2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
45 #include "../../../include/linux/filter.h"
48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
51 #define MAX_INSNS BPF_MAXINSNS
54 #define POINTER_VALUE 0xcafe4all
55 #define TEST_DATA_LEN 64
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
65 struct bpf_insn insns[MAX_INSNS];
66 int fixup_map1[MAX_FIXUPS];
67 int fixup_map2[MAX_FIXUPS];
68 int fixup_map3[MAX_FIXUPS];
69 int fixup_map4[MAX_FIXUPS];
70 int fixup_prog1[MAX_FIXUPS];
71 int fixup_prog2[MAX_FIXUPS];
72 int fixup_map_in_map[MAX_FIXUPS];
73 int fixup_cgroup_storage[MAX_FIXUPS];
75 const char *errstr_unpriv;
81 } result, result_unpriv;
82 enum bpf_prog_type prog_type;
84 __u8 data[TEST_DATA_LEN];
85 void (*fill_helper)(struct bpf_test *self);
88 /* Note we want this to be 64 bit aligned so that the end of our array is
89 * actually the end of the structure.
91 #define MAX_ENTRIES 11
103 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
105 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
107 unsigned int len = BPF_MAXINSNS;
108 struct bpf_insn *insn = self->insns;
111 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
113 for (j = 0; j < PUSH_CNT; j++) {
114 insn[i++] = BPF_LD_ABS(BPF_B, 0);
115 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
117 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
118 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
119 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
120 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
121 BPF_FUNC_skb_vlan_push),
122 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
126 for (j = 0; j < PUSH_CNT; j++) {
127 insn[i++] = BPF_LD_ABS(BPF_B, 0);
128 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
130 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
131 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
132 BPF_FUNC_skb_vlan_pop),
133 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
139 for (; i < len - 1; i++)
140 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
141 insn[len - 1] = BPF_EXIT_INSN();
144 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
146 struct bpf_insn *insn = self->insns;
147 unsigned int len = BPF_MAXINSNS;
150 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
151 insn[i++] = BPF_LD_ABS(BPF_B, 0);
152 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
155 insn[i++] = BPF_LD_ABS(BPF_B, 1);
156 insn[i] = BPF_EXIT_INSN();
159 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
161 struct bpf_insn *insn = self->insns;
165 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
166 while (i < self->retval) {
167 uint64_t val = bpf_semi_rand_get();
168 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
173 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
176 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
177 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
178 insn[i] = BPF_EXIT_INSN();
180 self->retval = (uint32_t)res;
183 static struct bpf_test tests[] = {
187 BPF_MOV64_IMM(BPF_REG_1, 1),
188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
189 BPF_MOV64_IMM(BPF_REG_2, 3),
190 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
192 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
193 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
200 "DIV32 by 0, zero check 1",
202 BPF_MOV32_IMM(BPF_REG_0, 42),
203 BPF_MOV32_IMM(BPF_REG_1, 0),
204 BPF_MOV32_IMM(BPF_REG_2, 1),
205 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
212 "DIV32 by 0, zero check 2",
214 BPF_MOV32_IMM(BPF_REG_0, 42),
215 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
216 BPF_MOV32_IMM(BPF_REG_2, 1),
217 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
224 "DIV64 by 0, zero check",
226 BPF_MOV32_IMM(BPF_REG_0, 42),
227 BPF_MOV32_IMM(BPF_REG_1, 0),
228 BPF_MOV32_IMM(BPF_REG_2, 1),
229 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
236 "MOD32 by 0, zero check 1",
238 BPF_MOV32_IMM(BPF_REG_0, 42),
239 BPF_MOV32_IMM(BPF_REG_1, 0),
240 BPF_MOV32_IMM(BPF_REG_2, 1),
241 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
248 "MOD32 by 0, zero check 2",
250 BPF_MOV32_IMM(BPF_REG_0, 42),
251 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
252 BPF_MOV32_IMM(BPF_REG_2, 1),
253 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
260 "MOD64 by 0, zero check",
262 BPF_MOV32_IMM(BPF_REG_0, 42),
263 BPF_MOV32_IMM(BPF_REG_1, 0),
264 BPF_MOV32_IMM(BPF_REG_2, 1),
265 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
272 "DIV32 by 0, zero check ok, cls",
274 BPF_MOV32_IMM(BPF_REG_0, 42),
275 BPF_MOV32_IMM(BPF_REG_1, 2),
276 BPF_MOV32_IMM(BPF_REG_2, 16),
277 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
278 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
286 "DIV32 by 0, zero check 1, cls",
288 BPF_MOV32_IMM(BPF_REG_1, 0),
289 BPF_MOV32_IMM(BPF_REG_0, 1),
290 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
293 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
298 "DIV32 by 0, zero check 2, cls",
300 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
301 BPF_MOV32_IMM(BPF_REG_0, 1),
302 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
305 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
310 "DIV64 by 0, zero check, cls",
312 BPF_MOV32_IMM(BPF_REG_1, 0),
313 BPF_MOV32_IMM(BPF_REG_0, 1),
314 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
317 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
322 "MOD32 by 0, zero check ok, cls",
324 BPF_MOV32_IMM(BPF_REG_0, 42),
325 BPF_MOV32_IMM(BPF_REG_1, 3),
326 BPF_MOV32_IMM(BPF_REG_2, 5),
327 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
328 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
331 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
336 "MOD32 by 0, zero check 1, cls",
338 BPF_MOV32_IMM(BPF_REG_1, 0),
339 BPF_MOV32_IMM(BPF_REG_0, 1),
340 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
343 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
348 "MOD32 by 0, zero check 2, cls",
350 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
351 BPF_MOV32_IMM(BPF_REG_0, 1),
352 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
360 "MOD64 by 0, zero check 1, cls",
362 BPF_MOV32_IMM(BPF_REG_1, 0),
363 BPF_MOV32_IMM(BPF_REG_0, 2),
364 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
367 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
372 "MOD64 by 0, zero check 2, cls",
374 BPF_MOV32_IMM(BPF_REG_1, 0),
375 BPF_MOV32_IMM(BPF_REG_0, -1),
376 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
379 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
383 /* Just make sure that JITs used udiv/umod as otherwise we get
384 * an exception from INT_MIN/-1 overflow similarly as with div
388 "DIV32 overflow, check 1",
390 BPF_MOV32_IMM(BPF_REG_1, -1),
391 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
392 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
395 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
400 "DIV32 overflow, check 2",
402 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
403 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
406 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
411 "DIV64 overflow, check 1",
413 BPF_MOV64_IMM(BPF_REG_1, -1),
414 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
415 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
418 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
423 "DIV64 overflow, check 2",
425 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
426 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
429 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
434 "MOD32 overflow, check 1",
436 BPF_MOV32_IMM(BPF_REG_1, -1),
437 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
438 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
441 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
446 "MOD32 overflow, check 2",
448 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
449 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
457 "MOD64 overflow, check 1",
459 BPF_MOV64_IMM(BPF_REG_1, -1),
460 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
461 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
462 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
463 BPF_MOV32_IMM(BPF_REG_0, 0),
464 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
465 BPF_MOV32_IMM(BPF_REG_0, 1),
468 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
473 "MOD64 overflow, check 2",
475 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
476 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
477 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
478 BPF_MOV32_IMM(BPF_REG_0, 0),
479 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
480 BPF_MOV32_IMM(BPF_REG_0, 1),
483 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
488 "xor32 zero extend check",
490 BPF_MOV32_IMM(BPF_REG_2, -1),
491 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
492 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
493 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
494 BPF_MOV32_IMM(BPF_REG_0, 2),
495 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
496 BPF_MOV32_IMM(BPF_REG_0, 1),
499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
507 .errstr = "unknown opcode 00",
515 .errstr = "R0 !read_ok",
524 .errstr = "unreachable",
530 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
531 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
534 .errstr = "unreachable",
540 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
543 .errstr = "jump out of range",
547 "out of range jump2",
549 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
552 .errstr = "jump out of range",
558 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
559 BPF_LD_IMM64(BPF_REG_0, 0),
560 BPF_LD_IMM64(BPF_REG_0, 0),
561 BPF_LD_IMM64(BPF_REG_0, 1),
562 BPF_LD_IMM64(BPF_REG_0, 1),
563 BPF_MOV64_IMM(BPF_REG_0, 2),
566 .errstr = "invalid BPF_LD_IMM insn",
567 .errstr_unpriv = "R1 pointer comparison",
573 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
574 BPF_LD_IMM64(BPF_REG_0, 0),
575 BPF_LD_IMM64(BPF_REG_0, 0),
576 BPF_LD_IMM64(BPF_REG_0, 1),
577 BPF_LD_IMM64(BPF_REG_0, 1),
580 .errstr = "invalid BPF_LD_IMM insn",
581 .errstr_unpriv = "R1 pointer comparison",
587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
588 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
589 BPF_LD_IMM64(BPF_REG_0, 0),
590 BPF_LD_IMM64(BPF_REG_0, 0),
591 BPF_LD_IMM64(BPF_REG_0, 1),
592 BPF_LD_IMM64(BPF_REG_0, 1),
595 .errstr = "invalid bpf_ld_imm64 insn",
601 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
604 .errstr = "invalid bpf_ld_imm64 insn",
610 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
612 .errstr = "invalid bpf_ld_imm64 insn",
618 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
619 BPF_RAW_INSN(0, 0, 0, 0, 0),
627 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
628 BPF_RAW_INSN(0, 0, 0, 0, 1),
637 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
638 BPF_RAW_INSN(0, 0, 0, 0, 1),
641 .errstr = "uses reserved fields",
647 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
648 BPF_RAW_INSN(0, 0, 0, 1, 1),
651 .errstr = "invalid bpf_ld_imm64 insn",
657 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
658 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
661 .errstr = "invalid bpf_ld_imm64 insn",
667 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
668 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
671 .errstr = "invalid bpf_ld_imm64 insn",
677 BPF_MOV64_IMM(BPF_REG_1, 0),
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
679 BPF_RAW_INSN(0, 0, 0, 0, 1),
682 .errstr = "not pointing to valid bpf_map",
688 BPF_MOV64_IMM(BPF_REG_1, 0),
689 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
690 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
693 .errstr = "invalid bpf_ld_imm64 insn",
699 BPF_MOV64_IMM(BPF_REG_0, 1),
700 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
704 .errstr = "unknown opcode c4",
709 BPF_MOV64_IMM(BPF_REG_0, 1),
710 BPF_MOV64_IMM(BPF_REG_1, 5),
711 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
715 .errstr = "unknown opcode cc",
720 BPF_MOV64_IMM(BPF_REG_0, 1),
721 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
729 BPF_MOV64_IMM(BPF_REG_0, 1),
730 BPF_MOV64_IMM(BPF_REG_1, 5),
731 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
739 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
741 .errstr = "not an exit",
747 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
750 .errstr = "back-edge",
756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
757 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
758 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
759 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
762 .errstr = "back-edge",
768 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
770 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
774 .errstr = "back-edge",
778 "read uninitialized register",
780 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
783 .errstr = "R2 !read_ok",
787 "read invalid register",
789 BPF_MOV64_REG(BPF_REG_0, -1),
792 .errstr = "R15 is invalid",
796 "program doesn't init R0 before exit",
798 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
801 .errstr = "R0 !read_ok",
805 "program doesn't init R0 before exit in all branches",
807 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
808 BPF_MOV64_IMM(BPF_REG_0, 1),
809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
812 .errstr = "R0 !read_ok",
813 .errstr_unpriv = "R1 pointer comparison",
817 "stack out of bounds",
819 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
822 .errstr = "invalid stack",
826 "invalid call insn1",
828 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
831 .errstr = "unknown opcode 8d",
835 "invalid call insn2",
837 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
840 .errstr = "BPF_CALL uses reserved",
844 "invalid function call",
846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
849 .errstr = "invalid func unknown#1234567",
853 "uninitialized stack1",
855 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
856 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
857 BPF_LD_MAP_FD(BPF_REG_1, 0),
858 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
859 BPF_FUNC_map_lookup_elem),
863 .errstr = "invalid indirect read from stack",
867 "uninitialized stack2",
869 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
870 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
873 .errstr = "invalid read from stack",
877 "invalid fp arithmetic",
878 /* If this gets ever changed, make sure JITs can deal with it. */
880 BPF_MOV64_IMM(BPF_REG_0, 0),
881 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
882 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
883 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
886 .errstr = "R1 subtraction from stack pointer",
890 "non-invalid fp arithmetic",
892 BPF_MOV64_IMM(BPF_REG_0, 0),
893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
899 "invalid argument register",
901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
902 BPF_FUNC_get_cgroup_classid),
903 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
904 BPF_FUNC_get_cgroup_classid),
907 .errstr = "R1 !read_ok",
909 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
912 "non-invalid argument register",
914 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916 BPF_FUNC_get_cgroup_classid),
917 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
918 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
919 BPF_FUNC_get_cgroup_classid),
923 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
926 "check valid spill/fill",
928 /* spill R1(ctx) into stack */
929 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
930 /* fill it back into R2 */
931 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
932 /* should be able to access R0 = *(R2 + 8) */
933 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
934 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
937 .errstr_unpriv = "R0 leaks addr",
939 .result_unpriv = REJECT,
940 .retval = POINTER_VALUE,
943 "check valid spill/fill, skb mark",
945 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
946 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
947 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
948 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
949 offsetof(struct __sk_buff, mark)),
953 .result_unpriv = ACCEPT,
956 "check corrupted spill/fill",
958 /* spill R1(ctx) into stack */
959 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
960 /* mess up with R1 pointer on stack */
961 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
962 /* fill back into R0 should fail */
963 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
966 .errstr_unpriv = "attempt to corrupt spilled",
967 .errstr = "corrupted spill",
971 "invalid src register in STX",
973 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
976 .errstr = "R15 is invalid",
980 "invalid dst register in STX",
982 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
985 .errstr = "R14 is invalid",
989 "invalid dst register in ST",
991 BPF_ST_MEM(BPF_B, 14, -1, -1),
994 .errstr = "R14 is invalid",
998 "invalid src register in LDX",
1000 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1003 .errstr = "R12 is invalid",
1007 "invalid dst register in LDX",
1009 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1012 .errstr = "R11 is invalid",
1018 BPF_RAW_INSN(0, 0, 0, 0, 0),
1021 .errstr = "unknown opcode 00",
1027 BPF_RAW_INSN(1, 0, 0, 0, 0),
1030 .errstr = "BPF_LDX uses reserved fields",
1036 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1039 .errstr = "unknown opcode ff",
1045 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1048 .errstr = "unknown opcode ff",
1054 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1057 .errstr = "BPF_ALU uses reserved fields",
1061 "misaligned read from stack",
1063 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1064 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1067 .errstr = "misaligned stack access",
1071 "invalid map_fd for function call",
1073 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1074 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1076 BPF_LD_MAP_FD(BPF_REG_1, 0),
1077 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1078 BPF_FUNC_map_delete_elem),
1081 .errstr = "fd 0 is not pointing to valid bpf_map",
1085 "don't check return value before access",
1087 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1088 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1089 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1090 BPF_LD_MAP_FD(BPF_REG_1, 0),
1091 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1092 BPF_FUNC_map_lookup_elem),
1093 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1096 .fixup_map1 = { 3 },
1097 .errstr = "R0 invalid mem access 'map_value_or_null'",
1101 "access memory with incorrect alignment",
1103 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1106 BPF_LD_MAP_FD(BPF_REG_1, 0),
1107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1108 BPF_FUNC_map_lookup_elem),
1109 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1110 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1113 .fixup_map1 = { 3 },
1114 .errstr = "misaligned value access",
1116 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1119 "sometimes access memory with incorrect alignment",
1121 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1122 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1124 BPF_LD_MAP_FD(BPF_REG_1, 0),
1125 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1126 BPF_FUNC_map_lookup_elem),
1127 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1128 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1130 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1133 .fixup_map1 = { 3 },
1134 .errstr = "R0 invalid mem access",
1135 .errstr_unpriv = "R0 leaks addr",
1137 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1142 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1143 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1144 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1145 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1146 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1147 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1149 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1151 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1153 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1154 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1155 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1156 BPF_MOV64_IMM(BPF_REG_0, 0),
1159 .errstr_unpriv = "R1 pointer comparison",
1160 .result_unpriv = REJECT,
1166 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1169 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1171 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1172 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1175 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1177 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1178 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1180 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1181 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1182 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1183 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1184 BPF_MOV64_IMM(BPF_REG_0, 0),
1187 .errstr_unpriv = "R1 pointer comparison",
1188 .result_unpriv = REJECT,
1194 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1195 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1196 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1198 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1200 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1201 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1202 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1203 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1204 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1206 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1207 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1208 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1210 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1211 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1212 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1213 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1214 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1216 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1218 BPF_LD_MAP_FD(BPF_REG_1, 0),
1219 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1220 BPF_FUNC_map_delete_elem),
1223 .fixup_map1 = { 24 },
1224 .errstr_unpriv = "R1 pointer comparison",
1225 .result_unpriv = REJECT,
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1270 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1272 BPF_MOV64_IMM(BPF_REG_0, 0),
1275 .errstr_unpriv = "R1 pointer comparison",
1276 .result_unpriv = REJECT,
1282 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1283 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1284 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1285 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1286 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1287 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1288 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1289 BPF_MOV64_IMM(BPF_REG_0, 0),
1290 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1291 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1292 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1293 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1294 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1295 BPF_MOV64_IMM(BPF_REG_0, 0),
1296 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1297 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1298 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1299 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1300 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1301 BPF_MOV64_IMM(BPF_REG_0, 0),
1302 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1303 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1304 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1305 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1306 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1307 BPF_MOV64_IMM(BPF_REG_0, 0),
1308 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1309 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1310 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1311 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1312 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1313 BPF_MOV64_IMM(BPF_REG_0, 0),
1316 .errstr_unpriv = "R1 pointer comparison",
1317 .result_unpriv = REJECT,
1321 "access skb fields ok",
1323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, len)),
1325 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 offsetof(struct __sk_buff, mark)),
1328 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, pkt_type)),
1331 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1332 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333 offsetof(struct __sk_buff, queue_mapping)),
1334 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, protocol)),
1337 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339 offsetof(struct __sk_buff, vlan_present)),
1340 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342 offsetof(struct __sk_buff, vlan_tci)),
1343 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1344 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, napi_id)),
1346 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1352 "access skb fields bad1",
1354 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1357 .errstr = "invalid bpf_context access",
1361 "access skb fields bad2",
1363 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1364 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1365 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1367 BPF_LD_MAP_FD(BPF_REG_1, 0),
1368 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1369 BPF_FUNC_map_lookup_elem),
1370 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1372 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1374 offsetof(struct __sk_buff, pkt_type)),
1377 .fixup_map1 = { 4 },
1378 .errstr = "different pointers",
1379 .errstr_unpriv = "R1 pointer comparison",
1383 "access skb fields bad3",
1385 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1386 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1387 offsetof(struct __sk_buff, pkt_type)),
1389 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1390 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1392 BPF_LD_MAP_FD(BPF_REG_1, 0),
1393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1394 BPF_FUNC_map_lookup_elem),
1395 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1397 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1398 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1400 .fixup_map1 = { 6 },
1401 .errstr = "different pointers",
1402 .errstr_unpriv = "R1 pointer comparison",
1406 "access skb fields bad4",
1408 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1409 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1410 offsetof(struct __sk_buff, len)),
1411 BPF_MOV64_IMM(BPF_REG_0, 0),
1413 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1414 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1416 BPF_LD_MAP_FD(BPF_REG_1, 0),
1417 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1418 BPF_FUNC_map_lookup_elem),
1419 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1421 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1422 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1424 .fixup_map1 = { 7 },
1425 .errstr = "different pointers",
1426 .errstr_unpriv = "R1 pointer comparison",
1430 "invalid access __sk_buff family",
1432 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1433 offsetof(struct __sk_buff, family)),
1436 .errstr = "invalid bpf_context access",
1440 "invalid access __sk_buff remote_ip4",
1442 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1443 offsetof(struct __sk_buff, remote_ip4)),
1446 .errstr = "invalid bpf_context access",
1450 "invalid access __sk_buff local_ip4",
1452 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1453 offsetof(struct __sk_buff, local_ip4)),
1456 .errstr = "invalid bpf_context access",
1460 "invalid access __sk_buff remote_ip6",
1462 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1463 offsetof(struct __sk_buff, remote_ip6)),
1466 .errstr = "invalid bpf_context access",
1470 "invalid access __sk_buff local_ip6",
1472 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1473 offsetof(struct __sk_buff, local_ip6)),
1476 .errstr = "invalid bpf_context access",
1480 "invalid access __sk_buff remote_port",
1482 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1483 offsetof(struct __sk_buff, remote_port)),
1486 .errstr = "invalid bpf_context access",
1490 "invalid access __sk_buff remote_port",
1492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1493 offsetof(struct __sk_buff, local_port)),
1496 .errstr = "invalid bpf_context access",
1500 "valid access __sk_buff family",
1502 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1503 offsetof(struct __sk_buff, family)),
1507 .prog_type = BPF_PROG_TYPE_SK_SKB,
1510 "valid access __sk_buff remote_ip4",
1512 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1513 offsetof(struct __sk_buff, remote_ip4)),
1517 .prog_type = BPF_PROG_TYPE_SK_SKB,
1520 "valid access __sk_buff local_ip4",
1522 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1523 offsetof(struct __sk_buff, local_ip4)),
1527 .prog_type = BPF_PROG_TYPE_SK_SKB,
1530 "valid access __sk_buff remote_ip6",
1532 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1533 offsetof(struct __sk_buff, remote_ip6[0])),
1534 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1535 offsetof(struct __sk_buff, remote_ip6[1])),
1536 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1537 offsetof(struct __sk_buff, remote_ip6[2])),
1538 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1539 offsetof(struct __sk_buff, remote_ip6[3])),
1543 .prog_type = BPF_PROG_TYPE_SK_SKB,
1546 "valid access __sk_buff local_ip6",
1548 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1549 offsetof(struct __sk_buff, local_ip6[0])),
1550 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1551 offsetof(struct __sk_buff, local_ip6[1])),
1552 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1553 offsetof(struct __sk_buff, local_ip6[2])),
1554 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1555 offsetof(struct __sk_buff, local_ip6[3])),
1559 .prog_type = BPF_PROG_TYPE_SK_SKB,
1562 "valid access __sk_buff remote_port",
1564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1565 offsetof(struct __sk_buff, remote_port)),
1569 .prog_type = BPF_PROG_TYPE_SK_SKB,
1572 "valid access __sk_buff remote_port",
1574 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1575 offsetof(struct __sk_buff, local_port)),
1579 .prog_type = BPF_PROG_TYPE_SK_SKB,
1582 "invalid access of tc_classid for SK_SKB",
1584 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1585 offsetof(struct __sk_buff, tc_classid)),
1589 .prog_type = BPF_PROG_TYPE_SK_SKB,
1590 .errstr = "invalid bpf_context access",
1593 "invalid access of skb->mark for SK_SKB",
1595 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1596 offsetof(struct __sk_buff, mark)),
1600 .prog_type = BPF_PROG_TYPE_SK_SKB,
1601 .errstr = "invalid bpf_context access",
1604 "check skb->mark is not writeable by SK_SKB",
1606 BPF_MOV64_IMM(BPF_REG_0, 0),
1607 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1608 offsetof(struct __sk_buff, mark)),
1612 .prog_type = BPF_PROG_TYPE_SK_SKB,
1613 .errstr = "invalid bpf_context access",
1616 "check skb->tc_index is writeable by SK_SKB",
1618 BPF_MOV64_IMM(BPF_REG_0, 0),
1619 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1620 offsetof(struct __sk_buff, tc_index)),
1624 .prog_type = BPF_PROG_TYPE_SK_SKB,
1627 "check skb->priority is writeable by SK_SKB",
1629 BPF_MOV64_IMM(BPF_REG_0, 0),
1630 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1631 offsetof(struct __sk_buff, priority)),
1635 .prog_type = BPF_PROG_TYPE_SK_SKB,
1638 "direct packet read for SK_SKB",
1640 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1641 offsetof(struct __sk_buff, data)),
1642 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1643 offsetof(struct __sk_buff, data_end)),
1644 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1646 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1647 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1648 BPF_MOV64_IMM(BPF_REG_0, 0),
1652 .prog_type = BPF_PROG_TYPE_SK_SKB,
1655 "direct packet write for SK_SKB",
1657 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1658 offsetof(struct __sk_buff, data)),
1659 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1660 offsetof(struct __sk_buff, data_end)),
1661 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1663 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1664 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1665 BPF_MOV64_IMM(BPF_REG_0, 0),
1669 .prog_type = BPF_PROG_TYPE_SK_SKB,
1672 "overlapping checks for direct packet access SK_SKB",
1674 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1675 offsetof(struct __sk_buff, data)),
1676 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1677 offsetof(struct __sk_buff, data_end)),
1678 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1680 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1681 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1683 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1684 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1685 BPF_MOV64_IMM(BPF_REG_0, 0),
1689 .prog_type = BPF_PROG_TYPE_SK_SKB,
1692 "valid access family in SK_MSG",
1694 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1695 offsetof(struct sk_msg_md, family)),
1699 .prog_type = BPF_PROG_TYPE_SK_MSG,
1702 "valid access remote_ip4 in SK_MSG",
1704 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1705 offsetof(struct sk_msg_md, remote_ip4)),
1709 .prog_type = BPF_PROG_TYPE_SK_MSG,
1712 "valid access local_ip4 in SK_MSG",
1714 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1715 offsetof(struct sk_msg_md, local_ip4)),
1719 .prog_type = BPF_PROG_TYPE_SK_MSG,
1722 "valid access remote_port in SK_MSG",
1724 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1725 offsetof(struct sk_msg_md, remote_port)),
1729 .prog_type = BPF_PROG_TYPE_SK_MSG,
1732 "valid access local_port in SK_MSG",
1734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1735 offsetof(struct sk_msg_md, local_port)),
1739 .prog_type = BPF_PROG_TYPE_SK_MSG,
1742 "valid access remote_ip6 in SK_MSG",
1744 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1745 offsetof(struct sk_msg_md, remote_ip6[0])),
1746 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1747 offsetof(struct sk_msg_md, remote_ip6[1])),
1748 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1749 offsetof(struct sk_msg_md, remote_ip6[2])),
1750 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1751 offsetof(struct sk_msg_md, remote_ip6[3])),
1755 .prog_type = BPF_PROG_TYPE_SK_SKB,
1758 "valid access local_ip6 in SK_MSG",
1760 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1761 offsetof(struct sk_msg_md, local_ip6[0])),
1762 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1763 offsetof(struct sk_msg_md, local_ip6[1])),
1764 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1765 offsetof(struct sk_msg_md, local_ip6[2])),
1766 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1767 offsetof(struct sk_msg_md, local_ip6[3])),
1771 .prog_type = BPF_PROG_TYPE_SK_SKB,
1774 "invalid 64B read of family in SK_MSG",
1776 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1777 offsetof(struct sk_msg_md, family)),
1780 .errstr = "invalid bpf_context access",
1782 .prog_type = BPF_PROG_TYPE_SK_MSG,
1785 "invalid read past end of SK_MSG",
1787 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1788 offsetof(struct sk_msg_md, local_port) + 4),
1791 .errstr = "R0 !read_ok",
1793 .prog_type = BPF_PROG_TYPE_SK_MSG,
1796 "invalid read offset in SK_MSG",
1798 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1799 offsetof(struct sk_msg_md, family) + 1),
1802 .errstr = "invalid bpf_context access",
1804 .prog_type = BPF_PROG_TYPE_SK_MSG,
1807 "direct packet read for SK_MSG",
1809 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1810 offsetof(struct sk_msg_md, data)),
1811 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1812 offsetof(struct sk_msg_md, data_end)),
1813 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1815 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1816 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1817 BPF_MOV64_IMM(BPF_REG_0, 0),
1821 .prog_type = BPF_PROG_TYPE_SK_MSG,
1824 "direct packet write for SK_MSG",
1826 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1827 offsetof(struct sk_msg_md, data)),
1828 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1829 offsetof(struct sk_msg_md, data_end)),
1830 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1832 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1833 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1834 BPF_MOV64_IMM(BPF_REG_0, 0),
1838 .prog_type = BPF_PROG_TYPE_SK_MSG,
1841 "overlapping checks for direct packet access SK_MSG",
1843 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1844 offsetof(struct sk_msg_md, data)),
1845 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1846 offsetof(struct sk_msg_md, data_end)),
1847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1850 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1852 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1853 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1854 BPF_MOV64_IMM(BPF_REG_0, 0),
1858 .prog_type = BPF_PROG_TYPE_SK_MSG,
1861 "check skb->mark is not writeable by sockets",
1863 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1864 offsetof(struct __sk_buff, mark)),
1867 .errstr = "invalid bpf_context access",
1868 .errstr_unpriv = "R1 leaks addr",
1872 "check skb->tc_index is not writeable by sockets",
1874 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1875 offsetof(struct __sk_buff, tc_index)),
1878 .errstr = "invalid bpf_context access",
1879 .errstr_unpriv = "R1 leaks addr",
1883 "check cb access: byte",
1885 BPF_MOV64_IMM(BPF_REG_0, 0),
1886 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1887 offsetof(struct __sk_buff, cb[0])),
1888 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1889 offsetof(struct __sk_buff, cb[0]) + 1),
1890 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1891 offsetof(struct __sk_buff, cb[0]) + 2),
1892 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1893 offsetof(struct __sk_buff, cb[0]) + 3),
1894 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1895 offsetof(struct __sk_buff, cb[1])),
1896 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1897 offsetof(struct __sk_buff, cb[1]) + 1),
1898 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1899 offsetof(struct __sk_buff, cb[1]) + 2),
1900 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1901 offsetof(struct __sk_buff, cb[1]) + 3),
1902 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1903 offsetof(struct __sk_buff, cb[2])),
1904 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1905 offsetof(struct __sk_buff, cb[2]) + 1),
1906 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1907 offsetof(struct __sk_buff, cb[2]) + 2),
1908 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1909 offsetof(struct __sk_buff, cb[2]) + 3),
1910 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1911 offsetof(struct __sk_buff, cb[3])),
1912 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1913 offsetof(struct __sk_buff, cb[3]) + 1),
1914 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1915 offsetof(struct __sk_buff, cb[3]) + 2),
1916 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1917 offsetof(struct __sk_buff, cb[3]) + 3),
1918 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1919 offsetof(struct __sk_buff, cb[4])),
1920 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1921 offsetof(struct __sk_buff, cb[4]) + 1),
1922 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1923 offsetof(struct __sk_buff, cb[4]) + 2),
1924 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1925 offsetof(struct __sk_buff, cb[4]) + 3),
1926 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1927 offsetof(struct __sk_buff, cb[0])),
1928 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1929 offsetof(struct __sk_buff, cb[0]) + 1),
1930 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1931 offsetof(struct __sk_buff, cb[0]) + 2),
1932 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1933 offsetof(struct __sk_buff, cb[0]) + 3),
1934 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1935 offsetof(struct __sk_buff, cb[1])),
1936 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1937 offsetof(struct __sk_buff, cb[1]) + 1),
1938 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1939 offsetof(struct __sk_buff, cb[1]) + 2),
1940 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1941 offsetof(struct __sk_buff, cb[1]) + 3),
1942 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1943 offsetof(struct __sk_buff, cb[2])),
1944 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1945 offsetof(struct __sk_buff, cb[2]) + 1),
1946 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1947 offsetof(struct __sk_buff, cb[2]) + 2),
1948 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1949 offsetof(struct __sk_buff, cb[2]) + 3),
1950 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1951 offsetof(struct __sk_buff, cb[3])),
1952 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1953 offsetof(struct __sk_buff, cb[3]) + 1),
1954 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1955 offsetof(struct __sk_buff, cb[3]) + 2),
1956 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1957 offsetof(struct __sk_buff, cb[3]) + 3),
1958 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1959 offsetof(struct __sk_buff, cb[4])),
1960 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1961 offsetof(struct __sk_buff, cb[4]) + 1),
1962 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1963 offsetof(struct __sk_buff, cb[4]) + 2),
1964 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1965 offsetof(struct __sk_buff, cb[4]) + 3),
1971 "__sk_buff->hash, offset 0, byte store not permitted",
1973 BPF_MOV64_IMM(BPF_REG_0, 0),
1974 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1975 offsetof(struct __sk_buff, hash)),
1978 .errstr = "invalid bpf_context access",
1982 "__sk_buff->tc_index, offset 3, byte store not permitted",
1984 BPF_MOV64_IMM(BPF_REG_0, 0),
1985 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1986 offsetof(struct __sk_buff, tc_index) + 3),
1989 .errstr = "invalid bpf_context access",
1993 "check skb->hash byte load permitted",
1995 BPF_MOV64_IMM(BPF_REG_0, 0),
1996 #if __BYTE_ORDER == __LITTLE_ENDIAN
1997 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1998 offsetof(struct __sk_buff, hash)),
2000 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2001 offsetof(struct __sk_buff, hash) + 3),
2008 "check skb->hash byte load not permitted 1",
2010 BPF_MOV64_IMM(BPF_REG_0, 0),
2011 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2012 offsetof(struct __sk_buff, hash) + 1),
2015 .errstr = "invalid bpf_context access",
2019 "check skb->hash byte load not permitted 2",
2021 BPF_MOV64_IMM(BPF_REG_0, 0),
2022 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2023 offsetof(struct __sk_buff, hash) + 2),
2026 .errstr = "invalid bpf_context access",
2030 "check skb->hash byte load not permitted 3",
2032 BPF_MOV64_IMM(BPF_REG_0, 0),
2033 #if __BYTE_ORDER == __LITTLE_ENDIAN
2034 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2035 offsetof(struct __sk_buff, hash) + 3),
2037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2038 offsetof(struct __sk_buff, hash)),
2042 .errstr = "invalid bpf_context access",
2046 "check cb access: byte, wrong type",
2048 BPF_MOV64_IMM(BPF_REG_0, 0),
2049 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2050 offsetof(struct __sk_buff, cb[0])),
2053 .errstr = "invalid bpf_context access",
2055 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2058 "check cb access: half",
2060 BPF_MOV64_IMM(BPF_REG_0, 0),
2061 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2062 offsetof(struct __sk_buff, cb[0])),
2063 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2064 offsetof(struct __sk_buff, cb[0]) + 2),
2065 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2066 offsetof(struct __sk_buff, cb[1])),
2067 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2068 offsetof(struct __sk_buff, cb[1]) + 2),
2069 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2070 offsetof(struct __sk_buff, cb[2])),
2071 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2072 offsetof(struct __sk_buff, cb[2]) + 2),
2073 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2074 offsetof(struct __sk_buff, cb[3])),
2075 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2076 offsetof(struct __sk_buff, cb[3]) + 2),
