241 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4242 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4243 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4244 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4245 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4246 offsetof(struct test_val, foo)),
4249 .fixup_map2 = { 3 },
4250 .errstr_unpriv = "R0 leaks addr",
4251 .result_unpriv = REJECT,
4253 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4256 "valid map access into an array with a signed variable",
4258 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4261 BPF_LD_MAP_FD(BPF_REG_1, 0),
4262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4263 BPF_FUNC_map_lookup_elem),
4264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4265 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4266 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4267 BPF_MOV32_IMM(BPF_REG_1, 0),
4268 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4269 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4270 BPF_MOV32_IMM(BPF_REG_1, 0),
4271 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4272 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4273 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4274 offsetof(struct test_val, foo)),
4277 .fixup_map2 = { 3 },
4278 .errstr_unpriv = "R0 leaks addr",
4279 .result_unpriv = REJECT,
4281 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4284 "invalid map access into an array with a constant",
4286 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4287 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4288 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4289 BPF_LD_MAP_FD(BPF_REG_1, 0),
4290 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4291 BPF_FUNC_map_lookup_elem),
4292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4293 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4294 offsetof(struct test_val, foo)),
4297 .fixup_map2 = { 3 },
4298 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4302 "invalid map access into an array with a register",
4304 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4305 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4307 BPF_LD_MAP_FD(BPF_REG_1, 0),
4308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4309 BPF_FUNC_map_lookup_elem),
4310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4311 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4312 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4313 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4314 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4315 offsetof(struct test_val, foo)),
4318 .fixup_map2 = { 3 },
4319 .errstr = "R0 min value is outside of the array range",
4321 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4324 "invalid map access into an array with a variable",
4326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4329 BPF_LD_MAP_FD(BPF_REG_1, 0),
4330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4331 BPF_FUNC_map_lookup_elem),
4332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4333 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4334 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4335 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4336 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4337 offsetof(struct test_val, foo)),
4340 .fixup_map2 = { 3 },
4341 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4343 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4346 "invalid map access into an array with no floor check",
4348 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4351 BPF_LD_MAP_FD(BPF_REG_1, 0),
4352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4353 BPF_FUNC_map_lookup_elem),
4354 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4355 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4356 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4357 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4358 BPF_MOV32_IMM(BPF_REG_1, 0),
4359 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4360 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4361 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4362 offsetof(struct test_val, foo)),
4365 .fixup_map2 = { 3 },
4366 .errstr_unpriv = "R0 leaks addr",
4367 .errstr = "R0 unbounded memory access",
4368 .result_unpriv = REJECT,
4370 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4373 "invalid map access into an array with a invalid max check",
4375 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4376 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4378 BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4380 BPF_FUNC_map_lookup_elem),
4381 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4382 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4383 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4384 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4385 BPF_MOV32_IMM(BPF_REG_1, 0),
4386 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4387 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4388 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4389 offsetof(struct test_val, foo)),
4392 .fixup_map2 = { 3 },
4393 .errstr_unpriv = "R0 leaks addr",
4394 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4395 .result_unpriv = REJECT,
4397 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4400 "invalid map access into an array with a invalid max check",
4402 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4405 BPF_LD_MAP_FD(BPF_REG_1, 0),
4406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4407 BPF_FUNC_map_lookup_elem),
4408 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4409 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4413 BPF_LD_MAP_FD(BPF_REG_1, 0),
4414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4415 BPF_FUNC_map_lookup_elem),
4416 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4417 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4418 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4419 offsetof(struct test_val, foo)),
4422 .fixup_map2 = { 3, 11 },
4423 .errstr = "R0 pointer += pointer",
4425 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4428 "multiple registers share map_lookup_elem result",
4430 BPF_MOV64_IMM(BPF_REG_1, 10),
4431 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4432 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4434 BPF_LD_MAP_FD(BPF_REG_1, 0),
4435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4436 BPF_FUNC_map_lookup_elem),
4437 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4438 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4439 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4442 .fixup_map1 = { 4 },
4444 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4447 "alu ops on ptr_to_map_value_or_null, 1",
4449 BPF_MOV64_IMM(BPF_REG_1, 10),
4450 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4451 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4453 BPF_LD_MAP_FD(BPF_REG_1, 0),
4454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4455 BPF_FUNC_map_lookup_elem),
4456 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4459 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4460 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4463 .fixup_map1 = { 4 },
4464 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4466 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4469 "alu ops on ptr_to_map_value_or_null, 2",
4471 BPF_MOV64_IMM(BPF_REG_1, 10),
4472 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4475 BPF_LD_MAP_FD(BPF_REG_1, 0),
4476 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4477 BPF_FUNC_map_lookup_elem),
4478 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4479 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4480 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4481 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4484 .fixup_map1 = { 4 },
4485 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4487 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4490 "alu ops on ptr_to_map_value_or_null, 3",
4492 BPF_MOV64_IMM(BPF_REG_1, 10),
4493 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4494 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4496 BPF_LD_MAP_FD(BPF_REG_1, 0),
4497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4498 BPF_FUNC_map_lookup_elem),
4499 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4500 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4502 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4505 .fixup_map1 = { 4 },
4506 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4508 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4511 "invalid memory access with multiple map_lookup_elem calls",
4513 BPF_MOV64_IMM(BPF_REG_1, 10),
4514 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4515 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4517 BPF_LD_MAP_FD(BPF_REG_1, 0),
4518 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4519 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4520 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4521 BPF_FUNC_map_lookup_elem),
4522 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4524 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4525 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4526 BPF_FUNC_map_lookup_elem),
4527 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4528 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4531 .fixup_map1 = { 4 },
4533 .errstr = "R4 !read_ok",
4534 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4537 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4539 BPF_MOV64_IMM(BPF_REG_1, 10),
4540 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4541 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4543 BPF_LD_MAP_FD(BPF_REG_1, 0),
4544 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4545 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4547 BPF_FUNC_map_lookup_elem),
4548 BPF_MOV64_IMM(BPF_REG_2, 10),
4549 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4550 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4551 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4552 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4553 BPF_FUNC_map_lookup_elem),
4554 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4555 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4556 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4559 .fixup_map1 = { 4 },
4561 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4564 "invalid map access from else condition",
4566 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4569 BPF_LD_MAP_FD(BPF_REG_1, 0),
4570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4572 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4573 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4574 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4575 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4576 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4577 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4580 .fixup_map2 = { 3 },
4581 .errstr = "R0 unbounded memory access",
4583 .errstr_unpriv = "R0 leaks addr",
4584 .result_unpriv = REJECT,
4585 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4588 "constant register |= constant should keep constant type",
4590 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4592 BPF_MOV64_IMM(BPF_REG_2, 34),
4593 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4594 BPF_MOV64_IMM(BPF_REG_3, 0),
4595 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4599 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4602 "constant register |= constant should not bypass stack boundary checks",
4604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4606 BPF_MOV64_IMM(BPF_REG_2, 34),
4607 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4608 BPF_MOV64_IMM(BPF_REG_3, 0),
4609 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4612 .errstr = "invalid stack type R1 off=-48 access_size=58",
4614 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4617 "constant register |= constant register should keep constant type",
4619 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4621 BPF_MOV64_IMM(BPF_REG_2, 34),
4622 BPF_MOV64_IMM(BPF_REG_4, 13),
4623 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4624 BPF_MOV64_IMM(BPF_REG_3, 0),
4625 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4629 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4632 "constant register |= constant register should not bypass stack boundary checks",
4634 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4636 BPF_MOV64_IMM(BPF_REG_2, 34),
4637 BPF_MOV64_IMM(BPF_REG_4, 24),
4638 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4639 BPF_MOV64_IMM(BPF_REG_3, 0),
4640 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4643 .errstr = "invalid stack type R1 off=-48 access_size=58",
4645 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4648 "invalid direct packet write for LWT_IN",
4650 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4651 offsetof(struct __sk_buff, data)),
4652 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4653 offsetof(struct __sk_buff, data_end)),
4654 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4656 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4657 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4658 BPF_MOV64_IMM(BPF_REG_0, 0),
4661 .errstr = "cannot write into packet",
4663 .prog_type = BPF_PROG_TYPE_LWT_IN,
4666 "invalid direct packet write for LWT_OUT",
4668 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4669 offsetof(struct __sk_buff, data)),
4670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4671 offsetof(struct __sk_buff, data_end)),
4672 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4674 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4675 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4676 BPF_MOV64_IMM(BPF_REG_0, 0),
4679 .errstr = "cannot write into packet",
4681 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4684 "direct packet write for LWT_XMIT",
4686 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4687 offsetof(struct __sk_buff, data)),
4688 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4689 offsetof(struct __sk_buff, data_end)),
4690 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4692 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4693 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4694 BPF_MOV64_IMM(BPF_REG_0, 0),
4698 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4701 "direct packet read for LWT_IN",
4703 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4704 offsetof(struct __sk_buff, data)),
4705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4706 offsetof(struct __sk_buff, data_end)),
4707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4709 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4710 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4711 BPF_MOV64_IMM(BPF_REG_0, 0),
4715 .prog_type = BPF_PROG_TYPE_LWT_IN,
4718 "direct packet read for LWT_OUT",
4720 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4721 offsetof(struct __sk_buff, data)),
4722 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4723 offsetof(struct __sk_buff, data_end)),
4724 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4726 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4727 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4728 BPF_MOV64_IMM(BPF_REG_0, 0),
4732 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4735 "direct packet read for LWT_XMIT",
4737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4738 offsetof(struct __sk_buff, data)),
4739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4740 offsetof(struct __sk_buff, data_end)),
4741 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4743 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4744 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4745 BPF_MOV64_IMM(BPF_REG_0, 0),
4749 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4752 "overlapping checks for direct packet access",
4754 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4755 offsetof(struct __sk_buff, data)),
4756 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4757 offsetof(struct __sk_buff, data_end)),
4758 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4760 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4761 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4763 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4764 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4765 BPF_MOV64_IMM(BPF_REG_0, 0),
4769 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4772 "invalid access of tc_classid for LWT_IN",
4774 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4775 offsetof(struct __sk_buff, tc_classid)),
4779 .errstr = "invalid bpf_context access",
4782 "invalid access of tc_classid for LWT_OUT",
4784 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4785 offsetof(struct __sk_buff, tc_classid)),
4789 .errstr = "invalid bpf_context access",
4792 "invalid access of tc_classid for LWT_XMIT",
4794 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4795 offsetof(struct __sk_buff, tc_classid)),
4799 .errstr = "invalid bpf_context access",
4802 "leak pointer into ctx 1",
4804 BPF_MOV64_IMM(BPF_REG_0, 0),
4805 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4806 offsetof(struct __sk_buff, cb[0])),
4807 BPF_LD_MAP_FD(BPF_REG_2, 0),
4808 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4809 offsetof(struct __sk_buff, cb[0])),
4812 .fixup_map1 = { 2 },
4813 .errstr_unpriv = "R2 leaks addr into mem",
4814 .result_unpriv = REJECT,
4816 .errstr = "BPF_XADD stores into R1 context is not allowed",
4819 "leak pointer into ctx 2",
4821 BPF_MOV64_IMM(BPF_REG_0, 0),
4822 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4823 offsetof(struct __sk_buff, cb[0])),
4824 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4825 offsetof(struct __sk_buff, cb[0])),
4828 .errstr_unpriv = "R10 leaks addr into mem",
4829 .result_unpriv = REJECT,
4831 .errstr = "BPF_XADD stores into R1 context is not allowed",
4834 "leak pointer into ctx 3",
4836 BPF_MOV64_IMM(BPF_REG_0, 0),
4837 BPF_LD_MAP_FD(BPF_REG_2, 0),
4838 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4839 offsetof(struct __sk_buff, cb[0])),
4842 .fixup_map1 = { 1 },
4843 .errstr_unpriv = "R2 leaks addr into ctx",
4844 .result_unpriv = REJECT,
4848 "leak pointer into map val",
4850 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4851 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4854 BPF_LD_MAP_FD(BPF_REG_1, 0),
4855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4856 BPF_FUNC_map_lookup_elem),
4857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4858 BPF_MOV64_IMM(BPF_REG_3, 0),
4859 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4860 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4861 BPF_MOV64_IMM(BPF_REG_0, 0),
4864 .fixup_map1 = { 4 },
4865 .errstr_unpriv = "R6 leaks addr into mem",
4866 .result_unpriv = REJECT,
4870 "helper access to map: full range",
4872 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4874 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4875 BPF_LD_MAP_FD(BPF_REG_1, 0),
4876 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4878 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4879 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4880 BPF_MOV64_IMM(BPF_REG_3, 0),
4881 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4884 .fixup_map2 = { 3 },
4886 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4889 "helper access to map: partial range",
4891 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4893 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4894 BPF_LD_MAP_FD(BPF_REG_1, 0),
4895 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4896 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4897 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4898 BPF_MOV64_IMM(BPF_REG_2, 8),
4899 BPF_MOV64_IMM(BPF_REG_3, 0),
4900 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4903 .fixup_map2 = { 3 },
4905 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4908 "helper access to map: empty range",
4910 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4912 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4913 BPF_LD_MAP_FD(BPF_REG_1, 0),
4914 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4915 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4916 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4917 BPF_MOV64_IMM(BPF_REG_2, 0),
4918 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4921 .fixup_map2 = { 3 },
4922 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4924 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4927 "helper access to map: out-of-bound range",
4929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4931 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4932 BPF_LD_MAP_FD(BPF_REG_1, 0),
4933 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4934 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4935 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4936 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4937 BPF_MOV64_IMM(BPF_REG_3, 0),
4938 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4941 .fixup_map2 = { 3 },
4942 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4944 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4947 "helper access to map: negative range",
4949 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4951 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4952 BPF_LD_MAP_FD(BPF_REG_1, 0),
4953 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4954 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4955 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4956 BPF_MOV64_IMM(BPF_REG_2, -8),
4957 BPF_MOV64_IMM(BPF_REG_3, 0),
4958 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4961 .fixup_map2 = { 3 },
4962 .errstr = "R2 min value is negative",
4964 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4967 "helper access to adjusted map (via const imm): full range",
4969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4971 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4972 BPF_LD_MAP_FD(BPF_REG_1, 0),
4973 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4974 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4975 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4977 offsetof(struct test_val, foo)),
4978 BPF_MOV64_IMM(BPF_REG_2,
4979 sizeof(struct test_val) -
4980 offsetof(struct test_val, foo)),
4981 BPF_MOV64_IMM(BPF_REG_3, 0),
4982 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4985 .fixup_map2 = { 3 },
4987 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4990 "helper access to adjusted map (via const imm): partial range",
4992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4994 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4995 BPF_LD_MAP_FD(BPF_REG_1, 0),
4996 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4997 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4998 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5000 offsetof(struct test_val, foo)),
5001 BPF_MOV64_IMM(BPF_REG_2, 8),
5002 BPF_MOV64_IMM(BPF_REG_3, 0),
5003 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5006 .fixup_map2 = { 3 },
5008 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5011 "helper access to adjusted map (via const imm): empty range",
5013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5015 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5016 BPF_LD_MAP_FD(BPF_REG_1, 0),
5017 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5018 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5019 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5021 offsetof(struct test_val, foo)),
5022 BPF_MOV64_IMM(BPF_REG_2, 0),
5023 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5026 .fixup_map2 = { 3 },
5027 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5029 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5032 "helper access to adjusted map (via const imm): out-of-bound range",
5034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5036 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5037 BPF_LD_MAP_FD(BPF_REG_1, 0),
5038 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5039 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5040 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5042 offsetof(struct test_val, foo)),
5043 BPF_MOV64_IMM(BPF_REG_2,
5044 sizeof(struct test_val) -
5045 offsetof(struct test_val, foo) + 8),
5046 BPF_MOV64_IMM(BPF_REG_3, 0),
5047 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5050 .fixup_map2 = { 3 },
5051 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5053 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5056 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5060 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5061 BPF_LD_MAP_FD(BPF_REG_1, 0),
5062 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5066 offsetof(struct test_val, foo)),
5067 BPF_MOV64_IMM(BPF_REG_2, -8),
5068 BPF_MOV64_IMM(BPF_REG_3, 0),
5069 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5072 .fixup_map2 = { 3 },
5073 .errstr = "R2 min value is negative",
5075 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5078 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5080 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5082 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5083 BPF_LD_MAP_FD(BPF_REG_1, 0),
5084 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5085 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5088 offsetof(struct test_val, foo)),
5089 BPF_MOV64_IMM(BPF_REG_2, -1),
5090 BPF_MOV64_IMM(BPF_REG_3, 0),
5091 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5094 .fixup_map2 = { 3 },
5095 .errstr = "R2 min value is negative",
5097 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5100 "helper access to adjusted map (via const reg): full range",
5102 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5104 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5105 BPF_LD_MAP_FD(BPF_REG_1, 0),
5106 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5108 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5109 BPF_MOV64_IMM(BPF_REG_3,
5110 offsetof(struct test_val, foo)),
5111 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5112 BPF_MOV64_IMM(BPF_REG_2,
5113 sizeof(struct test_val) -
5114 offsetof(struct test_val, foo)),
5115 BPF_MOV64_IMM(BPF_REG_3, 0),
5116 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5119 .fixup_map2 = { 3 },
5121 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5124 "helper access to adjusted map (via const reg): partial range",
5126 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5128 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5129 BPF_LD_MAP_FD(BPF_REG_1, 0),
5130 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5131 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5133 BPF_MOV64_IMM(BPF_REG_3,
5134 offsetof(struct test_val, foo)),
5135 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5136 BPF_MOV64_IMM(BPF_REG_2, 8),
5137 BPF_MOV64_IMM(BPF_REG_3, 0),
5138 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5141 .fixup_map2 = { 3 },
5143 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5146 "helper access to adjusted map (via const reg): empty range",
5148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5150 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5151 BPF_LD_MAP_FD(BPF_REG_1, 0),
5152 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5154 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5155 BPF_MOV64_IMM(BPF_REG_3, 0),
5156 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5157 BPF_MOV64_IMM(BPF_REG_2, 0),
5158 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5161 .fixup_map2 = { 3 },
5162 .errstr = "R1 min value is outside of the array range",
