2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
45 #include "../../../include/linux/filter.h"
48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
51 #define MAX_INSNS BPF_MAXINSNS
54 #define POINTER_VALUE 0xcafe4all
55 #define TEST_DATA_LEN 64
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
65 struct bpf_insn insns[MAX_INSNS];
66 int fixup_map1[MAX_FIXUPS];
67 int fixup_map2[MAX_FIXUPS];
68 int fixup_map3[MAX_FIXUPS];
69 int fixup_prog[MAX_FIXUPS];
70 int fixup_map_in_map[MAX_FIXUPS];
72 const char *errstr_unpriv;
78 } result, result_unpriv;
79 enum bpf_prog_type prog_type;
81 __u8 data[TEST_DATA_LEN];
82 void (*fill_helper)(struct bpf_test *self);
85 /* Note we want this to be 64 bit aligned so that the end of our array is
86 * actually the end of the structure.
88 #define MAX_ENTRIES 11
100 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
102 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
104 unsigned int len = BPF_MAXINSNS;
105 struct bpf_insn *insn = self->insns;
108 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
110 for (j = 0; j < PUSH_CNT; j++) {
111 insn[i++] = BPF_LD_ABS(BPF_B, 0);
112 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
114 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
115 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
116 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
117 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
118 BPF_FUNC_skb_vlan_push),
119 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
123 for (j = 0; j < PUSH_CNT; j++) {
124 insn[i++] = BPF_LD_ABS(BPF_B, 0);
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
127 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
128 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
129 BPF_FUNC_skb_vlan_pop),
130 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
136 for (; i < len - 1; i++)
137 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
138 insn[len - 1] = BPF_EXIT_INSN();
141 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
143 struct bpf_insn *insn = self->insns;
144 unsigned int len = BPF_MAXINSNS;
147 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
148 insn[i++] = BPF_LD_ABS(BPF_B, 0);
149 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
152 insn[i++] = BPF_LD_ABS(BPF_B, 1);
153 insn[i] = BPF_EXIT_INSN();
156 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
158 struct bpf_insn *insn = self->insns;
162 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
163 while (i < self->retval) {
164 uint64_t val = bpf_semi_rand_get();
165 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
170 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
172 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
173 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
174 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175 insn[i] = BPF_EXIT_INSN();
177 self->retval = (uint32_t)res;
180 static struct bpf_test tests[] = {
184 BPF_MOV64_IMM(BPF_REG_1, 1),
185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
186 BPF_MOV64_IMM(BPF_REG_2, 3),
187 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
189 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
190 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
197 "DIV32 by 0, zero check 1",
199 BPF_MOV32_IMM(BPF_REG_0, 42),
200 BPF_MOV32_IMM(BPF_REG_1, 0),
201 BPF_MOV32_IMM(BPF_REG_2, 1),
202 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
209 "DIV32 by 0, zero check 2",
211 BPF_MOV32_IMM(BPF_REG_0, 42),
212 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
213 BPF_MOV32_IMM(BPF_REG_2, 1),
214 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
221 "DIV64 by 0, zero check",
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
233 "MOD32 by 0, zero check 1",
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_MOV32_IMM(BPF_REG_1, 0),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
245 "MOD32 by 0, zero check 2",
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
257 "MOD64 by 0, zero check",
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
269 "DIV32 by 0, zero check ok, cls",
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_MOV32_IMM(BPF_REG_1, 2),
273 BPF_MOV32_IMM(BPF_REG_2, 16),
274 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
275 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
278 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
283 "DIV32 by 0, zero check 1, cls",
285 BPF_MOV32_IMM(BPF_REG_1, 0),
286 BPF_MOV32_IMM(BPF_REG_0, 1),
287 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
295 "DIV32 by 0, zero check 2, cls",
297 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
298 BPF_MOV32_IMM(BPF_REG_0, 1),
299 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
307 "DIV64 by 0, zero check, cls",
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "MOD32 by 0, zero check ok, cls",
321 BPF_MOV32_IMM(BPF_REG_0, 42),
322 BPF_MOV32_IMM(BPF_REG_1, 3),
323 BPF_MOV32_IMM(BPF_REG_2, 5),
324 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