2077 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2078 offsetof(struct __sk_buff, cb[4])),
2079 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2080 offsetof(struct __sk_buff, cb[4]) + 2),
2081 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2082 offsetof(struct __sk_buff, cb[0])),
2083 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2084 offsetof(struct __sk_buff, cb[0]) + 2),
2085 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2086 offsetof(struct __sk_buff, cb[1])),
2087 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2088 offsetof(struct __sk_buff, cb[1]) + 2),
2089 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2090 offsetof(struct __sk_buff, cb[2])),
2091 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2092 offsetof(struct __sk_buff, cb[2]) + 2),
2093 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2094 offsetof(struct __sk_buff, cb[3])),
2095 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2096 offsetof(struct __sk_buff, cb[3]) + 2),
2097 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2098 offsetof(struct __sk_buff, cb[4])),
2099 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2100 offsetof(struct __sk_buff, cb[4]) + 2),
2106 "check cb access: half, unaligned",
2108 BPF_MOV64_IMM(BPF_REG_0, 0),
2109 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2110 offsetof(struct __sk_buff, cb[0]) + 1),
2113 .errstr = "misaligned context access",
2115 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2118 "check __sk_buff->hash, offset 0, half store not permitted",
2120 BPF_MOV64_IMM(BPF_REG_0, 0),
2121 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2122 offsetof(struct __sk_buff, hash)),
2125 .errstr = "invalid bpf_context access",
2129 "check __sk_buff->tc_index, offset 2, half store not permitted",
2131 BPF_MOV64_IMM(BPF_REG_0, 0),
2132 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2133 offsetof(struct __sk_buff, tc_index) + 2),
2136 .errstr = "invalid bpf_context access",
2140 "check skb->hash half load permitted",
2142 BPF_MOV64_IMM(BPF_REG_0, 0),
2143 #if __BYTE_ORDER == __LITTLE_ENDIAN
2144 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2145 offsetof(struct __sk_buff, hash)),
2147 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2148 offsetof(struct __sk_buff, hash) + 2),
2155 "check skb->hash half load not permitted",
2157 BPF_MOV64_IMM(BPF_REG_0, 0),
2158 #if __BYTE_ORDER == __LITTLE_ENDIAN
2159 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2160 offsetof(struct __sk_buff, hash) + 2),
2162 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2163 offsetof(struct __sk_buff, hash)),
2167 .errstr = "invalid bpf_context access",
2171 "check cb access: half, wrong type",
2173 BPF_MOV64_IMM(BPF_REG_0, 0),
2174 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2175 offsetof(struct __sk_buff, cb[0])),
2178 .errstr = "invalid bpf_context access",
2180 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2183 "check cb access: word",
2185 BPF_MOV64_IMM(BPF_REG_0, 0),
2186 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2187 offsetof(struct __sk_buff, cb[0])),
2188 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2189 offsetof(struct __sk_buff, cb[1])),
2190 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2191 offsetof(struct __sk_buff, cb[2])),
2192 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2193 offsetof(struct __sk_buff, cb[3])),
2194 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2195 offsetof(struct __sk_buff, cb[4])),
2196 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2197 offsetof(struct __sk_buff, cb[0])),
2198 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2199 offsetof(struct __sk_buff, cb[1])),
2200 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2201 offsetof(struct __sk_buff, cb[2])),
2202 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2203 offsetof(struct __sk_buff, cb[3])),
2204 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2205 offsetof(struct __sk_buff, cb[4])),
2211 "check cb access: word, unaligned 1",
2213 BPF_MOV64_IMM(BPF_REG_0, 0),
2214 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2215 offsetof(struct __sk_buff, cb[0]) + 2),
2218 .errstr = "misaligned context access",
2220 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2223 "check cb access: word, unaligned 2",
2225 BPF_MOV64_IMM(BPF_REG_0, 0),
2226 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2227 offsetof(struct __sk_buff, cb[4]) + 1),
2230 .errstr = "misaligned context access",
2232 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2235 "check cb access: word, unaligned 3",
2237 BPF_MOV64_IMM(BPF_REG_0, 0),
2238 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2239 offsetof(struct __sk_buff, cb[4]) + 2),
2242 .errstr = "misaligned context access",
2244 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2247 "check cb access: word, unaligned 4",
2249 BPF_MOV64_IMM(BPF_REG_0, 0),
2250 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2251 offsetof(struct __sk_buff, cb[4]) + 3),
2254 .errstr = "misaligned context access",
2256 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2259 "check cb access: double",
2261 BPF_MOV64_IMM(BPF_REG_0, 0),
2262 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2263 offsetof(struct __sk_buff, cb[0])),
2264 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2265 offsetof(struct __sk_buff, cb[2])),
2266 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2267 offsetof(struct __sk_buff, cb[0])),
2268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2269 offsetof(struct __sk_buff, cb[2])),
2275 "check cb access: double, unaligned 1",
2277 BPF_MOV64_IMM(BPF_REG_0, 0),
2278 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2279 offsetof(struct __sk_buff, cb[1])),
2282 .errstr = "misaligned context access",
2284 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2287 "check cb access: double, unaligned 2",
2289 BPF_MOV64_IMM(BPF_REG_0, 0),
2290 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2291 offsetof(struct __sk_buff, cb[3])),
2294 .errstr = "misaligned context access",
2296 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2299 "check cb access: double, oob 1",
2301 BPF_MOV64_IMM(BPF_REG_0, 0),
2302 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2303 offsetof(struct __sk_buff, cb[4])),
2306 .errstr = "invalid bpf_context access",
2310 "check cb access: double, oob 2",
2312 BPF_MOV64_IMM(BPF_REG_0, 0),
2313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2314 offsetof(struct __sk_buff, cb[4])),
2317 .errstr = "invalid bpf_context access",
2321 "check __sk_buff->ifindex dw store not permitted",
2323 BPF_MOV64_IMM(BPF_REG_0, 0),
2324 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2325 offsetof(struct __sk_buff, ifindex)),
2328 .errstr = "invalid bpf_context access",
2332 "check __sk_buff->ifindex dw load not permitted",
2334 BPF_MOV64_IMM(BPF_REG_0, 0),
2335 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2336 offsetof(struct __sk_buff, ifindex)),
2339 .errstr = "invalid bpf_context access",
2343 "check cb access: double, wrong type",
2345 BPF_MOV64_IMM(BPF_REG_0, 0),
2346 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2347 offsetof(struct __sk_buff, cb[0])),
2350 .errstr = "invalid bpf_context access",
2352 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2355 "check out of range skb->cb access",
2357 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2358 offsetof(struct __sk_buff, cb[0]) + 256),
2361 .errstr = "invalid bpf_context access",
2362 .errstr_unpriv = "",
2364 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2367 "write skb fields from socket prog",
2369 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2370 offsetof(struct __sk_buff, cb[4])),
2371 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2373 offsetof(struct __sk_buff, mark)),
2374 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2375 offsetof(struct __sk_buff, tc_index)),
2376 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2377 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2378 offsetof(struct __sk_buff, cb[0])),
2379 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2380 offsetof(struct __sk_buff, cb[2])),
2384 .errstr_unpriv = "R1 leaks addr",
2385 .result_unpriv = REJECT,
2388 "write skb fields from tc_cls_act prog",
2390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2391 offsetof(struct __sk_buff, cb[0])),
2392 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2393 offsetof(struct __sk_buff, mark)),
2394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2395 offsetof(struct __sk_buff, tc_index)),
2396 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2397 offsetof(struct __sk_buff, tc_index)),
2398 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2399 offsetof(struct __sk_buff, cb[3])),
2402 .errstr_unpriv = "",
2403 .result_unpriv = REJECT,
2405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2408 "PTR_TO_STACK store/load",
2410 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2412 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2413 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2417 .retval = 0xfaceb00c,
2420 "PTR_TO_STACK store/load - bad alignment on off",
2422 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2424 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2425 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2429 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2432 "PTR_TO_STACK store/load - bad alignment on reg",
2434 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2436 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2437 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2441 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2444 "PTR_TO_STACK store/load - out of bounds low",
2446 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2448 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2449 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2453 .errstr = "invalid stack off=-79992 size=8",
2456 "PTR_TO_STACK store/load - out of bounds high",
2458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2460 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2461 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2465 .errstr = "invalid stack off=0 size=8",
2468 "unpriv: return pointer",
2470 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2474 .result_unpriv = REJECT,
2475 .errstr_unpriv = "R0 leaks addr",
2476 .retval = POINTER_VALUE,
2479 "unpriv: add const to pointer",
2481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2482 BPF_MOV64_IMM(BPF_REG_0, 0),
2488 "unpriv: add pointer to pointer",
2490 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2491 BPF_MOV64_IMM(BPF_REG_0, 0),
2495 .errstr = "R1 pointer += pointer",
2498 "unpriv: neg pointer",
2500 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2501 BPF_MOV64_IMM(BPF_REG_0, 0),
2505 .result_unpriv = REJECT,
2506 .errstr_unpriv = "R1 pointer arithmetic",
2509 "unpriv: cmp pointer with const",
2511 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2512 BPF_MOV64_IMM(BPF_REG_0, 0),
2516 .result_unpriv = REJECT,
2517 .errstr_unpriv = "R1 pointer comparison",
2520 "unpriv: cmp pointer with pointer",
2522 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2523 BPF_MOV64_IMM(BPF_REG_0, 0),
2527 .result_unpriv = REJECT,
2528 .errstr_unpriv = "R10 pointer comparison",
2531 "unpriv: check that printk is disallowed",
2533 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2536 BPF_MOV64_IMM(BPF_REG_2, 8),
2537 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2538 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2539 BPF_FUNC_trace_printk),
2540 BPF_MOV64_IMM(BPF_REG_0, 0),
2543 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2544 .result_unpriv = REJECT,
2548 "unpriv: pass pointer to helper function",
2550 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2551 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2553 BPF_LD_MAP_FD(BPF_REG_1, 0),
2554 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2555 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2556 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2557 BPF_FUNC_map_update_elem),
2558 BPF_MOV64_IMM(BPF_REG_0, 0),
2561 .fixup_map1 = { 3 },
2562 .errstr_unpriv = "R4 leaks addr",
2563 .result_unpriv = REJECT,
2567 "unpriv: indirectly pass pointer on stack to helper function",
2569 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2570 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2572 BPF_LD_MAP_FD(BPF_REG_1, 0),
2573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2574 BPF_FUNC_map_lookup_elem),
2575 BPF_MOV64_IMM(BPF_REG_0, 0),
2578 .fixup_map1 = { 3 },
2579 .errstr = "invalid indirect read from stack off -8+0 size 8",
2583 "unpriv: mangle pointer on stack 1",
2585 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2586 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2587 BPF_MOV64_IMM(BPF_REG_0, 0),
2590 .errstr_unpriv = "attempt to corrupt spilled",
2591 .result_unpriv = REJECT,
2595 "unpriv: mangle pointer on stack 2",
2597 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2598 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2599 BPF_MOV64_IMM(BPF_REG_0, 0),
2602 .errstr_unpriv = "attempt to corrupt spilled",
2603 .result_unpriv = REJECT,
2607 "unpriv: read pointer from stack in small chunks",
2609 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2610 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2611 BPF_MOV64_IMM(BPF_REG_0, 0),
2614 .errstr = "invalid size",
2618 "unpriv: write pointer into ctx",
2620 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2621 BPF_MOV64_IMM(BPF_REG_0, 0),
2624 .errstr_unpriv = "R1 leaks addr",
2625 .result_unpriv = REJECT,
2626 .errstr = "invalid bpf_context access",
2630 "unpriv: spill/fill of ctx",
2632 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2634 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2635 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2636 BPF_MOV64_IMM(BPF_REG_0, 0),
2642 "unpriv: spill/fill of ctx 2",
2644 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2646 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2647 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2649 BPF_FUNC_get_hash_recalc),
2650 BPF_MOV64_IMM(BPF_REG_0, 0),
2654 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2657 "unpriv: spill/fill of ctx 3",
2659 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2661 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2662 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2663 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2664 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2665 BPF_FUNC_get_hash_recalc),
2669 .errstr = "R1 type=fp expected=ctx",
2670 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2673 "unpriv: spill/fill of ctx 4",
2675 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2677 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2678 BPF_MOV64_IMM(BPF_REG_0, 1),
2679 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2681 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2683 BPF_FUNC_get_hash_recalc),
2687 .errstr = "R1 type=inv expected=ctx",
2688 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2691 "unpriv: spill/fill of different pointers stx",
2693 BPF_MOV64_IMM(BPF_REG_3, 42),
2694 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2696 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2699 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2700 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2701 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2702 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2703 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2704 offsetof(struct __sk_buff, mark)),
2705 BPF_MOV64_IMM(BPF_REG_0, 0),
2709 .errstr = "same insn cannot be used with different pointers",
2710 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2713 "unpriv: spill/fill of different pointers ldx",
2715 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2720 -(__s32)offsetof(struct bpf_perf_event_data,
2721 sample_period) - 8),
2722 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2723 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2724 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2725 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2726 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2727 offsetof(struct bpf_perf_event_data,
2729 BPF_MOV64_IMM(BPF_REG_0, 0),
2733 .errstr = "same insn cannot be used with different pointers",
2734 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2737 "unpriv: write pointer into map elem value",
2739 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2740 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2741 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2742 BPF_LD_MAP_FD(BPF_REG_1, 0),
2743 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2744 BPF_FUNC_map_lookup_elem),
2745 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2746 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2749 .fixup_map1 = { 3 },
2750 .errstr_unpriv = "R0 leaks addr",
2751 .result_unpriv = REJECT,
2755 "unpriv: partial copy of pointer",
2757 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2758 BPF_MOV64_IMM(BPF_REG_0, 0),
2761 .errstr_unpriv = "R10 partial copy",
2762 .result_unpriv = REJECT,
2766 "unpriv: pass pointer to tail_call",
2768 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2769 BPF_LD_MAP_FD(BPF_REG_2, 0),
2770 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2771 BPF_FUNC_tail_call),
2772 BPF_MOV64_IMM(BPF_REG_0, 0),
2775 .fixup_prog1 = { 1 },
2776 .errstr_unpriv = "R3 leaks addr into helper",
2777 .result_unpriv = REJECT,
2781 "unpriv: cmp map pointer with zero",
2783 BPF_MOV64_IMM(BPF_REG_1, 0),
2784 BPF_LD_MAP_FD(BPF_REG_1, 0),
2785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2786 BPF_MOV64_IMM(BPF_REG_0, 0),
2789 .fixup_map1 = { 1 },
2790 .errstr_unpriv = "R1 pointer comparison",
2791 .result_unpriv = REJECT,
2795 "unpriv: write into frame pointer",
2797 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2798 BPF_MOV64_IMM(BPF_REG_0, 0),
2801 .errstr = "frame pointer is read only",
2805 "unpriv: spill/fill frame pointer",
2807 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2809 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2810 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2811 BPF_MOV64_IMM(BPF_REG_0, 0),
2814 .errstr = "frame pointer is read only",
2818 "unpriv: cmp of frame pointer",
2820 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2821 BPF_MOV64_IMM(BPF_REG_0, 0),
2824 .errstr_unpriv = "R10 pointer comparison",
2825 .result_unpriv = REJECT,
2829 "unpriv: adding of fp",
2831 BPF_MOV64_IMM(BPF_REG_0, 0),
2832 BPF_MOV64_IMM(BPF_REG_1, 0),
2833 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2834 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2840 "unpriv: cmp of stack pointer",
2842 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2845 BPF_MOV64_IMM(BPF_REG_0, 0),
2848 .errstr_unpriv = "R2 pointer comparison",
2849 .result_unpriv = REJECT,
2853 "runtime/jit: tail_call within bounds, prog once",
2855 BPF_MOV64_IMM(BPF_REG_3, 0),
2856 BPF_LD_MAP_FD(BPF_REG_2, 0),
2857 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2858 BPF_FUNC_tail_call),
2859 BPF_MOV64_IMM(BPF_REG_0, 1),
2862 .fixup_prog1 = { 1 },
2867 "runtime/jit: tail_call within bounds, prog loop",
2869 BPF_MOV64_IMM(BPF_REG_3, 1),
2870 BPF_LD_MAP_FD(BPF_REG_2, 0),
2871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2872 BPF_FUNC_tail_call),
2873 BPF_MOV64_IMM(BPF_REG_0, 1),
2876 .fixup_prog1 = { 1 },
2881 "runtime/jit: tail_call within bounds, no prog",
2883 BPF_MOV64_IMM(BPF_REG_3, 2),
2884 BPF_LD_MAP_FD(BPF_REG_2, 0),
2885 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2886 BPF_FUNC_tail_call),
2887 BPF_MOV64_IMM(BPF_REG_0, 1),
2890 .fixup_prog1 = { 1 },
2895 "runtime/jit: tail_call out of bounds",
2897 BPF_MOV64_IMM(BPF_REG_3, 256),
2898 BPF_LD_MAP_FD(BPF_REG_2, 0),
2899 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2900 BPF_FUNC_tail_call),
2901 BPF_MOV64_IMM(BPF_REG_0, 2),
2904 .fixup_prog1 = { 1 },
2909 "runtime/jit: pass negative index to tail_call",
2911 BPF_MOV64_IMM(BPF_REG_3, -1),
2912 BPF_LD_MAP_FD(BPF_REG_2, 0),
2913 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2914 BPF_FUNC_tail_call),
2915 BPF_MOV64_IMM(BPF_REG_0, 2),
2918 .fixup_prog1 = { 1 },
2923 "runtime/jit: pass > 32bit index to tail_call",
2925 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2926 BPF_LD_MAP_FD(BPF_REG_2, 0),
2927 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2928 BPF_FUNC_tail_call),
2929 BPF_MOV64_IMM(BPF_REG_0, 2),
2932 .fixup_prog1 = { 2 },
2937 "stack pointer arithmetic",
2939 BPF_MOV64_IMM(BPF_REG_1, 4),
2940 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2941 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2945 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2946 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2947 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2949 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2950 BPF_MOV64_IMM(BPF_REG_0, 0),
2956 "raw_stack: no skb_load_bytes",
2958 BPF_MOV64_IMM(BPF_REG_2, 4),
2959 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2961 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2962 BPF_MOV64_IMM(BPF_REG_4, 8),
2963 /* Call to skb_load_bytes() omitted. */
2964 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2968 .errstr = "invalid read from stack off -8+0 size 8",
2969 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2972 "raw_stack: skb_load_bytes, negative len",
2974 BPF_MOV64_IMM(BPF_REG_2, 4),
2975 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2977 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2978 BPF_MOV64_IMM(BPF_REG_4, -8),
2979 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2980 BPF_FUNC_skb_load_bytes),
2981 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2985 .errstr = "R4 min value is negative",
2986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2989 "raw_stack: skb_load_bytes, negative len 2",
2991 BPF_MOV64_IMM(BPF_REG_2, 4),
2992 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2994 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2995 BPF_MOV64_IMM(BPF_REG_4, ~0),
2996 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2997 BPF_FUNC_skb_load_bytes),
2998 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3002 .errstr = "R4 min value is negative",
3003 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3006 "raw_stack: skb_load_bytes, zero len",
3008 BPF_MOV64_IMM(BPF_REG_2, 4),
3009 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3011 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3012 BPF_MOV64_IMM(BPF_REG_4, 0),
3013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3014 BPF_FUNC_skb_load_bytes),
3015 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3019 .errstr = "invalid stack type R3",
3020 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3023 "raw_stack: skb_load_bytes, no init",
3025 BPF_MOV64_IMM(BPF_REG_2, 4),
3026 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3028 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3029 BPF_MOV64_IMM(BPF_REG_4, 8),
3030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3031 BPF_FUNC_skb_load_bytes),
3032 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3036 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3039 "raw_stack: skb_load_bytes, init",
3041 BPF_MOV64_IMM(BPF_REG_2, 4),
3042 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3044 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3045 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3046 BPF_MOV64_IMM(BPF_REG_4, 8),
3047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3048 BPF_FUNC_skb_load_bytes),
3049 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3053 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3056 "raw_stack: skb_load_bytes, spilled regs around bounds",
3058 BPF_MOV64_IMM(BPF_REG_2, 4),
3059 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3061 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3062 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3063 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3064 BPF_MOV64_IMM(BPF_REG_4, 8),
3065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3066 BPF_FUNC_skb_load_bytes),
3067 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3068 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3069 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3070 offsetof(struct __sk_buff, mark)),
3071 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3072 offsetof(struct __sk_buff, priority)),
3073 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3077 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3080 "raw_stack: skb_load_bytes, spilled regs corruption",
3082 BPF_MOV64_IMM(BPF_REG_2, 4),
3083 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3085 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3086 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3087 BPF_MOV64_IMM(BPF_REG_4, 8),
3088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3089 BPF_FUNC_skb_load_bytes),
3090 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3092 offsetof(struct __sk_buff, mark)),
3096 .errstr = "R0 invalid mem access 'inv'",
3097 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3100 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3102 BPF_MOV64_IMM(BPF_REG_2, 4),
3103 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3106 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3107 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3108 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3109 BPF_MOV64_IMM(BPF_REG_4, 8),
3110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3111 BPF_FUNC_skb_load_bytes),
3112 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3113 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3114 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3115 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3116 offsetof(struct __sk_buff, mark)),
3117 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3118 offsetof(struct __sk_buff, priority)),
3119 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3120 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3121 offsetof(struct __sk_buff, pkt_type)),
3122 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3126 .errstr = "R3 invalid mem access 'inv'",
3127 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3130 "raw_stack: skb_load_bytes, spilled regs + data",
3132 BPF_MOV64_IMM(BPF_REG_2, 4),
3133 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3135 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3136 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3137 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3138 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3139 BPF_MOV64_IMM(BPF_REG_4, 8),
3140 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3141 BPF_FUNC_skb_load_bytes),
3142 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3143 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3144 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3145 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3146 offsetof(struct __sk_buff, mark)),
3147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3148 offsetof(struct __sk_buff, priority)),
3149 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3150 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3154 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3157 "raw_stack: skb_load_bytes, invalid access 1",
3159 BPF_MOV64_IMM(BPF_REG_2, 4),
3160 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3162 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3163 BPF_MOV64_IMM(BPF_REG_4, 8),
3164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3165 BPF_FUNC_skb_load_bytes),
3166 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3170 .errstr = "invalid stack type R3 off=-513 access_size=8",
3171 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3174 "raw_stack: skb_load_bytes, invalid access 2",
3176 BPF_MOV64_IMM(BPF_REG_2, 4),
3177 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3179 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3180 BPF_MOV64_IMM(BPF_REG_4, 8),
3181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3182 BPF_FUNC_skb_load_bytes),
3183 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3187 .errstr = "invalid stack type R3 off=-1 access_size=8",
3188 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3191 "raw_stack: skb_load_bytes, invalid access 3",
3193 BPF_MOV64_IMM(BPF_REG_2, 4),
3194 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3196 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3197 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3199 BPF_FUNC_skb_load_bytes),
3200 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3204 .errstr = "R4 min value is negative",
3205 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3208 "raw_stack: skb_load_bytes, invalid access 4",
3210 BPF_MOV64_IMM(BPF_REG_2, 4),
3211 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3213 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3214 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3215 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3216 BPF_FUNC_skb_load_bytes),
3217 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3221 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3222 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3225 "raw_stack: skb_load_bytes, invalid access 5",
3227 BPF_MOV64_IMM(BPF_REG_2, 4),
3228 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3230 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3231 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3233 BPF_FUNC_skb_load_bytes),
3234 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3238 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3239 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3242 "raw_stack: skb_load_bytes, invalid access 6",
3244 BPF_MOV64_IMM(BPF_REG_2, 4),
3245 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3247 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3248 BPF_MOV64_IMM(BPF_REG_4, 0),
3249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3250 BPF_FUNC_skb_load_bytes),
3251 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3255 .errstr = "invalid stack type R3 off=-512 access_size=0",
3256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3259 "raw_stack: skb_load_bytes, large access",
3261 BPF_MOV64_IMM(BPF_REG_2, 4),
3262 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3264 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3265 BPF_MOV64_IMM(BPF_REG_4, 512),
3266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3267 BPF_FUNC_skb_load_bytes),
3268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3272 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3275 "context stores via ST",
3277 BPF_MOV64_IMM(BPF_REG_0, 0),
3278 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3281 .errstr = "BPF_ST stores into R1 context is not allowed",
3283 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3286 "context stores via XADD",
3288 BPF_MOV64_IMM(BPF_REG_0, 0),
3289 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3290 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3293 .errstr = "BPF_XADD stores into R1 context is not allowed",
3295 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3298 "direct packet access: test1",
3300 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3301 offsetof(struct __sk_buff, data)),
3302 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3303 offsetof(struct __sk_buff, data_end)),
3304 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3306 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3307 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3308 BPF_MOV64_IMM(BPF_REG_0, 0),
3312 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3315 "direct packet access: test2",
3317 BPF_MOV64_IMM(BPF_REG_0, 1),
3318 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3319 offsetof(struct __sk_buff, data_end)),
3320 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3321 offsetof(struct __sk_buff, data)),
3322 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3324 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3325 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3326 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3327 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3328 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3329 offsetof(struct __sk_buff, data)),
3330 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3331 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3332 offsetof(struct __sk_buff, len)),
3333 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3334 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3335 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3338 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3339 offsetof(struct __sk_buff, data_end)),
3340 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3341 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3342 BPF_MOV64_IMM(BPF_REG_0, 0),
3346 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3349 "direct packet access: test3",
3351 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3352 offsetof(struct __sk_buff, data)),
3353 BPF_MOV64_IMM(BPF_REG_0, 0),
3356 .errstr = "invalid bpf_context access off=76",
3358 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3361 "direct packet access: test4 (write)",
3363 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3364 offsetof(struct __sk_buff, data)),
3365 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3366 offsetof(struct __sk_buff, data_end)),
3367 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3368 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3369 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3370 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3371 BPF_MOV64_IMM(BPF_REG_0, 0),
3375 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3378 "direct packet access: test5 (pkt_end >= reg, good access)",
3380 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3381 offsetof(struct __sk_buff, data)),
3382 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3383 offsetof(struct __sk_buff, data_end)),
3384 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3386 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3387 BPF_MOV64_IMM(BPF_REG_0, 1),
3389 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3390 BPF_MOV64_IMM(BPF_REG_0, 0),
3394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3397 "direct packet access: test6 (pkt_end >= reg, bad access)",
3399 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3400 offsetof(struct __sk_buff, data)),
3401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3402 offsetof(struct __sk_buff, data_end)),
3403 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3405 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3406 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3407 BPF_MOV64_IMM(BPF_REG_0, 1),
3409 BPF_MOV64_IMM(BPF_REG_0, 0),
3412 .errstr = "invalid access to packet",
3414 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3417 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3419 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3420 offsetof(struct __sk_buff, data)),
3421 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3422 offsetof(struct __sk_buff, data_end)),
3423 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3425 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3426 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3427 BPF_MOV64_IMM(BPF_REG_0, 1),
3429 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3430 BPF_MOV64_IMM(BPF_REG_0, 0),
3433 .errstr = "invalid access to packet",
3435 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3438 "direct packet access: test8 (double test, variant 1)",
3440 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3441 offsetof(struct __sk_buff, data)),
3442 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3443 offsetof(struct __sk_buff, data_end)),
3444 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3446 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3447 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3448 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3449 BPF_MOV64_IMM(BPF_REG_0, 1),
3451 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3452 BPF_MOV64_IMM(BPF_REG_0, 0),
3456 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3459 "direct packet access: test9 (double test, variant 2)",
3461 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3462 offsetof(struct __sk_buff, data)),
3463 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3464 offsetof(struct __sk_buff, data_end)),
3465 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3467 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3468 BPF_MOV64_IMM(BPF_REG_0, 1),
3470 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3471 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3472 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3473 BPF_MOV64_IMM(BPF_REG_0, 0),
3477 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3480 "direct packet access: test10 (write invalid)",
3482 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3483 offsetof(struct __sk_buff, data)),
3484 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3485 offsetof(struct __sk_buff, data_end)),
3486 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3488 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3489 BPF_MOV64_IMM(BPF_REG_0, 0),
3491 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3492 BPF_MOV64_IMM(BPF_REG_0, 0),
3495 .errstr = "invalid access to packet",
3497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3500 "direct packet access: test11 (shift, good access)",
3502 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3503 offsetof(struct __sk_buff, data)),
3504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3505 offsetof(struct __sk_buff, data_end)),
3506 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3508 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3509 BPF_MOV64_IMM(BPF_REG_3, 144),
3510 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3512 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3513 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3514 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3515 BPF_MOV64_IMM(BPF_REG_0, 1),
3517 BPF_MOV64_IMM(BPF_REG_0, 0),
3521 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3525 "direct packet access: test12 (and, good access)",
3527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3528 offsetof(struct __sk_buff, data)),
3529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3530 offsetof(struct __sk_buff, data_end)),
3531 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3533 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3534 BPF_MOV64_IMM(BPF_REG_3, 144),
3535 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3537 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3538 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3539 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3540 BPF_MOV64_IMM(BPF_REG_0, 1),
3542 BPF_MOV64_IMM(BPF_REG_0, 0),
3546 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3550 "direct packet access: test13 (branches, good access)",
3552 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3553 offsetof(struct __sk_buff, data)),
3554 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3555 offsetof(struct __sk_buff, data_end)),
3556 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3558 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3559 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3560 offsetof(struct __sk_buff, mark)),
3561 BPF_MOV64_IMM(BPF_REG_4, 1),
3562 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3563 BPF_MOV64_IMM(BPF_REG_3, 14),
3564 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3565 BPF_MOV64_IMM(BPF_REG_3, 24),
3566 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3568 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3569 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3570 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3571 BPF_MOV64_IMM(BPF_REG_0, 1),
3573 BPF_MOV64_IMM(BPF_REG_0, 0),
3577 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3581 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3583 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3584 offsetof(struct __sk_buff, data)),
3585 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3586 offsetof(struct __sk_buff, data_end)),
3587 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3589 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3590 BPF_MOV64_IMM(BPF_REG_5, 12),
3591 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3592 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3593 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3594 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3595 BPF_MOV64_IMM(BPF_REG_0, 1),
3597 BPF_MOV64_IMM(BPF_REG_0, 0),
3601 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3605 "direct packet access: test15 (spill with xadd)",
3607 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3608 offsetof(struct __sk_buff, data)),
3609 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3610 offsetof(struct __sk_buff, data_end)),
3611 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3613 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3614 BPF_MOV64_IMM(BPF_REG_5, 4096),
3615 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3617 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3618 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3619 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3620 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3621 BPF_MOV64_IMM(BPF_REG_0, 0),
3624 .errstr = "R2 invalid mem access 'inv'",
3626 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3629 "direct packet access: test16 (arith on data_end)",
3631 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3632 offsetof(struct __sk_buff, data)),
3633 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3634 offsetof(struct __sk_buff, data_end)),
3635 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3638 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3639 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3640 BPF_MOV64_IMM(BPF_REG_0, 0),
3643 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3645 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3648 "direct packet access: test17 (pruning, alignment)",
3650 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3651 offsetof(struct __sk_buff, data)),
3652 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3653 offsetof(struct __sk_buff, data_end)),
3654 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3655 offsetof(struct __sk_buff, mark)),
3656 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3658 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3659 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3660 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3661 BPF_MOV64_IMM(BPF_REG_0, 0),
3663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3666 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3668 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3669 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3672 "direct packet access: test18 (imm += pkt_ptr, 1)",
3674 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3675 offsetof(struct __sk_buff, data)),
3676 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3677 offsetof(struct __sk_buff, data_end)),
3678 BPF_MOV64_IMM(BPF_REG_0, 8),
3679 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3680 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3681 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3682 BPF_MOV64_IMM(BPF_REG_0, 0),
3686 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3689 "direct packet access: test19 (imm += pkt_ptr, 2)",
3691 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3692 offsetof(struct __sk_buff, data)),
3693 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3694 offsetof(struct __sk_buff, data_end)),
3695 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3697 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3698 BPF_MOV64_IMM(BPF_REG_4, 4),
3699 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3700 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3701 BPF_MOV64_IMM(BPF_REG_0, 0),
3705 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3708 "direct packet access: test20 (x += pkt_ptr, 1)",
3710 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3711 offsetof(struct __sk_buff, data)),
3712 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3713 offsetof(struct __sk_buff, data_end)),
3714 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3715 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3716 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3717 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3718 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3719 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3720 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3722 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3723 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3724 BPF_MOV64_IMM(BPF_REG_0, 0),