5164 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5167 "helper access to adjusted map (via const reg): out-of-bound range",
5169 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5171 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5172 BPF_LD_MAP_FD(BPF_REG_1, 0),
5173 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5176 BPF_MOV64_IMM(BPF_REG_3,
5177 offsetof(struct test_val, foo)),
5178 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5179 BPF_MOV64_IMM(BPF_REG_2,
5180 sizeof(struct test_val) -
5181 offsetof(struct test_val, foo) + 8),
5182 BPF_MOV64_IMM(BPF_REG_3, 0),
5183 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5186 .fixup_map2 = { 3 },
5187 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5189 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5192 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5194 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5196 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5197 BPF_LD_MAP_FD(BPF_REG_1, 0),
5198 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5200 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5201 BPF_MOV64_IMM(BPF_REG_3,
5202 offsetof(struct test_val, foo)),
5203 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5204 BPF_MOV64_IMM(BPF_REG_2, -8),
5205 BPF_MOV64_IMM(BPF_REG_3, 0),
5206 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5209 .fixup_map2 = { 3 },
5210 .errstr = "R2 min value is negative",
5212 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5215 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5217 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5219 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5220 BPF_LD_MAP_FD(BPF_REG_1, 0),
5221 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5222 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5223 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5224 BPF_MOV64_IMM(BPF_REG_3,
5225 offsetof(struct test_val, foo)),
5226 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5227 BPF_MOV64_IMM(BPF_REG_2, -1),
5228 BPF_MOV64_IMM(BPF_REG_3, 0),
5229 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5232 .fixup_map2 = { 3 },
5233 .errstr = "R2 min value is negative",
5235 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5238 "helper access to adjusted map (via variable): full range",
5240 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5242 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5243 BPF_LD_MAP_FD(BPF_REG_1, 0),
5244 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5247 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5248 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5249 offsetof(struct test_val, foo), 4),
5250 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5251 BPF_MOV64_IMM(BPF_REG_2,
5252 sizeof(struct test_val) -
5253 offsetof(struct test_val, foo)),
5254 BPF_MOV64_IMM(BPF_REG_3, 0),
5255 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5258 .fixup_map2 = { 3 },
5260 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5263 "helper access to adjusted map (via variable): partial range",
5265 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5267 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5268 BPF_LD_MAP_FD(BPF_REG_1, 0),
5269 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5271 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5272 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5273 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5274 offsetof(struct test_val, foo), 4),
5275 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5276 BPF_MOV64_IMM(BPF_REG_2, 8),
5277 BPF_MOV64_IMM(BPF_REG_3, 0),
5278 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5281 .fixup_map2 = { 3 },
5283 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5286 "helper access to adjusted map (via variable): empty range",
5288 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5289 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5290 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5291 BPF_LD_MAP_FD(BPF_REG_1, 0),
5292 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5295 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5296 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5297 offsetof(struct test_val, foo), 3),
5298 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5299 BPF_MOV64_IMM(BPF_REG_2, 0),
5300 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5303 .fixup_map2 = { 3 },
5304 .errstr = "R1 min value is outside of the array range",
5306 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5309 "helper access to adjusted map (via variable): no max check",
5311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5313 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5314 BPF_LD_MAP_FD(BPF_REG_1, 0),
5315 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5316 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5317 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5318 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5319 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5320 BPF_MOV64_IMM(BPF_REG_2, 1),
5321 BPF_MOV64_IMM(BPF_REG_3, 0),
5322 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5325 .fixup_map2 = { 3 },
5326 .errstr = "R1 unbounded memory access",
5328 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5331 "helper access to adjusted map (via variable): wrong max check",
5333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5335 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5336 BPF_LD_MAP_FD(BPF_REG_1, 0),
5337 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5338 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5339 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5340 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5341 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5342 offsetof(struct test_val, foo), 4),
5343 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5344 BPF_MOV64_IMM(BPF_REG_2,
5345 sizeof(struct test_val) -
5346 offsetof(struct test_val, foo) + 1),
5347 BPF_MOV64_IMM(BPF_REG_3, 0),
5348 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5351 .fixup_map2 = { 3 },
5352 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5354 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5357 "helper access to map: bounds check using <, good access",
5359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5361 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5362 BPF_LD_MAP_FD(BPF_REG_1, 0),
5363 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5364 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5366 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5367 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5368 BPF_MOV64_IMM(BPF_REG_0, 0),
5370 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5371 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5372 BPF_MOV64_IMM(BPF_REG_0, 0),
5375 .fixup_map2 = { 3 },
5377 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5380 "helper access to map: bounds check using <, bad access",
5382 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5384 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5385 BPF_LD_MAP_FD(BPF_REG_1, 0),
5386 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5387 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5388 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5389 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5390 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5391 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5392 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5393 BPF_MOV64_IMM(BPF_REG_0, 0),
5395 BPF_MOV64_IMM(BPF_REG_0, 0),
5398 .fixup_map2 = { 3 },
5400 .errstr = "R1 unbounded memory access",
5401 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5404 "helper access to map: bounds check using <=, good access",
5406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5408 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5409 BPF_LD_MAP_FD(BPF_REG_1, 0),
5410 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5411 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5412 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5413 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5414 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5415 BPF_MOV64_IMM(BPF_REG_0, 0),
5417 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5418 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5419 BPF_MOV64_IMM(BPF_REG_0, 0),
5422 .fixup_map2 = { 3 },
5424 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5427 "helper access to map: bounds check using <=, bad access",
5429 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5431 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5432 BPF_LD_MAP_FD(BPF_REG_1, 0),
5433 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5434 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5435 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5437 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5438 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5439 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5440 BPF_MOV64_IMM(BPF_REG_0, 0),
5442 BPF_MOV64_IMM(BPF_REG_0, 0),
5445 .fixup_map2 = { 3 },
5447 .errstr = "R1 unbounded memory access",
5448 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5451 "helper access to map: bounds check using s<, good access",
5453 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5455 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5456 BPF_LD_MAP_FD(BPF_REG_1, 0),
5457 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5458 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5459 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5460 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5461 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5462 BPF_MOV64_IMM(BPF_REG_0, 0),
5464 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5465 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5466 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5467 BPF_MOV64_IMM(BPF_REG_0, 0),
5470 .fixup_map2 = { 3 },
5472 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5475 "helper access to map: bounds check using s<, good access 2",
5477 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5479 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5480 BPF_LD_MAP_FD(BPF_REG_1, 0),
5481 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5483 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5484 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5485 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5486 BPF_MOV64_IMM(BPF_REG_0, 0),
5488 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5489 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5490 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5491 BPF_MOV64_IMM(BPF_REG_0, 0),
5494 .fixup_map2 = { 3 },
5496 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5499 "helper access to map: bounds check using s<, bad access",
5501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5503 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5504 BPF_LD_MAP_FD(BPF_REG_1, 0),
5505 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5506 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5507 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5508 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5509 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5510 BPF_MOV64_IMM(BPF_REG_0, 0),
5512 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5513 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5514 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5515 BPF_MOV64_IMM(BPF_REG_0, 0),
5518 .fixup_map2 = { 3 },
5520 .errstr = "R1 min value is negative",
5521 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5524 "helper access to map: bounds check using s<=, good access",
5526 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5528 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5529 BPF_LD_MAP_FD(BPF_REG_1, 0),
5530 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5531 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5533 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5534 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5535 BPF_MOV64_IMM(BPF_REG_0, 0),
5537 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5538 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5539 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5540 BPF_MOV64_IMM(BPF_REG_0, 0),
5543 .fixup_map2 = { 3 },
5545 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5548 "helper access to map: bounds check using s<=, good access 2",
5550 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5552 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5553 BPF_LD_MAP_FD(BPF_REG_1, 0),
5554 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5555 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5556 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5557 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5558 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5559 BPF_MOV64_IMM(BPF_REG_0, 0),
5561 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5562 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5563 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5564 BPF_MOV64_IMM(BPF_REG_0, 0),
5567 .fixup_map2 = { 3 },
5569 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5572 "helper access to map: bounds check using s<=, bad access",
5574 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5576 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5577 BPF_LD_MAP_FD(BPF_REG_1, 0),
5578 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5580 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5581 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5582 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5583 BPF_MOV64_IMM(BPF_REG_0, 0),
5585 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5586 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5587 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5588 BPF_MOV64_IMM(BPF_REG_0, 0),
5591 .fixup_map2 = { 3 },
5593 .errstr = "R1 min value is negative",
5594 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5597 "map element value is preserved across register spilling",
5599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5601 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5602 BPF_LD_MAP_FD(BPF_REG_1, 0),
5603 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5604 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5605 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5606 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5608 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5609 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5610 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5613 .fixup_map2 = { 3 },
5614 .errstr_unpriv = "R0 leaks addr",
5616 .result_unpriv = REJECT,
5619 "map element value or null is marked on register spilling",
5621 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5623 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5624 BPF_LD_MAP_FD(BPF_REG_1, 0),
5625 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5626 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5628 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5629 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5630 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5631 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5634 .fixup_map2 = { 3 },
5635 .errstr_unpriv = "R0 leaks addr",
5637 .result_unpriv = REJECT,
5640 "map element value store of cleared call register",
5642 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5644 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5645 BPF_LD_MAP_FD(BPF_REG_1, 0),
5646 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5648 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5651 .fixup_map2 = { 3 },
5652 .errstr_unpriv = "R1 !read_ok",
5653 .errstr = "R1 !read_ok",
5655 .result_unpriv = REJECT,
5658 "map element value with unaligned store",
5660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5662 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5663 BPF_LD_MAP_FD(BPF_REG_1, 0),
5664 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5667 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5668 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5669 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5670 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5671 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5672 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5673 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5675 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5676 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5677 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5678 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5680 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5681 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5682 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5685 .fixup_map2 = { 3 },
5686 .errstr_unpriv = "R0 leaks addr",
5688 .result_unpriv = REJECT,
5689 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5692 "map element value with unaligned load",
5694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5696 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5697 BPF_LD_MAP_FD(BPF_REG_1, 0),
5698 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5699 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5700 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5701 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5703 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5704 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5705 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5706 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5707 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5709 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5710 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5713 .fixup_map2 = { 3 },
5714 .errstr_unpriv = "R0 leaks addr",
5716 .result_unpriv = REJECT,
5717 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5720 "map element value illegal alu op, 1",
5722 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5724 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5725 BPF_LD_MAP_FD(BPF_REG_1, 0),
5726 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5727 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5728 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5729 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5732 .fixup_map2 = { 3 },
5733 .errstr = "R0 bitwise operator &= on pointer",
5737 "map element value illegal alu op, 2",
5739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5741 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5742 BPF_LD_MAP_FD(BPF_REG_1, 0),
5743 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5745 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5746 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5749 .fixup_map2 = { 3 },
5750 .errstr = "R0 32-bit pointer arithmetic prohibited",
5754 "map element value illegal alu op, 3",
5756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5758 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5759 BPF_LD_MAP_FD(BPF_REG_1, 0),
5760 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5762 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5763 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5766 .fixup_map2 = { 3 },
5767 .errstr = "R0 pointer arithmetic with /= operator",
5771 "map element value illegal alu op, 4",
5773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5775 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5776 BPF_LD_MAP_FD(BPF_REG_1, 0),
5777 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5779 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5780 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5783 .fixup_map2 = { 3 },
5784 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5785 .errstr = "invalid mem access 'inv'",
5787 .result_unpriv = REJECT,
5790 "map element value illegal alu op, 5",
5792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5794 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5795 BPF_LD_MAP_FD(BPF_REG_1, 0),
5796 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5798 BPF_MOV64_IMM(BPF_REG_3, 4096),
5799 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5801 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5802 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5803 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5804 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5807 .fixup_map2 = { 3 },
5808 .errstr = "R0 invalid mem access 'inv'",
5812 "map element value is preserved across register spilling",
5814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5816 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5817 BPF_LD_MAP_FD(BPF_REG_1, 0),
5818 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5821 offsetof(struct test_val, foo)),
5822 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5825 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5826 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5827 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5830 .fixup_map2 = { 3 },
5831 .errstr_unpriv = "R0 leaks addr",
5833 .result_unpriv = REJECT,
5834 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5837 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5839 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5841 BPF_MOV64_IMM(BPF_REG_0, 0),
5842 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5843 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5844 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5845 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5846 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5847 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5848 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5849 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5850 BPF_MOV64_IMM(BPF_REG_2, 16),
5851 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5852 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5853 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5854 BPF_MOV64_IMM(BPF_REG_4, 0),
5855 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5856 BPF_MOV64_IMM(BPF_REG_3, 0),
5857 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5858 BPF_MOV64_IMM(BPF_REG_0, 0),
5862 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5865 "helper access to variable memory: stack, bitwise AND, zero included",
5867 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5869 BPF_MOV64_IMM(BPF_REG_2, 16),
5870 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5871 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5872 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5873 BPF_MOV64_IMM(BPF_REG_3, 0),
5874 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5877 .errstr = "invalid indirect read from stack off -64+0 size 64",
5879 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5882 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5886 BPF_MOV64_IMM(BPF_REG_2, 16),
5887 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5888 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5889 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5890 BPF_MOV64_IMM(BPF_REG_4, 0),
5891 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5892 BPF_MOV64_IMM(BPF_REG_3, 0),
5893 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5894 BPF_MOV64_IMM(BPF_REG_0, 0),
5897 .errstr = "invalid stack type R1 off=-64 access_size=65",
5899 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5902 "helper access to variable memory: stack, JMP, correct bounds",
5904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5906 BPF_MOV64_IMM(BPF_REG_0, 0),
5907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5908 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5911 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5912 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5913 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5914 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5915 BPF_MOV64_IMM(BPF_REG_2, 16),
5916 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5917 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5918 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5919 BPF_MOV64_IMM(BPF_REG_4, 0),
5920 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5921 BPF_MOV64_IMM(BPF_REG_3, 0),
5922 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5923 BPF_MOV64_IMM(BPF_REG_0, 0),
5927 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5930 "helper access to variable memory: stack, JMP (signed), correct bounds",
5932 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5933 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5934 BPF_MOV64_IMM(BPF_REG_0, 0),
5935 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5936 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5937 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5938 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5939 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5940 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5941 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5942 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5943 BPF_MOV64_IMM(BPF_REG_2, 16),
5944 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5945 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5946 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5947 BPF_MOV64_IMM(BPF_REG_4, 0),
5948 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5949 BPF_MOV64_IMM(BPF_REG_3, 0),
5950 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5951 BPF_MOV64_IMM(BPF_REG_0, 0),
5955 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5958 "helper access to variable memory: stack, JMP, bounds + offset",
5960 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5962 BPF_MOV64_IMM(BPF_REG_2, 16),
5963 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5964 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5965 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5966 BPF_MOV64_IMM(BPF_REG_4, 0),
5967 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5969 BPF_MOV64_IMM(BPF_REG_3, 0),
5970 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5971 BPF_MOV64_IMM(BPF_REG_0, 0),
5974 .errstr = "invalid stack type R1 off=-64 access_size=65",
5976 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5979 "helper access to variable memory: stack, JMP, wrong max",
5981 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5983 BPF_MOV64_IMM(BPF_REG_2, 16),
5984 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5985 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5986 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5987 BPF_MOV64_IMM(BPF_REG_4, 0),
5988 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5989 BPF_MOV64_IMM(BPF_REG_3, 0),
5990 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5991 BPF_MOV64_IMM(BPF_REG_0, 0),
5994 .errstr = "invalid stack type R1 off=-64 access_size=65",
5996 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5999 "helper access to variable memory: stack, JMP, no max check",
6001 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6003 BPF_MOV64_IMM(BPF_REG_2, 16),
6004 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6005 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6006 BPF_MOV64_IMM(BPF_REG_4, 0),
6007 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6008 BPF_MOV64_IMM(BPF_REG_3, 0),
6009 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6010 BPF_MOV64_IMM(BPF_REG_0, 0),
6013 /* because max wasn't checked, signed min is negative */
6014 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6016 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6019 "helper access to variable memory: stack, JMP, no min check",