325 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
328 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
333 "MOD32 by 0, zero check 1, cls",
335 BPF_MOV32_IMM(BPF_REG_1, 0),
336 BPF_MOV32_IMM(BPF_REG_0, 1),
337 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
345 "MOD32 by 0, zero check 2, cls",
347 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
348 BPF_MOV32_IMM(BPF_REG_0, 1),
349 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357 "MOD64 by 0, zero check 1, cls",
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 2),
361 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
369 "MOD64 by 0, zero check 2, cls",
371 BPF_MOV32_IMM(BPF_REG_1, 0),
372 BPF_MOV32_IMM(BPF_REG_0, -1),
373 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
380 /* Just make sure that JITs used udiv/umod as otherwise we get
381 * an exception from INT_MIN/-1 overflow similarly as with div
385 "DIV32 overflow, check 1",
387 BPF_MOV32_IMM(BPF_REG_1, -1),
388 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
389 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
397 "DIV32 overflow, check 2",
399 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
400 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
403 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
408 "DIV64 overflow, check 1",
410 BPF_MOV64_IMM(BPF_REG_1, -1),
411 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
412 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
415 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
420 "DIV64 overflow, check 2",
422 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
423 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
431 "MOD32 overflow, check 1",
433 BPF_MOV32_IMM(BPF_REG_1, -1),
434 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
435 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
443 "MOD32 overflow, check 2",
445 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
446 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
454 "MOD64 overflow, check 1",
456 BPF_MOV64_IMM(BPF_REG_1, -1),
457 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
458 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
459 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
460 BPF_MOV32_IMM(BPF_REG_0, 0),
461 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
462 BPF_MOV32_IMM(BPF_REG_0, 1),
465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
470 "MOD64 overflow, check 2",
472 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
473 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
474 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
475 BPF_MOV32_IMM(BPF_REG_0, 0),
476 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
477 BPF_MOV32_IMM(BPF_REG_0, 1),
480 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
485 "xor32 zero extend check",
487 BPF_MOV32_IMM(BPF_REG_2, -1),
488 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
489 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
490 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
491 BPF_MOV32_IMM(BPF_REG_0, 2),
492 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
493 BPF_MOV32_IMM(BPF_REG_0, 1),
496 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
504 .errstr = "unknown opcode 00",
512 .errstr = "R0 !read_ok",
521 .errstr = "unreachable",
527 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
528 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
531 .errstr = "unreachable",
537 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
540 .errstr = "jump out of range",
544 "out of range jump2",
546 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
549 .errstr = "jump out of range",
555 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
556 BPF_LD_IMM64(BPF_REG_0, 0),
557 BPF_LD_IMM64(BPF_REG_0, 0),
558 BPF_LD_IMM64(BPF_REG_0, 1),
559 BPF_LD_IMM64(BPF_REG_0, 1),
560 BPF_MOV64_IMM(BPF_REG_0, 2),
563 .errstr = "invalid BPF_LD_IMM insn",
564 .errstr_unpriv = "R1 pointer comparison",
570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
571 BPF_LD_IMM64(BPF_REG_0, 0),
572 BPF_LD_IMM64(BPF_REG_0, 0),
573 BPF_LD_IMM64(BPF_REG_0, 1),
574 BPF_LD_IMM64(BPF_REG_0, 1),
577 .errstr = "invalid BPF_LD_IMM insn",
578 .errstr_unpriv = "R1 pointer comparison",
584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
585 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
586 BPF_LD_IMM64(BPF_REG_0, 0),
587 BPF_LD_IMM64(BPF_REG_0, 0),
588 BPF_LD_IMM64(BPF_REG_0, 1),
589 BPF_LD_IMM64(BPF_REG_0, 1),
592 .errstr = "invalid bpf_ld_imm64 insn",
598 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
601 .errstr = "invalid bpf_ld_imm64 insn",
607 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
609 .errstr = "invalid bpf_ld_imm64 insn",
615 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
616 BPF_RAW_INSN(0, 0, 0, 0, 0),
624 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
625 BPF_RAW_INSN(0, 0, 0, 0, 1),
634 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