3727 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3731 "direct packet access: test21 (x += pkt_ptr, 2)",
3733 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3734 offsetof(struct __sk_buff, data)),
3735 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3736 offsetof(struct __sk_buff, data_end)),
3737 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3739 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3740 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3741 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3742 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3743 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3744 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3745 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3747 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3748 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3749 BPF_MOV64_IMM(BPF_REG_0, 0),
3752 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3756 "direct packet access: test22 (x += pkt_ptr, 3)",
3758 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3759 offsetof(struct __sk_buff, data)),
3760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3761 offsetof(struct __sk_buff, data_end)),
3762 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3763 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3764 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3765 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3766 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3767 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3768 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3769 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3770 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3771 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3772 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3773 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3774 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3776 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3777 BPF_MOV64_IMM(BPF_REG_2, 1),
3778 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3779 BPF_MOV64_IMM(BPF_REG_0, 0),
3782 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3786 "direct packet access: test23 (x += pkt_ptr, 4)",
3788 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3789 offsetof(struct __sk_buff, data)),
3790 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3791 offsetof(struct __sk_buff, data_end)),
3792 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3793 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3794 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3795 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3796 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3797 BPF_MOV64_IMM(BPF_REG_0, 31),
3798 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3799 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3800 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3802 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3803 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3804 BPF_MOV64_IMM(BPF_REG_0, 0),
3807 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3809 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3812 "direct packet access: test24 (x += pkt_ptr, 5)",
3814 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3815 offsetof(struct __sk_buff, data)),
3816 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3817 offsetof(struct __sk_buff, data_end)),
3818 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3819 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3820 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3821 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3822 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3823 BPF_MOV64_IMM(BPF_REG_0, 64),
3824 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3826 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3827 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3828 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3829 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3830 BPF_MOV64_IMM(BPF_REG_0, 0),
3833 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3837 "direct packet access: test25 (marking on <, good access)",
3839 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3840 offsetof(struct __sk_buff, data)),
3841 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3842 offsetof(struct __sk_buff, data_end)),
3843 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3845 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3846 BPF_MOV64_IMM(BPF_REG_0, 0),
3848 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3849 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3852 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3855 "direct packet access: test26 (marking on <, bad access)",
3857 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3858 offsetof(struct __sk_buff, data)),
3859 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3860 offsetof(struct __sk_buff, data_end)),
3861 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3863 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3864 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3865 BPF_MOV64_IMM(BPF_REG_0, 0),
3867 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3870 .errstr = "invalid access to packet",
3871 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3874 "direct packet access: test27 (marking on <=, good access)",
3876 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3877 offsetof(struct __sk_buff, data)),
3878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3879 offsetof(struct __sk_buff, data_end)),
3880 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3882 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3883 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3884 BPF_MOV64_IMM(BPF_REG_0, 1),
3888 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3892 "direct packet access: test28 (marking on <=, bad access)",
3894 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3895 offsetof(struct __sk_buff, data)),
3896 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3897 offsetof(struct __sk_buff, data_end)),
3898 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3900 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3901 BPF_MOV64_IMM(BPF_REG_0, 1),
3903 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3904 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3907 .errstr = "invalid access to packet",
3908 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3911 "helper access to packet: test1, valid packet_ptr range",
3913 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3914 offsetof(struct xdp_md, data)),
3915 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3916 offsetof(struct xdp_md, data_end)),
3917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3919 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3920 BPF_LD_MAP_FD(BPF_REG_1, 0),
3921 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3922 BPF_MOV64_IMM(BPF_REG_4, 0),
3923 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3924 BPF_FUNC_map_update_elem),
3925 BPF_MOV64_IMM(BPF_REG_0, 0),
3928 .fixup_map1 = { 5 },
3929 .result_unpriv = ACCEPT,
3931 .prog_type = BPF_PROG_TYPE_XDP,
3934 "helper access to packet: test2, unchecked packet_ptr",
3936 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3937 offsetof(struct xdp_md, data)),
3938 BPF_LD_MAP_FD(BPF_REG_1, 0),
3939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3940 BPF_FUNC_map_lookup_elem),
3941 BPF_MOV64_IMM(BPF_REG_0, 0),
3944 .fixup_map1 = { 1 },
3946 .errstr = "invalid access to packet",
3947 .prog_type = BPF_PROG_TYPE_XDP,
3950 "helper access to packet: test3, variable add",
3952 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3953 offsetof(struct xdp_md, data)),
3954 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3955 offsetof(struct xdp_md, data_end)),
3956 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3958 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3959 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3960 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3961 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3962 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3964 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3965 BPF_LD_MAP_FD(BPF_REG_1, 0),
3966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3968 BPF_FUNC_map_lookup_elem),
3969 BPF_MOV64_IMM(BPF_REG_0, 0),
3972 .fixup_map1 = { 11 },
3974 .prog_type = BPF_PROG_TYPE_XDP,
3977 "helper access to packet: test4, packet_ptr with bad range",
3979 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3980 offsetof(struct xdp_md, data)),
3981 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3982 offsetof(struct xdp_md, data_end)),
3983 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3985 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3986 BPF_MOV64_IMM(BPF_REG_0, 0),
3988 BPF_LD_MAP_FD(BPF_REG_1, 0),
3989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3990 BPF_FUNC_map_lookup_elem),
3991 BPF_MOV64_IMM(BPF_REG_0, 0),
3994 .fixup_map1 = { 7 },
3996 .errstr = "invalid access to packet",
3997 .prog_type = BPF_PROG_TYPE_XDP,
4000 "helper access to packet: test5, packet_ptr with too short range",
4002 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4003 offsetof(struct xdp_md, data)),
4004 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4005 offsetof(struct xdp_md, data_end)),
4006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4007 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4009 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4010 BPF_LD_MAP_FD(BPF_REG_1, 0),
4011 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4012 BPF_FUNC_map_lookup_elem),
4013 BPF_MOV64_IMM(BPF_REG_0, 0),
4016 .fixup_map1 = { 6 },
4018 .errstr = "invalid access to packet",
4019 .prog_type = BPF_PROG_TYPE_XDP,
4022 "helper access to packet: test6, cls valid packet_ptr range",
4024 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4025 offsetof(struct __sk_buff, data)),
4026 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4027 offsetof(struct __sk_buff, data_end)),
4028 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4029 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4030 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4031 BPF_LD_MAP_FD(BPF_REG_1, 0),
4032 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4033 BPF_MOV64_IMM(BPF_REG_4, 0),
4034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4035 BPF_FUNC_map_update_elem),
4036 BPF_MOV64_IMM(BPF_REG_0, 0),
4039 .fixup_map1 = { 5 },
4041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4044 "helper access to packet: test7, cls unchecked packet_ptr",
4046 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4047 offsetof(struct __sk_buff, data)),
4048 BPF_LD_MAP_FD(BPF_REG_1, 0),
4049 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4050 BPF_FUNC_map_lookup_elem),
4051 BPF_MOV64_IMM(BPF_REG_0, 0),
4054 .fixup_map1 = { 1 },
4056 .errstr = "invalid access to packet",
4057 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4060 "helper access to packet: test8, cls variable add",
4062 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4063 offsetof(struct __sk_buff, data)),
4064 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4065 offsetof(struct __sk_buff, data_end)),
4066 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4068 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4069 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4070 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4071 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4072 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4074 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4075 BPF_LD_MAP_FD(BPF_REG_1, 0),
4076 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4077 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4078 BPF_FUNC_map_lookup_elem),
4079 BPF_MOV64_IMM(BPF_REG_0, 0),
4082 .fixup_map1 = { 11 },
4084 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4087 "helper access to packet: test9, cls packet_ptr with bad range",
4089 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4090 offsetof(struct __sk_buff, data)),
4091 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4092 offsetof(struct __sk_buff, data_end)),
4093 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4095 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4096 BPF_MOV64_IMM(BPF_REG_0, 0),
4098 BPF_LD_MAP_FD(BPF_REG_1, 0),
4099 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4100 BPF_FUNC_map_lookup_elem),
4101 BPF_MOV64_IMM(BPF_REG_0, 0),
4104 .fixup_map1 = { 7 },
4106 .errstr = "invalid access to packet",
4107 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4110 "helper access to packet: test10, cls packet_ptr with too short range",
4112 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4113 offsetof(struct __sk_buff, data)),
4114 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4115 offsetof(struct __sk_buff, data_end)),
4116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4117 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4119 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4120 BPF_LD_MAP_FD(BPF_REG_1, 0),
4121 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4122 BPF_FUNC_map_lookup_elem),
4123 BPF_MOV64_IMM(BPF_REG_0, 0),
4126 .fixup_map1 = { 6 },
4128 .errstr = "invalid access to packet",
4129 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4132 "helper access to packet: test11, cls unsuitable helper 1",
4134 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4135 offsetof(struct __sk_buff, data)),
4136 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4137 offsetof(struct __sk_buff, data_end)),
4138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4139 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4141 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4142 BPF_MOV64_IMM(BPF_REG_2, 0),
4143 BPF_MOV64_IMM(BPF_REG_4, 42),
4144 BPF_MOV64_IMM(BPF_REG_5, 0),
4145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4146 BPF_FUNC_skb_store_bytes),
4147 BPF_MOV64_IMM(BPF_REG_0, 0),
4151 .errstr = "helper access to the packet",
4152 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4155 "helper access to packet: test12, cls unsuitable helper 2",
4157 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4158 offsetof(struct __sk_buff, data)),
4159 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4160 offsetof(struct __sk_buff, data_end)),
4161 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4163 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4164 BPF_MOV64_IMM(BPF_REG_2, 0),
4165 BPF_MOV64_IMM(BPF_REG_4, 4),
4166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4167 BPF_FUNC_skb_load_bytes),
4168 BPF_MOV64_IMM(BPF_REG_0, 0),
4172 .errstr = "helper access to the packet",
4173 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4176 "helper access to packet: test13, cls helper ok",
4178 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4179 offsetof(struct __sk_buff, data)),
4180 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4181 offsetof(struct __sk_buff, data_end)),
4182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4183 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4185 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4186 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4187 BPF_MOV64_IMM(BPF_REG_2, 4),
4188 BPF_MOV64_IMM(BPF_REG_3, 0),
4189 BPF_MOV64_IMM(BPF_REG_4, 0),
4190 BPF_MOV64_IMM(BPF_REG_5, 0),
4191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4192 BPF_FUNC_csum_diff),
4193 BPF_MOV64_IMM(BPF_REG_0, 0),
4197 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4200 "helper access to packet: test14, cls helper ok sub",
4202 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4203 offsetof(struct __sk_buff, data)),
4204 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4205 offsetof(struct __sk_buff, data_end)),
4206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4207 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4209 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4210 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4211 BPF_MOV64_IMM(BPF_REG_2, 4),
4212 BPF_MOV64_IMM(BPF_REG_3, 0),
4213 BPF_MOV64_IMM(BPF_REG_4, 0),
4214 BPF_MOV64_IMM(BPF_REG_5, 0),
4215 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4216 BPF_FUNC_csum_diff),
4217 BPF_MOV64_IMM(BPF_REG_0, 0),
4221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4224 "helper access to packet: test15, cls helper fail sub",
4226 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4227 offsetof(struct __sk_buff, data)),
4228 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4229 offsetof(struct __sk_buff, data_end)),
4230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4231 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4233 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4234 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4235 BPF_MOV64_IMM(BPF_REG_2, 4),
4236 BPF_MOV64_IMM(BPF_REG_3, 0),
4237 BPF_MOV64_IMM(BPF_REG_4, 0),
4238 BPF_MOV64_IMM(BPF_REG_5, 0),
4239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4240 BPF_FUNC_csum_diff),
4241 BPF_MOV64_IMM(BPF_REG_0, 0),
4245 .errstr = "invalid access to packet",
4246 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4249 "helper access to packet: test16, cls helper fail range 1",
4251 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4252 offsetof(struct __sk_buff, data)),
4253 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4254 offsetof(struct __sk_buff, data_end)),
4255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4256 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4258 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4259 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4260 BPF_MOV64_IMM(BPF_REG_2, 8),
4261 BPF_MOV64_IMM(BPF_REG_3, 0),
4262 BPF_MOV64_IMM(BPF_REG_4, 0),
4263 BPF_MOV64_IMM(BPF_REG_5, 0),
4264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4265 BPF_FUNC_csum_diff),
4266 BPF_MOV64_IMM(BPF_REG_0, 0),
4270 .errstr = "invalid access to packet",
4271 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4274 "helper access to packet: test17, cls helper fail range 2",
4276 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4277 offsetof(struct __sk_buff, data)),
4278 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4279 offsetof(struct __sk_buff, data_end)),
4280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4281 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4283 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4284 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4285 BPF_MOV64_IMM(BPF_REG_2, -9),
4286 BPF_MOV64_IMM(BPF_REG_3, 0),
4287 BPF_MOV64_IMM(BPF_REG_4, 0),
4288 BPF_MOV64_IMM(BPF_REG_5, 0),
4289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4290 BPF_FUNC_csum_diff),
4291 BPF_MOV64_IMM(BPF_REG_0, 0),
4295 .errstr = "R2 min value is negative",
4296 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4299 "helper access to packet: test18, cls helper fail range 3",
4301 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4302 offsetof(struct __sk_buff, data)),
4303 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4304 offsetof(struct __sk_buff, data_end)),
4305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4308 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4310 BPF_MOV64_IMM(BPF_REG_2, ~0),
4311 BPF_MOV64_IMM(BPF_REG_3, 0),
4312 BPF_MOV64_IMM(BPF_REG_4, 0),
4313 BPF_MOV64_IMM(BPF_REG_5, 0),
4314 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4315 BPF_FUNC_csum_diff),
4316 BPF_MOV64_IMM(BPF_REG_0, 0),
4320 .errstr = "R2 min value is negative",
4321 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4324 "helper access to packet: test19, cls helper range zero",
4326 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4327 offsetof(struct __sk_buff, data)),
4328 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4329 offsetof(struct __sk_buff, data_end)),
4330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4333 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4334 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4335 BPF_MOV64_IMM(BPF_REG_2, 0),
4336 BPF_MOV64_IMM(BPF_REG_3, 0),
4337 BPF_MOV64_IMM(BPF_REG_4, 0),
4338 BPF_MOV64_IMM(BPF_REG_5, 0),
4339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4340 BPF_FUNC_csum_diff),
4341 BPF_MOV64_IMM(BPF_REG_0, 0),
4345 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4348 "helper access to packet: test20, pkt end as input",
4350 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4351 offsetof(struct __sk_buff, data)),
4352 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4353 offsetof(struct __sk_buff, data_end)),
4354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4357 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4358 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4359 BPF_MOV64_IMM(BPF_REG_2, 4),
4360 BPF_MOV64_IMM(BPF_REG_3, 0),
4361 BPF_MOV64_IMM(BPF_REG_4, 0),
4362 BPF_MOV64_IMM(BPF_REG_5, 0),
4363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4364 BPF_FUNC_csum_diff),
4365 BPF_MOV64_IMM(BPF_REG_0, 0),
4369 .errstr = "R1 type=pkt_end expected=fp",
4370 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4373 "helper access to packet: test21, wrong reg",
4375 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4376 offsetof(struct __sk_buff, data)),
4377 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4378 offsetof(struct __sk_buff, data_end)),
4379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4380 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4382 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4383 BPF_MOV64_IMM(BPF_REG_2, 4),
4384 BPF_MOV64_IMM(BPF_REG_3, 0),
4385 BPF_MOV64_IMM(BPF_REG_4, 0),
4386 BPF_MOV64_IMM(BPF_REG_5, 0),
4387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4388 BPF_FUNC_csum_diff),
4389 BPF_MOV64_IMM(BPF_REG_0, 0),
4393 .errstr = "invalid access to packet",
4394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4397 "valid map access into an array with a constant",
4399 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4402 BPF_LD_MAP_FD(BPF_REG_1, 0),
4403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4404 BPF_FUNC_map_lookup_elem),
4405 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4406 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4407 offsetof(struct test_val, foo)),
4410 .fixup_map2 = { 3 },
4411 .errstr_unpriv = "R0 leaks addr",
4412 .result_unpriv = REJECT,
4416 "valid map access into an array with a register",
4418 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4419 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4421 BPF_LD_MAP_FD(BPF_REG_1, 0),
4422 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4423 BPF_FUNC_map_lookup_elem),
4424 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4425 BPF_MOV64_IMM(BPF_REG_1, 4),
4426 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4427 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4428 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4429 offsetof(struct test_val, foo)),
4432 .fixup_map2 = { 3 },
4433 .errstr_unpriv = "R0 leaks addr",
4434 .result_unpriv = REJECT,
4436 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4439 "valid map access into an array with a variable",
4441 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4442 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4444 BPF_LD_MAP_FD(BPF_REG_1, 0),
4445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4446 BPF_FUNC_map_lookup_elem),
4447 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4448 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4449 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4450 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4451 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4452 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4453 offsetof(struct test_val, foo)),
4456 .fixup_map2 = { 3 },
4457 .errstr_unpriv = "R0 leaks addr",
4458 .result_unpriv = REJECT,
4460 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4463 "valid map access into an array with a signed variable",
4465 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4466 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4467 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4468 BPF_LD_MAP_FD(BPF_REG_1, 0),
4469 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4470 BPF_FUNC_map_lookup_elem),
4471 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4472 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4473 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4474 BPF_MOV32_IMM(BPF_REG_1, 0),
4475 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4476 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4477 BPF_MOV32_IMM(BPF_REG_1, 0),
4478 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4479 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4480 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4481 offsetof(struct test_val, foo)),
4484 .fixup_map2 = { 3 },
4485 .errstr_unpriv = "R0 leaks addr",
4486 .result_unpriv = REJECT,
4488 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4491 "invalid map access into an array with a constant",
4493 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4494 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4496 BPF_LD_MAP_FD(BPF_REG_1, 0),
4497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4498 BPF_FUNC_map_lookup_elem),
4499 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4500 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4501 offsetof(struct test_val, foo)),
4504 .fixup_map2 = { 3 },
4505 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4509 "invalid map access into an array with a register",
4511 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4512 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4514 BPF_LD_MAP_FD(BPF_REG_1, 0),
4515 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4516 BPF_FUNC_map_lookup_elem),
4517 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4518 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4519 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4520 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4521 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4522 offsetof(struct test_val, foo)),
4525 .fixup_map2 = { 3 },
4526 .errstr = "R0 min value is outside of the array range",
4528 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4531 "invalid map access into an array with a variable",
4533 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4534 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4536 BPF_LD_MAP_FD(BPF_REG_1, 0),
4537 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4538 BPF_FUNC_map_lookup_elem),
4539 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4540 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4541 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4542 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4543 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4544 offsetof(struct test_val, foo)),
4547 .fixup_map2 = { 3 },
4548 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4550 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4553 "invalid map access into an array with no floor check",
4555 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4556 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4558 BPF_LD_MAP_FD(BPF_REG_1, 0),
4559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4560 BPF_FUNC_map_lookup_elem),
4561 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4562 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4563 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4564 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4565 BPF_MOV32_IMM(BPF_REG_1, 0),
4566 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4567 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4568 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4569 offsetof(struct test_val, foo)),
4572 .fixup_map2 = { 3 },
4573 .errstr_unpriv = "R0 leaks addr",
4574 .errstr = "R0 unbounded memory access",
4575 .result_unpriv = REJECT,
4577 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4580 "invalid map access into an array with a invalid max check",
4582 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4583 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4585 BPF_LD_MAP_FD(BPF_REG_1, 0),
4586 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4587 BPF_FUNC_map_lookup_elem),
4588 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4589 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4590 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4591 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4592 BPF_MOV32_IMM(BPF_REG_1, 0),
4593 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4594 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4595 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4596 offsetof(struct test_val, foo)),
4599 .fixup_map2 = { 3 },
4600 .errstr_unpriv = "R0 leaks addr",
4601 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4602 .result_unpriv = REJECT,
4604 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4607 "invalid map access into an array with a invalid max check",
4609 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4610 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4612 BPF_LD_MAP_FD(BPF_REG_1, 0),
4613 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4614 BPF_FUNC_map_lookup_elem),
4615 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4616 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4617 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4618 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4620 BPF_LD_MAP_FD(BPF_REG_1, 0),
4621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4622 BPF_FUNC_map_lookup_elem),
4623 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4624 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4625 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4626 offsetof(struct test_val, foo)),
4629 .fixup_map2 = { 3, 11 },
4630 .errstr = "R0 pointer += pointer",
4632 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4635 "valid cgroup storage access",
4637 BPF_MOV64_IMM(BPF_REG_2, 0),
4638 BPF_LD_MAP_FD(BPF_REG_1, 0),
4639 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4640 BPF_FUNC_get_local_storage),
4641 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4642 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4643 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4646 .fixup_cgroup_storage = { 1 },
4648 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4651 "invalid cgroup storage access 1",
4653 BPF_MOV64_IMM(BPF_REG_2, 0),
4654 BPF_LD_MAP_FD(BPF_REG_1, 0),
4655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4656 BPF_FUNC_get_local_storage),
4657 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4659 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4662 .fixup_map1 = { 1 },
4664 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4665 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4668 "invalid cgroup storage access 2",
4670 BPF_MOV64_IMM(BPF_REG_2, 0),
4671 BPF_LD_MAP_FD(BPF_REG_1, 1),
4672 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4673 BPF_FUNC_get_local_storage),
4674 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4678 .errstr = "fd 1 is not pointing to valid bpf_map",
4679 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4682 "invalid per-cgroup storage access 3",
4684 BPF_MOV64_IMM(BPF_REG_2, 0),
4685 BPF_LD_MAP_FD(BPF_REG_1, 0),
4686 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4687 BPF_FUNC_get_local_storage),
4688 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4690 BPF_MOV64_IMM(BPF_REG_0, 0),
4693 .fixup_cgroup_storage = { 1 },
4695 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
4696 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4699 "invalid cgroup storage access 4",
4701 BPF_MOV64_IMM(BPF_REG_2, 0),
4702 BPF_LD_MAP_FD(BPF_REG_1, 0),
4703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4704 BPF_FUNC_get_local_storage),
4705 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4706 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4710 .fixup_cgroup_storage = { 1 },
4712 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4713 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4716 "invalid cgroup storage access 5",
4718 BPF_MOV64_IMM(BPF_REG_2, 7),
4719 BPF_LD_MAP_FD(BPF_REG_1, 0),
4720 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4721 BPF_FUNC_get_local_storage),
4722 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4723 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4724 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4727 .fixup_cgroup_storage = { 1 },
4729 .errstr = "get_local_storage() doesn't support non-zero flags",
4730 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4733 "invalid cgroup storage access 6",
4735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4736 BPF_LD_MAP_FD(BPF_REG_1, 0),
4737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4738 BPF_FUNC_get_local_storage),
4739 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4740 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4741 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4744 .fixup_cgroup_storage = { 1 },
4746 .errstr = "get_local_storage() doesn't support non-zero flags",
4747 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4750 "multiple registers share map_lookup_elem result",
4752 BPF_MOV64_IMM(BPF_REG_1, 10),
4753 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4756 BPF_LD_MAP_FD(BPF_REG_1, 0),
4757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4758 BPF_FUNC_map_lookup_elem),
4759 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4760 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4761 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4764 .fixup_map1 = { 4 },
4766 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4769 "alu ops on ptr_to_map_value_or_null, 1",
4771 BPF_MOV64_IMM(BPF_REG_1, 10),
4772 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4775 BPF_LD_MAP_FD(BPF_REG_1, 0),
4776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4777 BPF_FUNC_map_lookup_elem),
4778 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4782 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4785 .fixup_map1 = { 4 },
4786 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4788 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4791 "alu ops on ptr_to_map_value_or_null, 2",
4793 BPF_MOV64_IMM(BPF_REG_1, 10),
4794 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4797 BPF_LD_MAP_FD(BPF_REG_1, 0),
4798 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4799 BPF_FUNC_map_lookup_elem),
4800 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4801 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4803 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4806 .fixup_map1 = { 4 },
4807 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4809 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4812 "alu ops on ptr_to_map_value_or_null, 3",
4814 BPF_MOV64_IMM(BPF_REG_1, 10),
4815 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4818 BPF_LD_MAP_FD(BPF_REG_1, 0),
4819 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4820 BPF_FUNC_map_lookup_elem),
4821 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4822 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4824 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4827 .fixup_map1 = { 4 },
4828 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4830 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4833 "invalid memory access with multiple map_lookup_elem calls",
4835 BPF_MOV64_IMM(BPF_REG_1, 10),
4836 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4839 BPF_LD_MAP_FD(BPF_REG_1, 0),
4840 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4841 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4843 BPF_FUNC_map_lookup_elem),
4844 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4845 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4846 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4848 BPF_FUNC_map_lookup_elem),
4849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4850 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4853 .fixup_map1 = { 4 },
4855 .errstr = "R4 !read_ok",
4856 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4859 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4861 BPF_MOV64_IMM(BPF_REG_1, 10),
4862 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4865 BPF_LD_MAP_FD(BPF_REG_1, 0),
4866 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4867 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4869 BPF_FUNC_map_lookup_elem),
4870 BPF_MOV64_IMM(BPF_REG_2, 10),
4871 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4872 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4873 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4875 BPF_FUNC_map_lookup_elem),
4876 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4878 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4881 .fixup_map1 = { 4 },
4883 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4886 "invalid map access from else condition",
4888 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4889 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4891 BPF_LD_MAP_FD(BPF_REG_1, 0),
4892 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4893 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4894 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4895 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4897 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4898 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4899 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4902 .fixup_map2 = { 3 },
4903 .errstr = "R0 unbounded memory access",
4905 .errstr_unpriv = "R0 leaks addr",
4906 .result_unpriv = REJECT,
4907 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4910 "constant register |= constant should keep constant type",
4912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4914 BPF_MOV64_IMM(BPF_REG_2, 34),
4915 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4916 BPF_MOV64_IMM(BPF_REG_3, 0),
4917 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4921 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4924 "constant register |= constant should not bypass stack boundary checks",
4926 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4928 BPF_MOV64_IMM(BPF_REG_2, 34),
4929 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4930 BPF_MOV64_IMM(BPF_REG_3, 0),
4931 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4934 .errstr = "invalid stack type R1 off=-48 access_size=58",
4936 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4939 "constant register |= constant register should keep constant type",
4941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4943 BPF_MOV64_IMM(BPF_REG_2, 34),
4944 BPF_MOV64_IMM(BPF_REG_4, 13),
4945 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4946 BPF_MOV64_IMM(BPF_REG_3, 0),
4947 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4951 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4954 "constant register |= constant register should not bypass stack boundary checks",
4956 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4958 BPF_MOV64_IMM(BPF_REG_2, 34),
4959 BPF_MOV64_IMM(BPF_REG_4, 24),
4960 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4961 BPF_MOV64_IMM(BPF_REG_3, 0),
4962 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4965 .errstr = "invalid stack type R1 off=-48 access_size=58",
4967 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4970 "invalid direct packet write for LWT_IN",
4972 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4973 offsetof(struct __sk_buff, data)),
4974 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4975 offsetof(struct __sk_buff, data_end)),
4976 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4978 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4979 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4980 BPF_MOV64_IMM(BPF_REG_0, 0),
4983 .errstr = "cannot write into packet",
4985 .prog_type = BPF_PROG_TYPE_LWT_IN,
4988 "invalid direct packet write for LWT_OUT",
4990 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4991 offsetof(struct __sk_buff, data)),
4992 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4993 offsetof(struct __sk_buff, data_end)),
4994 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4996 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4997 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4998 BPF_MOV64_IMM(BPF_REG_0, 0),
5001 .errstr = "cannot write into packet",
5003 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5006 "direct packet write for LWT_XMIT",
5008 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5009 offsetof(struct __sk_buff, data)),
5010 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5011 offsetof(struct __sk_buff, data_end)),
5012 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5014 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5015 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5016 BPF_MOV64_IMM(BPF_REG_0, 0),
5020 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5023 "direct packet read for LWT_IN",
5025 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5026 offsetof(struct __sk_buff, data)),
5027 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5028 offsetof(struct __sk_buff, data_end)),
5029 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5031 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5033 BPF_MOV64_IMM(BPF_REG_0, 0),
5037 .prog_type = BPF_PROG_TYPE_LWT_IN,
5040 "direct packet read for LWT_OUT",
5042 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5043 offsetof(struct __sk_buff, data)),
5044 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5045 offsetof(struct __sk_buff, data_end)),
5046 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5048 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5050 BPF_MOV64_IMM(BPF_REG_0, 0),
5054 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5057 "direct packet read for LWT_XMIT",
5059 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5060 offsetof(struct __sk_buff, data)),
5061 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5062 offsetof(struct __sk_buff, data_end)),
5063 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5065 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5066 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5067 BPF_MOV64_IMM(BPF_REG_0, 0),
5071 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5074 "overlapping checks for direct packet access",
5076 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5077 offsetof(struct __sk_buff, data)),
5078 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5079 offsetof(struct __sk_buff, data_end)),
5080 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5082 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5083 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5085 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5086 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5087 BPF_MOV64_IMM(BPF_REG_0, 0),
5091 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5094 "make headroom for LWT_XMIT",
5096 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5097 BPF_MOV64_IMM(BPF_REG_2, 34),
5098 BPF_MOV64_IMM(BPF_REG_3, 0),
5099 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5100 /* split for s390 to succeed */
5101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5102 BPF_MOV64_IMM(BPF_REG_2, 42),
5103 BPF_MOV64_IMM(BPF_REG_3, 0),
5104 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5105 BPF_MOV64_IMM(BPF_REG_0, 0),
5109 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5112 "invalid access of tc_classid for LWT_IN",
5114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5115 offsetof(struct __sk_buff, tc_classid)),
5119 .errstr = "invalid bpf_context access",
5122 "invalid access of tc_classid for LWT_OUT",
5124 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5125 offsetof(struct __sk_buff, tc_classid)),
5129 .errstr = "invalid bpf_context access",
5132 "invalid access of tc_classid for LWT_XMIT",
5134 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5135 offsetof(struct __sk_buff, tc_classid)),
5139 .errstr = "invalid bpf_context access",
5142 "leak pointer into ctx 1",
5144 BPF_MOV64_IMM(BPF_REG_0, 0),
5145 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5146 offsetof(struct __sk_buff, cb[0])),
5147 BPF_LD_MAP_FD(BPF_REG_2, 0),
5148 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5149 offsetof(struct __sk_buff, cb[0])),
5152 .fixup_map1 = { 2 },
5153 .errstr_unpriv = "R2 leaks addr into mem",
5154 .result_unpriv = REJECT,
5156 .errstr = "BPF_XADD stores into R1 context is not allowed",
5159 "leak pointer into ctx 2",
5161 BPF_MOV64_IMM(BPF_REG_0, 0),
5162 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5163 offsetof(struct __sk_buff, cb[0])),
5164 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5165 offsetof(struct __sk_buff, cb[0])),
5168 .errstr_unpriv = "R10 leaks addr into mem",