6021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6023 BPF_MOV64_IMM(BPF_REG_2, 16),
6024 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6025 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6026 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6027 BPF_MOV64_IMM(BPF_REG_3, 0),
6028 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6029 BPF_MOV64_IMM(BPF_REG_0, 0),
6032 .errstr = "invalid indirect read from stack off -64+0 size 64",
6034 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6037 "helper access to variable memory: stack, JMP (signed), no min check",
6039 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6041 BPF_MOV64_IMM(BPF_REG_2, 16),
6042 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6043 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6044 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6045 BPF_MOV64_IMM(BPF_REG_3, 0),
6046 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6047 BPF_MOV64_IMM(BPF_REG_0, 0),
6050 .errstr = "R2 min value is negative",
6052 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6055 "helper access to variable memory: map, JMP, correct bounds",
6057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6059 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6060 BPF_LD_MAP_FD(BPF_REG_1, 0),
6061 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6063 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6064 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6065 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6066 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6067 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6068 sizeof(struct test_val), 4),
6069 BPF_MOV64_IMM(BPF_REG_4, 0),
6070 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6071 BPF_MOV64_IMM(BPF_REG_3, 0),
6072 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6073 BPF_MOV64_IMM(BPF_REG_0, 0),
6076 .fixup_map2 = { 3 },
6078 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6081 "helper access to variable memory: map, JMP, wrong max",
6083 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6085 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6086 BPF_LD_MAP_FD(BPF_REG_1, 0),
6087 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6089 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6090 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6091 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6092 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6093 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6094 sizeof(struct test_val) + 1, 4),
6095 BPF_MOV64_IMM(BPF_REG_4, 0),
6096 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6097 BPF_MOV64_IMM(BPF_REG_3, 0),
6098 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6099 BPF_MOV64_IMM(BPF_REG_0, 0),
6102 .fixup_map2 = { 3 },
6103 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6105 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6108 "helper access to variable memory: map adjusted, JMP, correct bounds",
6110 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6112 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6113 BPF_LD_MAP_FD(BPF_REG_1, 0),
6114 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6116 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6118 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6119 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6120 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6121 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6122 sizeof(struct test_val) - 20, 4),
6123 BPF_MOV64_IMM(BPF_REG_4, 0),
6124 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6125 BPF_MOV64_IMM(BPF_REG_3, 0),
6126 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6127 BPF_MOV64_IMM(BPF_REG_0, 0),
6130 .fixup_map2 = { 3 },
6132 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6135 "helper access to variable memory: map adjusted, JMP, wrong max",
6137 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6139 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6140 BPF_LD_MAP_FD(BPF_REG_1, 0),
6141 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6143 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6145 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6146 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6147 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6148 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6149 sizeof(struct test_val) - 19, 4),
6150 BPF_MOV64_IMM(BPF_REG_4, 0),
6151 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6152 BPF_MOV64_IMM(BPF_REG_3, 0),
6153 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6154 BPF_MOV64_IMM(BPF_REG_0, 0),
6157 .fixup_map2 = { 3 },
6158 .errstr = "R1 min value is outside of the array range",
6160 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6163 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6165 BPF_MOV64_IMM(BPF_REG_1, 0),
6166 BPF_MOV64_IMM(BPF_REG_2, 0),
6167 BPF_MOV64_IMM(BPF_REG_3, 0),
6168 BPF_MOV64_IMM(BPF_REG_4, 0),
6169 BPF_MOV64_IMM(BPF_REG_5, 0),
6170 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6174 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6177 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6179 BPF_MOV64_IMM(BPF_REG_1, 0),
6180 BPF_MOV64_IMM(BPF_REG_2, 1),
6181 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6182 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6183 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6184 BPF_MOV64_IMM(BPF_REG_3, 0),
6185 BPF_MOV64_IMM(BPF_REG_4, 0),
6186 BPF_MOV64_IMM(BPF_REG_5, 0),
6187 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6190 .errstr = "R1 type=inv expected=fp",
6192 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6195 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6199 BPF_MOV64_IMM(BPF_REG_2, 0),
6200 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6201 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6202 BPF_MOV64_IMM(BPF_REG_3, 0),
6203 BPF_MOV64_IMM(BPF_REG_4, 0),
6204 BPF_MOV64_IMM(BPF_REG_5, 0),
6205 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6209 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6212 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6214 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6217 BPF_LD_MAP_FD(BPF_REG_1, 0),
6218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6219 BPF_FUNC_map_lookup_elem),
6220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6222 BPF_MOV64_IMM(BPF_REG_2, 0),
6223 BPF_MOV64_IMM(BPF_REG_3, 0),
6224 BPF_MOV64_IMM(BPF_REG_4, 0),
6225 BPF_MOV64_IMM(BPF_REG_5, 0),
6226 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6229 .fixup_map1 = { 3 },
6231 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6234 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6236 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6237 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6239 BPF_LD_MAP_FD(BPF_REG_1, 0),
6240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6241 BPF_FUNC_map_lookup_elem),
6242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6243 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6244 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6245 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6247 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6248 BPF_MOV64_IMM(BPF_REG_3, 0),
6249 BPF_MOV64_IMM(BPF_REG_4, 0),
6250 BPF_MOV64_IMM(BPF_REG_5, 0),
6251 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6254 .fixup_map1 = { 3 },
6256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6259 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6261 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6262 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6264 BPF_LD_MAP_FD(BPF_REG_1, 0),
6265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6266 BPF_FUNC_map_lookup_elem),
6267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6268 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6269 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6270 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6271 BPF_MOV64_IMM(BPF_REG_3, 0),
6272 BPF_MOV64_IMM(BPF_REG_4, 0),
6273 BPF_MOV64_IMM(BPF_REG_5, 0),
6274 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6277 .fixup_map1 = { 3 },
6279 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6282 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6284 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6285 offsetof(struct __sk_buff, data)),
6286 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6287 offsetof(struct __sk_buff, data_end)),
6288 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6289 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6290 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6292 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6293 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6294 BPF_MOV64_IMM(BPF_REG_3, 0),
6295 BPF_MOV64_IMM(BPF_REG_4, 0),
6296 BPF_MOV64_IMM(BPF_REG_5, 0),
6297 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6301 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6302 .retval = 0 /* csum_diff of 64-byte packet */,
6305 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6307 BPF_MOV64_IMM(BPF_REG_1, 0),
6308 BPF_MOV64_IMM(BPF_REG_2, 0),
6309 BPF_MOV64_IMM(BPF_REG_3, 0),
6310 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6313 .errstr = "R1 type=inv expected=fp",
6315 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6318 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6320 BPF_MOV64_IMM(BPF_REG_1, 0),
6321 BPF_MOV64_IMM(BPF_REG_2, 1),
6322 BPF_MOV64_IMM(BPF_REG_3, 0),
6323 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6326 .errstr = "R1 type=inv expected=fp",
6328 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6331 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6333 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6335 BPF_MOV64_IMM(BPF_REG_2, 0),
6336 BPF_MOV64_IMM(BPF_REG_3, 0),
6337 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6341 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6344 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6346 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6347 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6349 BPF_LD_MAP_FD(BPF_REG_1, 0),
6350 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6351 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6352 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6353 BPF_MOV64_IMM(BPF_REG_2, 0),
6354 BPF_MOV64_IMM(BPF_REG_3, 0),
6355 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6358 .fixup_map1 = { 3 },
6360 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6363 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6365 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6366 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6368 BPF_LD_MAP_FD(BPF_REG_1, 0),
6369 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6370 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6371 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6372 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6373 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6375 BPF_MOV64_IMM(BPF_REG_3, 0),
6376 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6379 .fixup_map1 = { 3 },
6381 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6384 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6386 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6389 BPF_LD_MAP_FD(BPF_REG_1, 0),
6390 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6393 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6394 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6395 BPF_MOV64_IMM(BPF_REG_3, 0),
6396 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6399 .fixup_map1 = { 3 },
6401 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6404 "helper access to variable memory: 8 bytes leak",
6406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6408 BPF_MOV64_IMM(BPF_REG_0, 0),
6409 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6410 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6411 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6413 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6414 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6415 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6416 BPF_MOV64_IMM(BPF_REG_2, 1),
6417 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6418 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6419 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6421 BPF_MOV64_IMM(BPF_REG_3, 0),
6422 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6423 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6426 .errstr = "invalid indirect read from stack off -64+32 size 64",
6428 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6431 "helper access to variable memory: 8 bytes no leak (init memory)",
6433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6434 BPF_MOV64_IMM(BPF_REG_0, 0),
6435 BPF_MOV64_IMM(BPF_REG_0, 0),
6436 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6437 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6438 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6439 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6440 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6441 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6442 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6443 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6445 BPF_MOV64_IMM(BPF_REG_2, 0),
6446 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6448 BPF_MOV64_IMM(BPF_REG_3, 0),
6449 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6450 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6454 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6457 "invalid and of negative number",
6459 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6460 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6462 BPF_LD_MAP_FD(BPF_REG_1, 0),
6463 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6464 BPF_FUNC_map_lookup_elem),
6465 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6466 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6467 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6468 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6469 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6470 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6471 offsetof(struct test_val, foo)),
6474 .fixup_map2 = { 3 },
6475 .errstr = "R0 max value is outside of the array range",
6477 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6480 "invalid range check",
6482 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6483 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6485 BPF_LD_MAP_FD(BPF_REG_1, 0),
6486 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6487 BPF_FUNC_map_lookup_elem),
6488 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6489 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6490 BPF_MOV64_IMM(BPF_REG_9, 1),
6491 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6492 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6493 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6494 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6495 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6496 BPF_MOV32_IMM(BPF_REG_3, 1),
6497 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6498 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6499 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6500 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6501 BPF_MOV64_REG(BPF_REG_0, 0),
6504 .fixup_map2 = { 3 },
6505 .errstr = "R0 max value is outside of the array range",
6507 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6510 "map in map access",
6512 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6513 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6515 BPF_LD_MAP_FD(BPF_REG_1, 0),
6516 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6517 BPF_FUNC_map_lookup_elem),
6518 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6519 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6523 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6524 BPF_FUNC_map_lookup_elem),
6525 BPF_MOV64_REG(BPF_REG_0, 0),
6528 .fixup_map_in_map = { 3 },
6532 "invalid inner map pointer",
6534 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6535 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6537 BPF_LD_MAP_FD(BPF_REG_1, 0),
6538 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6539 BPF_FUNC_map_lookup_elem),
6540 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6541 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6547 BPF_FUNC_map_lookup_elem),
6548 BPF_MOV64_REG(BPF_REG_0, 0),
6551 .fixup_map_in_map = { 3 },
6552 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6556 "forgot null checking on the inner map pointer",
6558 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6559 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6561 BPF_LD_MAP_FD(BPF_REG_1, 0),
6562 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6563 BPF_FUNC_map_lookup_elem),
6564 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6565 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6567 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6568 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6569 BPF_FUNC_map_lookup_elem),
6570 BPF_MOV64_REG(BPF_REG_0, 0),
6573 .fixup_map_in_map = { 3 },
6574 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6578 "ld_abs: check calling conv, r1",
6580 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6581 BPF_MOV64_IMM(BPF_REG_1, 0),
6582 BPF_LD_ABS(BPF_W, -0x200000),
6583 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6586 .errstr = "R1 !read_ok",
6590 "ld_abs: check calling conv, r2",
6592 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6593 BPF_MOV64_IMM(BPF_REG_2, 0),
6594 BPF_LD_ABS(BPF_W, -0x200000),
6595 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6598 .errstr = "R2 !read_ok",
6602 "ld_abs: check calling conv, r3",
6604 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6605 BPF_MOV64_IMM(BPF_REG_3, 0),
6606 BPF_LD_ABS(BPF_W, -0x200000),
6607 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6610 .errstr = "R3 !read_ok",
6614 "ld_abs: check calling conv, r4",
6616 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6617 BPF_MOV64_IMM(BPF_REG_4, 0),
6618 BPF_LD_ABS(BPF_W, -0x200000),
6619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6622 .errstr = "R4 !read_ok",
6626 "ld_abs: check calling conv, r5",
6628 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6629 BPF_MOV64_IMM(BPF_REG_5, 0),
6630 BPF_LD_ABS(BPF_W, -0x200000),
6631 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6634 .errstr = "R5 !read_ok",
6638 "ld_abs: check calling conv, r7",
6640 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6641 BPF_MOV64_IMM(BPF_REG_7, 0),
6642 BPF_LD_ABS(BPF_W, -0x200000),
6643 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6649 "ld_abs: tests on r6 and skb data reload helper",
6651 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6652 BPF_LD_ABS(BPF_B, 0),
6653 BPF_LD_ABS(BPF_H, 0),
6654 BPF_LD_ABS(BPF_W, 0),
6655 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6656 BPF_MOV64_IMM(BPF_REG_6, 0),
6657 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6658 BPF_MOV64_IMM(BPF_REG_2, 1),
6659 BPF_MOV64_IMM(BPF_REG_3, 2),
6660 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6661 BPF_FUNC_skb_vlan_push),
6662 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6663 BPF_LD_ABS(BPF_B, 0),
6664 BPF_LD_ABS(BPF_H, 0),
6665 BPF_LD_ABS(BPF_W, 0),
6666 BPF_MOV64_IMM(BPF_REG_0, 42),
6669 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6671 .retval = 42 /* ultimate return value */,
6674 "ld_ind: check calling conv, r1",
6676 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6677 BPF_MOV64_IMM(BPF_REG_1, 1),
6678 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6679 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6682 .errstr = "R1 !read_ok",
6686 "ld_ind: check calling conv, r2",
6688 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6689 BPF_MOV64_IMM(BPF_REG_2, 1),
6690 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6691 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6694 .errstr = "R2 !read_ok",
6698 "ld_ind: check calling conv, r3",
6700 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6701 BPF_MOV64_IMM(BPF_REG_3, 1),
6702 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6703 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6706 .errstr = "R3 !read_ok",
6710 "ld_ind: check calling conv, r4",
6712 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6713 BPF_MOV64_IMM(BPF_REG_4, 1),
6714 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6715 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6718 .errstr = "R4 !read_ok",
6722 "ld_ind: check calling conv, r5",
6724 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6725 BPF_MOV64_IMM(BPF_REG_5, 1),
6726 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6727 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6730 .errstr = "R5 !read_ok",
6734 "ld_ind: check calling conv, r7",
6736 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6737 BPF_MOV64_IMM(BPF_REG_7, 1),
6738 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6739 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6746 "check bpf_perf_event_data->sample_period byte load permitted",
6748 BPF_MOV64_IMM(BPF_REG_0, 0),
6749 #if __BYTE_ORDER == __LITTLE_ENDIAN
6750 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6751 offsetof(struct bpf_perf_event_data, sample_period)),
6753 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6754 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6759 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6762 "check bpf_perf_event_data->sample_period half load permitted",
6764 BPF_MOV64_IMM(BPF_REG_0, 0),
6765 #if __BYTE_ORDER == __LITTLE_ENDIAN
6766 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6767 offsetof(struct bpf_perf_event_data, sample_period)),
6769 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6770 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6775 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6778 "check bpf_perf_event_data->sample_period word load permitted",
6780 BPF_MOV64_IMM(BPF_REG_0, 0),
6781 #if __BYTE_ORDER == __LITTLE_ENDIAN
6782 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6783 offsetof(struct bpf_perf_event_data, sample_period)),
6785 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6786 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6791 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6794 "check bpf_perf_event_data->sample_period dword load permitted",
6796 BPF_MOV64_IMM(BPF_REG_0, 0),
6797 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6798 offsetof(struct bpf_perf_event_data, sample_period)),
6802 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6805 "check skb->data half load not permitted",
6807 BPF_MOV64_IMM(BPF_REG_0, 0),
6808 #if __BYTE_ORDER == __LITTLE_ENDIAN
6809 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6810 offsetof(struct __sk_buff, data)),
6812 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6813 offsetof(struct __sk_buff, data) + 2),
6818 .errstr = "invalid bpf_context access",
6821 "check skb->tc_classid half load not permitted for lwt prog",
6823 BPF_MOV64_IMM(BPF_REG_0, 0),
6824 #if __BYTE_ORDER == __LITTLE_ENDIAN
6825 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6826 offsetof(struct __sk_buff, tc_classid)),
6828 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6829 offsetof(struct __sk_buff, tc_classid) + 2),
6834 .errstr = "invalid bpf_context access",
6835 .prog_type = BPF_PROG_TYPE_LWT_IN,
6838 "bounds checks mixing signed and unsigned, positive bounds",
6840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6843 BPF_LD_MAP_FD(BPF_REG_1, 0),
6844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6845 BPF_FUNC_map_lookup_elem),
6846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6847 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6848 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6849 BPF_MOV64_IMM(BPF_REG_2, 2),
6850 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6851 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6853 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6854 BPF_MOV64_IMM(BPF_REG_0, 0),
6857 .fixup_map1 = { 3 },
6858 .errstr = "unbounded min value",
6862 "bounds checks mixing signed and unsigned",
6864 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6865 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6867 BPF_LD_MAP_FD(BPF_REG_1, 0),
6868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6869 BPF_FUNC_map_lookup_elem),
6870 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6871 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6872 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6873 BPF_MOV64_IMM(BPF_REG_2, -1),
6874 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6875 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6876 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6877 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6878 BPF_MOV64_IMM(BPF_REG_0, 0),
6881 .fixup_map1 = { 3 },
6882 .errstr = "unbounded min value",
6886 "bounds checks mixing signed and unsigned, variant 2",
6888 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6889 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6891 BPF_LD_MAP_FD(BPF_REG_1, 0),
6892 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6893 BPF_FUNC_map_lookup_elem),
6894 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6895 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6896 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6897 BPF_MOV64_IMM(BPF_REG_2, -1),
6898 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6899 BPF_MOV64_IMM(BPF_REG_8, 0),
6900 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6901 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6902 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6903 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6904 BPF_MOV64_IMM(BPF_REG_0, 0),
6907 .fixup_map1 = { 3 },
6908 .errstr = "unbounded min value",
6912 "bounds checks mixing signed and unsigned, variant 3",
6914 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6915 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6917 BPF_LD_MAP_FD(BPF_REG_1, 0),
6918 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6919 BPF_FUNC_map_lookup_elem),
6920 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6921 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6922 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6923 BPF_MOV64_IMM(BPF_REG_2, -1),
6924 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6925 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6926 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6927 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6928 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6929 BPF_MOV64_IMM(BPF_REG_0, 0),
6932 .fixup_map1 = { 3 },
6933 .errstr = "unbounded min value",
6937 "bounds checks mixing signed and unsigned, variant 4",
6939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6942 BPF_LD_MAP_FD(BPF_REG_1, 0),
6943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6944 BPF_FUNC_map_lookup_elem),
6945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6946 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6947 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6948 BPF_MOV64_IMM(BPF_REG_2, 1),
6949 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6950 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6951 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6952 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6953 BPF_MOV64_IMM(BPF_REG_0, 0),
6956 .fixup_map1 = { 3 },