5169 .result_unpriv = REJECT,
5171 .errstr = "BPF_XADD stores into R1 context is not allowed",
5174 "leak pointer into ctx 3",
5176 BPF_MOV64_IMM(BPF_REG_0, 0),
5177 BPF_LD_MAP_FD(BPF_REG_2, 0),
5178 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5179 offsetof(struct __sk_buff, cb[0])),
5182 .fixup_map1 = { 1 },
5183 .errstr_unpriv = "R2 leaks addr into ctx",
5184 .result_unpriv = REJECT,
5188 "leak pointer into map val",
5190 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5191 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5192 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5194 BPF_LD_MAP_FD(BPF_REG_1, 0),
5195 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5196 BPF_FUNC_map_lookup_elem),
5197 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5198 BPF_MOV64_IMM(BPF_REG_3, 0),
5199 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5200 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5201 BPF_MOV64_IMM(BPF_REG_0, 0),
5204 .fixup_map1 = { 4 },
5205 .errstr_unpriv = "R6 leaks addr into mem",
5206 .result_unpriv = REJECT,
5210 "helper access to map: full range",
5212 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5213 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5214 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5215 BPF_LD_MAP_FD(BPF_REG_1, 0),
5216 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5217 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5218 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5219 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5220 BPF_MOV64_IMM(BPF_REG_3, 0),
5221 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5224 .fixup_map2 = { 3 },
5226 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5229 "helper access to map: partial range",
5231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5233 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5234 BPF_LD_MAP_FD(BPF_REG_1, 0),
5235 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5238 BPF_MOV64_IMM(BPF_REG_2, 8),
5239 BPF_MOV64_IMM(BPF_REG_3, 0),
5240 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5243 .fixup_map2 = { 3 },
5245 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5248 "helper access to map: empty range",
5250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5252 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5253 BPF_LD_MAP_FD(BPF_REG_1, 0),
5254 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5256 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5257 BPF_MOV64_IMM(BPF_REG_2, 0),
5258 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5261 .fixup_map2 = { 3 },
5262 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5264 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5267 "helper access to map: out-of-bound range",
5269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5271 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5272 BPF_LD_MAP_FD(BPF_REG_1, 0),
5273 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5276 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5277 BPF_MOV64_IMM(BPF_REG_3, 0),
5278 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5281 .fixup_map2 = { 3 },
5282 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5284 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5287 "helper access to map: negative range",
5289 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5291 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5292 BPF_LD_MAP_FD(BPF_REG_1, 0),
5293 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5294 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5296 BPF_MOV64_IMM(BPF_REG_2, -8),
5297 BPF_MOV64_IMM(BPF_REG_3, 0),
5298 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5301 .fixup_map2 = { 3 },
5302 .errstr = "R2 min value is negative",
5304 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5307 "helper access to adjusted map (via const imm): full range",
5309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5311 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5312 BPF_LD_MAP_FD(BPF_REG_1, 0),
5313 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5314 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5315 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5317 offsetof(struct test_val, foo)),
5318 BPF_MOV64_IMM(BPF_REG_2,
5319 sizeof(struct test_val) -
5320 offsetof(struct test_val, foo)),
5321 BPF_MOV64_IMM(BPF_REG_3, 0),
5322 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5325 .fixup_map2 = { 3 },
5327 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5330 "helper access to adjusted map (via const imm): partial range",
5332 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5334 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5335 BPF_LD_MAP_FD(BPF_REG_1, 0),
5336 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5340 offsetof(struct test_val, foo)),
5341 BPF_MOV64_IMM(BPF_REG_2, 8),
5342 BPF_MOV64_IMM(BPF_REG_3, 0),
5343 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5346 .fixup_map2 = { 3 },
5348 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5351 "helper access to adjusted map (via const imm): empty range",
5353 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5355 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5356 BPF_LD_MAP_FD(BPF_REG_1, 0),
5357 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5358 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5361 offsetof(struct test_val, foo)),
5362 BPF_MOV64_IMM(BPF_REG_2, 0),
5363 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5366 .fixup_map2 = { 3 },
5367 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5369 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5372 "helper access to adjusted map (via const imm): out-of-bound range",
5374 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5376 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5377 BPF_LD_MAP_FD(BPF_REG_1, 0),
5378 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5379 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5380 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5382 offsetof(struct test_val, foo)),
5383 BPF_MOV64_IMM(BPF_REG_2,
5384 sizeof(struct test_val) -
5385 offsetof(struct test_val, foo) + 8),
5386 BPF_MOV64_IMM(BPF_REG_3, 0),
5387 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5390 .fixup_map2 = { 3 },
5391 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5393 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5396 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5398 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5400 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5401 BPF_LD_MAP_FD(BPF_REG_1, 0),
5402 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5404 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5406 offsetof(struct test_val, foo)),
5407 BPF_MOV64_IMM(BPF_REG_2, -8),
5408 BPF_MOV64_IMM(BPF_REG_3, 0),
5409 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5412 .fixup_map2 = { 3 },
5413 .errstr = "R2 min value is negative",
5415 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5418 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5422 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5423 BPF_LD_MAP_FD(BPF_REG_1, 0),
5424 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5425 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5426 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5428 offsetof(struct test_val, foo)),
5429 BPF_MOV64_IMM(BPF_REG_2, -1),
5430 BPF_MOV64_IMM(BPF_REG_3, 0),
5431 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5434 .fixup_map2 = { 3 },
5435 .errstr = "R2 min value is negative",
5437 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5440 "helper access to adjusted map (via const reg): full range",
5442 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5444 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5445 BPF_LD_MAP_FD(BPF_REG_1, 0),
5446 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5447 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5448 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5449 BPF_MOV64_IMM(BPF_REG_3,
5450 offsetof(struct test_val, foo)),
5451 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5452 BPF_MOV64_IMM(BPF_REG_2,
5453 sizeof(struct test_val) -
5454 offsetof(struct test_val, foo)),
5455 BPF_MOV64_IMM(BPF_REG_3, 0),
5456 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5459 .fixup_map2 = { 3 },
5461 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5464 "helper access to adjusted map (via const reg): partial range",
5466 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5467 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5468 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5469 BPF_LD_MAP_FD(BPF_REG_1, 0),
5470 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5471 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5473 BPF_MOV64_IMM(BPF_REG_3,
5474 offsetof(struct test_val, foo)),
5475 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5476 BPF_MOV64_IMM(BPF_REG_2, 8),
5477 BPF_MOV64_IMM(BPF_REG_3, 0),
5478 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5481 .fixup_map2 = { 3 },
5483 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5486 "helper access to adjusted map (via const reg): empty range",
5488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5490 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5491 BPF_LD_MAP_FD(BPF_REG_1, 0),
5492 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5493 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5494 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5495 BPF_MOV64_IMM(BPF_REG_3, 0),
5496 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5497 BPF_MOV64_IMM(BPF_REG_2, 0),
5498 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5501 .fixup_map2 = { 3 },
5502 .errstr = "R1 min value is outside of the array range",
5504 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5507 "helper access to adjusted map (via const reg): out-of-bound range",
5509 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5511 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5512 BPF_LD_MAP_FD(BPF_REG_1, 0),
5513 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5514 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5515 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5516 BPF_MOV64_IMM(BPF_REG_3,
5517 offsetof(struct test_val, foo)),
5518 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5519 BPF_MOV64_IMM(BPF_REG_2,
5520 sizeof(struct test_val) -
5521 offsetof(struct test_val, foo) + 8),
5522 BPF_MOV64_IMM(BPF_REG_3, 0),
5523 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5526 .fixup_map2 = { 3 },
5527 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5529 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5532 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5534 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5536 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5537 BPF_LD_MAP_FD(BPF_REG_1, 0),
5538 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5539 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5540 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5541 BPF_MOV64_IMM(BPF_REG_3,
5542 offsetof(struct test_val, foo)),
5543 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5544 BPF_MOV64_IMM(BPF_REG_2, -8),
5545 BPF_MOV64_IMM(BPF_REG_3, 0),
5546 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5549 .fixup_map2 = { 3 },
5550 .errstr = "R2 min value is negative",
5552 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5555 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5557 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5559 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5560 BPF_LD_MAP_FD(BPF_REG_1, 0),
5561 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5562 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5563 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5564 BPF_MOV64_IMM(BPF_REG_3,
5565 offsetof(struct test_val, foo)),
5566 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5567 BPF_MOV64_IMM(BPF_REG_2, -1),
5568 BPF_MOV64_IMM(BPF_REG_3, 0),
5569 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5572 .fixup_map2 = { 3 },
5573 .errstr = "R2 min value is negative",
5575 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5578 "helper access to adjusted map (via variable): full range",
5580 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5582 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5583 BPF_LD_MAP_FD(BPF_REG_1, 0),
5584 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5585 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5586 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5587 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5588 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5589 offsetof(struct test_val, foo), 4),
5590 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5591 BPF_MOV64_IMM(BPF_REG_2,
5592 sizeof(struct test_val) -
5593 offsetof(struct test_val, foo)),
5594 BPF_MOV64_IMM(BPF_REG_3, 0),
5595 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5598 .fixup_map2 = { 3 },
5600 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5603 "helper access to adjusted map (via variable): partial range",
5605 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5607 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5608 BPF_LD_MAP_FD(BPF_REG_1, 0),
5609 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5610 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5612 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5613 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5614 offsetof(struct test_val, foo), 4),
5615 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5616 BPF_MOV64_IMM(BPF_REG_2, 8),
5617 BPF_MOV64_IMM(BPF_REG_3, 0),
5618 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5621 .fixup_map2 = { 3 },
5623 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5626 "helper access to adjusted map (via variable): empty range",
5628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5630 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5631 BPF_LD_MAP_FD(BPF_REG_1, 0),
5632 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5633 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5634 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5635 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5636 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5637 offsetof(struct test_val, foo), 3),
5638 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5639 BPF_MOV64_IMM(BPF_REG_2, 0),
5640 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5643 .fixup_map2 = { 3 },
5644 .errstr = "R1 min value is outside of the array range",
5646 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5649 "helper access to adjusted map (via variable): no max check",
5651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5653 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5654 BPF_LD_MAP_FD(BPF_REG_1, 0),
5655 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5656 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5657 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5658 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5659 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5660 BPF_MOV64_IMM(BPF_REG_2, 1),
5661 BPF_MOV64_IMM(BPF_REG_3, 0),
5662 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5665 .fixup_map2 = { 3 },
5666 .errstr = "R1 unbounded memory access",
5668 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5671 "helper access to adjusted map (via variable): wrong max check",
5673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5675 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5676 BPF_LD_MAP_FD(BPF_REG_1, 0),
5677 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5680 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5681 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5682 offsetof(struct test_val, foo), 4),
5683 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5684 BPF_MOV64_IMM(BPF_REG_2,
5685 sizeof(struct test_val) -
5686 offsetof(struct test_val, foo) + 1),
5687 BPF_MOV64_IMM(BPF_REG_3, 0),
5688 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5691 .fixup_map2 = { 3 },
5692 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5694 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5697 "helper access to map: bounds check using <, good access",
5699 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5701 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5702 BPF_LD_MAP_FD(BPF_REG_1, 0),
5703 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5705 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5707 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5708 BPF_MOV64_IMM(BPF_REG_0, 0),
5710 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5711 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5712 BPF_MOV64_IMM(BPF_REG_0, 0),
5715 .fixup_map2 = { 3 },
5717 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5720 "helper access to map: bounds check using <, bad access",
5722 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5724 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5725 BPF_LD_MAP_FD(BPF_REG_1, 0),
5726 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5727 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5729 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5730 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5731 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5732 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5733 BPF_MOV64_IMM(BPF_REG_0, 0),
5735 BPF_MOV64_IMM(BPF_REG_0, 0),
5738 .fixup_map2 = { 3 },
5740 .errstr = "R1 unbounded memory access",
5741 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5744 "helper access to map: bounds check using <=, good access",
5746 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5748 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5749 BPF_LD_MAP_FD(BPF_REG_1, 0),
5750 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5753 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5754 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5755 BPF_MOV64_IMM(BPF_REG_0, 0),
5757 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5758 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5759 BPF_MOV64_IMM(BPF_REG_0, 0),
5762 .fixup_map2 = { 3 },
5764 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5767 "helper access to map: bounds check using <=, bad access",
5769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5771 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5772 BPF_LD_MAP_FD(BPF_REG_1, 0),
5773 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5775 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5776 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5777 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5778 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5779 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5780 BPF_MOV64_IMM(BPF_REG_0, 0),
5782 BPF_MOV64_IMM(BPF_REG_0, 0),
5785 .fixup_map2 = { 3 },
5787 .errstr = "R1 unbounded memory access",
5788 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5791 "helper access to map: bounds check using s<, good access",
5793 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5795 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5796 BPF_LD_MAP_FD(BPF_REG_1, 0),
5797 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5799 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5800 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5801 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5802 BPF_MOV64_IMM(BPF_REG_0, 0),
5804 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5805 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5806 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5807 BPF_MOV64_IMM(BPF_REG_0, 0),
5810 .fixup_map2 = { 3 },
5812 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5815 "helper access to map: bounds check using s<, good access 2",
5817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5819 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5820 BPF_LD_MAP_FD(BPF_REG_1, 0),
5821 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5824 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5825 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5826 BPF_MOV64_IMM(BPF_REG_0, 0),
5828 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5829 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5830 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5831 BPF_MOV64_IMM(BPF_REG_0, 0),
5834 .fixup_map2 = { 3 },
5836 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5839 "helper access to map: bounds check using s<, bad access",
5841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5843 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5844 BPF_LD_MAP_FD(BPF_REG_1, 0),
5845 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5847 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5848 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5849 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5850 BPF_MOV64_IMM(BPF_REG_0, 0),
5852 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5853 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5854 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5855 BPF_MOV64_IMM(BPF_REG_0, 0),
5858 .fixup_map2 = { 3 },
5860 .errstr = "R1 min value is negative",
5861 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5864 "helper access to map: bounds check using s<=, good access",
5866 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5867 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5868 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5869 BPF_LD_MAP_FD(BPF_REG_1, 0),
5870 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5871 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5872 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5873 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5874 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5875 BPF_MOV64_IMM(BPF_REG_0, 0),
5877 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5878 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5879 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5880 BPF_MOV64_IMM(BPF_REG_0, 0),
5883 .fixup_map2 = { 3 },
5885 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5888 "helper access to map: bounds check using s<=, good access 2",
5890 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5892 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5893 BPF_LD_MAP_FD(BPF_REG_1, 0),
5894 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5895 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5896 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5897 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5898 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5899 BPF_MOV64_IMM(BPF_REG_0, 0),
5901 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5902 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5903 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5904 BPF_MOV64_IMM(BPF_REG_0, 0),
5907 .fixup_map2 = { 3 },
5909 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5912 "helper access to map: bounds check using s<=, bad access",
5914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5916 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5917 BPF_LD_MAP_FD(BPF_REG_1, 0),
5918 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5920 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5921 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5922 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5923 BPF_MOV64_IMM(BPF_REG_0, 0),
5925 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5926 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5927 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5928 BPF_MOV64_IMM(BPF_REG_0, 0),
5931 .fixup_map2 = { 3 },
5933 .errstr = "R1 min value is negative",
5934 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5937 "map lookup helper access to map",
5939 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5941 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5942 BPF_LD_MAP_FD(BPF_REG_1, 0),
5943 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5944 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5945 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5946 BPF_LD_MAP_FD(BPF_REG_1, 0),
5947 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5950 .fixup_map3 = { 3, 8 },
5952 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5955 "map update helper access to map",
5957 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5959 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5960 BPF_LD_MAP_FD(BPF_REG_1, 0),
5961 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5962 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5963 BPF_MOV64_IMM(BPF_REG_4, 0),
5964 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5966 BPF_LD_MAP_FD(BPF_REG_1, 0),
5967 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5970 .fixup_map3 = { 3, 10 },
5972 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5975 "map update helper access to map: wrong size",
5977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5979 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5980 BPF_LD_MAP_FD(BPF_REG_1, 0),
5981 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5983 BPF_MOV64_IMM(BPF_REG_4, 0),
5984 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5986 BPF_LD_MAP_FD(BPF_REG_1, 0),
5987 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5990 .fixup_map1 = { 3 },
5991 .fixup_map3 = { 10 },
5993 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
5994 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5997 "map helper access to adjusted map (via const imm)",
5999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6001 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6002 BPF_LD_MAP_FD(BPF_REG_1, 0),
6003 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6007 offsetof(struct other_val, bar)),
6008 BPF_LD_MAP_FD(BPF_REG_1, 0),
6009 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6012 .fixup_map3 = { 3, 9 },
6014 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6017 "map helper access to adjusted map (via const imm): out-of-bound 1",
6019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6021 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6022 BPF_LD_MAP_FD(BPF_REG_1, 0),
6023 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6024 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6025 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6027 sizeof(struct other_val) - 4),
6028 BPF_LD_MAP_FD(BPF_REG_1, 0),
6029 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6032 .fixup_map3 = { 3, 9 },
6034 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6035 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6038 "map helper access to adjusted map (via const imm): out-of-bound 2",
6040 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6042 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6043 BPF_LD_MAP_FD(BPF_REG_1, 0),
6044 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6045 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6046 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6048 BPF_LD_MAP_FD(BPF_REG_1, 0),
6049 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6052 .fixup_map3 = { 3, 9 },
6054 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6055 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6058 "map helper access to adjusted map (via const reg)",
6060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6062 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6063 BPF_LD_MAP_FD(BPF_REG_1, 0),
6064 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6065 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6066 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6067 BPF_MOV64_IMM(BPF_REG_3,
6068 offsetof(struct other_val, bar)),
6069 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6070 BPF_LD_MAP_FD(BPF_REG_1, 0),
6071 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6074 .fixup_map3 = { 3, 10 },
6076 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6079 "map helper access to adjusted map (via const reg): out-of-bound 1",
6081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6083 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6084 BPF_LD_MAP_FD(BPF_REG_1, 0),
6085 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6088 BPF_MOV64_IMM(BPF_REG_3,
6089 sizeof(struct other_val) - 4),
6090 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6091 BPF_LD_MAP_FD(BPF_REG_1, 0),
6092 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6095 .fixup_map3 = { 3, 10 },
6097 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6098 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6101 "map helper access to adjusted map (via const reg): out-of-bound 2",
6103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6105 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6106 BPF_LD_MAP_FD(BPF_REG_1, 0),
6107 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6110 BPF_MOV64_IMM(BPF_REG_3, -4),
6111 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6112 BPF_LD_MAP_FD(BPF_REG_1, 0),
6113 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6116 .fixup_map3 = { 3, 10 },
6118 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6119 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6122 "map helper access to adjusted map (via variable)",
6124 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6126 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6127 BPF_LD_MAP_FD(BPF_REG_1, 0),
6128 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6129 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6131 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6132 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6133 offsetof(struct other_val, bar), 4),
6134 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6135 BPF_LD_MAP_FD(BPF_REG_1, 0),
6136 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6139 .fixup_map3 = { 3, 11 },
6141 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6144 "map helper access to adjusted map (via variable): no max check",
6146 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6148 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6149 BPF_LD_MAP_FD(BPF_REG_1, 0),
6150 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6152 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6153 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6154 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6155 BPF_LD_MAP_FD(BPF_REG_1, 0),
6156 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6159 .fixup_map3 = { 3, 10 },
6161 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6162 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6165 "map helper access to adjusted map (via variable): wrong max check",
6167 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6169 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6170 BPF_LD_MAP_FD(BPF_REG_1, 0),
6171 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6173 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6174 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6175 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6176 offsetof(struct other_val, bar) + 1, 4),
6177 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6178 BPF_LD_MAP_FD(BPF_REG_1, 0),
6179 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6182 .fixup_map3 = { 3, 11 },
6184 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6185 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6188 "map element value is preserved across register spilling",
6190 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6192 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6193 BPF_LD_MAP_FD(BPF_REG_1, 0),
6194 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6195 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6196 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6199 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6200 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6201 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6204 .fixup_map2 = { 3 },
6205 .errstr_unpriv = "R0 leaks addr",
6207 .result_unpriv = REJECT,
6210 "map element value or null is marked on register spilling",
6212 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6213 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6214 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6215 BPF_LD_MAP_FD(BPF_REG_1, 0),
6216 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6217 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6219 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6221 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6222 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6225 .fixup_map2 = { 3 },
6226 .errstr_unpriv = "R0 leaks addr",
6228 .result_unpriv = REJECT,
6231 "map element value store of cleared call register",
6233 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6235 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6236 BPF_LD_MAP_FD(BPF_REG_1, 0),
6237 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6239 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6242 .fixup_map2 = { 3 },
6243 .errstr_unpriv = "R1 !read_ok",
6244 .errstr = "R1 !read_ok",
6246 .result_unpriv = REJECT,
6249 "map element value with unaligned store",
6251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6253 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6254 BPF_LD_MAP_FD(BPF_REG_1, 0),
6255 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6258 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6259 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6260 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6261 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6262 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6263 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6264 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6266 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6267 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6268 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6269 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6271 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6272 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6273 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6276 .fixup_map2 = { 3 },
6277 .errstr_unpriv = "R0 leaks addr",
6279 .result_unpriv = REJECT,
6280 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6283 "map element value with unaligned load",
6285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6288 BPF_LD_MAP_FD(BPF_REG_1, 0),
6289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6291 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6292 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6294 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6295 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6296 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6297 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6298 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6300 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6301 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6304 .fixup_map2 = { 3 },
6305 .errstr_unpriv = "R0 leaks addr",
6307 .result_unpriv = REJECT,
6308 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6311 "map element value illegal alu op, 1",
6313 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6315 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6316 BPF_LD_MAP_FD(BPF_REG_1, 0),
6317 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6318 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6319 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6320 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6323 .fixup_map2 = { 3 },
6324 .errstr = "R0 bitwise operator &= on pointer",
6328 "map element value illegal alu op, 2",
6330 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6332 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6333 BPF_LD_MAP_FD(BPF_REG_1, 0),
6334 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6335 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6336 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6337 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6340 .fixup_map2 = { 3 },
6341 .errstr = "R0 32-bit pointer arithmetic prohibited",
6345 "map element value illegal alu op, 3",
6347 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6349 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6350 BPF_LD_MAP_FD(BPF_REG_1, 0),
6351 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6353 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6354 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6357 .fixup_map2 = { 3 },
6358 .errstr = "R0 pointer arithmetic with /= operator",
6362 "map element value illegal alu op, 4",
6364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6366 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6367 BPF_LD_MAP_FD(BPF_REG_1, 0),
6368 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6369 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6370 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6371 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6374 .fixup_map2 = { 3 },
6375 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6376 .errstr = "invalid mem access 'inv'",
6378 .result_unpriv = REJECT,
6381 "map element value illegal alu op, 5",
6383 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6385 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6386 BPF_LD_MAP_FD(BPF_REG_1, 0),
6387 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6388 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6389 BPF_MOV64_IMM(BPF_REG_3, 4096),
6390 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6392 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6393 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6394 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6395 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6398 .fixup_map2 = { 3 },
6399 .errstr = "R0 invalid mem access 'inv'",
6403 "map element value is preserved across register spilling",
6405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6407 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6408 BPF_LD_MAP_FD(BPF_REG_1, 0),
6409 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6410 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6412 offsetof(struct test_val, foo)),
6413 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6416 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6417 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6418 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6421 .fixup_map2 = { 3 },
6422 .errstr_unpriv = "R0 leaks addr",
6424 .result_unpriv = REJECT,
6425 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6428 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6430 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6432 BPF_MOV64_IMM(BPF_REG_0, 0),
6433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6435 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6436 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6437 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6438 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6439 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6440 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6441 BPF_MOV64_IMM(BPF_REG_2, 16),
6442 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6443 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6444 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6445 BPF_MOV64_IMM(BPF_REG_4, 0),
6446 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6447 BPF_MOV64_IMM(BPF_REG_3, 0),
6448 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6449 BPF_MOV64_IMM(BPF_REG_0, 0),
6453 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6456 "helper access to variable memory: stack, bitwise AND, zero included",
6458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6460 BPF_MOV64_IMM(BPF_REG_2, 16),
6461 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6462 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6463 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6464 BPF_MOV64_IMM(BPF_REG_3, 0),
6465 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6468 .errstr = "invalid indirect read from stack off -64+0 size 64",
6470 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6473 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6475 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6477 BPF_MOV64_IMM(BPF_REG_2, 16),
6478 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6479 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6480 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6481 BPF_MOV64_IMM(BPF_REG_4, 0),
6482 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6483 BPF_MOV64_IMM(BPF_REG_3, 0),
6484 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6485 BPF_MOV64_IMM(BPF_REG_0, 0),
6488 .errstr = "invalid stack type R1 off=-64 access_size=65",
6490 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6493 "helper access to variable memory: stack, JMP, correct bounds",
6495 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6497 BPF_MOV64_IMM(BPF_REG_0, 0),
6498 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6500 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6501 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6502 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6503 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6504 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6505 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6506 BPF_MOV64_IMM(BPF_REG_2, 16),
6507 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6508 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6509 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6510 BPF_MOV64_IMM(BPF_REG_4, 0),
6511 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6512 BPF_MOV64_IMM(BPF_REG_3, 0),
6513 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6514 BPF_MOV64_IMM(BPF_REG_0, 0),
6518 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6521 "helper access to variable memory: stack, JMP (signed), correct bounds",
6523 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6525 BPF_MOV64_IMM(BPF_REG_0, 0),
6526 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6527 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6528 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6529 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6530 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6531 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6532 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6533 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6534 BPF_MOV64_IMM(BPF_REG_2, 16),
6535 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6536 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6537 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6538 BPF_MOV64_IMM(BPF_REG_4, 0),
6539 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6540 BPF_MOV64_IMM(BPF_REG_3, 0),
6541 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6542 BPF_MOV64_IMM(BPF_REG_0, 0),
6546 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6549 "helper access to variable memory: stack, JMP, bounds + offset",
6551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6553 BPF_MOV64_IMM(BPF_REG_2, 16),
6554 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6555 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6556 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6557 BPF_MOV64_IMM(BPF_REG_4, 0),
6558 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6560 BPF_MOV64_IMM(BPF_REG_3, 0),
6561 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6562 BPF_MOV64_IMM(BPF_REG_0, 0),
6565 .errstr = "invalid stack type R1 off=-64 access_size=65",
6567 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6570 "helper access to variable memory: stack, JMP, wrong max",
6572 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6574 BPF_MOV64_IMM(BPF_REG_2, 16),
6575 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6576 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6577 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6578 BPF_MOV64_IMM(BPF_REG_4, 0),
6579 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6580 BPF_MOV64_IMM(BPF_REG_3, 0),
6581 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6582 BPF_MOV64_IMM(BPF_REG_0, 0),
6585 .errstr = "invalid stack type R1 off=-64 access_size=65",
6587 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6590 "helper access to variable memory: stack, JMP, no max check",
6592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6593 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6594 BPF_MOV64_IMM(BPF_REG_2, 16),
6595 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6596 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6597 BPF_MOV64_IMM(BPF_REG_4, 0),
6598 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6599 BPF_MOV64_IMM(BPF_REG_3, 0),
6600 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6601 BPF_MOV64_IMM(BPF_REG_0, 0),
6604 /* because max wasn't checked, signed min is negative */