6960 "bounds checks mixing signed and unsigned, variant 5",
6962 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6965 BPF_LD_MAP_FD(BPF_REG_1, 0),
6966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6967 BPF_FUNC_map_lookup_elem),
6968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6969 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6970 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6971 BPF_MOV64_IMM(BPF_REG_2, -1),
6972 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6973 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6975 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6976 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6977 BPF_MOV64_IMM(BPF_REG_0, 0),
6980 .fixup_map1 = { 3 },
6981 .errstr = "unbounded min value",
6985 "bounds checks mixing signed and unsigned, variant 6",
6987 BPF_MOV64_IMM(BPF_REG_2, 0),
6988 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6990 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6991 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6992 BPF_MOV64_IMM(BPF_REG_6, -1),
6993 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6994 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6996 BPF_MOV64_IMM(BPF_REG_5, 0),
6997 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6998 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6999 BPF_FUNC_skb_load_bytes),
7000 BPF_MOV64_IMM(BPF_REG_0, 0),
7003 .errstr = "R4 min value is negative, either use unsigned",
7007 "bounds checks mixing signed and unsigned, variant 7",
7009 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7010 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7012 BPF_LD_MAP_FD(BPF_REG_1, 0),
7013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7014 BPF_FUNC_map_lookup_elem),
7015 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7016 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7017 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7018 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7019 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7020 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7021 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7022 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7023 BPF_MOV64_IMM(BPF_REG_0, 0),
7026 .fixup_map1 = { 3 },
7030 "bounds checks mixing signed and unsigned, variant 8",
7032 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7033 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7035 BPF_LD_MAP_FD(BPF_REG_1, 0),
7036 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7037 BPF_FUNC_map_lookup_elem),
7038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7039 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7040 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7041 BPF_MOV64_IMM(BPF_REG_2, -1),
7042 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7043 BPF_MOV64_IMM(BPF_REG_0, 0),
7045 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7046 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7047 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7048 BPF_MOV64_IMM(BPF_REG_0, 0),
7051 .fixup_map1 = { 3 },
7052 .errstr = "unbounded min value",
7056 "bounds checks mixing signed and unsigned, variant 9",
7058 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7061 BPF_LD_MAP_FD(BPF_REG_1, 0),
7062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7063 BPF_FUNC_map_lookup_elem),
7064 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7065 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7066 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7067 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7068 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7069 BPF_MOV64_IMM(BPF_REG_0, 0),
7071 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7073 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7074 BPF_MOV64_IMM(BPF_REG_0, 0),
7077 .fixup_map1 = { 3 },
7081 "bounds checks mixing signed and unsigned, variant 10",
7083 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7086 BPF_LD_MAP_FD(BPF_REG_1, 0),
7087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7088 BPF_FUNC_map_lookup_elem),
7089 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7090 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7091 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7092 BPF_MOV64_IMM(BPF_REG_2, 0),
7093 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7094 BPF_MOV64_IMM(BPF_REG_0, 0),
7096 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7097 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7098 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7099 BPF_MOV64_IMM(BPF_REG_0, 0),
7102 .fixup_map1 = { 3 },
7103 .errstr = "unbounded min value",
7107 "bounds checks mixing signed and unsigned, variant 11",
7109 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7110 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7112 BPF_LD_MAP_FD(BPF_REG_1, 0),
7113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7114 BPF_FUNC_map_lookup_elem),
7115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7116 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7117 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7118 BPF_MOV64_IMM(BPF_REG_2, -1),
7119 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7121 BPF_MOV64_IMM(BPF_REG_0, 0),
7123 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7124 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7125 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7126 BPF_MOV64_IMM(BPF_REG_0, 0),
7129 .fixup_map1 = { 3 },
7130 .errstr = "unbounded min value",
7134 "bounds checks mixing signed and unsigned, variant 12",
7136 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7137 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7139 BPF_LD_MAP_FD(BPF_REG_1, 0),
7140 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7141 BPF_FUNC_map_lookup_elem),
7142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7143 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7144 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7145 BPF_MOV64_IMM(BPF_REG_2, -6),
7146 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7147 BPF_MOV64_IMM(BPF_REG_0, 0),
7149 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7150 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7151 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7152 BPF_MOV64_IMM(BPF_REG_0, 0),
7155 .fixup_map1 = { 3 },
7156 .errstr = "unbounded min value",
7160 "bounds checks mixing signed and unsigned, variant 13",
7162 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7165 BPF_LD_MAP_FD(BPF_REG_1, 0),
7166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7167 BPF_FUNC_map_lookup_elem),
7168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7169 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7170 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7171 BPF_MOV64_IMM(BPF_REG_2, 2),
7172 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7173 BPF_MOV64_IMM(BPF_REG_7, 1),
7174 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7175 BPF_MOV64_IMM(BPF_REG_0, 0),
7177 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7178 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7179 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7180 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7181 BPF_MOV64_IMM(BPF_REG_0, 0),
7184 .fixup_map1 = { 3 },
7185 .errstr = "unbounded min value",
7189 "bounds checks mixing signed and unsigned, variant 14",
7191 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7192 offsetof(struct __sk_buff, mark)),
7193 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7194 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7196 BPF_LD_MAP_FD(BPF_REG_1, 0),
7197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7198 BPF_FUNC_map_lookup_elem),
7199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7200 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7201 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7202 BPF_MOV64_IMM(BPF_REG_2, -1),
7203 BPF_MOV64_IMM(BPF_REG_8, 2),
7204 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7205 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7206 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7207 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7208 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7209 BPF_MOV64_IMM(BPF_REG_0, 0),
7211 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7212 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7214 .fixup_map1 = { 4 },
7215 .errstr = "R0 invalid mem access 'inv'",
7219 "bounds checks mixing signed and unsigned, variant 15",
7221 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7224 BPF_LD_MAP_FD(BPF_REG_1, 0),
7225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7226 BPF_FUNC_map_lookup_elem),
7227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7228 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7229 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7230 BPF_MOV64_IMM(BPF_REG_2, -6),
7231 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7232 BPF_MOV64_IMM(BPF_REG_0, 0),
7234 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7235 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7236 BPF_MOV64_IMM(BPF_REG_0, 0),
7238 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7239 BPF_MOV64_IMM(BPF_REG_0, 0),
7242 .fixup_map1 = { 3 },
7243 .errstr = "unbounded min value",
7245 .result_unpriv = REJECT,
7248 "subtraction bounds (map value) variant 1",
7250 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7253 BPF_LD_MAP_FD(BPF_REG_1, 0),
7254 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7255 BPF_FUNC_map_lookup_elem),
7256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7257 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7258 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7259 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7260 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7261 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7262 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7263 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7264 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7266 BPF_MOV64_IMM(BPF_REG_0, 0),
7269 .fixup_map1 = { 3 },
7270 .errstr = "R0 max value is outside of the array range",
7274 "subtraction bounds (map value) variant 2",
7276 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7277 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7279 BPF_LD_MAP_FD(BPF_REG_1, 0),
7280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7281 BPF_FUNC_map_lookup_elem),
7282 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7283 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7284 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7285 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7286 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7287 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7288 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7289 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7291 BPF_MOV64_IMM(BPF_REG_0, 0),
7294 .fixup_map1 = { 3 },
7295 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7299 "bounds check based on zero-extended MOV",
7301 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7302 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7304 BPF_LD_MAP_FD(BPF_REG_1, 0),
7305 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7306 BPF_FUNC_map_lookup_elem),
7307 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7308 /* r2 = 0x0000'0000'ffff'ffff */
7309 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7311 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7313 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7314 /* access at offset 0 */
7315 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7317 BPF_MOV64_IMM(BPF_REG_0, 0),
7320 .fixup_map1 = { 3 },
7324 "bounds check based on sign-extended MOV. test1",
7326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7329 BPF_LD_MAP_FD(BPF_REG_1, 0),
7330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7331 BPF_FUNC_map_lookup_elem),
7332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7333 /* r2 = 0xffff'ffff'ffff'ffff */
7334 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7335 /* r2 = 0xffff'ffff */
7336 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7337 /* r0 = <oob pointer> */
7338 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7339 /* access to OOB pointer */
7340 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7342 BPF_MOV64_IMM(BPF_REG_0, 0),
7345 .fixup_map1 = { 3 },
7346 .errstr = "map_value pointer and 4294967295",
7350 "bounds check based on sign-extended MOV. test2",
7352 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7353 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7355 BPF_LD_MAP_FD(BPF_REG_1, 0),
7356 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7357 BPF_FUNC_map_lookup_elem),
7358 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7359 /* r2 = 0xffff'ffff'ffff'ffff */
7360 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7361 /* r2 = 0xfff'ffff */
7362 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7363 /* r0 = <oob pointer> */
7364 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7365 /* access to OOB pointer */
7366 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7368 BPF_MOV64_IMM(BPF_REG_0, 0),
7371 .fixup_map1 = { 3 },
7372 .errstr = "R0 min value is outside of the array range",
7376 "bounds check based on reg_off + var_off + insn_off. test1",
7378 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7379 offsetof(struct __sk_buff, mark)),
7380 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7381 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7383 BPF_LD_MAP_FD(BPF_REG_1, 0),
7384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7385 BPF_FUNC_map_lookup_elem),
7386 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7387 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7389 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7391 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7392 BPF_MOV64_IMM(BPF_REG_0, 0),
7395 .fixup_map1 = { 4 },
7396 .errstr = "value_size=8 off=1073741825",
7398 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7401 "bounds check based on reg_off + var_off + insn_off. test2",
7403 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7404 offsetof(struct __sk_buff, mark)),
7405 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7408 BPF_LD_MAP_FD(BPF_REG_1, 0),
7409 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7410 BPF_FUNC_map_lookup_elem),
7411 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7412 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7413 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7414 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7416 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7417 BPF_MOV64_IMM(BPF_REG_0, 0),
7420 .fixup_map1 = { 4 },
7421 .errstr = "value 1073741823",
7423 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7426 "bounds check after truncation of non-boundary-crossing range",
7428 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7429 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7431 BPF_LD_MAP_FD(BPF_REG_1, 0),
7432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7433 BPF_FUNC_map_lookup_elem),
7434 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7435 /* r1 = [0x00, 0xff] */
7436 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7437 BPF_MOV64_IMM(BPF_REG_2, 1),
7438 /* r2 = 0x10'0000'0000 */
7439 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7440 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7441 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7442 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7444 /* r1 = [0x00, 0xff] */
7445 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7447 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7449 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7450 /* access at offset 0 */
7451 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7453 BPF_MOV64_IMM(BPF_REG_0, 0),
7456 .fixup_map1 = { 3 },
7460 "bounds check after truncation of boundary-crossing range (1)",
7462 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7465 BPF_LD_MAP_FD(BPF_REG_1, 0),
7466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7467 BPF_FUNC_map_lookup_elem),
7468 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7469 /* r1 = [0x00, 0xff] */
7470 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7471 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7472 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7474 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7475 * [0x0000'0000, 0x0000'007f]
7477 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7478 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7479 /* r1 = [0x00, 0xff] or
7480 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7482 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7484 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7486 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7487 /* no-op or OOB pointer computation */
7488 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7489 /* potentially OOB access */
7490 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7492 BPF_MOV64_IMM(BPF_REG_0, 0),
7495 .fixup_map1 = { 3 },
7496 /* not actually fully unbounded, but the bound is very high */
7497 .errstr = "R0 unbounded memory access",
7501 "bounds check after truncation of boundary-crossing range (2)",
7503 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7506 BPF_LD_MAP_FD(BPF_REG_1, 0),
7507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7508 BPF_FUNC_map_lookup_elem),
7509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7510 /* r1 = [0x00, 0xff] */
7511 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7513 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7515 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7516 * [0x0000'0000, 0x0000'007f]
7517 * difference to previous test: truncation via MOV32
7520 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7521 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7522 /* r1 = [0x00, 0xff] or
7523 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7525 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7527 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7529 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7530 /* no-op or OOB pointer computation */
7531 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7532 /* potentially OOB access */
7533 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7535 BPF_MOV64_IMM(BPF_REG_0, 0),
7538 .fixup_map1 = { 3 },
7539 /* not actually fully unbounded, but the bound is very high */
7540 .errstr = "R0 unbounded memory access",
7544 "bounds check after wrapping 32-bit addition",
7546 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7547 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7549 BPF_LD_MAP_FD(BPF_REG_1, 0),
7550 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7551 BPF_FUNC_map_lookup_elem),
7552 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7553 /* r1 = 0x7fff'ffff */
7554 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7555 /* r1 = 0xffff'fffe */
7556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7558 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7560 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7561 /* access at offset 0 */
7562 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7564 BPF_MOV64_IMM(BPF_REG_0, 0),
7567 .fixup_map1 = { 3 },
7571 "bounds check after shift with oversized count operand",
7573 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7574 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7576 BPF_LD_MAP_FD(BPF_REG_1, 0),
7577 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7578 BPF_FUNC_map_lookup_elem),
7579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7580 BPF_MOV64_IMM(BPF_REG_2, 32),
7581 BPF_MOV64_IMM(BPF_REG_1, 1),
7582 /* r1 = (u32)1 << (u32)32 = ? */
7583 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7584 /* r1 = [0x0000, 0xffff] */
7585 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7586 /* computes unknown pointer, potentially OOB */
7587 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7588 /* potentially OOB access */
7589 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7591 BPF_MOV64_IMM(BPF_REG_0, 0),
7594 .fixup_map1 = { 3 },
7595 .errstr = "R0 max value is outside of the array range",
7599 "bounds check after right shift of maybe-negative number",
7601 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7604 BPF_LD_MAP_FD(BPF_REG_1, 0),
7605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7606 BPF_FUNC_map_lookup_elem),
7607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7608 /* r1 = [0x00, 0xff] */
7609 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7610 /* r1 = [-0x01, 0xfe] */
7611 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7612 /* r1 = 0 or 0xff'ffff'ffff'ffff */
7613 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7614 /* r1 = 0 or 0xffff'ffff'ffff */
7615 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7616 /* computes unknown pointer, potentially OOB */
7617 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7618 /* potentially OOB access */
7619 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7621 BPF_MOV64_IMM(BPF_REG_0, 0),
7624 .fixup_map1 = { 3 },
7625 .errstr = "R0 unbounded memory access",
7629 "bounds check map access with off+size signed 32bit overflow. test1",
7631 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7632 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7634 BPF_LD_MAP_FD(BPF_REG_1, 0),
7635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7636 BPF_FUNC_map_lookup_elem),
7637 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7640 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7644 .fixup_map1 = { 3 },
7645 .errstr = "map_value pointer and 2147483646",
7649 "bounds check map access with off+size signed 32bit overflow. test2",
7651 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7652 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7654 BPF_LD_MAP_FD(BPF_REG_1, 0),
7655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7656 BPF_FUNC_map_lookup_elem),
7657 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7662 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7666 .fixup_map1 = { 3 },
7667 .errstr = "pointer offset 1073741822",
7671 "bounds check map access with off+size signed 32bit overflow. test3",
7673 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7676 BPF_LD_MAP_FD(BPF_REG_1, 0),
7677 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7678 BPF_FUNC_map_lookup_elem),
7679 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7681 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7682 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7683 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7687 .fixup_map1 = { 3 },
7688 .errstr = "pointer offset -1073741822",
7692 "bounds check map access with off+size signed 32bit overflow. test4",
7694 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7697 BPF_LD_MAP_FD(BPF_REG_1, 0),
7698 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7699 BPF_FUNC_map_lookup_elem),
7700 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7702 BPF_MOV64_IMM(BPF_REG_1, 1000000),
7703 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
7704 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7705 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7709 .fixup_map1 = { 3 },
7710 .errstr = "map_value pointer and 1000000000000",
7714 "pointer/scalar confusion in state equality check (way 1)",
7716 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7717 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7719 BPF_LD_MAP_FD(BPF_REG_1, 0),
7720 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7721 BPF_FUNC_map_lookup_elem),
7722 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7723 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7725 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7729 .fixup_map1 = { 3 },
7731 .retval = POINTER_VALUE,
7732 .result_unpriv = REJECT,
7733 .errstr_unpriv = "R0 leaks addr as return value"
7736 "pointer/scalar confusion in state equality check (way 2)",
7738 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7741 BPF_LD_MAP_FD(BPF_REG_1, 0),
7742 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7743 BPF_FUNC_map_lookup_elem),
7744 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
7745 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7747 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7750 .fixup_map1 = { 3 },
7752 .retval = POINTER_VALUE,
7753 .result_unpriv = REJECT,
7754 .errstr_unpriv = "R0 leaks addr as return value"
7757 "variable-offset ctx access",
7759 /* Get an unknown value */
7760 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7761 /* Make it small and 4-byte aligned */
7762 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7763 /* add it to skb. We now have either &skb->len or
7764 * &skb->pkt_type, but we don't know which
7766 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7767 /* dereference it */
7768 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7771 .errstr = "variable ctx access var_off=(0x0; 0x4)",
7773 .prog_type = BPF_PROG_TYPE_LWT_IN,
7776 "variable-offset stack access",
7778 /* Fill the top 8 bytes of the stack */
7779 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7780 /* Get an unknown value */
7781 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7782 /* Make it small and 4-byte aligned */
7783 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7784 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7785 /* add it to fp. We now have either fp-4 or fp-8, but
7786 * we don't know which
7788 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7789 /* dereference it */
7790 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
7793 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
7795 .prog_type = BPF_PROG_TYPE_LWT_IN,
7798 "indirect variable-offset stack access",
7800 /* Fill the top 8 bytes of the stack */
7801 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7802 /* Get an unknown value */
7803 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7804 /* Make it small and 4-byte aligned */
7805 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7806 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7807 /* add it to fp. We now have either fp-4 or fp-8, but
7808 * we don't know which
7810 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7811 /* dereference it indirectly */
7812 BPF_LD_MAP_FD(BPF_REG_1, 0),
7813 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7814 BPF_FUNC_map_lookup_elem),
7815 BPF_MOV64_IMM(BPF_REG_0, 0),
7818 .fixup_map1 = { 5 },
7819 .errstr = "variable stack read R2",
7821 .prog_type = BPF_PROG_TYPE_LWT_IN,
7824 "direct stack access with 32-bit wraparound. test1",
7826 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7827 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7829 BPF_MOV32_IMM(BPF_REG_0, 0),
7830 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7833 .errstr = "fp pointer and 2147483647",
7837 "direct stack access with 32-bit wraparound. test2",
7839 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7842 BPF_MOV32_IMM(BPF_REG_0, 0),
7843 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7846 .errstr = "fp pointer and 1073741823",
7850 "direct stack access with 32-bit wraparound. test3",
7852 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7855 BPF_MOV32_IMM(BPF_REG_0, 0),
7856 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7859 .errstr = "fp pointer offset 1073741822",
7863 "liveness pruning and write screening",
7865 /* Get an unknown value */
7866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7867 /* branch conditions teach us nothing about R2 */
7868 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7869 BPF_MOV64_IMM(BPF_REG_0, 0),
7870 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7871 BPF_MOV64_IMM(BPF_REG_0, 0),
7874 .errstr = "R0 !read_ok",
7876 .prog_type = BPF_PROG_TYPE_LWT_IN,
7879 "varlen_map_value_access pruning",
7881 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7884 BPF_LD_MAP_FD(BPF_REG_1, 0),
7885 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7886 BPF_FUNC_map_lookup_elem),
7887 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7888 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7889 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
7890 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
7891 BPF_MOV32_IMM(BPF_REG_1, 0),
7892 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
7893 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7894 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
7895 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7896 offsetof(struct test_val, foo)),
7899 .fixup_map2 = { 3 },
7900 .errstr_unpriv = "R0 leaks addr",
7901 .errstr = "R0 unbounded memory access",
7902 .result_unpriv = REJECT,
7904 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7907 "invalid 64-bit BPF_END",
7909 BPF_MOV32_IMM(BPF_REG_0, 0),
7911 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
7912 .dst_reg = BPF_REG_0,
7919 .errstr = "unknown opcode d7",
7923 "XDP, using ifindex from netdev",
7925 BPF_MOV64_IMM(BPF_REG_0, 0),
7926 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7927 offsetof(struct xdp_md, ingress_ifindex)),
7928 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
7929 BPF_MOV64_IMM(BPF_REG_0, 1),
7933 .prog_type = BPF_PROG_TYPE_XDP,
7937 "meta access, test1",
7939 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7940 offsetof(struct xdp_md, data_meta)),
7941 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7942 offsetof(struct xdp_md, data)),
7943 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7945 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7946 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7947 BPF_MOV64_IMM(BPF_REG_0, 0),
7951 .prog_type = BPF_PROG_TYPE_XDP,
7954 "meta access, test2",
7956 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7957 offsetof(struct xdp_md, data_meta)),
7958 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7959 offsetof(struct xdp_md, data)),
7960 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7961 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
7962 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7964 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7965 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7966 BPF_MOV64_IMM(BPF_REG_0, 0),
7970 .errstr = "invalid access to packet, off=-8",
7971 .prog_type = BPF_PROG_TYPE_XDP,
7974 "meta access, test3",
7976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7977 offsetof(struct xdp_md, data_meta)),
7978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7979 offsetof(struct xdp_md, data_end)),
7980 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7982 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7984 BPF_MOV64_IMM(BPF_REG_0, 0),
7988 .errstr = "invalid access to packet",
7989 .prog_type = BPF_PROG_TYPE_XDP,
7992 "meta access, test4",
7994 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7995 offsetof(struct xdp_md, data_meta)),
7996 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7997 offsetof(struct xdp_md, data_end)),
7998 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7999 offsetof(struct xdp_md, data)),
8000 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8002 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8003 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8004 BPF_MOV64_IMM(BPF_REG_0, 0),
8008 .errstr = "invalid access to packet",
8009 .prog_type = BPF_PROG_TYPE_XDP,
8012 "meta access, test5",
8014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8015 offsetof(struct xdp_md, data_meta)),
8016 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8017 offsetof(struct xdp_md, data)),
8018 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8020 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8021 BPF_MOV64_IMM(BPF_REG_2, -8),
8022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8023 BPF_FUNC_xdp_adjust_meta),
8024 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8025 BPF_MOV64_IMM(BPF_REG_0, 0),
8029 .errstr = "R3 !read_ok",
8030 .prog_type = BPF_PROG_TYPE_XDP,
8033 "meta access, test6",
8035 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8036 offsetof(struct xdp_md, data_meta)),
8037 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8038 offsetof(struct xdp_md, data)),
8039 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8041 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8043 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8044 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8045 BPF_MOV64_IMM(BPF_REG_0, 0),
8049 .errstr = "invalid access to packet",
8050 .prog_type = BPF_PROG_TYPE_XDP,
8053 "meta access, test7",
8055 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8056 offsetof(struct xdp_md, data_meta)),
8057 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8058 offsetof(struct xdp_md, data)),
8059 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8061 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8063 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8064 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8065 BPF_MOV64_IMM(BPF_REG_0, 0),
8069 .prog_type = BPF_PROG_TYPE_XDP,
8072 "meta access, test8",
8074 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8075 offsetof(struct xdp_md, data_meta)),
8076 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8077 offsetof(struct xdp_md, data)),
8078 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8080 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8081 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8082 BPF_MOV64_IMM(BPF_REG_0, 0),
8086 .prog_type = BPF_PROG_TYPE_XDP,
8089 "meta access, test9",
8091 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8092 offsetof(struct xdp_md, data_meta)),
8093 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8094 offsetof(struct xdp_md, data)),
8095 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8098 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8099 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8100 BPF_MOV64_IMM(BPF_REG_0, 0),
8104 .errstr = "invalid access to packet",
8105 .prog_type = BPF_PROG_TYPE_XDP,
8108 "meta access, test10",
8110 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8111 offsetof(struct xdp_md, data_meta)),
8112 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8113 offsetof(struct xdp_md, data)),
8114 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8115 offsetof(struct xdp_md, data_end)),
8116 BPF_MOV64_IMM(BPF_REG_5, 42),
8117 BPF_MOV64_IMM(BPF_REG_6, 24),
8118 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8119 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8120 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8121 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8122 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8123 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8124 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8126 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8127 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8128 BPF_MOV64_IMM(BPF_REG_0, 0),
8132 .errstr = "invalid access to packet",
8133 .prog_type = BPF_PROG_TYPE_XDP,
8136 "meta access, test11",
8138 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8139 offsetof(struct xdp_md, data_meta)),
8140 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8141 offsetof(struct xdp_md, data)),
8142 BPF_MOV64_IMM(BPF_REG_5, 42),
8143 BPF_MOV64_IMM(BPF_REG_6, 24),
8144 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8145 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8146 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8147 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8148 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8149 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8150 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8152 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8153 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8154 BPF_MOV64_IMM(BPF_REG_0, 0),
8158 .prog_type = BPF_PROG_TYPE_XDP,
8161 "meta access, test12",
8163 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8164 offsetof(struct xdp_md, data_meta)),
8165 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8166 offsetof(struct xdp_md, data)),
8167 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8168 offsetof(struct xdp_md, data_end)),
8169 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8171 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8172 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8173 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8175 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8176 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8177 BPF_MOV64_IMM(BPF_REG_0, 0),
8181 .prog_type = BPF_PROG_TYPE_XDP,
8184 "arithmetic ops make PTR_TO_CTX unusable",
8186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8187 offsetof(struct __sk_buff, data) -
8188 offsetof(struct __sk_buff, mark)),
8189 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8190 offsetof(struct __sk_buff, mark)),
8193 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
8195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8198 "pkt_end - pkt_start is allowed",
8200 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8201 offsetof(struct __sk_buff, data_end)),
8202 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8203 offsetof(struct __sk_buff, data)),
8204 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8208 .retval = TEST_DATA_LEN,
8209 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8212 "XDP pkt read, pkt_end mangling, bad access 1",
8214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8215 offsetof(struct xdp_md, data)),
8216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8217 offsetof(struct xdp_md, data_end)),
8218 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8221 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8222 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8223 BPF_MOV64_IMM(BPF_REG_0, 0),
8226 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8228 .prog_type = BPF_PROG_TYPE_XDP,
8231 "XDP pkt read, pkt_end mangling, bad access 2",
8233 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8234 offsetof(struct xdp_md, data)),
8235 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8236 offsetof(struct xdp_md, data_end)),
8237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8239 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8240 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8241 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8242 BPF_MOV64_IMM(BPF_REG_0, 0),
8245 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8247 .prog_type = BPF_PROG_TYPE_XDP,
8250 "XDP pkt read, pkt_data' > pkt_end, good access",
8252 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8253 offsetof(struct xdp_md, data)),
8254 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8255 offsetof(struct xdp_md, data_end)),
8256 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8258 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8259 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8260 BPF_MOV64_IMM(BPF_REG_0, 0),
8264 .prog_type = BPF_PROG_TYPE_XDP,
8267 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8269 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8270 offsetof(struct xdp_md, data)),
8271 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8272 offsetof(struct xdp_md, data_end)),
8273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8275 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8276 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8277 BPF_MOV64_IMM(BPF_REG_0, 0),
8280 .errstr = "R1 offset is outside of the packet",
8282 .prog_type = BPF_PROG_TYPE_XDP,
8283 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8286 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8288 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8289 offsetof(struct xdp_md, data)),
8290 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8291 offsetof(struct xdp_md, data_end)),
8292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8294 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8295 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8296 BPF_MOV64_IMM(BPF_REG_0, 0),
8299 .errstr = "R1 offset is outside of the packet",
8301 .prog_type = BPF_PROG_TYPE_XDP,
8304 "XDP pkt read, pkt_end > pkt_data', good access",
8306 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8307 offsetof(struct xdp_md, data)),
8308 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8309 offsetof(struct xdp_md, data_end)),
8310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8312 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8313 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8314 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8315 BPF_MOV64_IMM(BPF_REG_0, 0),
8319 .prog_type = BPF_PROG_TYPE_XDP,
8320 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8323 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8325 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8326 offsetof(struct xdp_md, data)),
8327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8328 offsetof(struct xdp_md, data_end)),
8329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8331 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8332 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8333 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8334 BPF_MOV64_IMM(BPF_REG_0, 0),
8337 .errstr = "R1 offset is outside of the packet",
8339 .prog_type = BPF_PROG_TYPE_XDP,
8342 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8344 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8345 offsetof(struct xdp_md, data)),
8346 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8347 offsetof(struct xdp_md, data_end)),
8348 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8350 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8351 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8352 BPF_MOV64_IMM(BPF_REG_0, 0),
8355 .errstr = "R1 offset is outside of the packet",
8357 .prog_type = BPF_PROG_TYPE_XDP,
8360 "XDP pkt read, pkt_data' < pkt_end, good access",
8362 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8363 offsetof(struct xdp_md, data)),
8364 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8365 offsetof(struct xdp_md, data_end)),
8366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8368 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8369 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8371 BPF_MOV64_IMM(BPF_REG_0, 0),
8375 .prog_type = BPF_PROG_TYPE_XDP,
8376 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8379 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8381 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8382 offsetof(struct xdp_md, data)),
8383 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8384 offsetof(struct xdp_md, data_end)),
8385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8387 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8388 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8389 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8390 BPF_MOV64_IMM(BPF_REG_0, 0),
8393 .errstr = "R1 offset is outside of the packet",
8395 .prog_type = BPF_PROG_TYPE_XDP,
8398 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
8400 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8401 offsetof(struct xdp_md, data)),
8402 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8403 offsetof(struct xdp_md, data_end)),
8404 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8406 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8407 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8408 BPF_MOV64_IMM(BPF_REG_0, 0),
8411 .errstr = "R1 offset is outside of the packet",
8413 .prog_type = BPF_PROG_TYPE_XDP,
8416 "XDP pkt read, pkt_end < pkt_data', good access",
8418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8419 offsetof(struct xdp_md, data)),
8420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8421 offsetof(struct xdp_md, data_end)),
8422 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8424 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8425 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8426 BPF_MOV64_IMM(BPF_REG_0, 0),
8430 .prog_type = BPF_PROG_TYPE_XDP,
8433 "XDP pkt read, pkt_end < pkt_data', bad access 1",
8435 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8436 offsetof(struct xdp_md, data)),
8437 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8438 offsetof(struct xdp_md, data_end)),
8439 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8441 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8442 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8443 BPF_MOV64_IMM(BPF_REG_0, 0),
8446 .errstr = "R1 offset is outside of the packet",
8448 .prog_type = BPF_PROG_TYPE_XDP,
8449 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8452 "XDP pkt read, pkt_end < pkt_data', bad access 2",
8454 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8455 offsetof(struct xdp_md, data)),
8456 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8457 offsetof(struct xdp_md, data_end)),
8458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8460 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8461 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8462 BPF_MOV64_IMM(BPF_REG_0, 0),
8465 .errstr = "R1 offset is outside of the packet",
8467 .prog_type = BPF_PROG_TYPE_XDP,
8470 "XDP pkt read, pkt_data' >= pkt_end, good access",
8472 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8473 offsetof(struct xdp_md, data)),
8474 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8475 offsetof(struct xdp_md, data_end)),
8476 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8478 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8479 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8480 BPF_MOV64_IMM(BPF_REG_0, 0),
8484 .prog_type = BPF_PROG_TYPE_XDP,
8485 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8488 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8490 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8491 offsetof(struct xdp_md, data)),
8492 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8493 offsetof(struct xdp_md, data_end)),
8494 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8496 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8497 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8498 BPF_MOV64_IMM(BPF_REG_0, 0),
8501 .errstr = "R1 offset is outside of the packet",
8503 .prog_type = BPF_PROG_TYPE_XDP,
8506 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8508 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8509 offsetof(struct xdp_md, data)),
8510 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8511 offsetof(struct xdp_md, data_end)),
8512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8514 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8515 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8516 BPF_MOV64_IMM(BPF_REG_0, 0),
8519 .errstr = "R1 offset is outside of the packet",
8521 .prog_type = BPF_PROG_TYPE_XDP,
8522 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8525 "XDP pkt read, pkt_end >= pkt_data', good access",
8527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8528 offsetof(struct xdp_md, data)),
8529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8530 offsetof(struct xdp_md, data_end)),
8531 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8533 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8534 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8535 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8536 BPF_MOV64_IMM(BPF_REG_0, 0),
8540 .prog_type = BPF_PROG_TYPE_XDP,
8543 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
8545 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8546 offsetof(struct xdp_md, data)),
8547 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8548 offsetof(struct xdp_md, data_end)),
8549 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8551 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8552 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8553 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8554 BPF_MOV64_IMM(BPF_REG_0, 0),
8557 .errstr = "R1 offset is outside of the packet",
8559 .prog_type = BPF_PROG_TYPE_XDP,
8560 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8563 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
8565 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8566 offsetof(struct xdp_md, data)),
8567 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8568 offsetof(struct xdp_md, data_end)),
8569 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8571 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8572 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8573 BPF_MOV64_IMM(BPF_REG_0, 0),
8576 .errstr = "R1 offset is outside of the packet",
8578 .prog_type = BPF_PROG_TYPE_XDP,
8581 "XDP pkt read, pkt_data' <= pkt_end, good access",
8583 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8584 offsetof(struct xdp_md, data)),
8585 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8586 offsetof(struct xdp_md, data_end)),
8587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8589 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8590 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8591 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8592 BPF_MOV64_IMM(BPF_REG_0, 0),
8596 .prog_type = BPF_PROG_TYPE_XDP,
8599 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8601 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8602 offsetof(struct xdp_md, data)),
8603 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8604 offsetof(struct xdp_md, data_end)),
8605 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8607 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8608 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8609 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8610 BPF_MOV64_IMM(BPF_REG_0, 0),
8613 .errstr = "R1 offset is outside of the packet",
8615 .prog_type = BPF_PROG_TYPE_XDP,
8616 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8619 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8622 offsetof(struct xdp_md, data)),
8623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8624 offsetof(struct xdp_md, data_end)),
8625 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8627 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8628 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8629 BPF_MOV64_IMM(BPF_REG_0, 0),
8632 .errstr = "R1 offset is outside of the packet",
8634 .prog_type = BPF_PROG_TYPE_XDP,
8637 "XDP pkt read, pkt_end <= pkt_data', good access",
8639 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8640 offsetof(struct xdp_md, data)),
8641 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8642 offsetof(struct xdp_md, data_end)),
8643 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8645 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8646 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8647 BPF_MOV64_IMM(BPF_REG_0, 0),
8651 .prog_type = BPF_PROG_TYPE_XDP,
8652 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8655 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
8657 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8658 offsetof(struct xdp_md, data)),
8659 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8660 offsetof(struct xdp_md, data_end)),
8661 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8663 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8664 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8665 BPF_MOV64_IMM(BPF_REG_0, 0),
8668 .errstr = "R1 offset is outside of the packet",
8670 .prog_type = BPF_PROG_TYPE_XDP,
8673 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
8675 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8676 offsetof(struct xdp_md, data)),
8677 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8678 offsetof(struct xdp_md, data_end)),
8679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8681 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8682 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8683 BPF_MOV64_IMM(BPF_REG_0, 0),
8686 .errstr = "R1 offset is outside of the packet",
8688 .prog_type = BPF_PROG_TYPE_XDP,
8689 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8692 "XDP pkt read, pkt_meta' > pkt_data, good access",
8694 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8695 offsetof(struct xdp_md, data_meta)),
8696 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8697 offsetof(struct xdp_md, data)),
8698 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8700 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8701 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8702 BPF_MOV64_IMM(BPF_REG_0, 0),
8706 .prog_type = BPF_PROG_TYPE_XDP,
8709 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
8711 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8712 offsetof(struct xdp_md, data_meta)),
8713 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8714 offsetof(struct xdp_md, data)),
8715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8717 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8718 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8719 BPF_MOV64_IMM(BPF_REG_0, 0),
8722 .errstr = "R1 offset is outside of the packet",
8724 .prog_type = BPF_PROG_TYPE_XDP,
8725 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8728 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
8730 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8731 offsetof(struct xdp_md, data_meta)),
8732 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8733 offsetof(struct xdp_md, data)),
8734 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8736 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8737 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8738 BPF_MOV64_IMM(BPF_REG_0, 0),
8741 .errstr = "R1 offset is outside of the packet",
8743 .prog_type = BPF_PROG_TYPE_XDP,
8746 "XDP pkt read, pkt_data > pkt_meta', good access",
8748 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8749 offsetof(struct xdp_md, data_meta)),
8750 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8751 offsetof(struct xdp_md, data)),
8752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8754 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8755 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8757 BPF_MOV64_IMM(BPF_REG_0, 0),
8761 .prog_type = BPF_PROG_TYPE_XDP,
8762 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8765 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
8767 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8768 offsetof(struct xdp_md, data_meta)),
8769 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8770 offsetof(struct xdp_md, data)),
8771 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8773 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8774 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8775 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8776 BPF_MOV64_IMM(BPF_REG_0, 0),
8779 .errstr = "R1 offset is outside of the packet",
8781 .prog_type = BPF_PROG_TYPE_XDP,
8784 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
8786 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8787 offsetof(struct xdp_md, data_meta)),
8788 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8789 offsetof(struct xdp_md, data)),