6605 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6607 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6610 "helper access to variable memory: stack, JMP, no min check",
6612 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6614 BPF_MOV64_IMM(BPF_REG_2, 16),
6615 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6616 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6617 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6618 BPF_MOV64_IMM(BPF_REG_3, 0),
6619 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6620 BPF_MOV64_IMM(BPF_REG_0, 0),
6623 .errstr = "invalid indirect read from stack off -64+0 size 64",
6625 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6628 "helper access to variable memory: stack, JMP (signed), no min check",
6630 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6632 BPF_MOV64_IMM(BPF_REG_2, 16),
6633 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6634 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6635 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6636 BPF_MOV64_IMM(BPF_REG_3, 0),
6637 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6638 BPF_MOV64_IMM(BPF_REG_0, 0),
6641 .errstr = "R2 min value is negative",
6643 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6646 "helper access to variable memory: map, JMP, correct bounds",
6648 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6650 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6651 BPF_LD_MAP_FD(BPF_REG_1, 0),
6652 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6655 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6656 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6657 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6658 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6659 sizeof(struct test_val), 4),
6660 BPF_MOV64_IMM(BPF_REG_4, 0),
6661 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6662 BPF_MOV64_IMM(BPF_REG_3, 0),
6663 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6664 BPF_MOV64_IMM(BPF_REG_0, 0),
6667 .fixup_map2 = { 3 },
6669 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6672 "helper access to variable memory: map, JMP, wrong max",
6674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6676 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6677 BPF_LD_MAP_FD(BPF_REG_1, 0),
6678 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6681 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6682 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6683 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6684 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6685 sizeof(struct test_val) + 1, 4),
6686 BPF_MOV64_IMM(BPF_REG_4, 0),
6687 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6688 BPF_MOV64_IMM(BPF_REG_3, 0),
6689 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6690 BPF_MOV64_IMM(BPF_REG_0, 0),
6693 .fixup_map2 = { 3 },
6694 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6696 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6699 "helper access to variable memory: map adjusted, JMP, correct bounds",
6701 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6703 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6704 BPF_LD_MAP_FD(BPF_REG_1, 0),
6705 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6706 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6707 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6709 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6710 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6711 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6712 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6713 sizeof(struct test_val) - 20, 4),
6714 BPF_MOV64_IMM(BPF_REG_4, 0),
6715 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6716 BPF_MOV64_IMM(BPF_REG_3, 0),
6717 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6718 BPF_MOV64_IMM(BPF_REG_0, 0),
6721 .fixup_map2 = { 3 },
6723 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6726 "helper access to variable memory: map adjusted, JMP, wrong max",
6728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6730 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6731 BPF_LD_MAP_FD(BPF_REG_1, 0),
6732 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6734 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6736 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6737 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6738 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6739 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6740 sizeof(struct test_val) - 19, 4),
6741 BPF_MOV64_IMM(BPF_REG_4, 0),
6742 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6743 BPF_MOV64_IMM(BPF_REG_3, 0),
6744 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6745 BPF_MOV64_IMM(BPF_REG_0, 0),
6748 .fixup_map2 = { 3 },
6749 .errstr = "R1 min value is outside of the array range",
6751 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6754 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6756 BPF_MOV64_IMM(BPF_REG_1, 0),
6757 BPF_MOV64_IMM(BPF_REG_2, 0),
6758 BPF_MOV64_IMM(BPF_REG_3, 0),
6759 BPF_MOV64_IMM(BPF_REG_4, 0),
6760 BPF_MOV64_IMM(BPF_REG_5, 0),
6761 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6765 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6768 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6770 BPF_MOV64_IMM(BPF_REG_1, 0),
6771 BPF_MOV64_IMM(BPF_REG_2, 1),
6772 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6773 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6774 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6775 BPF_MOV64_IMM(BPF_REG_3, 0),
6776 BPF_MOV64_IMM(BPF_REG_4, 0),
6777 BPF_MOV64_IMM(BPF_REG_5, 0),
6778 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6781 .errstr = "R1 type=inv expected=fp",
6783 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6786 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6788 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6790 BPF_MOV64_IMM(BPF_REG_2, 0),
6791 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6792 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6793 BPF_MOV64_IMM(BPF_REG_3, 0),
6794 BPF_MOV64_IMM(BPF_REG_4, 0),
6795 BPF_MOV64_IMM(BPF_REG_5, 0),
6796 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6800 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6803 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6805 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6806 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6808 BPF_LD_MAP_FD(BPF_REG_1, 0),
6809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6810 BPF_FUNC_map_lookup_elem),
6811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6812 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6813 BPF_MOV64_IMM(BPF_REG_2, 0),
6814 BPF_MOV64_IMM(BPF_REG_3, 0),
6815 BPF_MOV64_IMM(BPF_REG_4, 0),
6816 BPF_MOV64_IMM(BPF_REG_5, 0),
6817 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6820 .fixup_map1 = { 3 },
6822 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6825 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6827 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6828 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6830 BPF_LD_MAP_FD(BPF_REG_1, 0),
6831 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6832 BPF_FUNC_map_lookup_elem),
6833 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6834 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6835 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6836 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6838 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6839 BPF_MOV64_IMM(BPF_REG_3, 0),
6840 BPF_MOV64_IMM(BPF_REG_4, 0),
6841 BPF_MOV64_IMM(BPF_REG_5, 0),
6842 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6845 .fixup_map1 = { 3 },
6847 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6850 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6852 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6855 BPF_LD_MAP_FD(BPF_REG_1, 0),
6856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6857 BPF_FUNC_map_lookup_elem),
6858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6859 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6860 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6861 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6862 BPF_MOV64_IMM(BPF_REG_3, 0),
6863 BPF_MOV64_IMM(BPF_REG_4, 0),
6864 BPF_MOV64_IMM(BPF_REG_5, 0),
6865 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6868 .fixup_map1 = { 3 },
6870 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6873 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6875 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6876 offsetof(struct __sk_buff, data)),
6877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6878 offsetof(struct __sk_buff, data_end)),
6879 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6881 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6883 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6884 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6885 BPF_MOV64_IMM(BPF_REG_3, 0),
6886 BPF_MOV64_IMM(BPF_REG_4, 0),
6887 BPF_MOV64_IMM(BPF_REG_5, 0),
6888 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6892 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6893 .retval = 0 /* csum_diff of 64-byte packet */,
6896 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6898 BPF_MOV64_IMM(BPF_REG_1, 0),
6899 BPF_MOV64_IMM(BPF_REG_2, 0),
6900 BPF_MOV64_IMM(BPF_REG_3, 0),
6901 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6904 .errstr = "R1 type=inv expected=fp",
6906 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6909 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6911 BPF_MOV64_IMM(BPF_REG_1, 0),
6912 BPF_MOV64_IMM(BPF_REG_2, 1),
6913 BPF_MOV64_IMM(BPF_REG_3, 0),
6914 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6917 .errstr = "R1 type=inv expected=fp",
6919 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6922 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6926 BPF_MOV64_IMM(BPF_REG_2, 0),
6927 BPF_MOV64_IMM(BPF_REG_3, 0),
6928 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6932 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6935 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6937 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6938 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6940 BPF_LD_MAP_FD(BPF_REG_1, 0),
6941 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6942 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6943 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6944 BPF_MOV64_IMM(BPF_REG_2, 0),
6945 BPF_MOV64_IMM(BPF_REG_3, 0),
6946 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6949 .fixup_map1 = { 3 },
6951 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6954 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6956 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6957 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6959 BPF_LD_MAP_FD(BPF_REG_1, 0),
6960 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6961 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6962 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6963 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6964 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6966 BPF_MOV64_IMM(BPF_REG_3, 0),
6967 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6970 .fixup_map1 = { 3 },
6972 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6975 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6977 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6978 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6980 BPF_LD_MAP_FD(BPF_REG_1, 0),
6981 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6983 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6984 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6985 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6986 BPF_MOV64_IMM(BPF_REG_3, 0),
6987 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6990 .fixup_map1 = { 3 },
6992 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6995 "helper access to variable memory: 8 bytes leak",
6997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6999 BPF_MOV64_IMM(BPF_REG_0, 0),
7000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7001 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7002 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7003 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7004 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7005 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7006 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7007 BPF_MOV64_IMM(BPF_REG_2, 1),
7008 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7009 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7010 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7012 BPF_MOV64_IMM(BPF_REG_3, 0),
7013 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7014 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7017 .errstr = "invalid indirect read from stack off -64+32 size 64",
7019 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7022 "helper access to variable memory: 8 bytes no leak (init memory)",
7024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7025 BPF_MOV64_IMM(BPF_REG_0, 0),
7026 BPF_MOV64_IMM(BPF_REG_0, 0),
7027 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7028 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7029 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7030 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7031 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7032 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7033 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7034 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7036 BPF_MOV64_IMM(BPF_REG_2, 0),
7037 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7039 BPF_MOV64_IMM(BPF_REG_3, 0),
7040 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7041 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7045 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7048 "invalid and of negative number",
7050 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7051 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7053 BPF_LD_MAP_FD(BPF_REG_1, 0),
7054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7055 BPF_FUNC_map_lookup_elem),
7056 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7057 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7058 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7059 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7060 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7061 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7062 offsetof(struct test_val, foo)),
7065 .fixup_map2 = { 3 },
7066 .errstr = "R0 max value is outside of the array range",
7068 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7071 "invalid range check",
7073 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7074 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7076 BPF_LD_MAP_FD(BPF_REG_1, 0),
7077 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7078 BPF_FUNC_map_lookup_elem),
7079 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7080 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7081 BPF_MOV64_IMM(BPF_REG_9, 1),
7082 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7083 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7084 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7085 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7086 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7087 BPF_MOV32_IMM(BPF_REG_3, 1),
7088 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7089 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7090 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7091 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7092 BPF_MOV64_REG(BPF_REG_0, 0),
7095 .fixup_map2 = { 3 },
7096 .errstr = "R0 max value is outside of the array range",
7098 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7101 "map in map access",
7103 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7106 BPF_LD_MAP_FD(BPF_REG_1, 0),
7107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7108 BPF_FUNC_map_lookup_elem),
7109 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7110 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7111 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7113 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7115 BPF_FUNC_map_lookup_elem),
7116 BPF_MOV64_REG(BPF_REG_0, 0),
7119 .fixup_map_in_map = { 3 },
7123 "invalid inner map pointer",
7125 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7126 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7128 BPF_LD_MAP_FD(BPF_REG_1, 0),
7129 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7130 BPF_FUNC_map_lookup_elem),
7131 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7132 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7133 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7135 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7138 BPF_FUNC_map_lookup_elem),
7139 BPF_MOV64_REG(BPF_REG_0, 0),
7142 .fixup_map_in_map = { 3 },
7143 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
7147 "forgot null checking on the inner map pointer",
7149 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7150 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7152 BPF_LD_MAP_FD(BPF_REG_1, 0),
7153 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7154 BPF_FUNC_map_lookup_elem),
7155 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7156 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7158 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7160 BPF_FUNC_map_lookup_elem),
7161 BPF_MOV64_REG(BPF_REG_0, 0),
7164 .fixup_map_in_map = { 3 },
7165 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7169 "ld_abs: check calling conv, r1",
7171 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7172 BPF_MOV64_IMM(BPF_REG_1, 0),
7173 BPF_LD_ABS(BPF_W, -0x200000),
7174 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7177 .errstr = "R1 !read_ok",
7181 "ld_abs: check calling conv, r2",
7183 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7184 BPF_MOV64_IMM(BPF_REG_2, 0),
7185 BPF_LD_ABS(BPF_W, -0x200000),
7186 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7189 .errstr = "R2 !read_ok",
7193 "ld_abs: check calling conv, r3",
7195 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7196 BPF_MOV64_IMM(BPF_REG_3, 0),
7197 BPF_LD_ABS(BPF_W, -0x200000),
7198 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7201 .errstr = "R3 !read_ok",
7205 "ld_abs: check calling conv, r4",
7207 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7208 BPF_MOV64_IMM(BPF_REG_4, 0),
7209 BPF_LD_ABS(BPF_W, -0x200000),
7210 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7213 .errstr = "R4 !read_ok",
7217 "ld_abs: check calling conv, r5",
7219 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7220 BPF_MOV64_IMM(BPF_REG_5, 0),
7221 BPF_LD_ABS(BPF_W, -0x200000),
7222 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7225 .errstr = "R5 !read_ok",
7229 "ld_abs: check calling conv, r7",
7231 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7232 BPF_MOV64_IMM(BPF_REG_7, 0),
7233 BPF_LD_ABS(BPF_W, -0x200000),
7234 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7240 "ld_abs: tests on r6 and skb data reload helper",
7242 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7243 BPF_LD_ABS(BPF_B, 0),
7244 BPF_LD_ABS(BPF_H, 0),
7245 BPF_LD_ABS(BPF_W, 0),
7246 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7247 BPF_MOV64_IMM(BPF_REG_6, 0),
7248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7249 BPF_MOV64_IMM(BPF_REG_2, 1),
7250 BPF_MOV64_IMM(BPF_REG_3, 2),
7251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7252 BPF_FUNC_skb_vlan_push),
7253 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7254 BPF_LD_ABS(BPF_B, 0),
7255 BPF_LD_ABS(BPF_H, 0),
7256 BPF_LD_ABS(BPF_W, 0),
7257 BPF_MOV64_IMM(BPF_REG_0, 42),
7260 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7262 .retval = 42 /* ultimate return value */,
7265 "ld_ind: check calling conv, r1",
7267 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7268 BPF_MOV64_IMM(BPF_REG_1, 1),
7269 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7270 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7273 .errstr = "R1 !read_ok",
7277 "ld_ind: check calling conv, r2",
7279 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7280 BPF_MOV64_IMM(BPF_REG_2, 1),
7281 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7282 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7285 .errstr = "R2 !read_ok",
7289 "ld_ind: check calling conv, r3",
7291 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7292 BPF_MOV64_IMM(BPF_REG_3, 1),
7293 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7294 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7297 .errstr = "R3 !read_ok",
7301 "ld_ind: check calling conv, r4",
7303 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7304 BPF_MOV64_IMM(BPF_REG_4, 1),
7305 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7306 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7309 .errstr = "R4 !read_ok",
7313 "ld_ind: check calling conv, r5",
7315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7316 BPF_MOV64_IMM(BPF_REG_5, 1),
7317 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7318 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7321 .errstr = "R5 !read_ok",
7325 "ld_ind: check calling conv, r7",
7327 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7328 BPF_MOV64_IMM(BPF_REG_7, 1),
7329 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7330 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7337 "check bpf_perf_event_data->sample_period byte load permitted",
7339 BPF_MOV64_IMM(BPF_REG_0, 0),
7340 #if __BYTE_ORDER == __LITTLE_ENDIAN
7341 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7342 offsetof(struct bpf_perf_event_data, sample_period)),
7344 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7345 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7350 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7353 "check bpf_perf_event_data->sample_period half load permitted",
7355 BPF_MOV64_IMM(BPF_REG_0, 0),
7356 #if __BYTE_ORDER == __LITTLE_ENDIAN
7357 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7358 offsetof(struct bpf_perf_event_data, sample_period)),
7360 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7361 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7366 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7369 "check bpf_perf_event_data->sample_period word load permitted",
7371 BPF_MOV64_IMM(BPF_REG_0, 0),
7372 #if __BYTE_ORDER == __LITTLE_ENDIAN
7373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7374 offsetof(struct bpf_perf_event_data, sample_period)),
7376 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7377 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7382 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7385 "check bpf_perf_event_data->sample_period dword load permitted",
7387 BPF_MOV64_IMM(BPF_REG_0, 0),
7388 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7389 offsetof(struct bpf_perf_event_data, sample_period)),
7393 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7396 "check skb->data half load not permitted",
7398 BPF_MOV64_IMM(BPF_REG_0, 0),
7399 #if __BYTE_ORDER == __LITTLE_ENDIAN
7400 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7401 offsetof(struct __sk_buff, data)),
7403 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7404 offsetof(struct __sk_buff, data) + 2),
7409 .errstr = "invalid bpf_context access",
7412 "check skb->tc_classid half load not permitted for lwt prog",
7414 BPF_MOV64_IMM(BPF_REG_0, 0),
7415 #if __BYTE_ORDER == __LITTLE_ENDIAN
7416 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7417 offsetof(struct __sk_buff, tc_classid)),
7419 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7420 offsetof(struct __sk_buff, tc_classid) + 2),
7425 .errstr = "invalid bpf_context access",
7426 .prog_type = BPF_PROG_TYPE_LWT_IN,
7429 "bounds checks mixing signed and unsigned, positive bounds",
7431 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7432 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7434 BPF_LD_MAP_FD(BPF_REG_1, 0),
7435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7436 BPF_FUNC_map_lookup_elem),
7437 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7438 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7439 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7440 BPF_MOV64_IMM(BPF_REG_2, 2),
7441 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7442 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7443 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7444 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7445 BPF_MOV64_IMM(BPF_REG_0, 0),
7448 .fixup_map1 = { 3 },
7449 .errstr = "unbounded min value",
7453 "bounds checks mixing signed and unsigned",
7455 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7456 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7458 BPF_LD_MAP_FD(BPF_REG_1, 0),
7459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7460 BPF_FUNC_map_lookup_elem),
7461 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7462 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7463 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7464 BPF_MOV64_IMM(BPF_REG_2, -1),
7465 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7466 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7467 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7468 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7469 BPF_MOV64_IMM(BPF_REG_0, 0),
7472 .fixup_map1 = { 3 },
7473 .errstr = "unbounded min value",
7477 "bounds checks mixing signed and unsigned, variant 2",
7479 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7480 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7482 BPF_LD_MAP_FD(BPF_REG_1, 0),
7483 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7484 BPF_FUNC_map_lookup_elem),
7485 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7486 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7487 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7488 BPF_MOV64_IMM(BPF_REG_2, -1),
7489 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7490 BPF_MOV64_IMM(BPF_REG_8, 0),
7491 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7492 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7493 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7494 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7495 BPF_MOV64_IMM(BPF_REG_0, 0),
7498 .fixup_map1 = { 3 },
7499 .errstr = "unbounded min value",
7503 "bounds checks mixing signed and unsigned, variant 3",
7505 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7508 BPF_LD_MAP_FD(BPF_REG_1, 0),
7509 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7510 BPF_FUNC_map_lookup_elem),
7511 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7512 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7513 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7514 BPF_MOV64_IMM(BPF_REG_2, -1),
7515 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7516 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7517 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7518 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7519 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7520 BPF_MOV64_IMM(BPF_REG_0, 0),
7523 .fixup_map1 = { 3 },
7524 .errstr = "unbounded min value",
7528 "bounds checks mixing signed and unsigned, variant 4",
7530 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7531 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7533 BPF_LD_MAP_FD(BPF_REG_1, 0),
7534 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7535 BPF_FUNC_map_lookup_elem),
7536 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7537 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7538 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7539 BPF_MOV64_IMM(BPF_REG_2, 1),
7540 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7541 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7542 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7543 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7544 BPF_MOV64_IMM(BPF_REG_0, 0),
7547 .fixup_map1 = { 3 },
7551 "bounds checks mixing signed and unsigned, variant 5",
7553 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7556 BPF_LD_MAP_FD(BPF_REG_1, 0),
7557 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7558 BPF_FUNC_map_lookup_elem),
7559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7560 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7561 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7562 BPF_MOV64_IMM(BPF_REG_2, -1),
7563 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7564 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7566 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7567 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7568 BPF_MOV64_IMM(BPF_REG_0, 0),
7571 .fixup_map1 = { 3 },
7572 .errstr = "unbounded min value",
7576 "bounds checks mixing signed and unsigned, variant 6",
7578 BPF_MOV64_IMM(BPF_REG_2, 0),
7579 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7582 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7583 BPF_MOV64_IMM(BPF_REG_6, -1),
7584 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7585 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7587 BPF_MOV64_IMM(BPF_REG_5, 0),
7588 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7590 BPF_FUNC_skb_load_bytes),
7591 BPF_MOV64_IMM(BPF_REG_0, 0),
7594 .errstr = "R4 min value is negative, either use unsigned",
7598 "bounds checks mixing signed and unsigned, variant 7",
7600 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7603 BPF_LD_MAP_FD(BPF_REG_1, 0),
7604 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7605 BPF_FUNC_map_lookup_elem),
7606 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7608 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7609 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7610 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7611 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7612 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7613 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7614 BPF_MOV64_IMM(BPF_REG_0, 0),
7617 .fixup_map1 = { 3 },
7621 "bounds checks mixing signed and unsigned, variant 8",
7623 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7624 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7626 BPF_LD_MAP_FD(BPF_REG_1, 0),
7627 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7628 BPF_FUNC_map_lookup_elem),
7629 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7631 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7632 BPF_MOV64_IMM(BPF_REG_2, -1),
7633 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7634 BPF_MOV64_IMM(BPF_REG_0, 0),
7636 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7637 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7638 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7639 BPF_MOV64_IMM(BPF_REG_0, 0),
7642 .fixup_map1 = { 3 },
7643 .errstr = "unbounded min value",
7647 "bounds checks mixing signed and unsigned, variant 9",
7649 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7650 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7652 BPF_LD_MAP_FD(BPF_REG_1, 0),
7653 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7654 BPF_FUNC_map_lookup_elem),
7655 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7656 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7657 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7658 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7659 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7660 BPF_MOV64_IMM(BPF_REG_0, 0),
7662 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7663 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7664 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7665 BPF_MOV64_IMM(BPF_REG_0, 0),
7668 .fixup_map1 = { 3 },
7672 "bounds checks mixing signed and unsigned, variant 10",
7674 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7677 BPF_LD_MAP_FD(BPF_REG_1, 0),
7678 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7679 BPF_FUNC_map_lookup_elem),
7680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7681 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7682 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7683 BPF_MOV64_IMM(BPF_REG_2, 0),
7684 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7685 BPF_MOV64_IMM(BPF_REG_0, 0),
7687 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7688 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7689 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7690 BPF_MOV64_IMM(BPF_REG_0, 0),
7693 .fixup_map1 = { 3 },
7694 .errstr = "unbounded min value",
7698 "bounds checks mixing signed and unsigned, variant 11",
7700 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7701 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7703 BPF_LD_MAP_FD(BPF_REG_1, 0),
7704 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7705 BPF_FUNC_map_lookup_elem),
7706 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7708 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7709 BPF_MOV64_IMM(BPF_REG_2, -1),
7710 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7712 BPF_MOV64_IMM(BPF_REG_0, 0),
7714 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7715 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7716 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7717 BPF_MOV64_IMM(BPF_REG_0, 0),
7720 .fixup_map1 = { 3 },
7721 .errstr = "unbounded min value",
7725 "bounds checks mixing signed and unsigned, variant 12",
7727 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7730 BPF_LD_MAP_FD(BPF_REG_1, 0),
7731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7732 BPF_FUNC_map_lookup_elem),
7733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7734 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7735 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7736 BPF_MOV64_IMM(BPF_REG_2, -6),
7737 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7738 BPF_MOV64_IMM(BPF_REG_0, 0),
7740 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7741 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7742 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7743 BPF_MOV64_IMM(BPF_REG_0, 0),
7746 .fixup_map1 = { 3 },
7747 .errstr = "unbounded min value",
7751 "bounds checks mixing signed and unsigned, variant 13",
7753 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7756 BPF_LD_MAP_FD(BPF_REG_1, 0),
7757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7758 BPF_FUNC_map_lookup_elem),
7759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7760 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7761 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7762 BPF_MOV64_IMM(BPF_REG_2, 2),
7763 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7764 BPF_MOV64_IMM(BPF_REG_7, 1),
7765 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7766 BPF_MOV64_IMM(BPF_REG_0, 0),
7768 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7769 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7770 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7771 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7772 BPF_MOV64_IMM(BPF_REG_0, 0),
7775 .fixup_map1 = { 3 },
7776 .errstr = "unbounded min value",
7780 "bounds checks mixing signed and unsigned, variant 14",
7782 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7783 offsetof(struct __sk_buff, mark)),
7784 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7785 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7787 BPF_LD_MAP_FD(BPF_REG_1, 0),
7788 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7789 BPF_FUNC_map_lookup_elem),
7790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7791 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7792 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7793 BPF_MOV64_IMM(BPF_REG_2, -1),
7794 BPF_MOV64_IMM(BPF_REG_8, 2),
7795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7796 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7797 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7798 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7799 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7800 BPF_MOV64_IMM(BPF_REG_0, 0),
7802 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7803 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7805 .fixup_map1 = { 4 },
7806 .errstr = "R0 invalid mem access 'inv'",
7810 "bounds checks mixing signed and unsigned, variant 15",
7812 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7813 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7815 BPF_LD_MAP_FD(BPF_REG_1, 0),
7816 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7817 BPF_FUNC_map_lookup_elem),
7818 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7819 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7820 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7821 BPF_MOV64_IMM(BPF_REG_2, -6),
7822 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7823 BPF_MOV64_IMM(BPF_REG_0, 0),
7825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7826 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7827 BPF_MOV64_IMM(BPF_REG_0, 0),
7829 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7830 BPF_MOV64_IMM(BPF_REG_0, 0),
7833 .fixup_map1 = { 3 },
7834 .errstr = "unbounded min value",
7836 .result_unpriv = REJECT,
7839 "subtraction bounds (map value) variant 1",
7841 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7842 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7844 BPF_LD_MAP_FD(BPF_REG_1, 0),
7845 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7846 BPF_FUNC_map_lookup_elem),
7847 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7848 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7849 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7850 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7851 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7852 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7853 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7854 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7855 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7857 BPF_MOV64_IMM(BPF_REG_0, 0),
7860 .fixup_map1 = { 3 },
7861 .errstr = "R0 max value is outside of the array range",
7865 "subtraction bounds (map value) variant 2",
7867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7870 BPF_LD_MAP_FD(BPF_REG_1, 0),
7871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7872 BPF_FUNC_map_lookup_elem),
7873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7874 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7875 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7876 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7877 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7878 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7879 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7880 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7882 BPF_MOV64_IMM(BPF_REG_0, 0),
7885 .fixup_map1 = { 3 },
7886 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7890 "bounds check based on zero-extended MOV",
7892 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7895 BPF_LD_MAP_FD(BPF_REG_1, 0),
7896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7897 BPF_FUNC_map_lookup_elem),
7898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7899 /* r2 = 0x0000'0000'ffff'ffff */
7900 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7902 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7904 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7905 /* access at offset 0 */
7906 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7908 BPF_MOV64_IMM(BPF_REG_0, 0),
7911 .fixup_map1 = { 3 },
7915 "bounds check based on sign-extended MOV. test1",
7917 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7920 BPF_LD_MAP_FD(BPF_REG_1, 0),
7921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7922 BPF_FUNC_map_lookup_elem),
7923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7924 /* r2 = 0xffff'ffff'ffff'ffff */
7925 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7926 /* r2 = 0xffff'ffff */
7927 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7928 /* r0 = <oob pointer> */
7929 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7930 /* access to OOB pointer */
7931 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7933 BPF_MOV64_IMM(BPF_REG_0, 0),
7936 .fixup_map1 = { 3 },
7937 .errstr = "map_value pointer and 4294967295",
7941 "bounds check based on sign-extended MOV. test2",
7943 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7946 BPF_LD_MAP_FD(BPF_REG_1, 0),
7947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7948 BPF_FUNC_map_lookup_elem),
7949 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7950 /* r2 = 0xffff'ffff'ffff'ffff */
7951 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7952 /* r2 = 0xfff'ffff */
7953 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7954 /* r0 = <oob pointer> */
7955 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7956 /* access to OOB pointer */
7957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7959 BPF_MOV64_IMM(BPF_REG_0, 0),
7962 .fixup_map1 = { 3 },
7963 .errstr = "R0 min value is outside of the array range",
7967 "bounds check based on reg_off + var_off + insn_off. test1",
7969 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7970 offsetof(struct __sk_buff, mark)),
7971 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7972 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7974 BPF_LD_MAP_FD(BPF_REG_1, 0),
7975 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7976 BPF_FUNC_map_lookup_elem),
7977 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7978 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7980 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7982 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7983 BPF_MOV64_IMM(BPF_REG_0, 0),
7986 .fixup_map1 = { 4 },
7987 .errstr = "value_size=8 off=1073741825",
7989 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7992 "bounds check based on reg_off + var_off + insn_off. test2",
7994 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7995 offsetof(struct __sk_buff, mark)),
7996 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7997 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7999 BPF_LD_MAP_FD(BPF_REG_1, 0),
8000 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8001 BPF_FUNC_map_lookup_elem),
8002 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8003 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8005 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8007 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8008 BPF_MOV64_IMM(BPF_REG_0, 0),
8011 .fixup_map1 = { 4 },
8012 .errstr = "value 1073741823",
8014 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8017 "bounds check after truncation of non-boundary-crossing range",
8019 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8020 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8021 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8022 BPF_LD_MAP_FD(BPF_REG_1, 0),
8023 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8024 BPF_FUNC_map_lookup_elem),
8025 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8026 /* r1 = [0x00, 0xff] */
8027 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8028 BPF_MOV64_IMM(BPF_REG_2, 1),
8029 /* r2 = 0x10'0000'0000 */
8030 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8031 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8032 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8033 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8035 /* r1 = [0x00, 0xff] */
8036 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8038 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8040 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8041 /* access at offset 0 */
8042 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8044 BPF_MOV64_IMM(BPF_REG_0, 0),
8047 .fixup_map1 = { 3 },
8051 "bounds check after truncation of boundary-crossing range (1)",
8053 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8054 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8056 BPF_LD_MAP_FD(BPF_REG_1, 0),
8057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8058 BPF_FUNC_map_lookup_elem),
8059 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8060 /* r1 = [0x00, 0xff] */
8061 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8063 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8065 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8066 * [0x0000'0000, 0x0000'007f]
8068 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8069 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8070 /* r1 = [0x00, 0xff] or
8071 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8073 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8075 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8077 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8078 /* no-op or OOB pointer computation */
8079 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8080 /* potentially OOB access */
8081 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8083 BPF_MOV64_IMM(BPF_REG_0, 0),
8086 .fixup_map1 = { 3 },
8087 /* not actually fully unbounded, but the bound is very high */
8088 .errstr = "R0 unbounded memory access",