8790 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8792 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8793 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8794 BPF_MOV64_IMM(BPF_REG_0, 0),
8797 .errstr = "R1 offset is outside of the packet",
8799 .prog_type = BPF_PROG_TYPE_XDP,
8802 "XDP pkt read, pkt_meta' < pkt_data, good access",
8804 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8805 offsetof(struct xdp_md, data_meta)),
8806 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8807 offsetof(struct xdp_md, data)),
8808 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8810 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8811 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8812 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8813 BPF_MOV64_IMM(BPF_REG_0, 0),
8817 .prog_type = BPF_PROG_TYPE_XDP,
8818 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8821 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
8823 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8824 offsetof(struct xdp_md, data_meta)),
8825 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8826 offsetof(struct xdp_md, data)),
8827 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8829 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8830 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8831 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8832 BPF_MOV64_IMM(BPF_REG_0, 0),
8835 .errstr = "R1 offset is outside of the packet",
8837 .prog_type = BPF_PROG_TYPE_XDP,
8840 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
8842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8843 offsetof(struct xdp_md, data_meta)),
8844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8845 offsetof(struct xdp_md, data)),
8846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8848 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8849 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8850 BPF_MOV64_IMM(BPF_REG_0, 0),
8853 .errstr = "R1 offset is outside of the packet",
8855 .prog_type = BPF_PROG_TYPE_XDP,
8858 "XDP pkt read, pkt_data < pkt_meta', good access",
8860 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8861 offsetof(struct xdp_md, data_meta)),
8862 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8863 offsetof(struct xdp_md, data)),
8864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8866 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8867 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8868 BPF_MOV64_IMM(BPF_REG_0, 0),
8872 .prog_type = BPF_PROG_TYPE_XDP,
8875 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
8877 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8878 offsetof(struct xdp_md, data_meta)),
8879 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8880 offsetof(struct xdp_md, data)),
8881 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8883 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8884 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8885 BPF_MOV64_IMM(BPF_REG_0, 0),
8888 .errstr = "R1 offset is outside of the packet",
8890 .prog_type = BPF_PROG_TYPE_XDP,
8891 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8894 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
8896 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8897 offsetof(struct xdp_md, data_meta)),
8898 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8899 offsetof(struct xdp_md, data)),
8900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8902 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8903 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8904 BPF_MOV64_IMM(BPF_REG_0, 0),
8907 .errstr = "R1 offset is outside of the packet",
8909 .prog_type = BPF_PROG_TYPE_XDP,
8912 "XDP pkt read, pkt_meta' >= pkt_data, good access",
8914 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8915 offsetof(struct xdp_md, data_meta)),
8916 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8917 offsetof(struct xdp_md, data)),
8918 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8920 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8921 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8922 BPF_MOV64_IMM(BPF_REG_0, 0),
8926 .prog_type = BPF_PROG_TYPE_XDP,
8927 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8930 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
8932 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8933 offsetof(struct xdp_md, data_meta)),
8934 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8935 offsetof(struct xdp_md, data)),
8936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8938 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8939 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8940 BPF_MOV64_IMM(BPF_REG_0, 0),
8943 .errstr = "R1 offset is outside of the packet",
8945 .prog_type = BPF_PROG_TYPE_XDP,
8948 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
8950 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8951 offsetof(struct xdp_md, data_meta)),
8952 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8953 offsetof(struct xdp_md, data)),
8954 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8956 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8957 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8958 BPF_MOV64_IMM(BPF_REG_0, 0),
8961 .errstr = "R1 offset is outside of the packet",
8963 .prog_type = BPF_PROG_TYPE_XDP,
8964 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8967 "XDP pkt read, pkt_data >= pkt_meta', good access",
8969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8970 offsetof(struct xdp_md, data_meta)),
8971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8972 offsetof(struct xdp_md, data)),
8973 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8975 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8976 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8977 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8978 BPF_MOV64_IMM(BPF_REG_0, 0),
8982 .prog_type = BPF_PROG_TYPE_XDP,
8985 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
8987 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8988 offsetof(struct xdp_md, data_meta)),
8989 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8990 offsetof(struct xdp_md, data)),
8991 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8993 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8994 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8995 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8996 BPF_MOV64_IMM(BPF_REG_0, 0),
8999 .errstr = "R1 offset is outside of the packet",
9001 .prog_type = BPF_PROG_TYPE_XDP,
9002 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9005 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9007 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9008 offsetof(struct xdp_md, data_meta)),
9009 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9010 offsetof(struct xdp_md, data)),
9011 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9013 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9014 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9015 BPF_MOV64_IMM(BPF_REG_0, 0),
9018 .errstr = "R1 offset is outside of the packet",
9020 .prog_type = BPF_PROG_TYPE_XDP,
9023 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9025 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9026 offsetof(struct xdp_md, data_meta)),
9027 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9028 offsetof(struct xdp_md, data)),
9029 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9031 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9032 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9033 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9034 BPF_MOV64_IMM(BPF_REG_0, 0),
9038 .prog_type = BPF_PROG_TYPE_XDP,
9041 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9043 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9044 offsetof(struct xdp_md, data_meta)),
9045 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9046 offsetof(struct xdp_md, data)),
9047 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9049 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9050 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9051 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9052 BPF_MOV64_IMM(BPF_REG_0, 0),
9055 .errstr = "R1 offset is outside of the packet",
9057 .prog_type = BPF_PROG_TYPE_XDP,
9058 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9061 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9063 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9064 offsetof(struct xdp_md, data_meta)),
9065 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9066 offsetof(struct xdp_md, data)),
9067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9068 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9069 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9070 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9071 BPF_MOV64_IMM(BPF_REG_0, 0),
9074 .errstr = "R1 offset is outside of the packet",
9076 .prog_type = BPF_PROG_TYPE_XDP,
9079 "XDP pkt read, pkt_data <= pkt_meta', good access",
9081 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9082 offsetof(struct xdp_md, data_meta)),
9083 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9084 offsetof(struct xdp_md, data)),
9085 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9087 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9089 BPF_MOV64_IMM(BPF_REG_0, 0),
9093 .prog_type = BPF_PROG_TYPE_XDP,
9094 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9097 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9099 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9100 offsetof(struct xdp_md, data_meta)),
9101 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9102 offsetof(struct xdp_md, data)),
9103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9105 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9106 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9107 BPF_MOV64_IMM(BPF_REG_0, 0),
9110 .errstr = "R1 offset is outside of the packet",
9112 .prog_type = BPF_PROG_TYPE_XDP,
9115 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9117 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9118 offsetof(struct xdp_md, data_meta)),
9119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9120 offsetof(struct xdp_md, data)),
9121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9123 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9124 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9125 BPF_MOV64_IMM(BPF_REG_0, 0),
9128 .errstr = "R1 offset is outside of the packet",
9130 .prog_type = BPF_PROG_TYPE_XDP,
9131 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9134 "check deducing bounds from const, 1",
9136 BPF_MOV64_IMM(BPF_REG_0, 1),
9137 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9138 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9142 .errstr = "R0 tried to subtract pointer from scalar",
9145 "check deducing bounds from const, 2",
9147 BPF_MOV64_IMM(BPF_REG_0, 1),
9148 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9150 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9152 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9159 "check deducing bounds from const, 3",
9161 BPF_MOV64_IMM(BPF_REG_0, 0),
9162 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9163 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9167 .errstr = "R0 tried to subtract pointer from scalar",
9170 "check deducing bounds from const, 4",
9172 BPF_MOV64_IMM(BPF_REG_0, 0),
9173 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9175 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9177 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9183 "check deducing bounds from const, 5",
9185 BPF_MOV64_IMM(BPF_REG_0, 0),
9186 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9187 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9191 .errstr = "R0 tried to subtract pointer from scalar",
9194 "check deducing bounds from const, 6",
9196 BPF_MOV64_IMM(BPF_REG_0, 0),
9197 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9199 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9203 .errstr = "R0 tried to subtract pointer from scalar",
9206 "check deducing bounds from const, 7",
9208 BPF_MOV64_IMM(BPF_REG_0, ~0),
9209 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9210 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9211 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9212 offsetof(struct __sk_buff, mark)),
9216 .errstr = "dereference of modified ctx ptr",
9219 "check deducing bounds from const, 8",
9221 BPF_MOV64_IMM(BPF_REG_0, ~0),
9222 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9223 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9224 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9225 offsetof(struct __sk_buff, mark)),
9229 .errstr = "dereference of modified ctx ptr",
9232 "check deducing bounds from const, 9",
9234 BPF_MOV64_IMM(BPF_REG_0, 0),
9235 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9236 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9240 .errstr = "R0 tried to subtract pointer from scalar",
9243 "check deducing bounds from const, 10",
9245 BPF_MOV64_IMM(BPF_REG_0, 0),
9246 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9247 /* Marks reg as unknown. */
9248 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9249 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9253 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9256 "bpf_exit with invalid return code. test1",
9258 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9261 .errstr = "R0 has value (0x0; 0xffffffff)",
9263 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9266 "bpf_exit with invalid return code. test2",
9268 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9269 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9273 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9276 "bpf_exit with invalid return code. test3",
9278 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9279 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9282 .errstr = "R0 has value (0x0; 0x3)",
9284 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9287 "bpf_exit with invalid return code. test4",
9289 BPF_MOV64_IMM(BPF_REG_0, 1),
9293 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9296 "bpf_exit with invalid return code. test5",
9298 BPF_MOV64_IMM(BPF_REG_0, 2),
9301 .errstr = "R0 has value (0x2; 0x0)",
9303 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9306 "bpf_exit with invalid return code. test6",
9308 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9311 .errstr = "R0 is not a known value (ctx)",
9313 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9316 "bpf_exit with invalid return code. test7",
9318 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9319 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9320 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9323 .errstr = "R0 has unknown scalar value",
9325 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9328 "calls: basic sanity",
9330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9331 BPF_MOV64_IMM(BPF_REG_0, 1),
9333 BPF_MOV64_IMM(BPF_REG_0, 2),
9336 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9340 "calls: not on unpriviledged",
9342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9343 BPF_MOV64_IMM(BPF_REG_0, 1),
9345 BPF_MOV64_IMM(BPF_REG_0, 2),
9348 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9349 .result_unpriv = REJECT,
9354 "calls: div by 0 in subprog",
9356 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9358 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9359 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9360 offsetof(struct __sk_buff, data_end)),
9361 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9363 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9364 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9365 BPF_MOV64_IMM(BPF_REG_0, 1),
9367 BPF_MOV32_IMM(BPF_REG_2, 0),
9368 BPF_MOV32_IMM(BPF_REG_3, 1),
9369 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9371 offsetof(struct __sk_buff, data)),
9374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9379 "calls: multiple ret types in subprog 1",
9381 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9382 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9384 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9385 offsetof(struct __sk_buff, data_end)),
9386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9388 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9389 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9390 BPF_MOV64_IMM(BPF_REG_0, 1),
9392 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9393 offsetof(struct __sk_buff, data)),
9394 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9395 BPF_MOV32_IMM(BPF_REG_0, 42),
9398 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9400 .errstr = "R0 invalid mem access 'inv'",
9403 "calls: multiple ret types in subprog 2",
9405 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9408 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9409 offsetof(struct __sk_buff, data_end)),
9410 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9412 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9413 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9414 BPF_MOV64_IMM(BPF_REG_0, 1),
9416 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9417 offsetof(struct __sk_buff, data)),
9418 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9419 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9420 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9421 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9423 BPF_LD_MAP_FD(BPF_REG_1, 0),
9424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9425 BPF_FUNC_map_lookup_elem),
9426 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9427 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9428 offsetof(struct __sk_buff, data)),
9429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9432 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9433 .fixup_map1 = { 16 },
9435 .errstr = "R0 min value is outside of the array range",
9438 "calls: overlapping caller/callee",
9440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9441 BPF_MOV64_IMM(BPF_REG_0, 1),
9444 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9445 .errstr = "last insn is not an exit or jmp",
9449 "calls: wrong recursive calls",
9451 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9452 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9456 BPF_MOV64_IMM(BPF_REG_0, 1),
9459 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9460 .errstr = "jump out of range",
9464 "calls: wrong src reg",
9466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9467 BPF_MOV64_IMM(BPF_REG_0, 1),
9470 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9471 .errstr = "BPF_CALL uses reserved fields",
9475 "calls: wrong off value",
9477 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9478 BPF_MOV64_IMM(BPF_REG_0, 1),
9480 BPF_MOV64_IMM(BPF_REG_0, 2),
9483 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9484 .errstr = "BPF_CALL uses reserved fields",
9488 "calls: jump back loop",
9490 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9491 BPF_MOV64_IMM(BPF_REG_0, 1),
9494 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9495 .errstr = "back-edge from insn 0 to 0",
9499 "calls: conditional call",
9501 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9502 offsetof(struct __sk_buff, mark)),
9503 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9505 BPF_MOV64_IMM(BPF_REG_0, 1),
9507 BPF_MOV64_IMM(BPF_REG_0, 2),
9510 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9511 .errstr = "jump out of range",
9515 "calls: conditional call 2",
9517 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9518 offsetof(struct __sk_buff, mark)),
9519 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9520 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9521 BPF_MOV64_IMM(BPF_REG_0, 1),
9523 BPF_MOV64_IMM(BPF_REG_0, 2),
9525 BPF_MOV64_IMM(BPF_REG_0, 3),
9528 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9532 "calls: conditional call 3",
9534 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9535 offsetof(struct __sk_buff, mark)),
9536 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9537 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9538 BPF_MOV64_IMM(BPF_REG_0, 1),
9540 BPF_MOV64_IMM(BPF_REG_0, 1),
9541 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9542 BPF_MOV64_IMM(BPF_REG_0, 3),
9543 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9545 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9546 .errstr = "back-edge from insn",
9550 "calls: conditional call 4",
9552 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9553 offsetof(struct __sk_buff, mark)),
9554 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9556 BPF_MOV64_IMM(BPF_REG_0, 1),
9558 BPF_MOV64_IMM(BPF_REG_0, 1),
9559 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
9560 BPF_MOV64_IMM(BPF_REG_0, 3),
9563 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9567 "calls: conditional call 5",
9569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9570 offsetof(struct __sk_buff, mark)),
9571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9573 BPF_MOV64_IMM(BPF_REG_0, 1),
9575 BPF_MOV64_IMM(BPF_REG_0, 1),
9576 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9577 BPF_MOV64_IMM(BPF_REG_0, 3),
9580 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9581 .errstr = "back-edge from insn",
9585 "calls: conditional call 6",
9587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9588 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
9590 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9591 offsetof(struct __sk_buff, mark)),
9594 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9595 .errstr = "back-edge from insn",
9599 "calls: using r0 returned by callee",
9601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9603 BPF_MOV64_IMM(BPF_REG_0, 2),
9606 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9610 "calls: using uninit r0 from callee",
9612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9616 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9617 .errstr = "!read_ok",
9621 "calls: callee is using r1",
9623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9625 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9626 offsetof(struct __sk_buff, len)),
9629 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
9631 .retval = TEST_DATA_LEN,
9634 "calls: callee using args1",
9636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9638 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9641 .errstr_unpriv = "allowed for root only",
9642 .result_unpriv = REJECT,
9644 .retval = POINTER_VALUE,
9647 "calls: callee using wrong args2",
9649 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9651 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9654 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9655 .errstr = "R2 !read_ok",
9659 "calls: callee using two args",
9661 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9662 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
9663 offsetof(struct __sk_buff, len)),
9664 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
9665 offsetof(struct __sk_buff, len)),
9666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9668 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9669 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9672 .errstr_unpriv = "allowed for root only",
9673 .result_unpriv = REJECT,
9675 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
9678 "calls: callee changing pkt pointers",
9680 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9681 offsetof(struct xdp_md, data)),
9682 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
9683 offsetof(struct xdp_md, data_end)),
9684 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
9685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
9686 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
9687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9688 /* clear_all_pkt_pointers() has to walk all frames
9689 * to make sure that pkt pointers in the caller
9690 * are cleared when callee is calling a helper that
9691 * adjusts packet size
9693 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
9694 BPF_MOV32_IMM(BPF_REG_0, 0),
9696 BPF_MOV64_IMM(BPF_REG_2, 0),
9697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9698 BPF_FUNC_xdp_adjust_head),
9702 .errstr = "R6 invalid mem access 'inv'",
9703 .prog_type = BPF_PROG_TYPE_XDP,
9706 "calls: two calls with args",
9708 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9710 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9712 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9714 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9715 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9716 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9718 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9719 offsetof(struct __sk_buff, len)),
9722 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9724 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
9727 "calls: calls with stack arith",
9729 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9734 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9737 BPF_MOV64_IMM(BPF_REG_0, 42),
9738 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
9741 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9746 "calls: calls with misaligned stack access",
9748 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
9750 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
9753 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
9756 BPF_MOV64_IMM(BPF_REG_0, 42),
9757 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
9760 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9761 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
9762 .errstr = "misaligned stack access",
9766 "calls: calls control flow, jump test",
9768 BPF_MOV64_IMM(BPF_REG_0, 42),
9769 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9770 BPF_MOV64_IMM(BPF_REG_0, 43),
9771 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9772 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
9775 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9780 "calls: calls control flow, jump test 2",
9782 BPF_MOV64_IMM(BPF_REG_0, 42),
9783 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9784 BPF_MOV64_IMM(BPF_REG_0, 43),
9785 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9786 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9789 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9790 .errstr = "jump out of range from insn 1 to 4",
9794 "calls: two calls with bad jump",
9796 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9798 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9799 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9800 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9802 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9803 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9804 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9806 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9807 offsetof(struct __sk_buff, len)),
9808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
9811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9812 .errstr = "jump out of range from insn 11 to 9",
9816 "calls: recursive call. test1",
9818 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9823 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9824 .errstr = "back-edge",
9828 "calls: recursive call. test2",
9830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9835 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9836 .errstr = "back-edge",
9840 "calls: unreachable code",
9842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9846 BPF_MOV64_IMM(BPF_REG_0, 0),
9848 BPF_MOV64_IMM(BPF_REG_0, 0),