8092 "bounds check after truncation of boundary-crossing range (2)",
8094 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8095 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8096 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8097 BPF_LD_MAP_FD(BPF_REG_1, 0),
8098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8099 BPF_FUNC_map_lookup_elem),
8100 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8101 /* r1 = [0x00, 0xff] */
8102 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8104 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8106 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8107 * [0x0000'0000, 0x0000'007f]
8108 * difference to previous test: truncation via MOV32
8111 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8112 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8113 /* r1 = [0x00, 0xff] or
8114 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8116 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8118 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8120 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8121 /* no-op or OOB pointer computation */
8122 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8123 /* potentially OOB access */
8124 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8126 BPF_MOV64_IMM(BPF_REG_0, 0),
8129 .fixup_map1 = { 3 },
8130 /* not actually fully unbounded, but the bound is very high */
8131 .errstr = "R0 unbounded memory access",
8135 "bounds check after wrapping 32-bit addition",
8137 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8138 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8140 BPF_LD_MAP_FD(BPF_REG_1, 0),
8141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8142 BPF_FUNC_map_lookup_elem),
8143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8144 /* r1 = 0x7fff'ffff */
8145 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8146 /* r1 = 0xffff'fffe */
8147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8149 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8151 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8152 /* access at offset 0 */
8153 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8155 BPF_MOV64_IMM(BPF_REG_0, 0),
8158 .fixup_map1 = { 3 },
8162 "bounds check after shift with oversized count operand",
8164 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8167 BPF_LD_MAP_FD(BPF_REG_1, 0),
8168 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8169 BPF_FUNC_map_lookup_elem),
8170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8171 BPF_MOV64_IMM(BPF_REG_2, 32),
8172 BPF_MOV64_IMM(BPF_REG_1, 1),
8173 /* r1 = (u32)1 << (u32)32 = ? */
8174 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8175 /* r1 = [0x0000, 0xffff] */
8176 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8177 /* computes unknown pointer, potentially OOB */
8178 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8179 /* potentially OOB access */
8180 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8182 BPF_MOV64_IMM(BPF_REG_0, 0),
8185 .fixup_map1 = { 3 },
8186 .errstr = "R0 max value is outside of the array range",
8190 "bounds check after right shift of maybe-negative number",
8192 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8193 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8195 BPF_LD_MAP_FD(BPF_REG_1, 0),
8196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8197 BPF_FUNC_map_lookup_elem),
8198 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8199 /* r1 = [0x00, 0xff] */
8200 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8201 /* r1 = [-0x01, 0xfe] */
8202 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8203 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8204 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8205 /* r1 = 0 or 0xffff'ffff'ffff */
8206 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8207 /* computes unknown pointer, potentially OOB */
8208 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8209 /* potentially OOB access */
8210 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8212 BPF_MOV64_IMM(BPF_REG_0, 0),
8215 .fixup_map1 = { 3 },
8216 .errstr = "R0 unbounded memory access",
8220 "bounds check map access with off+size signed 32bit overflow. test1",
8222 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8223 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8225 BPF_LD_MAP_FD(BPF_REG_1, 0),
8226 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8227 BPF_FUNC_map_lookup_elem),
8228 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8231 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8235 .fixup_map1 = { 3 },
8236 .errstr = "map_value pointer and 2147483646",
8240 "bounds check map access with off+size signed 32bit overflow. test2",
8242 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8243 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8245 BPF_LD_MAP_FD(BPF_REG_1, 0),
8246 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8247 BPF_FUNC_map_lookup_elem),
8248 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8253 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8257 .fixup_map1 = { 3 },
8258 .errstr = "pointer offset 1073741822",
8262 "bounds check map access with off+size signed 32bit overflow. test3",
8264 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8265 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8267 BPF_LD_MAP_FD(BPF_REG_1, 0),
8268 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8269 BPF_FUNC_map_lookup_elem),
8270 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8272 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8273 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8274 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8278 .fixup_map1 = { 3 },
8279 .errstr = "pointer offset -1073741822",
8283 "bounds check map access with off+size signed 32bit overflow. test4",
8285 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8288 BPF_LD_MAP_FD(BPF_REG_1, 0),
8289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8290 BPF_FUNC_map_lookup_elem),
8291 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8293 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8294 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8295 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8296 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8300 .fixup_map1 = { 3 },
8301 .errstr = "map_value pointer and 1000000000000",
8305 "pointer/scalar confusion in state equality check (way 1)",
8307 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8310 BPF_LD_MAP_FD(BPF_REG_1, 0),
8311 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8312 BPF_FUNC_map_lookup_elem),
8313 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8314 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8316 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8320 .fixup_map1 = { 3 },
8322 .retval = POINTER_VALUE,
8323 .result_unpriv = REJECT,
8324 .errstr_unpriv = "R0 leaks addr as return value"
8327 "pointer/scalar confusion in state equality check (way 2)",
8329 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8330 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8332 BPF_LD_MAP_FD(BPF_REG_1, 0),
8333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8334 BPF_FUNC_map_lookup_elem),
8335 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8336 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8338 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8341 .fixup_map1 = { 3 },
8343 .retval = POINTER_VALUE,
8344 .result_unpriv = REJECT,
8345 .errstr_unpriv = "R0 leaks addr as return value"
8348 "variable-offset ctx access",
8350 /* Get an unknown value */
8351 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8352 /* Make it small and 4-byte aligned */
8353 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8354 /* add it to skb. We now have either &skb->len or
8355 * &skb->pkt_type, but we don't know which
8357 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8358 /* dereference it */
8359 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8362 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8364 .prog_type = BPF_PROG_TYPE_LWT_IN,
8367 "variable-offset stack access",
8369 /* Fill the top 8 bytes of the stack */
8370 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8371 /* Get an unknown value */
8372 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8373 /* Make it small and 4-byte aligned */
8374 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8375 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8376 /* add it to fp. We now have either fp-4 or fp-8, but
8377 * we don't know which
8379 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8380 /* dereference it */
8381 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8384 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8386 .prog_type = BPF_PROG_TYPE_LWT_IN,
8389 "indirect variable-offset stack access",
8391 /* Fill the top 8 bytes of the stack */
8392 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8393 /* Get an unknown value */
8394 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8395 /* Make it small and 4-byte aligned */
8396 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8397 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8398 /* add it to fp. We now have either fp-4 or fp-8, but
8399 * we don't know which
8401 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8402 /* dereference it indirectly */
8403 BPF_LD_MAP_FD(BPF_REG_1, 0),
8404 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8405 BPF_FUNC_map_lookup_elem),
8406 BPF_MOV64_IMM(BPF_REG_0, 0),
8409 .fixup_map1 = { 5 },
8410 .errstr = "variable stack read R2",
8412 .prog_type = BPF_PROG_TYPE_LWT_IN,
8415 "direct stack access with 32-bit wraparound. test1",
8417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8418 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8420 BPF_MOV32_IMM(BPF_REG_0, 0),
8421 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8424 .errstr = "fp pointer and 2147483647",
8428 "direct stack access with 32-bit wraparound. test2",
8430 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8433 BPF_MOV32_IMM(BPF_REG_0, 0),
8434 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8437 .errstr = "fp pointer and 1073741823",
8441 "direct stack access with 32-bit wraparound. test3",
8443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8446 BPF_MOV32_IMM(BPF_REG_0, 0),
8447 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8450 .errstr = "fp pointer offset 1073741822",
8454 "liveness pruning and write screening",
8456 /* Get an unknown value */
8457 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8458 /* branch conditions teach us nothing about R2 */
8459 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8460 BPF_MOV64_IMM(BPF_REG_0, 0),
8461 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8462 BPF_MOV64_IMM(BPF_REG_0, 0),
8465 .errstr = "R0 !read_ok",
8467 .prog_type = BPF_PROG_TYPE_LWT_IN,
8470 "varlen_map_value_access pruning",
8472 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8475 BPF_LD_MAP_FD(BPF_REG_1, 0),
8476 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8477 BPF_FUNC_map_lookup_elem),
8478 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8479 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8480 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8481 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8482 BPF_MOV32_IMM(BPF_REG_1, 0),
8483 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8484 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8485 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8486 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8487 offsetof(struct test_val, foo)),
8490 .fixup_map2 = { 3 },
8491 .errstr_unpriv = "R0 leaks addr",
8492 .errstr = "R0 unbounded memory access",
8493 .result_unpriv = REJECT,
8495 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8498 "invalid 64-bit BPF_END",
8500 BPF_MOV32_IMM(BPF_REG_0, 0),
8502 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
8503 .dst_reg = BPF_REG_0,
8510 .errstr = "unknown opcode d7",
8514 "XDP, using ifindex from netdev",
8516 BPF_MOV64_IMM(BPF_REG_0, 0),
8517 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8518 offsetof(struct xdp_md, ingress_ifindex)),
8519 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8520 BPF_MOV64_IMM(BPF_REG_0, 1),
8524 .prog_type = BPF_PROG_TYPE_XDP,
8528 "meta access, test1",
8530 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8531 offsetof(struct xdp_md, data_meta)),
8532 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8533 offsetof(struct xdp_md, data)),
8534 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8536 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8537 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8538 BPF_MOV64_IMM(BPF_REG_0, 0),
8542 .prog_type = BPF_PROG_TYPE_XDP,
8545 "meta access, test2",
8547 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8548 offsetof(struct xdp_md, data_meta)),
8549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8550 offsetof(struct xdp_md, data)),
8551 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8552 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8553 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8555 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8556 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8557 BPF_MOV64_IMM(BPF_REG_0, 0),
8561 .errstr = "invalid access to packet, off=-8",
8562 .prog_type = BPF_PROG_TYPE_XDP,
8565 "meta access, test3",
8567 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8568 offsetof(struct xdp_md, data_meta)),
8569 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8570 offsetof(struct xdp_md, data_end)),
8571 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8572 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8573 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8574 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8575 BPF_MOV64_IMM(BPF_REG_0, 0),
8579 .errstr = "invalid access to packet",
8580 .prog_type = BPF_PROG_TYPE_XDP,
8583 "meta access, test4",
8585 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8586 offsetof(struct xdp_md, data_meta)),
8587 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8588 offsetof(struct xdp_md, data_end)),
8589 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8590 offsetof(struct xdp_md, data)),
8591 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8593 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8594 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8595 BPF_MOV64_IMM(BPF_REG_0, 0),
8599 .errstr = "invalid access to packet",
8600 .prog_type = BPF_PROG_TYPE_XDP,
8603 "meta access, test5",
8605 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8606 offsetof(struct xdp_md, data_meta)),
8607 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8608 offsetof(struct xdp_md, data)),
8609 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8611 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8612 BPF_MOV64_IMM(BPF_REG_2, -8),
8613 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8614 BPF_FUNC_xdp_adjust_meta),
8615 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8616 BPF_MOV64_IMM(BPF_REG_0, 0),
8620 .errstr = "R3 !read_ok",
8621 .prog_type = BPF_PROG_TYPE_XDP,
8624 "meta access, test6",
8626 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8627 offsetof(struct xdp_md, data_meta)),
8628 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8629 offsetof(struct xdp_md, data)),
8630 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8632 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8634 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8635 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8636 BPF_MOV64_IMM(BPF_REG_0, 0),
8640 .errstr = "invalid access to packet",
8641 .prog_type = BPF_PROG_TYPE_XDP,
8644 "meta access, test7",
8646 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8647 offsetof(struct xdp_md, data_meta)),
8648 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8649 offsetof(struct xdp_md, data)),
8650 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8652 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8654 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8655 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8656 BPF_MOV64_IMM(BPF_REG_0, 0),
8660 .prog_type = BPF_PROG_TYPE_XDP,
8663 "meta access, test8",
8665 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8666 offsetof(struct xdp_md, data_meta)),
8667 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8668 offsetof(struct xdp_md, data)),
8669 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8671 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8672 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8673 BPF_MOV64_IMM(BPF_REG_0, 0),
8677 .prog_type = BPF_PROG_TYPE_XDP,
8680 "meta access, test9",
8682 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8683 offsetof(struct xdp_md, data_meta)),
8684 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8685 offsetof(struct xdp_md, data)),
8686 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8689 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8690 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8691 BPF_MOV64_IMM(BPF_REG_0, 0),
8695 .errstr = "invalid access to packet",
8696 .prog_type = BPF_PROG_TYPE_XDP,
8699 "meta access, test10",
8701 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8702 offsetof(struct xdp_md, data_meta)),
8703 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8704 offsetof(struct xdp_md, data)),
8705 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8706 offsetof(struct xdp_md, data_end)),
8707 BPF_MOV64_IMM(BPF_REG_5, 42),
8708 BPF_MOV64_IMM(BPF_REG_6, 24),
8709 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8710 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8711 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8712 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8713 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8714 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8715 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8717 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8718 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8719 BPF_MOV64_IMM(BPF_REG_0, 0),
8723 .errstr = "invalid access to packet",
8724 .prog_type = BPF_PROG_TYPE_XDP,
8727 "meta access, test11",
8729 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8730 offsetof(struct xdp_md, data_meta)),
8731 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8732 offsetof(struct xdp_md, data)),
8733 BPF_MOV64_IMM(BPF_REG_5, 42),
8734 BPF_MOV64_IMM(BPF_REG_6, 24),
8735 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8736 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8737 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8738 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8739 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8740 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8741 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8743 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8744 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8745 BPF_MOV64_IMM(BPF_REG_0, 0),
8749 .prog_type = BPF_PROG_TYPE_XDP,
8752 "meta access, test12",
8754 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8755 offsetof(struct xdp_md, data_meta)),
8756 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8757 offsetof(struct xdp_md, data)),
8758 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8759 offsetof(struct xdp_md, data_end)),
8760 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8762 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8763 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8764 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8766 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8767 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8768 BPF_MOV64_IMM(BPF_REG_0, 0),
8772 .prog_type = BPF_PROG_TYPE_XDP,
8775 "arithmetic ops make PTR_TO_CTX unusable",
8777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8778 offsetof(struct __sk_buff, data) -
8779 offsetof(struct __sk_buff, mark)),
8780 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8781 offsetof(struct __sk_buff, mark)),
8784 .errstr = "dereference of modified ctx ptr",
8786 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8789 "pkt_end - pkt_start is allowed",
8791 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8792 offsetof(struct __sk_buff, data_end)),
8793 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8794 offsetof(struct __sk_buff, data)),
8795 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8799 .retval = TEST_DATA_LEN,
8800 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8803 "XDP pkt read, pkt_end mangling, bad access 1",
8805 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8806 offsetof(struct xdp_md, data)),
8807 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8808 offsetof(struct xdp_md, data_end)),
8809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8810 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8812 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8813 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8814 BPF_MOV64_IMM(BPF_REG_0, 0),
8817 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8819 .prog_type = BPF_PROG_TYPE_XDP,
8822 "XDP pkt read, pkt_end mangling, bad access 2",
8824 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8825 offsetof(struct xdp_md, data)),
8826 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8827 offsetof(struct xdp_md, data_end)),
8828 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8830 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8831 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8832 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8833 BPF_MOV64_IMM(BPF_REG_0, 0),
8836 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8838 .prog_type = BPF_PROG_TYPE_XDP,
8841 "XDP pkt read, pkt_data' > pkt_end, good access",
8843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8844 offsetof(struct xdp_md, data)),
8845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8846 offsetof(struct xdp_md, data_end)),
8847 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8849 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8850 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8851 BPF_MOV64_IMM(BPF_REG_0, 0),
8855 .prog_type = BPF_PROG_TYPE_XDP,
8858 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8860 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8861 offsetof(struct xdp_md, data)),
8862 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8863 offsetof(struct xdp_md, data_end)),
8864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8866 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8867 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8868 BPF_MOV64_IMM(BPF_REG_0, 0),
8871 .errstr = "R1 offset is outside of the packet",
8873 .prog_type = BPF_PROG_TYPE_XDP,
8874 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8877 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8879 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8880 offsetof(struct xdp_md, data)),
8881 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8882 offsetof(struct xdp_md, data_end)),
8883 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8885 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8886 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8887 BPF_MOV64_IMM(BPF_REG_0, 0),
8890 .errstr = "R1 offset is outside of the packet",
8892 .prog_type = BPF_PROG_TYPE_XDP,
8895 "XDP pkt read, pkt_end > pkt_data', good access",
8897 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8898 offsetof(struct xdp_md, data)),
8899 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8900 offsetof(struct xdp_md, data_end)),
8901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8903 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8904 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8905 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8906 BPF_MOV64_IMM(BPF_REG_0, 0),
8910 .prog_type = BPF_PROG_TYPE_XDP,
8911 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8914 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8916 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8917 offsetof(struct xdp_md, data)),
8918 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8919 offsetof(struct xdp_md, data_end)),
8920 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8922 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8923 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8924 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8925 BPF_MOV64_IMM(BPF_REG_0, 0),
8928 .errstr = "R1 offset is outside of the packet",
8930 .prog_type = BPF_PROG_TYPE_XDP,
8933 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8935 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8936 offsetof(struct xdp_md, data)),
8937 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8938 offsetof(struct xdp_md, data_end)),
8939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8941 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8942 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8943 BPF_MOV64_IMM(BPF_REG_0, 0),
8946 .errstr = "R1 offset is outside of the packet",
8948 .prog_type = BPF_PROG_TYPE_XDP,
8951 "XDP pkt read, pkt_data' < pkt_end, good access",
8953 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8954 offsetof(struct xdp_md, data)),
8955 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8956 offsetof(struct xdp_md, data_end)),
8957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8959 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8960 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8961 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8962 BPF_MOV64_IMM(BPF_REG_0, 0),
8966 .prog_type = BPF_PROG_TYPE_XDP,
8967 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8970 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8972 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8973 offsetof(struct xdp_md, data)),
8974 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8975 offsetof(struct xdp_md, data_end)),
8976 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8978 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8979 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8980 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8981 BPF_MOV64_IMM(BPF_REG_0, 0),
8984 .errstr = "R1 offset is outside of the packet",
8986 .prog_type = BPF_PROG_TYPE_XDP,
8989 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
8991 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8992 offsetof(struct xdp_md, data)),
8993 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8994 offsetof(struct xdp_md, data_end)),
8995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8997 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8998 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8999 BPF_MOV64_IMM(BPF_REG_0, 0),
9002 .errstr = "R1 offset is outside of the packet",
9004 .prog_type = BPF_PROG_TYPE_XDP,
9007 "XDP pkt read, pkt_end < pkt_data', good access",
9009 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9010 offsetof(struct xdp_md, data)),
9011 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9012 offsetof(struct xdp_md, data_end)),
9013 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9015 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9016 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9017 BPF_MOV64_IMM(BPF_REG_0, 0),
9021 .prog_type = BPF_PROG_TYPE_XDP,
9024 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9026 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9027 offsetof(struct xdp_md, data)),
9028 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9029 offsetof(struct xdp_md, data_end)),
9030 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9032 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9033 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9034 BPF_MOV64_IMM(BPF_REG_0, 0),
9037 .errstr = "R1 offset is outside of the packet",
9039 .prog_type = BPF_PROG_TYPE_XDP,
9040 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9043 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9045 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9046 offsetof(struct xdp_md, data)),
9047 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9048 offsetof(struct xdp_md, data_end)),
9049 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9050 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9051 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9052 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9053 BPF_MOV64_IMM(BPF_REG_0, 0),
9056 .errstr = "R1 offset is outside of the packet",
9058 .prog_type = BPF_PROG_TYPE_XDP,
9061 "XDP pkt read, pkt_data' >= pkt_end, good access",
9063 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9064 offsetof(struct xdp_md, data)),
9065 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9066 offsetof(struct xdp_md, data_end)),
9067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9068 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9069 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9070 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9071 BPF_MOV64_IMM(BPF_REG_0, 0),
9075 .prog_type = BPF_PROG_TYPE_XDP,
9076 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9079 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9081 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9082 offsetof(struct xdp_md, data)),
9083 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9084 offsetof(struct xdp_md, data_end)),
9085 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9087 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9088 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9089 BPF_MOV64_IMM(BPF_REG_0, 0),
9092 .errstr = "R1 offset is outside of the packet",
9094 .prog_type = BPF_PROG_TYPE_XDP,
9097 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9099 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9100 offsetof(struct xdp_md, data)),
9101 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9102 offsetof(struct xdp_md, data_end)),
9103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9105 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9106 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9107 BPF_MOV64_IMM(BPF_REG_0, 0),
9110 .errstr = "R1 offset is outside of the packet",
9112 .prog_type = BPF_PROG_TYPE_XDP,
9113 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9116 "XDP pkt read, pkt_end >= pkt_data', good access",
9118 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9119 offsetof(struct xdp_md, data)),
9120 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9121 offsetof(struct xdp_md, data_end)),
9122 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9124 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9125 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9126 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9127 BPF_MOV64_IMM(BPF_REG_0, 0),
9131 .prog_type = BPF_PROG_TYPE_XDP,
9134 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9136 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9137 offsetof(struct xdp_md, data)),
9138 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9139 offsetof(struct xdp_md, data_end)),
9140 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9142 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9143 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9144 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9145 BPF_MOV64_IMM(BPF_REG_0, 0),
9148 .errstr = "R1 offset is outside of the packet",
9150 .prog_type = BPF_PROG_TYPE_XDP,
9151 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9154 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9156 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9157 offsetof(struct xdp_md, data)),
9158 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9159 offsetof(struct xdp_md, data_end)),
9160 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9162 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9163 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9164 BPF_MOV64_IMM(BPF_REG_0, 0),
9167 .errstr = "R1 offset is outside of the packet",
9169 .prog_type = BPF_PROG_TYPE_XDP,
9172 "XDP pkt read, pkt_data' <= pkt_end, good access",
9174 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9175 offsetof(struct xdp_md, data)),
9176 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9177 offsetof(struct xdp_md, data_end)),
9178 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9180 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9181 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9182 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9183 BPF_MOV64_IMM(BPF_REG_0, 0),
9187 .prog_type = BPF_PROG_TYPE_XDP,
9190 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9192 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9193 offsetof(struct xdp_md, data)),
9194 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9195 offsetof(struct xdp_md, data_end)),
9196 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9198 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9199 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9200 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9201 BPF_MOV64_IMM(BPF_REG_0, 0),
9204 .errstr = "R1 offset is outside of the packet",
9206 .prog_type = BPF_PROG_TYPE_XDP,
9207 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9210 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9212 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9213 offsetof(struct xdp_md, data)),
9214 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9215 offsetof(struct xdp_md, data_end)),
9216 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9218 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9219 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9220 BPF_MOV64_IMM(BPF_REG_0, 0),
9223 .errstr = "R1 offset is outside of the packet",
9225 .prog_type = BPF_PROG_TYPE_XDP,
9228 "XDP pkt read, pkt_end <= pkt_data', good access",
9230 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9231 offsetof(struct xdp_md, data)),
9232 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9233 offsetof(struct xdp_md, data_end)),
9234 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9236 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9237 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9238 BPF_MOV64_IMM(BPF_REG_0, 0),
9242 .prog_type = BPF_PROG_TYPE_XDP,
9243 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9246 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
9248 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9249 offsetof(struct xdp_md, data)),
9250 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9251 offsetof(struct xdp_md, data_end)),
9252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9254 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9255 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9256 BPF_MOV64_IMM(BPF_REG_0, 0),
9259 .errstr = "R1 offset is outside of the packet",
9261 .prog_type = BPF_PROG_TYPE_XDP,
9264 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9266 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9267 offsetof(struct xdp_md, data)),
9268 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9269 offsetof(struct xdp_md, data_end)),
9270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9272 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9273 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9274 BPF_MOV64_IMM(BPF_REG_0, 0),
9277 .errstr = "R1 offset is outside of the packet",
9279 .prog_type = BPF_PROG_TYPE_XDP,
9280 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9283 "XDP pkt read, pkt_meta' > pkt_data, good access",
9285 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9286 offsetof(struct xdp_md, data_meta)),
9287 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9288 offsetof(struct xdp_md, data)),
9289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9291 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9292 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9293 BPF_MOV64_IMM(BPF_REG_0, 0),
9297 .prog_type = BPF_PROG_TYPE_XDP,
9300 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9302 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9303 offsetof(struct xdp_md, data_meta)),
9304 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9305 offsetof(struct xdp_md, data)),
9306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9308 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9309 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9310 BPF_MOV64_IMM(BPF_REG_0, 0),
9313 .errstr = "R1 offset is outside of the packet",
9315 .prog_type = BPF_PROG_TYPE_XDP,
9316 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9319 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9321 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9322 offsetof(struct xdp_md, data_meta)),
9323 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9324 offsetof(struct xdp_md, data)),
9325 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9327 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9328 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9329 BPF_MOV64_IMM(BPF_REG_0, 0),
9332 .errstr = "R1 offset is outside of the packet",
9334 .prog_type = BPF_PROG_TYPE_XDP,
9337 "XDP pkt read, pkt_data > pkt_meta', good access",
9339 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9340 offsetof(struct xdp_md, data_meta)),
9341 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9342 offsetof(struct xdp_md, data)),
9343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9345 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9346 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9347 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9348 BPF_MOV64_IMM(BPF_REG_0, 0),
9352 .prog_type = BPF_PROG_TYPE_XDP,
9353 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9356 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9359 offsetof(struct xdp_md, data_meta)),
9360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9361 offsetof(struct xdp_md, data)),
9362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9364 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9365 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9367 BPF_MOV64_IMM(BPF_REG_0, 0),
9370 .errstr = "R1 offset is outside of the packet",
9372 .prog_type = BPF_PROG_TYPE_XDP,
9375 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9377 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9378 offsetof(struct xdp_md, data_meta)),
9379 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9380 offsetof(struct xdp_md, data)),
9381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9383 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9384 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9385 BPF_MOV64_IMM(BPF_REG_0, 0),
9388 .errstr = "R1 offset is outside of the packet",
9390 .prog_type = BPF_PROG_TYPE_XDP,
9393 "XDP pkt read, pkt_meta' < pkt_data, good access",
9395 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9396 offsetof(struct xdp_md, data_meta)),
9397 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9398 offsetof(struct xdp_md, data)),
9399 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9401 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9402 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9403 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9404 BPF_MOV64_IMM(BPF_REG_0, 0),
9408 .prog_type = BPF_PROG_TYPE_XDP,
9409 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9412 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9414 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9415 offsetof(struct xdp_md, data_meta)),
9416 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9417 offsetof(struct xdp_md, data)),
9418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9420 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9421 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9423 BPF_MOV64_IMM(BPF_REG_0, 0),
9426 .errstr = "R1 offset is outside of the packet",
9428 .prog_type = BPF_PROG_TYPE_XDP,
9431 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9434 offsetof(struct xdp_md, data_meta)),
9435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9436 offsetof(struct xdp_md, data)),
9437 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9439 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9440 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9441 BPF_MOV64_IMM(BPF_REG_0, 0),
9444 .errstr = "R1 offset is outside of the packet",
9446 .prog_type = BPF_PROG_TYPE_XDP,
9449 "XDP pkt read, pkt_data < pkt_meta', good access",
9451 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9452 offsetof(struct xdp_md, data_meta)),
9453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9454 offsetof(struct xdp_md, data)),
9455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9457 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9459 BPF_MOV64_IMM(BPF_REG_0, 0),
9463 .prog_type = BPF_PROG_TYPE_XDP,
9466 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9468 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9469 offsetof(struct xdp_md, data_meta)),
9470 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9471 offsetof(struct xdp_md, data)),
9472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9474 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9475 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9476 BPF_MOV64_IMM(BPF_REG_0, 0),
9479 .errstr = "R1 offset is outside of the packet",
9481 .prog_type = BPF_PROG_TYPE_XDP,
9482 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9485 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
9487 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9488 offsetof(struct xdp_md, data_meta)),
9489 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9490 offsetof(struct xdp_md, data)),
9491 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9492 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9493 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9494 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9495 BPF_MOV64_IMM(BPF_REG_0, 0),
9498 .errstr = "R1 offset is outside of the packet",
9500 .prog_type = BPF_PROG_TYPE_XDP,
9503 "XDP pkt read, pkt_meta' >= pkt_data, good access",
9505 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9506 offsetof(struct xdp_md, data_meta)),
9507 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9508 offsetof(struct xdp_md, data)),
9509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9511 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9512 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9513 BPF_MOV64_IMM(BPF_REG_0, 0),
9517 .prog_type = BPF_PROG_TYPE_XDP,
9518 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9521 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9523 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9524 offsetof(struct xdp_md, data_meta)),
9525 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9526 offsetof(struct xdp_md, data)),
9527 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9529 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9530 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9531 BPF_MOV64_IMM(BPF_REG_0, 0),
9534 .errstr = "R1 offset is outside of the packet",
9536 .prog_type = BPF_PROG_TYPE_XDP,
9539 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9541 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9542 offsetof(struct xdp_md, data_meta)),
9543 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9544 offsetof(struct xdp_md, data)),
9545 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9547 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9548 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9549 BPF_MOV64_IMM(BPF_REG_0, 0),
9552 .errstr = "R1 offset is outside of the packet",
9554 .prog_type = BPF_PROG_TYPE_XDP,
9555 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9558 "XDP pkt read, pkt_data >= pkt_meta', good access",
9560 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9561 offsetof(struct xdp_md, data_meta)),
9562 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9563 offsetof(struct xdp_md, data)),
9564 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9566 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9567 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9568 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9569 BPF_MOV64_IMM(BPF_REG_0, 0),
9573 .prog_type = BPF_PROG_TYPE_XDP,
9576 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9578 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9579 offsetof(struct xdp_md, data_meta)),
9580 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9581 offsetof(struct xdp_md, data)),
9582 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9584 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9585 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9586 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9587 BPF_MOV64_IMM(BPF_REG_0, 0),
9590 .errstr = "R1 offset is outside of the packet",
9592 .prog_type = BPF_PROG_TYPE_XDP,