9851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9852 .errstr = "unreachable insn 6",
9856 "calls: invalid call",
9858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9860 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
9863 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9864 .errstr = "invalid destination",
9868 "calls: invalid call 2",
9870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9872 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
9875 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9876 .errstr = "invalid destination",
9880 "calls: jumping across function bodies. test1",
9882 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9883 BPF_MOV64_IMM(BPF_REG_0, 0),
9885 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
9888 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9889 .errstr = "jump out of range",
9893 "calls: jumping across function bodies. test2",
9895 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
9896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9897 BPF_MOV64_IMM(BPF_REG_0, 0),
9901 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9902 .errstr = "jump out of range",
9906 "calls: call without exit",
9908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9912 BPF_MOV64_IMM(BPF_REG_0, 0),
9913 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
9915 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9916 .errstr = "not an exit",
9920 "calls: call into middle of ld_imm64",
9922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9924 BPF_MOV64_IMM(BPF_REG_0, 0),
9926 BPF_LD_IMM64(BPF_REG_0, 0),
9929 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9930 .errstr = "last insn",
9934 "calls: call into middle of other call",
9936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9937 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9938 BPF_MOV64_IMM(BPF_REG_0, 0),
9940 BPF_MOV64_IMM(BPF_REG_0, 0),
9941 BPF_MOV64_IMM(BPF_REG_0, 0),
9944 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9945 .errstr = "last insn",
9949 "calls: ld_abs with changing ctx data in callee",
9951 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9952 BPF_LD_ABS(BPF_B, 0),
9953 BPF_LD_ABS(BPF_H, 0),
9954 BPF_LD_ABS(BPF_W, 0),
9955 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
9956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
9957 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
9958 BPF_LD_ABS(BPF_B, 0),
9959 BPF_LD_ABS(BPF_H, 0),
9960 BPF_LD_ABS(BPF_W, 0),
9962 BPF_MOV64_IMM(BPF_REG_2, 1),
9963 BPF_MOV64_IMM(BPF_REG_3, 2),
9964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9965 BPF_FUNC_skb_vlan_push),
9968 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9969 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
9973 "calls: two calls with bad fallthrough",
9975 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9977 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9979 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9980 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9982 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9983 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9984 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
9985 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9986 offsetof(struct __sk_buff, len)),
9989 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9990 .errstr = "not an exit",
9994 "calls: two calls with stack read",
9996 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10001 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10003 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10004 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10006 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10007 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10009 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10012 .prog_type = BPF_PROG_TYPE_XDP,
10016 "calls: two calls with stack write",
10019 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10020 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10021 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10024 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10025 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10029 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10030 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10031 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10032 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10033 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10035 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10036 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10037 /* write into stack frame of main prog */
10038 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10042 /* read from stack frame of main prog */
10043 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10046 .prog_type = BPF_PROG_TYPE_XDP,
10050 "calls: stack overflow using two frames (pre-call access)",
10053 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10054 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10058 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10059 BPF_MOV64_IMM(BPF_REG_0, 0),
10062 .prog_type = BPF_PROG_TYPE_XDP,
10063 .errstr = "combined stack size",
10067 "calls: stack overflow using two frames (post-call access)",
10070 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10071 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10075 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10076 BPF_MOV64_IMM(BPF_REG_0, 0),
10079 .prog_type = BPF_PROG_TYPE_XDP,
10080 .errstr = "combined stack size",
10084 "calls: stack depth check using three frames. test1",
10087 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10088 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10089 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10090 BPF_MOV64_IMM(BPF_REG_0, 0),
10093 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10096 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10097 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10100 .prog_type = BPF_PROG_TYPE_XDP,
10101 /* stack_main=32, stack_A=256, stack_B=64
10102 * and max(main+A, main+A+B) < 512
10107 "calls: stack depth check using three frames. test2",
10110 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10111 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10112 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10113 BPF_MOV64_IMM(BPF_REG_0, 0),
10116 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10119 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10120 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10123 .prog_type = BPF_PROG_TYPE_XDP,
10124 /* stack_main=32, stack_A=64, stack_B=256
10125 * and max(main+A, main+A+B) < 512
10130 "calls: stack depth check using three frames. test3",
10133 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10134 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10135 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10136 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10137 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10138 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10139 BPF_MOV64_IMM(BPF_REG_0, 0),
10142 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10144 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10145 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10147 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10148 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10149 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10152 .prog_type = BPF_PROG_TYPE_XDP,
10153 /* stack_main=64, stack_A=224, stack_B=256
10154 * and max(main+A, main+A+B) > 512
10156 .errstr = "combined stack",
10160 "calls: stack depth check using three frames. test4",
10161 /* void main(void) {
10166 * void func1(int alloc_or_recurse) {
10167 * if (alloc_or_recurse) {
10168 * frame_pointer[-300] = 1;
10170 * func2(alloc_or_recurse);
10173 * void func2(int alloc_or_recurse) {
10174 * if (alloc_or_recurse) {
10175 * frame_pointer[-300] = 1;
10181 BPF_MOV64_IMM(BPF_REG_1, 0),
10182 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10183 BPF_MOV64_IMM(BPF_REG_1, 1),
10184 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10185 BPF_MOV64_IMM(BPF_REG_1, 1),
10186 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10187 BPF_MOV64_IMM(BPF_REG_0, 0),
10190 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10191 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10193 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10197 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10200 .prog_type = BPF_PROG_TYPE_XDP,
10202 .errstr = "combined stack",
10205 "calls: stack depth check using three frames. test5",
10208 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10211 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10214 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10217 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10220 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10223 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10226 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10229 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10232 BPF_MOV64_IMM(BPF_REG_0, 0),
10235 .prog_type = BPF_PROG_TYPE_XDP,
10236 .errstr = "call stack",
10240 "calls: spill into caller stack frame",
10242 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10245 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10247 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10248 BPF_MOV64_IMM(BPF_REG_0, 0),
10251 .prog_type = BPF_PROG_TYPE_XDP,
10252 .errstr = "cannot spill",
10256 "calls: write into caller stack frame",
10258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10260 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10261 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10262 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10264 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10265 BPF_MOV64_IMM(BPF_REG_0, 0),
10268 .prog_type = BPF_PROG_TYPE_XDP,
10273 "calls: write into callee stack frame",
10275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10276 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10278 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10282 .prog_type = BPF_PROG_TYPE_XDP,
10283 .errstr = "cannot return stack pointer",
10287 "calls: two calls with stack write and void return",
10290 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10293 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10300 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10301 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10304 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10308 /* write into stack frame of main prog */
10309 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10310 BPF_EXIT_INSN(), /* void return */
10312 .prog_type = BPF_PROG_TYPE_XDP,
10316 "calls: ambiguous return value",
10318 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10320 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10323 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10326 BPF_MOV64_IMM(BPF_REG_0, 0),
10329 .errstr_unpriv = "allowed for root only",
10330 .result_unpriv = REJECT,
10331 .errstr = "R0 !read_ok",
10335 "calls: two calls that return map_value",
10338 /* pass fp-16, fp-8 into a function */
10339 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10341 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10345 /* fetch map_value_ptr from the stack of this function */
10346 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10347 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10348 /* write into map value */
10349 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10350 /* fetch secound map_value_ptr from the stack */
10351 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10353 /* write into map value */
10354 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10355 BPF_MOV64_IMM(BPF_REG_0, 0),
10359 /* call 3rd function twice */
10360 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10361 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10362 /* first time with fp-8 */
10363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10364 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10365 /* second time with fp-16 */
10366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10370 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10371 /* lookup from map */
10372 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10373 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10375 BPF_LD_MAP_FD(BPF_REG_1, 0),
10376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10377 BPF_FUNC_map_lookup_elem),
10378 /* write map_value_ptr into stack frame of main prog */
10379 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10380 BPF_MOV64_IMM(BPF_REG_0, 0),
10381 BPF_EXIT_INSN(), /* return 0 */
10383 .prog_type = BPF_PROG_TYPE_XDP,
10384 .fixup_map1 = { 23 },
10388 "calls: two calls that return map_value with bool condition",
10391 /* pass fp-16, fp-8 into a function */
10392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10397 BPF_MOV64_IMM(BPF_REG_0, 0),
10401 /* call 3rd function twice */
10402 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10403 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10404 /* first time with fp-8 */
10405 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10406 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10407 /* fetch map_value_ptr from the stack of this function */
10408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10409 /* write into map value */
10410 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10412 /* second time with fp-16 */
10413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10414 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10415 /* fetch secound map_value_ptr from the stack */
10416 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10417 /* write into map value */
10418 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10422 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10423 /* lookup from map */
10424 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10427 BPF_LD_MAP_FD(BPF_REG_1, 0),
10428 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10429 BPF_FUNC_map_lookup_elem),
10430 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10431 BPF_MOV64_IMM(BPF_REG_0, 0),
10432 BPF_EXIT_INSN(), /* return 0 */
10433 /* write map_value_ptr into stack frame of main prog */
10434 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10435 BPF_MOV64_IMM(BPF_REG_0, 1),
10436 BPF_EXIT_INSN(), /* return 1 */
10438 .prog_type = BPF_PROG_TYPE_XDP,
10439 .fixup_map1 = { 23 },
10443 "calls: two calls that return map_value with incorrect bool check",
10446 /* pass fp-16, fp-8 into a function */
10447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10449 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10452 BPF_MOV64_IMM(BPF_REG_0, 0),
10456 /* call 3rd function twice */
10457 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10458 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10459 /* first time with fp-8 */
10460 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10461 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10462 /* fetch map_value_ptr from the stack of this function */
10463 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10464 /* write into map value */
10465 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10466 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10467 /* second time with fp-16 */
10468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10469 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10470 /* fetch secound map_value_ptr from the stack */
10471 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10472 /* write into map value */
10473 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10477 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10478 /* lookup from map */
10479 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10480 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10482 BPF_LD_MAP_FD(BPF_REG_1, 0),
10483 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10484 BPF_FUNC_map_lookup_elem),
10485 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10486 BPF_MOV64_IMM(BPF_REG_0, 0),
10487 BPF_EXIT_INSN(), /* return 0 */
10488 /* write map_value_ptr into stack frame of main prog */
10489 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10490 BPF_MOV64_IMM(BPF_REG_0, 1),
10491 BPF_EXIT_INSN(), /* return 1 */
10493 .prog_type = BPF_PROG_TYPE_XDP,
10494 .fixup_map1 = { 23 },
10496 .errstr = "invalid read from stack off -16+0 size 8",
10499 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10502 /* pass fp-16, fp-8 into a function */
10503 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10505 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10508 BPF_MOV64_IMM(BPF_REG_0, 0),
10512 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10513 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10514 /* 1st lookup from map */
10515 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10518 BPF_LD_MAP_FD(BPF_REG_1, 0),
10519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10520 BPF_FUNC_map_lookup_elem),
10521 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10522 BPF_MOV64_IMM(BPF_REG_8, 0),
10523 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10524 /* write map_value_ptr into stack frame of main prog at fp-8 */
10525 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10526 BPF_MOV64_IMM(BPF_REG_8, 1),
10528 /* 2nd lookup from map */
10529 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10531 BPF_LD_MAP_FD(BPF_REG_1, 0),
10532 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10533 BPF_FUNC_map_lookup_elem),
10534 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10535 BPF_MOV64_IMM(BPF_REG_9, 0),
10536 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10537 /* write map_value_ptr into stack frame of main prog at fp-16 */
10538 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10539 BPF_MOV64_IMM(BPF_REG_9, 1),
10541 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10543 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10544 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10545 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
10550 /* if arg2 == 1 do *arg1 = 0 */
10551 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10552 /* fetch map_value_ptr from the stack of this function */
10553 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10554 /* write into map value */
10555 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10557 /* if arg4 == 1 do *arg3 = 0 */
10558 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10559 /* fetch map_value_ptr from the stack of this function */
10560 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10561 /* write into map value */
10562 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10565 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10566 .fixup_map1 = { 12, 22 },
10568 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
10571 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
10574 /* pass fp-16, fp-8 into a function */
10575 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10576 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10577 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10579 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10580 BPF_MOV64_IMM(BPF_REG_0, 0),
10584 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10585 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10586 /* 1st lookup from map */
10587 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10588 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10590 BPF_LD_MAP_FD(BPF_REG_1, 0),
10591 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10592 BPF_FUNC_map_lookup_elem),
10593 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10594 BPF_MOV64_IMM(BPF_REG_8, 0),
10595 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10596 /* write map_value_ptr into stack frame of main prog at fp-8 */
10597 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10598 BPF_MOV64_IMM(BPF_REG_8, 1),
10600 /* 2nd lookup from map */
10601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10603 BPF_LD_MAP_FD(BPF_REG_1, 0),
10604 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10605 BPF_FUNC_map_lookup_elem),
10606 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10607 BPF_MOV64_IMM(BPF_REG_9, 0),
10608 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10609 /* write map_value_ptr into stack frame of main prog at fp-16 */
10610 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10611 BPF_MOV64_IMM(BPF_REG_9, 1),
10613 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10616 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10617 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
10622 /* if arg2 == 1 do *arg1 = 0 */
10623 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10624 /* fetch map_value_ptr from the stack of this function */
10625 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10626 /* write into map value */
10627 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10629 /* if arg4 == 1 do *arg3 = 0 */
10630 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10631 /* fetch map_value_ptr from the stack of this function */
10632 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10633 /* write into map value */
10634 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10637 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10638 .fixup_map1 = { 12, 22 },
10642 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
10645 /* pass fp-16, fp-8 into a function */
10646 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10648 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10650 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
10651 BPF_MOV64_IMM(BPF_REG_0, 0),
10655 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10656 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10657 /* 1st lookup from map */
10658 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
10659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10661 BPF_LD_MAP_FD(BPF_REG_1, 0),
10662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10663 BPF_FUNC_map_lookup_elem),
10664 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10665 BPF_MOV64_IMM(BPF_REG_8, 0),
10666 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10667 /* write map_value_ptr into stack frame of main prog at fp-8 */
10668 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10669 BPF_MOV64_IMM(BPF_REG_8, 1),
10671 /* 2nd lookup from map */
10672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10674 BPF_LD_MAP_FD(BPF_REG_1, 0),
10675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10676 BPF_FUNC_map_lookup_elem),
10677 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10678 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
10679 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10680 /* write map_value_ptr into stack frame of main prog at fp-16 */
10681 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10682 BPF_MOV64_IMM(BPF_REG_9, 1),
10684 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
10686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10687 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10688 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10689 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
10690 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
10693 /* if arg2 == 1 do *arg1 = 0 */
10694 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10695 /* fetch map_value_ptr from the stack of this function */
10696 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10697 /* write into map value */
10698 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10700 /* if arg4 == 1 do *arg3 = 0 */
10701 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10702 /* fetch map_value_ptr from the stack of this function */
10703 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10704 /* write into map value */
10705 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10706 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
10708 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10709 .fixup_map1 = { 12, 22 },
10711 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
10714 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
10717 /* pass fp-16, fp-8 into a function */
10718 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10720 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10723 BPF_MOV64_IMM(BPF_REG_0, 0),
10727 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10728 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10729 /* 1st lookup from map */
10730 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10731 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10733 BPF_LD_MAP_FD(BPF_REG_1, 0),
10734 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10735 BPF_FUNC_map_lookup_elem),
10736 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10737 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10738 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10739 BPF_MOV64_IMM(BPF_REG_8, 0),
10740 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10741 BPF_MOV64_IMM(BPF_REG_8, 1),
10743 /* 2nd lookup from map */
10744 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10746 BPF_LD_MAP_FD(BPF_REG_1, 0),
10747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10748 BPF_FUNC_map_lookup_elem),
10749 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
10750 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10751 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10752 BPF_MOV64_IMM(BPF_REG_9, 0),
10753 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10754 BPF_MOV64_IMM(BPF_REG_9, 1),
10756 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10757 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10759 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10760 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10761 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10765 /* if arg2 == 1 do *arg1 = 0 */
10766 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10767 /* fetch map_value_ptr from the stack of this function */
10768 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10769 /* write into map value */
10770 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10772 /* if arg4 == 1 do *arg3 = 0 */
10773 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10774 /* fetch map_value_ptr from the stack of this function */
10775 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10776 /* write into map value */
10777 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10780 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10781 .fixup_map1 = { 12, 22 },
10785 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
10788 /* pass fp-16, fp-8 into a function */
10789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10791 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10793 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10794 BPF_MOV64_IMM(BPF_REG_0, 0),
10798 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10799 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10800 /* 1st lookup from map */
10801 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10802 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10804 BPF_LD_MAP_FD(BPF_REG_1, 0),
10805 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10806 BPF_FUNC_map_lookup_elem),
10807 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10808 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10809 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10810 BPF_MOV64_IMM(BPF_REG_8, 0),
10811 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10812 BPF_MOV64_IMM(BPF_REG_8, 1),
10814 /* 2nd lookup from map */