9593 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9596 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9598 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9599 offsetof(struct xdp_md, data_meta)),
9600 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9601 offsetof(struct xdp_md, data)),
9602 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9604 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9605 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9606 BPF_MOV64_IMM(BPF_REG_0, 0),
9609 .errstr = "R1 offset is outside of the packet",
9611 .prog_type = BPF_PROG_TYPE_XDP,
9614 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9616 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9617 offsetof(struct xdp_md, data_meta)),
9618 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9619 offsetof(struct xdp_md, data)),
9620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9622 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9623 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9624 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9625 BPF_MOV64_IMM(BPF_REG_0, 0),
9629 .prog_type = BPF_PROG_TYPE_XDP,
9632 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9634 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9635 offsetof(struct xdp_md, data_meta)),
9636 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9637 offsetof(struct xdp_md, data)),
9638 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9640 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9641 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9642 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9643 BPF_MOV64_IMM(BPF_REG_0, 0),
9646 .errstr = "R1 offset is outside of the packet",
9648 .prog_type = BPF_PROG_TYPE_XDP,
9649 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9652 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9655 offsetof(struct xdp_md, data_meta)),
9656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9657 offsetof(struct xdp_md, data)),
9658 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9660 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9661 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9662 BPF_MOV64_IMM(BPF_REG_0, 0),
9665 .errstr = "R1 offset is outside of the packet",
9667 .prog_type = BPF_PROG_TYPE_XDP,
9670 "XDP pkt read, pkt_data <= pkt_meta', good access",
9672 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9673 offsetof(struct xdp_md, data_meta)),
9674 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9675 offsetof(struct xdp_md, data)),
9676 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9677 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9678 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9679 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9680 BPF_MOV64_IMM(BPF_REG_0, 0),
9684 .prog_type = BPF_PROG_TYPE_XDP,
9685 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9688 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9690 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9691 offsetof(struct xdp_md, data_meta)),
9692 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9693 offsetof(struct xdp_md, data)),
9694 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9696 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9697 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9698 BPF_MOV64_IMM(BPF_REG_0, 0),
9701 .errstr = "R1 offset is outside of the packet",
9703 .prog_type = BPF_PROG_TYPE_XDP,
9706 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9708 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9709 offsetof(struct xdp_md, data_meta)),
9710 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9711 offsetof(struct xdp_md, data)),
9712 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9714 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9716 BPF_MOV64_IMM(BPF_REG_0, 0),
9719 .errstr = "R1 offset is outside of the packet",
9721 .prog_type = BPF_PROG_TYPE_XDP,
9722 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9725 "check deducing bounds from const, 1",
9727 BPF_MOV64_IMM(BPF_REG_0, 1),
9728 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9729 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9733 .errstr = "R0 tried to subtract pointer from scalar",
9736 "check deducing bounds from const, 2",
9738 BPF_MOV64_IMM(BPF_REG_0, 1),
9739 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9741 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9743 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9750 "check deducing bounds from const, 3",
9752 BPF_MOV64_IMM(BPF_REG_0, 0),
9753 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9754 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9758 .errstr = "R0 tried to subtract pointer from scalar",
9761 "check deducing bounds from const, 4",
9763 BPF_MOV64_IMM(BPF_REG_0, 0),
9764 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9766 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9768 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9774 "check deducing bounds from const, 5",
9776 BPF_MOV64_IMM(BPF_REG_0, 0),
9777 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9778 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9782 .errstr = "R0 tried to subtract pointer from scalar",
9785 "check deducing bounds from const, 6",
9787 BPF_MOV64_IMM(BPF_REG_0, 0),
9788 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9790 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9794 .errstr = "R0 tried to subtract pointer from scalar",
9797 "check deducing bounds from const, 7",
9799 BPF_MOV64_IMM(BPF_REG_0, ~0),
9800 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9801 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9802 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9803 offsetof(struct __sk_buff, mark)),
9807 .errstr = "dereference of modified ctx ptr",
9810 "check deducing bounds from const, 8",
9812 BPF_MOV64_IMM(BPF_REG_0, ~0),
9813 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9814 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9815 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9816 offsetof(struct __sk_buff, mark)),
9820 .errstr = "dereference of modified ctx ptr",
9823 "check deducing bounds from const, 9",
9825 BPF_MOV64_IMM(BPF_REG_0, 0),
9826 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9827 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9831 .errstr = "R0 tried to subtract pointer from scalar",
9834 "check deducing bounds from const, 10",
9836 BPF_MOV64_IMM(BPF_REG_0, 0),
9837 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9838 /* Marks reg as unknown. */
9839 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9840 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9844 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9847 "bpf_exit with invalid return code. test1",
9849 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9852 .errstr = "R0 has value (0x0; 0xffffffff)",
9854 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9857 "bpf_exit with invalid return code. test2",
9859 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9860 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9864 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9867 "bpf_exit with invalid return code. test3",
9869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9870 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9873 .errstr = "R0 has value (0x0; 0x3)",
9875 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9878 "bpf_exit with invalid return code. test4",
9880 BPF_MOV64_IMM(BPF_REG_0, 1),
9884 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9887 "bpf_exit with invalid return code. test5",
9889 BPF_MOV64_IMM(BPF_REG_0, 2),
9892 .errstr = "R0 has value (0x2; 0x0)",
9894 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9897 "bpf_exit with invalid return code. test6",
9899 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9902 .errstr = "R0 is not a known value (ctx)",
9904 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9907 "bpf_exit with invalid return code. test7",
9909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9910 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9911 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9914 .errstr = "R0 has unknown scalar value",
9916 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9919 "calls: basic sanity",
9921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9922 BPF_MOV64_IMM(BPF_REG_0, 1),
9924 BPF_MOV64_IMM(BPF_REG_0, 2),
9927 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9931 "calls: not on unpriviledged",
9933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9934 BPF_MOV64_IMM(BPF_REG_0, 1),
9936 BPF_MOV64_IMM(BPF_REG_0, 2),
9939 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9940 .result_unpriv = REJECT,
9945 "calls: div by 0 in subprog",
9947 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9948 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9950 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9951 offsetof(struct __sk_buff, data_end)),
9952 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9954 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9956 BPF_MOV64_IMM(BPF_REG_0, 1),
9958 BPF_MOV32_IMM(BPF_REG_2, 0),
9959 BPF_MOV32_IMM(BPF_REG_3, 1),
9960 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9961 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9962 offsetof(struct __sk_buff, data)),
9965 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9970 "calls: multiple ret types in subprog 1",
9972 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9973 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9974 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9975 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9976 offsetof(struct __sk_buff, data_end)),
9977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9979 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9980 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9981 BPF_MOV64_IMM(BPF_REG_0, 1),
9983 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9984 offsetof(struct __sk_buff, data)),
9985 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9986 BPF_MOV32_IMM(BPF_REG_0, 42),
9989 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9991 .errstr = "R0 invalid mem access 'inv'",
9994 "calls: multiple ret types in subprog 2",
9996 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9998 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9999 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10000 offsetof(struct __sk_buff, data_end)),
10001 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10003 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10004 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10005 BPF_MOV64_IMM(BPF_REG_0, 1),
10007 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10008 offsetof(struct __sk_buff, data)),
10009 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10010 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10011 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10014 BPF_LD_MAP_FD(BPF_REG_1, 0),
10015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10016 BPF_FUNC_map_lookup_elem),
10017 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10018 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10019 offsetof(struct __sk_buff, data)),
10020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10023 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10024 .fixup_map1 = { 16 },
10026 .errstr = "R0 min value is outside of the array range",
10029 "calls: overlapping caller/callee",
10031 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10032 BPF_MOV64_IMM(BPF_REG_0, 1),
10035 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10036 .errstr = "last insn is not an exit or jmp",
10040 "calls: wrong recursive calls",
10042 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10043 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10044 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10047 BPF_MOV64_IMM(BPF_REG_0, 1),
10050 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10051 .errstr = "jump out of range",
10055 "calls: wrong src reg",
10057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10058 BPF_MOV64_IMM(BPF_REG_0, 1),
10061 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10062 .errstr = "BPF_CALL uses reserved fields",
10066 "calls: wrong off value",
10068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10069 BPF_MOV64_IMM(BPF_REG_0, 1),
10071 BPF_MOV64_IMM(BPF_REG_0, 2),
10074 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10075 .errstr = "BPF_CALL uses reserved fields",
10079 "calls: jump back loop",
10081 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10082 BPF_MOV64_IMM(BPF_REG_0, 1),
10085 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10086 .errstr = "back-edge from insn 0 to 0",
10090 "calls: conditional call",
10092 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10093 offsetof(struct __sk_buff, mark)),
10094 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10095 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10096 BPF_MOV64_IMM(BPF_REG_0, 1),
10098 BPF_MOV64_IMM(BPF_REG_0, 2),
10101 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10102 .errstr = "jump out of range",
10106 "calls: conditional call 2",
10108 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10109 offsetof(struct __sk_buff, mark)),
10110 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10112 BPF_MOV64_IMM(BPF_REG_0, 1),
10114 BPF_MOV64_IMM(BPF_REG_0, 2),
10116 BPF_MOV64_IMM(BPF_REG_0, 3),
10119 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10123 "calls: conditional call 3",
10125 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10126 offsetof(struct __sk_buff, mark)),
10127 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10128 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10129 BPF_MOV64_IMM(BPF_REG_0, 1),
10131 BPF_MOV64_IMM(BPF_REG_0, 1),
10132 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10133 BPF_MOV64_IMM(BPF_REG_0, 3),
10134 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10136 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10137 .errstr = "back-edge from insn",
10141 "calls: conditional call 4",
10143 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10144 offsetof(struct __sk_buff, mark)),
10145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10147 BPF_MOV64_IMM(BPF_REG_0, 1),
10149 BPF_MOV64_IMM(BPF_REG_0, 1),
10150 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10151 BPF_MOV64_IMM(BPF_REG_0, 3),
10154 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10158 "calls: conditional call 5",
10160 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10161 offsetof(struct __sk_buff, mark)),
10162 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10164 BPF_MOV64_IMM(BPF_REG_0, 1),
10166 BPF_MOV64_IMM(BPF_REG_0, 1),
10167 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10168 BPF_MOV64_IMM(BPF_REG_0, 3),
10171 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10172 .errstr = "back-edge from insn",
10176 "calls: conditional call 6",
10178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10181 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10182 offsetof(struct __sk_buff, mark)),
10185 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10186 .errstr = "back-edge from insn",
10190 "calls: using r0 returned by callee",
10192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10194 BPF_MOV64_IMM(BPF_REG_0, 2),
10197 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10201 "calls: using uninit r0 from callee",
10203 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10207 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10208 .errstr = "!read_ok",
10212 "calls: callee is using r1",
10214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10216 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10217 offsetof(struct __sk_buff, len)),
10220 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10222 .retval = TEST_DATA_LEN,
10225 "calls: callee using args1",
10227 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10229 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10232 .errstr_unpriv = "allowed for root only",
10233 .result_unpriv = REJECT,
10235 .retval = POINTER_VALUE,
10238 "calls: callee using wrong args2",
10240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10242 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10245 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10246 .errstr = "R2 !read_ok",
10250 "calls: callee using two args",
10252 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10253 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10254 offsetof(struct __sk_buff, len)),
10255 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10256 offsetof(struct __sk_buff, len)),
10257 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10259 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10260 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10263 .errstr_unpriv = "allowed for root only",
10264 .result_unpriv = REJECT,
10266 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10269 "calls: callee changing pkt pointers",
10271 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10272 offsetof(struct xdp_md, data)),
10273 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10274 offsetof(struct xdp_md, data_end)),
10275 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10277 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10279 /* clear_all_pkt_pointers() has to walk all frames
10280 * to make sure that pkt pointers in the caller
10281 * are cleared when callee is calling a helper that
10282 * adjusts packet size
10284 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10285 BPF_MOV32_IMM(BPF_REG_0, 0),
10287 BPF_MOV64_IMM(BPF_REG_2, 0),
10288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10289 BPF_FUNC_xdp_adjust_head),
10293 .errstr = "R6 invalid mem access 'inv'",
10294 .prog_type = BPF_PROG_TYPE_XDP,
10297 "calls: two calls with args",
10299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10301 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10303 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10304 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10305 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10306 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10309 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10310 offsetof(struct __sk_buff, len)),
10313 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10315 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10318 "calls: calls with stack arith",
10320 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10328 BPF_MOV64_IMM(BPF_REG_0, 42),
10329 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10332 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10337 "calls: calls with misaligned stack access",
10339 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10341 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10344 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10346 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10347 BPF_MOV64_IMM(BPF_REG_0, 42),
10348 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10351 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10352 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10353 .errstr = "misaligned stack access",
10357 "calls: calls control flow, jump test",
10359 BPF_MOV64_IMM(BPF_REG_0, 42),
10360 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10361 BPF_MOV64_IMM(BPF_REG_0, 43),
10362 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10363 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10366 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10371 "calls: calls control flow, jump test 2",
10373 BPF_MOV64_IMM(BPF_REG_0, 42),
10374 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10375 BPF_MOV64_IMM(BPF_REG_0, 43),
10376 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10377 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10380 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10381 .errstr = "jump out of range from insn 1 to 4",
10385 "calls: two calls with bad jump",
10387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10389 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10391 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10394 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10395 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10397 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10398 offsetof(struct __sk_buff, len)),
10399 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10402 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10403 .errstr = "jump out of range from insn 11 to 9",
10407 "calls: recursive call. test1",
10409 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10414 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10415 .errstr = "back-edge",
10419 "calls: recursive call. test2",
10421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10426 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10427 .errstr = "back-edge",
10431 "calls: unreachable code",
10433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10437 BPF_MOV64_IMM(BPF_REG_0, 0),
10439 BPF_MOV64_IMM(BPF_REG_0, 0),
10442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10443 .errstr = "unreachable insn 6",
10447 "calls: invalid call",
10449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10454 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10455 .errstr = "invalid destination",
10459 "calls: invalid call 2",
10461 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10463 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10466 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10467 .errstr = "invalid destination",
10471 "calls: jumping across function bodies. test1",
10473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10474 BPF_MOV64_IMM(BPF_REG_0, 0),
10476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10479 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10480 .errstr = "jump out of range",
10484 "calls: jumping across function bodies. test2",
10486 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10487 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10488 BPF_MOV64_IMM(BPF_REG_0, 0),
10492 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10493 .errstr = "jump out of range",
10497 "calls: call without exit",
10499 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10501 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10503 BPF_MOV64_IMM(BPF_REG_0, 0),
10504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10506 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10507 .errstr = "not an exit",
10511 "calls: call into middle of ld_imm64",
10513 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10515 BPF_MOV64_IMM(BPF_REG_0, 0),
10517 BPF_LD_IMM64(BPF_REG_0, 0),
10520 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10521 .errstr = "last insn",
10525 "calls: call into middle of other call",
10527 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10528 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10529 BPF_MOV64_IMM(BPF_REG_0, 0),
10531 BPF_MOV64_IMM(BPF_REG_0, 0),
10532 BPF_MOV64_IMM(BPF_REG_0, 0),
10535 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10536 .errstr = "last insn",
10540 "calls: ld_abs with changing ctx data in callee",
10542 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10543 BPF_LD_ABS(BPF_B, 0),
10544 BPF_LD_ABS(BPF_H, 0),
10545 BPF_LD_ABS(BPF_W, 0),
10546 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10548 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10549 BPF_LD_ABS(BPF_B, 0),
10550 BPF_LD_ABS(BPF_H, 0),
10551 BPF_LD_ABS(BPF_W, 0),
10553 BPF_MOV64_IMM(BPF_REG_2, 1),
10554 BPF_MOV64_IMM(BPF_REG_3, 2),
10555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10556 BPF_FUNC_skb_vlan_push),
10559 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10560 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10564 "calls: two calls with bad fallthrough",
10566 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10568 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10569 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10570 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10571 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10573 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10574 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10575 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10576 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10577 offsetof(struct __sk_buff, len)),
10580 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10581 .errstr = "not an exit",
10585 "calls: two calls with stack read",
10587 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10588 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10592 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10594 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10595 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10596 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10597 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10600 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10603 .prog_type = BPF_PROG_TYPE_XDP,
10607 "calls: two calls with stack write",
10610 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10616 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10620 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10621 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10622 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10623 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10624 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10625 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10626 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10627 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10628 /* write into stack frame of main prog */
10629 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10633 /* read from stack frame of main prog */
10634 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10637 .prog_type = BPF_PROG_TYPE_XDP,
10641 "calls: stack overflow using two frames (pre-call access)",
10644 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10645 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10649 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10650 BPF_MOV64_IMM(BPF_REG_0, 0),
10653 .prog_type = BPF_PROG_TYPE_XDP,
10654 .errstr = "combined stack size",
10658 "calls: stack overflow using two frames (post-call access)",
10661 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10662 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10666 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10667 BPF_MOV64_IMM(BPF_REG_0, 0),
10670 .prog_type = BPF_PROG_TYPE_XDP,
10671 .errstr = "combined stack size",
10675 "calls: stack depth check using three frames. test1",
10678 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10679 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10680 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10681 BPF_MOV64_IMM(BPF_REG_0, 0),
10684 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10687 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10688 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10691 .prog_type = BPF_PROG_TYPE_XDP,
10692 /* stack_main=32, stack_A=256, stack_B=64
10693 * and max(main+A, main+A+B) < 512
10698 "calls: stack depth check using three frames. test2",
10701 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10702 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10703 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10704 BPF_MOV64_IMM(BPF_REG_0, 0),
10707 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10710 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10711 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10714 .prog_type = BPF_PROG_TYPE_XDP,
10715 /* stack_main=32, stack_A=64, stack_B=256
10716 * and max(main+A, main+A+B) < 512
10721 "calls: stack depth check using three frames. test3",
10724 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10725 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10727 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10728 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10729 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10730 BPF_MOV64_IMM(BPF_REG_0, 0),
10733 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10735 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10736 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10738 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10739 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10740 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10743 .prog_type = BPF_PROG_TYPE_XDP,
10744 /* stack_main=64, stack_A=224, stack_B=256
10745 * and max(main+A, main+A+B) > 512
10747 .errstr = "combined stack",
10751 "calls: stack depth check using three frames. test4",
10752 /* void main(void) {
10757 * void func1(int alloc_or_recurse) {
10758 * if (alloc_or_recurse) {
10759 * frame_pointer[-300] = 1;
10761 * func2(alloc_or_recurse);
10764 * void func2(int alloc_or_recurse) {
10765 * if (alloc_or_recurse) {
10766 * frame_pointer[-300] = 1;
10772 BPF_MOV64_IMM(BPF_REG_1, 0),
10773 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10774 BPF_MOV64_IMM(BPF_REG_1, 1),
10775 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10776 BPF_MOV64_IMM(BPF_REG_1, 1),
10777 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10778 BPF_MOV64_IMM(BPF_REG_0, 0),
10781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10782 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10784 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10788 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10791 .prog_type = BPF_PROG_TYPE_XDP,
10793 .errstr = "combined stack",
10796 "calls: stack depth check using three frames. test5",
10799 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10802 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10805 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10808 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10811 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10814 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10817 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10820 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10823 BPF_MOV64_IMM(BPF_REG_0, 0),
10826 .prog_type = BPF_PROG_TYPE_XDP,
10827 .errstr = "call stack",
10831 "calls: spill into caller stack frame",
10833 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10834 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10836 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10838 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10839 BPF_MOV64_IMM(BPF_REG_0, 0),
10842 .prog_type = BPF_PROG_TYPE_XDP,
10843 .errstr = "cannot spill",
10847 "calls: write into caller stack frame",
10849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10851 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10853 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10855 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10856 BPF_MOV64_IMM(BPF_REG_0, 0),
10859 .prog_type = BPF_PROG_TYPE_XDP,
10864 "calls: write into callee stack frame",
10866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10867 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10869 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10873 .prog_type = BPF_PROG_TYPE_XDP,
10874 .errstr = "cannot return stack pointer",
10878 "calls: two calls with stack write and void return",
10881 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10884 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10887 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10891 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10892 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10893 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10894 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10899 /* write into stack frame of main prog */
10900 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10901 BPF_EXIT_INSN(), /* void return */
10903 .prog_type = BPF_PROG_TYPE_XDP,
10907 "calls: ambiguous return value",
10909 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10911 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10913 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10914 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10916 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10917 BPF_MOV64_IMM(BPF_REG_0, 0),
10920 .errstr_unpriv = "allowed for root only",
10921 .result_unpriv = REJECT,
10922 .errstr = "R0 !read_ok",
10926 "calls: two calls that return map_value",
10929 /* pass fp-16, fp-8 into a function */
10930 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10932 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10933 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10934 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10936 /* fetch map_value_ptr from the stack of this function */
10937 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10938 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10939 /* write into map value */
10940 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10941 /* fetch secound map_value_ptr from the stack */
10942 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10943 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10944 /* write into map value */
10945 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10946 BPF_MOV64_IMM(BPF_REG_0, 0),
10950 /* call 3rd function twice */
10951 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10952 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10953 /* first time with fp-8 */
10954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10955 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10956 /* second time with fp-16 */
10957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10961 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10962 /* lookup from map */
10963 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10966 BPF_LD_MAP_FD(BPF_REG_1, 0),
10967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10968 BPF_FUNC_map_lookup_elem),
10969 /* write map_value_ptr into stack frame of main prog */
10970 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10971 BPF_MOV64_IMM(BPF_REG_0, 0),
10972 BPF_EXIT_INSN(), /* return 0 */
10974 .prog_type = BPF_PROG_TYPE_XDP,
10975 .fixup_map1 = { 23 },
10979 "calls: two calls that return map_value with bool condition",
10982 /* pass fp-16, fp-8 into a function */
10983 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10988 BPF_MOV64_IMM(BPF_REG_0, 0),
10992 /* call 3rd function twice */
10993 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10994 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10995 /* first time with fp-8 */
10996 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10997 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10998 /* fetch map_value_ptr from the stack of this function */
10999 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11000 /* write into map value */
11001 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11002 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11003 /* second time with fp-16 */
11004 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11005 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11006 /* fetch secound map_value_ptr from the stack */
11007 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11008 /* write into map value */
11009 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11013 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11014 /* lookup from map */
11015 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11018 BPF_LD_MAP_FD(BPF_REG_1, 0),
11019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11020 BPF_FUNC_map_lookup_elem),
11021 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11022 BPF_MOV64_IMM(BPF_REG_0, 0),
11023 BPF_EXIT_INSN(), /* return 0 */
11024 /* write map_value_ptr into stack frame of main prog */
11025 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11026 BPF_MOV64_IMM(BPF_REG_0, 1),
11027 BPF_EXIT_INSN(), /* return 1 */
11029 .prog_type = BPF_PROG_TYPE_XDP,
11030 .fixup_map1 = { 23 },
11034 "calls: two calls that return map_value with incorrect bool check",
11037 /* pass fp-16, fp-8 into a function */
11038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11040 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11043 BPF_MOV64_IMM(BPF_REG_0, 0),
11047 /* call 3rd function twice */
11048 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11049 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11050 /* first time with fp-8 */
11051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11052 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11053 /* fetch map_value_ptr from the stack of this function */
11054 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11055 /* write into map value */
11056 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11058 /* second time with fp-16 */
11059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11060 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11061 /* fetch secound map_value_ptr from the stack */
11062 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11063 /* write into map value */
11064 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11068 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11069 /* lookup from map */
11070 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11071 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11073 BPF_LD_MAP_FD(BPF_REG_1, 0),
11074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11075 BPF_FUNC_map_lookup_elem),
11076 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11077 BPF_MOV64_IMM(BPF_REG_0, 0),
11078 BPF_EXIT_INSN(), /* return 0 */
11079 /* write map_value_ptr into stack frame of main prog */
11080 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11081 BPF_MOV64_IMM(BPF_REG_0, 1),
11082 BPF_EXIT_INSN(), /* return 1 */
11084 .prog_type = BPF_PROG_TYPE_XDP,
11085 .fixup_map1 = { 23 },
11087 .errstr = "invalid read from stack off -16+0 size 8",
11090 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11093 /* pass fp-16, fp-8 into a function */
11094 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11096 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11099 BPF_MOV64_IMM(BPF_REG_0, 0),
11103 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11104 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11105 /* 1st lookup from map */
11106 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11109 BPF_LD_MAP_FD(BPF_REG_1, 0),
11110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11111 BPF_FUNC_map_lookup_elem),
11112 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11113 BPF_MOV64_IMM(BPF_REG_8, 0),
11114 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11115 /* write map_value_ptr into stack frame of main prog at fp-8 */
11116 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11117 BPF_MOV64_IMM(BPF_REG_8, 1),
11119 /* 2nd lookup from map */
11120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11122 BPF_LD_MAP_FD(BPF_REG_1, 0),
11123 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11124 BPF_FUNC_map_lookup_elem),
11125 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11126 BPF_MOV64_IMM(BPF_REG_9, 0),
11127 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11128 /* write map_value_ptr into stack frame of main prog at fp-16 */
11129 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11130 BPF_MOV64_IMM(BPF_REG_9, 1),
11132 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11134 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11135 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11136 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11141 /* if arg2 == 1 do *arg1 = 0 */
11142 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11143 /* fetch map_value_ptr from the stack of this function */
11144 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11145 /* write into map value */
11146 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11148 /* if arg4 == 1 do *arg3 = 0 */
11149 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11150 /* fetch map_value_ptr from the stack of this function */
11151 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11152 /* write into map value */
11153 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11156 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11157 .fixup_map1 = { 12, 22 },
11159 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11162 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11165 /* pass fp-16, fp-8 into a function */
11166 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11170 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11171 BPF_MOV64_IMM(BPF_REG_0, 0),
11175 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11176 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11177 /* 1st lookup from map */
11178 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11179 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11181 BPF_LD_MAP_FD(BPF_REG_1, 0),
11182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11183 BPF_FUNC_map_lookup_elem),
11184 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11185 BPF_MOV64_IMM(BPF_REG_8, 0),
11186 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11187 /* write map_value_ptr into stack frame of main prog at fp-8 */
11188 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11189 BPF_MOV64_IMM(BPF_REG_8, 1),
11191 /* 2nd lookup from map */
11192 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11194 BPF_LD_MAP_FD(BPF_REG_1, 0),
11195 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11196 BPF_FUNC_map_lookup_elem),
11197 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11198 BPF_MOV64_IMM(BPF_REG_9, 0),
11199 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11200 /* write map_value_ptr into stack frame of main prog at fp-16 */
11201 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11202 BPF_MOV64_IMM(BPF_REG_9, 1),
11204 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11206 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11207 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11208 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11209 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11213 /* if arg2 == 1 do *arg1 = 0 */
11214 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11215 /* fetch map_value_ptr from the stack of this function */
11216 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11217 /* write into map value */
11218 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11220 /* if arg4 == 1 do *arg3 = 0 */
11221 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11222 /* fetch map_value_ptr from the stack of this function */
11223 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11224 /* write into map value */
11225 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11228 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11229 .fixup_map1 = { 12, 22 },
11233 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11236 /* pass fp-16, fp-8 into a function */
11237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11239 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11241 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11242 BPF_MOV64_IMM(BPF_REG_0, 0),
11246 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11247 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11248 /* 1st lookup from map */
11249 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11252 BPF_LD_MAP_FD(BPF_REG_1, 0),
11253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11254 BPF_FUNC_map_lookup_elem),
11255 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11256 BPF_MOV64_IMM(BPF_REG_8, 0),
11257 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11258 /* write map_value_ptr into stack frame of main prog at fp-8 */
11259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11260 BPF_MOV64_IMM(BPF_REG_8, 1),
11262 /* 2nd lookup from map */
11263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11265 BPF_LD_MAP_FD(BPF_REG_1, 0),
11266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11267 BPF_FUNC_map_lookup_elem),
11268 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11269 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11270 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11271 /* write map_value_ptr into stack frame of main prog at fp-16 */
11272 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11273 BPF_MOV64_IMM(BPF_REG_9, 1),
11275 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11276 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11277 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11278 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11279 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11280 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11281 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11284 /* if arg2 == 1 do *arg1 = 0 */
11285 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11286 /* fetch map_value_ptr from the stack of this function */
11287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11288 /* write into map value */
11289 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11291 /* if arg4 == 1 do *arg3 = 0 */
11292 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11293 /* fetch map_value_ptr from the stack of this function */
11294 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11295 /* write into map value */
11296 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11297 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11299 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11300 .fixup_map1 = { 12, 22 },
11302 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11305 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11308 /* pass fp-16, fp-8 into a function */
11309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11314 BPF_MOV64_IMM(BPF_REG_0, 0),
11318 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11319 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11320 /* 1st lookup from map */
11321 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11324 BPF_LD_MAP_FD(BPF_REG_1, 0),
11325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11326 BPF_FUNC_map_lookup_elem),
11327 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11328 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11329 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11330 BPF_MOV64_IMM(BPF_REG_8, 0),
11331 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11332 BPF_MOV64_IMM(BPF_REG_8, 1),
11334 /* 2nd lookup from map */
11335 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11337 BPF_LD_MAP_FD(BPF_REG_1, 0),
11338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11339 BPF_FUNC_map_lookup_elem),
11340 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11341 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11342 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11343 BPF_MOV64_IMM(BPF_REG_9, 0),
11344 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11345 BPF_MOV64_IMM(BPF_REG_9, 1),
11347 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11348 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11356 /* if arg2 == 1 do *arg1 = 0 */
11357 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11358 /* fetch map_value_ptr from the stack of this function */
11359 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11360 /* write into map value */
11361 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11363 /* if arg4 == 1 do *arg3 = 0 */
11364 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11365 /* fetch map_value_ptr from the stack of this function */
11366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11367 /* write into map value */
11368 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11371 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11372 .fixup_map1 = { 12, 22 },
11376 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11379 /* pass fp-16, fp-8 into a function */
11380 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11382 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11385 BPF_MOV64_IMM(BPF_REG_0, 0),
11389 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11390 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11391 /* 1st lookup from map */
11392 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11395 BPF_LD_MAP_FD(BPF_REG_1, 0),
11396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11397 BPF_FUNC_map_lookup_elem),
11398 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11399 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11400 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11401 BPF_MOV64_IMM(BPF_REG_8, 0),
11402 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11403 BPF_MOV64_IMM(BPF_REG_8, 1),
11405 /* 2nd lookup from map */
11406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11408 BPF_LD_MAP_FD(BPF_REG_1, 0),
11409 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11410 BPF_FUNC_map_lookup_elem),
11411 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11412 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11413 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11414 BPF_MOV64_IMM(BPF_REG_9, 0),
11415 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11416 BPF_MOV64_IMM(BPF_REG_9, 1),
11418 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11421 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11422 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11427 /* if arg2 == 1 do *arg1 = 0 */
11428 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11429 /* fetch map_value_ptr from the stack of this function */
11430 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11431 /* write into map value */
11432 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11434 /* if arg4 == 0 do *arg3 = 0 */
11435 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11436 /* fetch map_value_ptr from the stack of this function */
11437 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11438 /* write into map value */
11439 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11442 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11443 .fixup_map1 = { 12, 22 },
11445 .errstr = "R0 invalid mem access 'inv'",
11448 "calls: pkt_ptr spill into caller stack",
11450 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11452 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11456 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11457 offsetof(struct __sk_buff, data)),
11458 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11459 offsetof(struct __sk_buff, data_end)),
11460 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11462 /* spill unchecked pkt_ptr into stack of caller */
11463 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11464 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11465 /* now the pkt range is verified, read pkt_ptr from stack */
11466 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11467 /* write 4 bytes into packet */
11468 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11472 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11473 .retval = POINTER_VALUE,
11476 "calls: pkt_ptr spill into caller stack 2",
11478 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11480 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11481 /* Marking is still kept, but not in all cases safe. */
11482 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11483 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11487 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11488 offsetof(struct __sk_buff, data)),
11489 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11490 offsetof(struct __sk_buff, data_end)),
11491 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11492 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11493 /* spill unchecked pkt_ptr into stack of caller */
11494 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11495 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11496 /* now the pkt range is verified, read pkt_ptr from stack */
11497 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11498 /* write 4 bytes into packet */
11499 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11502 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11503 .errstr = "invalid access to packet",
11507 "calls: pkt_ptr spill into caller stack 3",
11509 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11513 /* Marking is still kept and safe here. */
11514 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11515 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11519 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11520 offsetof(struct __sk_buff, data)),
11521 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11522 offsetof(struct __sk_buff, data_end)),
11523 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11525 /* spill unchecked pkt_ptr into stack of caller */
11526 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11527 BPF_MOV64_IMM(BPF_REG_5, 0),
11528 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11529 BPF_MOV64_IMM(BPF_REG_5, 1),
11530 /* now the pkt range is verified, read pkt_ptr from stack */
11531 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11532 /* write 4 bytes into packet */
11533 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11534 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11537 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11542 "calls: pkt_ptr spill into caller stack 4",
11544 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11548 /* Check marking propagated. */
11549 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11550 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11554 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11555 offsetof(struct __sk_buff, data)),
11556 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11557 offsetof(struct __sk_buff, data_end)),
11558 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11560 /* spill unchecked pkt_ptr into stack of caller */
11561 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11562 BPF_MOV64_IMM(BPF_REG_5, 0),
11563 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11564 BPF_MOV64_IMM(BPF_REG_5, 1),
11565 /* don't read back pkt_ptr from stack here */
11566 /* write 4 bytes into packet */
11567 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11571 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11576 "calls: pkt_ptr spill into caller stack 5",
11578 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11580 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11581 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11582 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11583 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11587 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11588 offsetof(struct __sk_buff, data)),
11589 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11590 offsetof(struct __sk_buff, data_end)),
11591 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11593 BPF_MOV64_IMM(BPF_REG_5, 0),
11594 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11595 /* spill checked pkt_ptr into stack of caller */
11596 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11597 BPF_MOV64_IMM(BPF_REG_5, 1),
11598 /* don't read back pkt_ptr from stack here */
11599 /* write 4 bytes into packet */
11600 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11601 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11604 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11605 .errstr = "same insn cannot be used with different",
11609 "calls: pkt_ptr spill into caller stack 6",
11611 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11612 offsetof(struct __sk_buff, data_end)),
11613 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11615 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11617 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11618 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11622 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11623 offsetof(struct __sk_buff, data)),
11624 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11625 offsetof(struct __sk_buff, data_end)),
11626 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11628 BPF_MOV64_IMM(BPF_REG_5, 0),
11629 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11630 /* spill checked pkt_ptr into stack of caller */
11631 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11632 BPF_MOV64_IMM(BPF_REG_5, 1),
11633 /* don't read back pkt_ptr from stack here */
11634 /* write 4 bytes into packet */
11635 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11636 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11639 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11640 .errstr = "R4 invalid mem access",
11644 "calls: pkt_ptr spill into caller stack 7",
11646 BPF_MOV64_IMM(BPF_REG_2, 0),
11647 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11649 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11651 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11652 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11656 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11657 offsetof(struct __sk_buff, data)),
11658 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11659 offsetof(struct __sk_buff, data_end)),
11660 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11662 BPF_MOV64_IMM(BPF_REG_5, 0),
11663 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11664 /* spill checked pkt_ptr into stack of caller */
11665 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11666 BPF_MOV64_IMM(BPF_REG_5, 1),
11667 /* don't read back pkt_ptr from stack here */
11668 /* write 4 bytes into packet */
11669 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11670 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11673 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11674 .errstr = "R4 invalid mem access",
11678 "calls: pkt_ptr spill into caller stack 8",
11680 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11681 offsetof(struct __sk_buff, data)),
11682 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11683 offsetof(struct __sk_buff, data_end)),
11684 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11686 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11688 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11690 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11691 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11692 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11693 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11697 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11698 offsetof(struct __sk_buff, data)),
11699 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11700 offsetof(struct __sk_buff, data_end)),
11701 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11703 BPF_MOV64_IMM(BPF_REG_5, 0),
11704 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11705 /* spill checked pkt_ptr into stack of caller */
11706 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11707 BPF_MOV64_IMM(BPF_REG_5, 1),
11708 /* don't read back pkt_ptr from stack here */
11709 /* write 4 bytes into packet */
11710 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11711 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11714 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11718 "calls: pkt_ptr spill into caller stack 9",
11720 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11721 offsetof(struct __sk_buff, data)),
11722 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11723 offsetof(struct __sk_buff, data_end)),
11724 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11726 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11728 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11730 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11732 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11733 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11738 offsetof(struct __sk_buff, data)),
11739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11740 offsetof(struct __sk_buff, data_end)),
11741 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11743 BPF_MOV64_IMM(BPF_REG_5, 0),
11744 /* spill unchecked pkt_ptr into stack of caller */
11745 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11746 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11747 BPF_MOV64_IMM(BPF_REG_5, 1),
11748 /* don't read back pkt_ptr from stack here */
11749 /* write 4 bytes into packet */
11750 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11751 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11754 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11755 .errstr = "invalid access to packet",
11759 "calls: caller stack init to zero or map_value_or_null",
11761 BPF_MOV64_IMM(BPF_REG_0, 0),
11762 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11765 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11766 /* fetch map_value_or_null or const_zero from stack */
11767 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11769 /* store into map_value */
11770 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11774 /* if (ctx == 0) return; */
11775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11776 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11777 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11780 BPF_LD_MAP_FD(BPF_REG_1, 0),
11781 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11782 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11783 BPF_FUNC_map_lookup_elem),
11784 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11785 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11788 .fixup_map1 = { 13 },
11790 .prog_type = BPF_PROG_TYPE_XDP,
11793 "calls: stack init to zero and pruning",
11795 /* first make allocated_stack 16 byte */
11796 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11797 /* now fork the execution such that the false branch
11798 * of JGT insn will be verified second and it skisp zero
11799 * init of fp-8 stack slot. If stack liveness marking
11800 * is missing live_read marks from call map_lookup
11801 * processing then pruning will incorrectly assume
11802 * that fp-8 stack slot was unused in the fall-through
11803 * branch and will accept the program incorrectly
11805 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11806 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11807 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11808 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11810 BPF_LD_MAP_FD(BPF_REG_1, 0),
11811 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11812 BPF_FUNC_map_lookup_elem),
11815 .fixup_map2 = { 6 },
11816 .errstr = "invalid indirect read from stack off -8+0 size 8",
11818 .prog_type = BPF_PROG_TYPE_XDP,
11821 "calls: two calls returning different map pointers for lookup (hash, array)",
11824 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11826 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11828 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11829 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11833 BPF_FUNC_map_lookup_elem),
11834 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11835 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11836 offsetof(struct test_val, foo)),
11837 BPF_MOV64_IMM(BPF_REG_0, 1),
11840 BPF_LD_MAP_FD(BPF_REG_0, 0),
11843 BPF_LD_MAP_FD(BPF_REG_0, 0),
11846 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11847 .fixup_map2 = { 13 },
11848 .fixup_map4 = { 16 },
11853 "calls: two calls returning different map pointers for lookup (hash, map in map)",
11856 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11858 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11860 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11861 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11862 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11863 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11864 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11865 BPF_FUNC_map_lookup_elem),
11866 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11867 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11868 offsetof(struct test_val, foo)),
11869 BPF_MOV64_IMM(BPF_REG_0, 1),
11872 BPF_LD_MAP_FD(BPF_REG_0, 0),
11875 BPF_LD_MAP_FD(BPF_REG_0, 0),
11878 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11879 .fixup_map_in_map = { 16 },
11880 .fixup_map4 = { 13 },
11882 .errstr = "R0 invalid mem access 'map_ptr'",
11885 "cond: two branches returning different map pointers for lookup (tail, tail)",
11887 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11888 offsetof(struct __sk_buff, mark)),
11889 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11890 BPF_LD_MAP_FD(BPF_REG_2, 0),
11891 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11892 BPF_LD_MAP_FD(BPF_REG_2, 0),
11893 BPF_MOV64_IMM(BPF_REG_3, 7),
11894 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11895 BPF_FUNC_tail_call),
11896 BPF_MOV64_IMM(BPF_REG_0, 1),
11899 .fixup_prog1 = { 5 },
11900 .fixup_prog2 = { 2 },
11901 .result_unpriv = REJECT,
11902 .errstr_unpriv = "tail_call abusing map_ptr",
11907 "cond: two branches returning same map pointers for lookup (tail, tail)",
11909 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11910 offsetof(struct __sk_buff, mark)),
11911 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11912 BPF_LD_MAP_FD(BPF_REG_2, 0),
11913 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11914 BPF_LD_MAP_FD(BPF_REG_2, 0),
11915 BPF_MOV64_IMM(BPF_REG_3, 7),
11916 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11917 BPF_FUNC_tail_call),
11918 BPF_MOV64_IMM(BPF_REG_0, 1),
11921 .fixup_prog2 = { 2, 5 },
11922 .result_unpriv = ACCEPT,
11927 "search pruning: all branches should be verified (nop operation)",
11929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11931 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11932 BPF_LD_MAP_FD(BPF_REG_1, 0),
11933 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11934 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11935 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11936 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11937 BPF_MOV64_IMM(BPF_REG_4, 0),
11939 BPF_MOV64_IMM(BPF_REG_4, 1),
11940 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11941 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11942 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11943 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11944 BPF_MOV64_IMM(BPF_REG_6, 0),
11945 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11948 .fixup_map1 = { 3 },
11949 .errstr = "R6 invalid mem access 'inv'",
11951 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11954 "search pruning: all branches should be verified (invalid stack access)",
11956 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11958 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11959 BPF_LD_MAP_FD(BPF_REG_1, 0),
11960 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11961 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11962 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11963 BPF_MOV64_IMM(BPF_REG_4, 0),
11964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11965 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11967 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11968 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11969 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11972 .fixup_map1 = { 3 },
11973 .errstr = "invalid read from stack off -16+0 size 8",
11975 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11978 "jit: lsh, rsh, arsh by 1",
11980 BPF_MOV64_IMM(BPF_REG_0, 1),
11981 BPF_MOV64_IMM(BPF_REG_1, 0xff),
11982 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11983 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11984 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11986 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11987 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11990 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11991 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11993 BPF_MOV64_IMM(BPF_REG_0, 2),
12000 "jit: mov32 for ldimm64, 1",
12002 BPF_MOV64_IMM(BPF_REG_0, 2),
12003 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12004 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12005 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12006 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12007 BPF_MOV64_IMM(BPF_REG_0, 1),
12014 "jit: mov32 for ldimm64, 2",
12016 BPF_MOV64_IMM(BPF_REG_0, 1),
12017 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12018 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12019 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12020 BPF_MOV64_IMM(BPF_REG_0, 2),
12027 "jit: various mul tests",
12029 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12030 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12031 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12032 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12033 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12034 BPF_MOV64_IMM(BPF_REG_0, 1),
12036 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12037 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12038 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12039 BPF_MOV64_IMM(BPF_REG_0, 1),
12041 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12042 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12043 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12044 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12045 BPF_MOV64_IMM(BPF_REG_0, 1),
12047 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12048 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12049 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12050 BPF_MOV64_IMM(BPF_REG_0, 1),
12052 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12053 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12054 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12055 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12056 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12057 BPF_MOV64_IMM(BPF_REG_0, 1),
12059 BPF_MOV64_IMM(BPF_REG_0, 2),
12066 "xadd/w check unaligned stack",
12068 BPF_MOV64_IMM(BPF_REG_0, 1),
12069 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12070 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12071 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12075 .errstr = "misaligned stack access off",
12076 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12079 "xadd/w check unaligned map",
12081 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12082 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12084 BPF_LD_MAP_FD(BPF_REG_1, 0),
12085 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12086 BPF_FUNC_map_lookup_elem),
12087 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12089 BPF_MOV64_IMM(BPF_REG_1, 1),
12090 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12094 .fixup_map1 = { 3 },
12096 .errstr = "misaligned value access off",
12097 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12100 "xadd/w check unaligned pkt",
12102 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12103 offsetof(struct xdp_md, data)),
12104 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12105 offsetof(struct xdp_md, data_end)),
12106 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12108 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12109 BPF_MOV64_IMM(BPF_REG_0, 99),
12110 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12111 BPF_MOV64_IMM(BPF_REG_0, 1),
12112 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12113 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12114 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12115 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12116 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12120 .errstr = "BPF_XADD stores into R2 packet",
12121 .prog_type = BPF_PROG_TYPE_XDP,
12124 "bpf_get_stack return R0 within range",
12126 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12130 BPF_LD_MAP_FD(BPF_REG_1, 0),
12131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12132 BPF_FUNC_map_lookup_elem),
12133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12134 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12135 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12136 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12137 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12138 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12139 BPF_MOV64_IMM(BPF_REG_4, 256),
12140 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12141 BPF_MOV64_IMM(BPF_REG_1, 0),
12142 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12143 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12144 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12145 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12146 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12147 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12148 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12149 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12150 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12151 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12152 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12153 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12154 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12155 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12156 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12157 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12158 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12159 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12160 BPF_MOV64_IMM(BPF_REG_4, 0),
12161 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12164 .fixup_map2 = { 4 },
12166 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12169 "ld_abs: invalid op 1",
12171 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12172 BPF_LD_ABS(BPF_DW, 0),
12175 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12177 .errstr = "unknown opcode",
12180 "ld_abs: invalid op 2",
12182 BPF_MOV32_IMM(BPF_REG_0, 256),
12183 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12184 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12187 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12189 .errstr = "unknown opcode",
12192 "ld_abs: nmap reduced",
12194 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12195 BPF_LD_ABS(BPF_H, 12),
12196 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12197 BPF_LD_ABS(BPF_H, 12),
12198 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12199 BPF_MOV32_IMM(BPF_REG_0, 18),
12200 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12201 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12202 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12203 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12204 BPF_MOV32_IMM(BPF_REG_0, 280971478),
12205 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12206 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12207 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12208 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12209 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12210 BPF_LD_ABS(BPF_H, 12),
12211 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12212 BPF_MOV32_IMM(BPF_REG_0, 22),
12213 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12214 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12215 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12216 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12217 BPF_MOV32_IMM(BPF_REG_0, 17366),
12218 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12219 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12220 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12221 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12222 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12223 BPF_MOV32_IMM(BPF_REG_0, 256),
12225 BPF_MOV32_IMM(BPF_REG_0, 0),
12229 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12230 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12231 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12233 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12238 "ld_abs: div + abs, test 1",
12240 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12241 BPF_LD_ABS(BPF_B, 3),
12242 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12243 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12244 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12245 BPF_LD_ABS(BPF_B, 4),
12246 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12247 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12251 10, 20, 30, 40, 50,
12253 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12258 "ld_abs: div + abs, test 2",
12260 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12261 BPF_LD_ABS(BPF_B, 3),
12262 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12263 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12264 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12265 BPF_LD_ABS(BPF_B, 128),
12266 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12267 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12271 10, 20, 30, 40, 50,
12273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12278 "ld_abs: div + abs, test 3",
12280 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12281 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12282 BPF_LD_ABS(BPF_B, 3),
12283 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12287 10, 20, 30, 40, 50,
12289 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12294 "ld_abs: div + abs, test 4",
12296 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12297 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12298 BPF_LD_ABS(BPF_B, 256),
12299 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12303 10, 20, 30, 40, 50,
12305 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12310 "ld_abs: vlan + abs, test 1",
12315 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12316 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12321 "ld_abs: vlan + abs, test 2",
12323 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12324 BPF_LD_ABS(BPF_B, 0),
12325 BPF_LD_ABS(BPF_H, 0),
12326 BPF_LD_ABS(BPF_W, 0),
12327 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12328 BPF_MOV64_IMM(BPF_REG_6, 0),
12329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12330 BPF_MOV64_IMM(BPF_REG_2, 1),
12331 BPF_MOV64_IMM(BPF_REG_3, 2),
12332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12333 BPF_FUNC_skb_vlan_push),
12334 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12335 BPF_LD_ABS(BPF_B, 0),
12336 BPF_LD_ABS(BPF_H, 0),
12337 BPF_LD_ABS(BPF_W, 0),
12338 BPF_MOV64_IMM(BPF_REG_0, 42),
12344 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12349 "ld_abs: jump around ld_abs",
12354 .fill_helper = bpf_fill_jump_around_ld_abs,
12355 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12360 "ld_dw: xor semi-random 64 bit imms, test 1",
12363 .fill_helper = bpf_fill_rand_ld_dw,
12364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12369 "ld_dw: xor semi-random 64 bit imms, test 2",
12372 .fill_helper = bpf_fill_rand_ld_dw,
12373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12378 "ld_dw: xor semi-random 64 bit imms, test 3",
12381 .fill_helper = bpf_fill_rand_ld_dw,
12382 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12387 "ld_dw: xor semi-random 64 bit imms, test 4",
12390 .fill_helper = bpf_fill_rand_ld_dw,
12391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12396 "pass unmodified ctx pointer to helper",
12398 BPF_MOV64_IMM(BPF_REG_2, 0),
12399 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12400 BPF_FUNC_csum_update),
12401 BPF_MOV64_IMM(BPF_REG_0, 0),
12404 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12408 "pass modified ctx pointer to helper, 1",
12410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12411 BPF_MOV64_IMM(BPF_REG_2, 0),
12412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12413 BPF_FUNC_csum_update),
12414 BPF_MOV64_IMM(BPF_REG_0, 0),
12417 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12419 .errstr = "dereference of modified ctx ptr",
12422 "pass modified ctx pointer to helper, 2",
12424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12425 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12426 BPF_FUNC_get_socket_cookie),
12427 BPF_MOV64_IMM(BPF_REG_0, 0),
12430 .result_unpriv = REJECT,
12432 .errstr_unpriv = "dereference of modified ctx ptr",
12433 .errstr = "dereference of modified ctx ptr",
12436 "pass modified ctx pointer to helper, 3",
12438 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12439 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12440 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12441 BPF_MOV64_IMM(BPF_REG_2, 0),
12442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12443 BPF_FUNC_csum_update),
12444 BPF_MOV64_IMM(BPF_REG_0, 0),
12447 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12449 .errstr = "variable ctx access var_off=(0x0; 0x4)",
12452 "mov64 src == dst",
12454 BPF_MOV64_IMM(BPF_REG_2, 0),
12455 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
12456 // Check bounds are OK
12457 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12458 BPF_MOV64_IMM(BPF_REG_0, 0),
12461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12465 "mov64 src != dst",
12467 BPF_MOV64_IMM(BPF_REG_3, 0),
12468 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
12469 // Check bounds are OK
12470 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12471 BPF_MOV64_IMM(BPF_REG_0, 0),
12474 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12479 static int probe_filter_length(const struct bpf_insn *fp)
12483 for (len = MAX_INSNS - 1; len > 0; --len)
12484 if (fp[len].code != 0 || fp[len].imm != 0)
12489 static int create_map(uint32_t type, uint32_t size_key,
12490 uint32_t size_value, uint32_t max_elem)
12494 fd = bpf_create_map(type, size_key, size_value, max_elem,
12495 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12497 printf("Failed to create hash map '%s'!\n", strerror(errno));
12502 static int create_prog_dummy1(void)
12504 struct bpf_insn prog[] = {
12505 BPF_MOV64_IMM(BPF_REG_0, 42),
12509 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12510 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12513 static int create_prog_dummy2(int mfd, int idx)
12515 struct bpf_insn prog[] = {
12516 BPF_MOV64_IMM(BPF_REG_3, idx),
12517 BPF_LD_MAP_FD(BPF_REG_2, mfd),
12518 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12519 BPF_FUNC_tail_call),
12520 BPF_MOV64_IMM(BPF_REG_0, 41),
12524 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12525 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12528 static int create_prog_array(uint32_t max_elem, int p1key)
12531 int mfd, p1fd, p2fd;
12533 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12534 sizeof(int), max_elem, 0);
12536 printf("Failed to create prog array '%s'!\n", strerror(errno));
12540 p1fd = create_prog_dummy1();
12541 p2fd = create_prog_dummy2(mfd, p2key);
12542 if (p1fd < 0 || p2fd < 0)
12544 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12546 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12559 static int create_map_in_map(void)
12561 int inner_map_fd, outer_map_fd;
12563 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12564 sizeof(int), 1, 0);
12565 if (inner_map_fd < 0) {
12566 printf("Failed to create array '%s'!\n", strerror(errno));
12567 return inner_map_fd;
12570 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12571 sizeof(int), inner_map_fd, 1, 0);
12572 if (outer_map_fd < 0)
12573 printf("Failed to create array of maps '%s'!\n",
12576 close(inner_map_fd);
12578 return outer_map_fd;
12581 static int create_cgroup_storage(void)
12585 fd = bpf_create_map(BPF_MAP_TYPE_CGROUP_STORAGE,
12586 sizeof(struct bpf_cgroup_storage_key),
12587 TEST_DATA_LEN, 0, 0);
12589 printf("Failed to create array '%s'!\n", strerror(errno));
12594 static char bpf_vlog[UINT_MAX >> 8];
12596 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12599 int *fixup_map1 = test->fixup_map1;
12600 int *fixup_map2 = test->fixup_map2;
12601 int *fixup_map3 = test->fixup_map3;
12602 int *fixup_map4 = test->fixup_map4;
12603 int *fixup_prog1 = test->fixup_prog1;
12604 int *fixup_prog2 = test->fixup_prog2;
12605 int *fixup_map_in_map = test->fixup_map_in_map;
12606 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
12608 if (test->fill_helper)
12609 test->fill_helper(test);
12611 /* Allocating HTs with 1 elem is fine here, since we only test
12612 * for verifier and not do a runtime lookup, so the only thing
12613 * that really matters is value size in this case.
12616 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12617 sizeof(long long), 1);
12619 prog[*fixup_map1].imm = map_fds[0];
12621 } while (*fixup_map1);
12625 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12626 sizeof(struct test_val), 1);
12628 prog[*fixup_map2].imm = map_fds[1];
12630 } while (*fixup_map2);
12634 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12635 sizeof(struct other_val), 1);
12637 prog[*fixup_map3].imm = map_fds[2];
12639 } while (*fixup_map3);
12643 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12644 sizeof(struct test_val), 1);
12646 prog[*fixup_map4].imm = map_fds[3];
12648 } while (*fixup_map4);
12651 if (*fixup_prog1) {
12652 map_fds[4] = create_prog_array(4, 0);
12654 prog[*fixup_prog1].imm = map_fds[4];
12656 } while (*fixup_prog1);
12659 if (*fixup_prog2) {
12660 map_fds[5] = create_prog_array(8, 7);
12662 prog[*fixup_prog2].imm = map_fds[5];
12664 } while (*fixup_prog2);
12667 if (*fixup_map_in_map) {
12668 map_fds[6] = create_map_in_map();
12670 prog[*fixup_map_in_map].imm = map_fds[6];
12671 fixup_map_in_map++;
12672 } while (*fixup_map_in_map);
12675 if (*fixup_cgroup_storage) {
12676 map_fds[7] = create_cgroup_storage();
12678 prog[*fixup_cgroup_storage].imm = map_fds[7];
12679 fixup_cgroup_storage++;
12680 } while (*fixup_cgroup_storage);
12684 static void do_test_single(struct bpf_test *test, bool unpriv,
12685 int *passes, int *errors)
12687 int fd_prog, expected_ret, reject_from_alignment;
12688 int prog_len, prog_type = test->prog_type;
12689 struct bpf_insn *prog = test->insns;
12690 int map_fds[MAX_NR_MAPS];
12691 const char *expected_err;
12695 for (i = 0; i < MAX_NR_MAPS; i++)
12698 do_test_fixup(test, prog, map_fds);
12699 prog_len = probe_filter_length(prog);
12701 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12702 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12703 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12705 expected_ret = unpriv && test->result_unpriv != UNDEF ?
12706 test->result_unpriv : test->result;
12707 expected_err = unpriv && test->errstr_unpriv ?
12708 test->errstr_unpriv : test->errstr;
12710 reject_from_alignment = fd_prog < 0 &&
12711 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12712 strstr(bpf_vlog, "Unknown alignment.");
12713 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12714 if (reject_from_alignment) {
12715 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12720 if (expected_ret == ACCEPT) {
12721 if (fd_prog < 0 && !reject_from_alignment) {
12722 printf("FAIL\nFailed to load prog '%s'!\n",
12727 if (fd_prog >= 0) {
12728 printf("FAIL\nUnexpected success to load!\n");
12731 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12732 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12733 expected_err, bpf_vlog);
12738 if (fd_prog >= 0) {
12739 __u8 tmp[TEST_DATA_LEN << 2];
12740 __u32 size_tmp = sizeof(tmp);
12742 err = bpf_prog_test_run(fd_prog, 1, test->data,
12743 sizeof(test->data), tmp, &size_tmp,
12745 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12746 printf("Unexpected bpf_prog_test_run error\n");
12749 if (!err && retval != test->retval &&
12750 test->retval != POINTER_VALUE) {
12751 printf("FAIL retval %d != %d\n", retval, test->retval);
12756 printf("OK%s\n", reject_from_alignment ?
12757 " (NOTE: reject due to unknown alignment)" : "");
12760 for (i = 0; i < MAX_NR_MAPS; i++)
12766 printf("%s", bpf_vlog);
12770 static bool is_admin(void)
12773 cap_flag_value_t sysadmin = CAP_CLEAR;
12774 const cap_value_t cap_val = CAP_SYS_ADMIN;
12776 #ifdef CAP_IS_SUPPORTED
12777 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12778 perror("cap_get_flag");
12782 caps = cap_get_proc();
12784 perror("cap_get_proc");
12787 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12788 perror("cap_get_flag");
12789 if (cap_free(caps))
12790 perror("cap_free");
12791 return (sysadmin == CAP_SET);
12794 static int set_admin(bool admin)
12797 const cap_value_t cap_val = CAP_SYS_ADMIN;
12800 caps = cap_get_proc();
12802 perror("cap_get_proc");
12805 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12806 admin ? CAP_SET : CAP_CLEAR)) {
12807 perror("cap_set_flag");
12810 if (cap_set_proc(caps)) {
12811 perror("cap_set_proc");
12816 if (cap_free(caps))
12817 perror("cap_free");
12821 static void get_unpriv_disabled()
12826 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12828 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12829 unpriv_disabled = true;
12832 if (fgets(buf, 2, fd) == buf && atoi(buf))
12833 unpriv_disabled = true;
12837 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12839 int i, passes = 0, errors = 0, skips = 0;
12841 for (i = from; i < to; i++) {
12842 struct bpf_test *test = &tests[i];
12844 /* Program types that are not supported by non-root we
12847 if (!test->prog_type && unpriv_disabled) {
12848 printf("#%d/u %s SKIP\n", i, test->descr);
12850 } else if (!test->prog_type) {
12853 printf("#%d/u %s ", i, test->descr);
12854 do_test_single(test, true, &passes, &errors);
12860 printf("#%d/p %s SKIP\n", i, test->descr);
12863 printf("#%d/p %s ", i, test->descr);
12864 do_test_single(test, false, &passes, &errors);
12868 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12870 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12873 int main(int argc, char **argv)
12875 unsigned int from = 0, to = ARRAY_SIZE(tests);
12876 bool unpriv = !is_admin();
12879 unsigned int l = atoi(argv[argc - 2]);
12880 unsigned int u = atoi(argv[argc - 1]);
12882 if (l < to && u < to) {
12886 } else if (argc == 2) {
12887 unsigned int t = atoi(argv[argc - 1]);
12895 get_unpriv_disabled();
12896 if (unpriv && unpriv_disabled) {
12897 printf("Cannot run as unprivileged user with sysctl %s.\n",
12899 return EXIT_FAILURE;
12902 bpf_semi_rand_init();
12903 return do_test(unpriv, from, to);
projects / linux.git / blob