10815 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10816 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10817 BPF_LD_MAP_FD(BPF_REG_1, 0),
10818 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10819 BPF_FUNC_map_lookup_elem),
10820 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
10821 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10822 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10823 BPF_MOV64_IMM(BPF_REG_9, 0),
10824 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10825 BPF_MOV64_IMM(BPF_REG_9, 1),
10827 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10828 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10829 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10830 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10831 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10836 /* if arg2 == 1 do *arg1 = 0 */
10837 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10838 /* fetch map_value_ptr from the stack of this function */
10839 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10840 /* write into map value */
10841 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10843 /* if arg4 == 0 do *arg3 = 0 */
10844 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
10845 /* fetch map_value_ptr from the stack of this function */
10846 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10847 /* write into map value */
10848 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10851 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10852 .fixup_map1 = { 12, 22 },
10854 .errstr = "R0 invalid mem access 'inv'",
10857 "calls: pkt_ptr spill into caller stack",
10859 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10861 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10865 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10866 offsetof(struct __sk_buff, data)),
10867 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10868 offsetof(struct __sk_buff, data_end)),
10869 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10871 /* spill unchecked pkt_ptr into stack of caller */
10872 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10873 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10874 /* now the pkt range is verified, read pkt_ptr from stack */
10875 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10876 /* write 4 bytes into packet */
10877 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10881 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10882 .retval = POINTER_VALUE,
10885 "calls: pkt_ptr spill into caller stack 2",
10887 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10890 /* Marking is still kept, but not in all cases safe. */
10891 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10892 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10896 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10897 offsetof(struct __sk_buff, data)),
10898 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10899 offsetof(struct __sk_buff, data_end)),
10900 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10902 /* spill unchecked pkt_ptr into stack of caller */
10903 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10904 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10905 /* now the pkt range is verified, read pkt_ptr from stack */
10906 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10907 /* write 4 bytes into packet */
10908 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10911 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10912 .errstr = "invalid access to packet",
10916 "calls: pkt_ptr spill into caller stack 3",
10918 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10921 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10922 /* Marking is still kept and safe here. */
10923 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10924 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10928 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10929 offsetof(struct __sk_buff, data)),
10930 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10931 offsetof(struct __sk_buff, data_end)),
10932 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10933 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10934 /* spill unchecked pkt_ptr into stack of caller */
10935 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10936 BPF_MOV64_IMM(BPF_REG_5, 0),
10937 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10938 BPF_MOV64_IMM(BPF_REG_5, 1),
10939 /* now the pkt range is verified, read pkt_ptr from stack */
10940 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10941 /* write 4 bytes into packet */
10942 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10943 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10946 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10951 "calls: pkt_ptr spill into caller stack 4",
10953 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10956 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10957 /* Check marking propagated. */
10958 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10959 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10963 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10964 offsetof(struct __sk_buff, data)),
10965 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10966 offsetof(struct __sk_buff, data_end)),
10967 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10969 /* spill unchecked pkt_ptr into stack of caller */
10970 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10971 BPF_MOV64_IMM(BPF_REG_5, 0),
10972 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10973 BPF_MOV64_IMM(BPF_REG_5, 1),
10974 /* don't read back pkt_ptr from stack here */
10975 /* write 4 bytes into packet */
10976 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10977 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10980 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10985 "calls: pkt_ptr spill into caller stack 5",
10987 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10989 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
10990 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10991 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10992 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10996 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10997 offsetof(struct __sk_buff, data)),
10998 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10999 offsetof(struct __sk_buff, data_end)),
11000 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11002 BPF_MOV64_IMM(BPF_REG_5, 0),
11003 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11004 /* spill checked pkt_ptr into stack of caller */
11005 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11006 BPF_MOV64_IMM(BPF_REG_5, 1),
11007 /* don't read back pkt_ptr from stack here */
11008 /* write 4 bytes into packet */
11009 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11010 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11013 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11014 .errstr = "same insn cannot be used with different",
11018 "calls: pkt_ptr spill into caller stack 6",
11020 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11021 offsetof(struct __sk_buff, data_end)),
11022 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11024 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11025 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11026 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11027 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11031 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11032 offsetof(struct __sk_buff, data)),
11033 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11034 offsetof(struct __sk_buff, data_end)),
11035 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11036 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11037 BPF_MOV64_IMM(BPF_REG_5, 0),
11038 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11039 /* spill checked pkt_ptr into stack of caller */
11040 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11041 BPF_MOV64_IMM(BPF_REG_5, 1),
11042 /* don't read back pkt_ptr from stack here */
11043 /* write 4 bytes into packet */
11044 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11045 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11048 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11049 .errstr = "R4 invalid mem access",
11053 "calls: pkt_ptr spill into caller stack 7",
11055 BPF_MOV64_IMM(BPF_REG_2, 0),
11056 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11058 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11060 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11061 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11065 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11066 offsetof(struct __sk_buff, data)),
11067 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11068 offsetof(struct __sk_buff, data_end)),
11069 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11071 BPF_MOV64_IMM(BPF_REG_5, 0),
11072 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11073 /* spill checked pkt_ptr into stack of caller */
11074 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11075 BPF_MOV64_IMM(BPF_REG_5, 1),
11076 /* don't read back pkt_ptr from stack here */
11077 /* write 4 bytes into packet */
11078 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11079 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11082 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11083 .errstr = "R4 invalid mem access",
11087 "calls: pkt_ptr spill into caller stack 8",
11089 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11090 offsetof(struct __sk_buff, data)),
11091 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11092 offsetof(struct __sk_buff, data_end)),
11093 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11095 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11097 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11099 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11100 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11101 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11102 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11106 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11107 offsetof(struct __sk_buff, data)),
11108 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11109 offsetof(struct __sk_buff, data_end)),
11110 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11112 BPF_MOV64_IMM(BPF_REG_5, 0),
11113 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11114 /* spill checked pkt_ptr into stack of caller */
11115 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11116 BPF_MOV64_IMM(BPF_REG_5, 1),
11117 /* don't read back pkt_ptr from stack here */
11118 /* write 4 bytes into packet */
11119 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11120 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11123 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11127 "calls: pkt_ptr spill into caller stack 9",
11129 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11130 offsetof(struct __sk_buff, data)),
11131 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11132 offsetof(struct __sk_buff, data_end)),
11133 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11135 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11137 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11139 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11140 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11141 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11142 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11146 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11147 offsetof(struct __sk_buff, data)),
11148 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11149 offsetof(struct __sk_buff, data_end)),
11150 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11152 BPF_MOV64_IMM(BPF_REG_5, 0),
11153 /* spill unchecked pkt_ptr into stack of caller */
11154 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11155 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11156 BPF_MOV64_IMM(BPF_REG_5, 1),
11157 /* don't read back pkt_ptr from stack here */
11158 /* write 4 bytes into packet */
11159 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11160 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11163 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11164 .errstr = "invalid access to packet",
11168 "calls: caller stack init to zero or map_value_or_null",
11170 BPF_MOV64_IMM(BPF_REG_0, 0),
11171 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11172 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11174 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11175 /* fetch map_value_or_null or const_zero from stack */
11176 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11178 /* store into map_value */
11179 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11183 /* if (ctx == 0) return; */
11184 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11185 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11186 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11189 BPF_LD_MAP_FD(BPF_REG_1, 0),
11190 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11192 BPF_FUNC_map_lookup_elem),
11193 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11194 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11197 .fixup_map1 = { 13 },
11199 .prog_type = BPF_PROG_TYPE_XDP,
11202 "calls: stack init to zero and pruning",
11204 /* first make allocated_stack 16 byte */
11205 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11206 /* now fork the execution such that the false branch
11207 * of JGT insn will be verified second and it skisp zero
11208 * init of fp-8 stack slot. If stack liveness marking
11209 * is missing live_read marks from call map_lookup
11210 * processing then pruning will incorrectly assume
11211 * that fp-8 stack slot was unused in the fall-through
11212 * branch and will accept the program incorrectly
11214 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11215 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11216 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11217 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11219 BPF_LD_MAP_FD(BPF_REG_1, 0),
11220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11221 BPF_FUNC_map_lookup_elem),
11224 .fixup_map2 = { 6 },
11225 .errstr = "invalid indirect read from stack off -8+0 size 8",
11227 .prog_type = BPF_PROG_TYPE_XDP,
11230 "search pruning: all branches should be verified (nop operation)",
11232 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11234 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11235 BPF_LD_MAP_FD(BPF_REG_1, 0),
11236 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11238 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11240 BPF_MOV64_IMM(BPF_REG_4, 0),
11242 BPF_MOV64_IMM(BPF_REG_4, 1),
11243 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11244 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11245 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11247 BPF_MOV64_IMM(BPF_REG_6, 0),
11248 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11251 .fixup_map1 = { 3 },
11252 .errstr = "R6 invalid mem access 'inv'",
11254 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11257 "search pruning: all branches should be verified (invalid stack access)",
11259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11261 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11262 BPF_LD_MAP_FD(BPF_REG_1, 0),
11263 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11265 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11266 BPF_MOV64_IMM(BPF_REG_4, 0),
11267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11268 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11270 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11271 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11272 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11275 .fixup_map1 = { 3 },
11276 .errstr = "invalid read from stack off -16+0 size 8",
11278 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11281 "jit: lsh, rsh, arsh by 1",
11283 BPF_MOV64_IMM(BPF_REG_0, 1),
11284 BPF_MOV64_IMM(BPF_REG_1, 0xff),
11285 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11286 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11289 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11290 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11293 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11294 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11296 BPF_MOV64_IMM(BPF_REG_0, 2),
11303 "jit: mov32 for ldimm64, 1",
11305 BPF_MOV64_IMM(BPF_REG_0, 2),
11306 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11307 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11308 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11309 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11310 BPF_MOV64_IMM(BPF_REG_0, 1),
11317 "jit: mov32 for ldimm64, 2",
11319 BPF_MOV64_IMM(BPF_REG_0, 1),
11320 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11321 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11322 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11323 BPF_MOV64_IMM(BPF_REG_0, 2),
11330 "jit: various mul tests",
11332 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11333 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11334 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11335 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11336 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11337 BPF_MOV64_IMM(BPF_REG_0, 1),
11339 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11340 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11341 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11342 BPF_MOV64_IMM(BPF_REG_0, 1),
11344 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11345 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11346 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11347 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11348 BPF_MOV64_IMM(BPF_REG_0, 1),
11350 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11351 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11352 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11353 BPF_MOV64_IMM(BPF_REG_0, 1),
11355 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11356 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11357 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11358 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11359 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11360 BPF_MOV64_IMM(BPF_REG_0, 1),
11362 BPF_MOV64_IMM(BPF_REG_0, 2),
11369 "xadd/w check unaligned stack",
11371 BPF_MOV64_IMM(BPF_REG_0, 1),
11372 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11373 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
11374 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11378 .errstr = "misaligned stack access off",
11379 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11382 "xadd/w check unaligned map",
11384 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11387 BPF_LD_MAP_FD(BPF_REG_1, 0),
11388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11389 BPF_FUNC_map_lookup_elem),
11390 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11392 BPF_MOV64_IMM(BPF_REG_1, 1),
11393 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
11394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
11397 .fixup_map1 = { 3 },
11399 .errstr = "misaligned value access off",
11400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11403 "xadd/w check unaligned pkt",
11405 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11406 offsetof(struct xdp_md, data)),
11407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11408 offsetof(struct xdp_md, data_end)),
11409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11411 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
11412 BPF_MOV64_IMM(BPF_REG_0, 99),
11413 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
11414 BPF_MOV64_IMM(BPF_REG_0, 1),
11415 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11416 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
11417 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
11418 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
11419 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
11423 .errstr = "BPF_XADD stores into R2 packet",
11424 .prog_type = BPF_PROG_TYPE_XDP,
11428 static int probe_filter_length(const struct bpf_insn *fp)
11432 for (len = MAX_INSNS - 1; len > 0; --len)
11433 if (fp[len].code != 0 || fp[len].imm != 0)
11438 static int create_map(uint32_t size_value, uint32_t max_elem)
11442 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
11443 size_value, max_elem, BPF_F_NO_PREALLOC);
11445 printf("Failed to create hash map '%s'!\n", strerror(errno));
11450 static int create_prog_dummy1(void)
11452 struct bpf_insn prog[] = {
11453 BPF_MOV64_IMM(BPF_REG_0, 42),
11457 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
11458 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
11461 static int create_prog_dummy2(int mfd, int idx)
11463 struct bpf_insn prog[] = {
11464 BPF_MOV64_IMM(BPF_REG_3, idx),
11465 BPF_LD_MAP_FD(BPF_REG_2, mfd),
11466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11467 BPF_FUNC_tail_call),
11468 BPF_MOV64_IMM(BPF_REG_0, 41),
11472 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
11473 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
11476 static int create_prog_array(void)
11478 int p1key = 0, p2key = 1;
11479 int mfd, p1fd, p2fd;
11481 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
11482 sizeof(int), 4, 0);
11484 printf("Failed to create prog array '%s'!\n", strerror(errno));
11488 p1fd = create_prog_dummy1();
11489 p2fd = create_prog_dummy2(mfd, p2key);
11490 if (p1fd < 0 || p2fd < 0)
11492 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
11494 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
11507 static int create_map_in_map(void)
11509 int inner_map_fd, outer_map_fd;
11511 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
11512 sizeof(int), 1, 0);
11513 if (inner_map_fd < 0) {
11514 printf("Failed to create array '%s'!\n", strerror(errno));
11515 return inner_map_fd;
11518 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
11519 sizeof(int), inner_map_fd, 1, 0);
11520 if (outer_map_fd < 0)
11521 printf("Failed to create array of maps '%s'!\n",
11524 close(inner_map_fd);
11526 return outer_map_fd;
11529 static char bpf_vlog[32768];
11531 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
11534 int *fixup_map1 = test->fixup_map1;
11535 int *fixup_map2 = test->fixup_map2;
11536 int *fixup_prog = test->fixup_prog;
11537 int *fixup_map_in_map = test->fixup_map_in_map;
11539 /* Allocating HTs with 1 elem is fine here, since we only test
11540 * for verifier and not do a runtime lookup, so the only thing
11541 * that really matters is value size in this case.
11544 map_fds[0] = create_map(sizeof(long long), 1);
11546 prog[*fixup_map1].imm = map_fds[0];
11548 } while (*fixup_map1);
11552 map_fds[1] = create_map(sizeof(struct test_val), 1);
11554 prog[*fixup_map2].imm = map_fds[1];
11556 } while (*fixup_map2);
11560 map_fds[2] = create_prog_array();
11562 prog[*fixup_prog].imm = map_fds[2];
11564 } while (*fixup_prog);
11567 if (*fixup_map_in_map) {
11568 map_fds[3] = create_map_in_map();
11570 prog[*fixup_map_in_map].imm = map_fds[3];
11571 fixup_map_in_map++;
11572 } while (*fixup_map_in_map);
11576 static void do_test_single(struct bpf_test *test, bool unpriv,
11577 int *passes, int *errors)
11579 int fd_prog, expected_ret, reject_from_alignment;
11580 struct bpf_insn *prog = test->insns;
11581 int prog_len = probe_filter_length(prog);
11582 char data_in[TEST_DATA_LEN] = {};
11583 int prog_type = test->prog_type;
11584 int map_fds[MAX_NR_MAPS];
11585 const char *expected_err;
11589 for (i = 0; i < MAX_NR_MAPS; i++)
11592 do_test_fixup(test, prog, map_fds);
11594 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
11595 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
11596 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
11598 expected_ret = unpriv && test->result_unpriv != UNDEF ?
11599 test->result_unpriv : test->result;
11600 expected_err = unpriv && test->errstr_unpriv ?
11601 test->errstr_unpriv : test->errstr;
11603 reject_from_alignment = fd_prog < 0 &&
11604 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
11605 strstr(bpf_vlog, "Unknown alignment.");
11606 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
11607 if (reject_from_alignment) {
11608 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
11613 if (expected_ret == ACCEPT) {
11614 if (fd_prog < 0 && !reject_from_alignment) {
11615 printf("FAIL\nFailed to load prog '%s'!\n",
11620 if (fd_prog >= 0) {
11621 printf("FAIL\nUnexpected success to load!\n");
11624 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
11625 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
11626 expected_err, bpf_vlog);
11631 if (fd_prog >= 0) {
11632 err = bpf_prog_test_run(fd_prog, 1, data_in, sizeof(data_in),
11633 NULL, NULL, &retval, NULL);
11634 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
11635 printf("Unexpected bpf_prog_test_run error\n");
11638 if (!err && retval != test->retval &&
11639 test->retval != POINTER_VALUE) {
11640 printf("FAIL retval %d != %d\n", retval, test->retval);
11645 printf("OK%s\n", reject_from_alignment ?
11646 " (NOTE: reject due to unknown alignment)" : "");
11649 for (i = 0; i < MAX_NR_MAPS; i++)
11655 printf("%s", bpf_vlog);
11659 static bool is_admin(void)
11662 cap_flag_value_t sysadmin = CAP_CLEAR;
11663 const cap_value_t cap_val = CAP_SYS_ADMIN;
11665 #ifdef CAP_IS_SUPPORTED
11666 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
11667 perror("cap_get_flag");
11671 caps = cap_get_proc();
11673 perror("cap_get_proc");
11676 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
11677 perror("cap_get_flag");
11678 if (cap_free(caps))
11679 perror("cap_free");
11680 return (sysadmin == CAP_SET);
11683 static int set_admin(bool admin)
11686 const cap_value_t cap_val = CAP_SYS_ADMIN;
11689 caps = cap_get_proc();
11691 perror("cap_get_proc");
11694 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
11695 admin ? CAP_SET : CAP_CLEAR)) {
11696 perror("cap_set_flag");
11699 if (cap_set_proc(caps)) {
11700 perror("cap_set_proc");
11705 if (cap_free(caps))
11706 perror("cap_free");
11710 static void get_unpriv_disabled()
11715 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
11716 if (fgets(buf, 2, fd) == buf && atoi(buf))
11717 unpriv_disabled = true;
11721 static int do_test(bool unpriv, unsigned int from, unsigned int to)
11723 int i, passes = 0, errors = 0, skips = 0;
11725 for (i = from; i < to; i++) {
11726 struct bpf_test *test = &tests[i];
11728 /* Program types that are not supported by non-root we
11731 if (!test->prog_type && unpriv_disabled) {
11732 printf("#%d/u %s SKIP\n", i, test->descr);
11734 } else if (!test->prog_type) {
11737 printf("#%d/u %s ", i, test->descr);
11738 do_test_single(test, true, &passes, &errors);
11744 printf("#%d/p %s SKIP\n", i, test->descr);
11747 printf("#%d/p %s ", i, test->descr);
11748 do_test_single(test, false, &passes, &errors);
11752 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
11754 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
11757 int main(int argc, char **argv)
11759 unsigned int from = 0, to = ARRAY_SIZE(tests);
11760 bool unpriv = !is_admin();
11763 unsigned int l = atoi(argv[argc - 2]);
11764 unsigned int u = atoi(argv[argc - 1]);
11766 if (l < to && u < to) {
11770 } else if (argc == 2) {
11771 unsigned int t = atoi(argv[argc - 1]);
11779 get_unpriv_disabled();
11780 if (unpriv && unpriv_disabled) {
11781 printf("Cannot run as unprivileged user with sysctl %s.\n",
11783 return EXIT_FAILURE;
11786 return do_test(unpriv, from, to);
projects / linux.git / blob