635 BPF_RAW_INSN(0, 0, 0, 0, 1),
638 .errstr = "uses reserved fields",
644 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
645 BPF_RAW_INSN(0, 0, 0, 1, 1),
648 .errstr = "invalid bpf_ld_imm64 insn",
654 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
655 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
658 .errstr = "invalid bpf_ld_imm64 insn",
664 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
665 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
668 .errstr = "invalid bpf_ld_imm64 insn",
674 BPF_MOV64_IMM(BPF_REG_1, 0),
675 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
676 BPF_RAW_INSN(0, 0, 0, 0, 1),
679 .errstr = "not pointing to valid bpf_map",
685 BPF_MOV64_IMM(BPF_REG_1, 0),
686 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
687 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690 .errstr = "invalid bpf_ld_imm64 insn",
696 BPF_MOV64_IMM(BPF_REG_0, 1),
697 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
701 .errstr = "unknown opcode c4",
706 BPF_MOV64_IMM(BPF_REG_0, 1),
707 BPF_MOV64_IMM(BPF_REG_1, 5),
708 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
712 .errstr = "unknown opcode cc",
717 BPF_MOV64_IMM(BPF_REG_0, 1),
718 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
726 BPF_MOV64_IMM(BPF_REG_0, 1),
727 BPF_MOV64_IMM(BPF_REG_1, 5),
728 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
736 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
738 .errstr = "not an exit",
744 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
747 .errstr = "back-edge",
753 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
755 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
756 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
759 .errstr = "back-edge",
765 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
767 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
771 .errstr = "back-edge",
775 "read uninitialized register",
777 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
780 .errstr = "R2 !read_ok",
784 "read invalid register",
786 BPF_MOV64_REG(BPF_REG_0, -1),
789 .errstr = "R15 is invalid",
793 "program doesn't init R0 before exit",
795 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
798 .errstr = "R0 !read_ok",
802 "program doesn't init R0 before exit in all branches",
804 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
805 BPF_MOV64_IMM(BPF_REG_0, 1),
806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
809 .errstr = "R0 !read_ok",
810 .errstr_unpriv = "R1 pointer comparison",
814 "stack out of bounds",
816 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
819 .errstr = "invalid stack",
823 "invalid call insn1",
825 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
828 .errstr = "unknown opcode 8d",
832 "invalid call insn2",
834 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
837 .errstr = "BPF_CALL uses reserved",
841 "invalid function call",
843 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
846 .errstr = "invalid func unknown#1234567",
850 "uninitialized stack1",
852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
854 BPF_LD_MAP_FD(BPF_REG_1, 0),
855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
856 BPF_FUNC_map_lookup_elem),
860 .errstr = "invalid indirect read from stack",
864 "uninitialized stack2",
866 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
867 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
870 .errstr = "invalid read from stack",
874 "invalid fp arithmetic",
875 /* If this gets ever changed, make sure JITs can deal with it. */
877 BPF_MOV64_IMM(BPF_REG_0, 0),
878 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
879 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
880 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
883 .errstr = "R1 subtraction from stack pointer",
887 "non-invalid fp arithmetic",
889 BPF_MOV64_IMM(BPF_REG_0, 0),
890 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
896 "invalid argument register",
898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
899 BPF_FUNC_get_cgroup_classid),
900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 BPF_FUNC_get_cgroup_classid),
904 .errstr = "R1 !read_ok",
906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
909 "non-invalid argument register",
911 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
913 BPF_FUNC_get_cgroup_classid),
914 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916 BPF_FUNC_get_cgroup_classid),
920 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
923 "check valid spill/fill",
925 /* spill R1(ctx) into stack */
926 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
927 /* fill it back into R2 */
928 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
929 /* should be able to access R0 = *(R2 + 8) */
930 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
931 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
934 .errstr_unpriv = "R0 leaks addr",
936 .result_unpriv = REJECT,
937 .retval = POINTER_VALUE,
940 "check valid spill/fill, skb mark",
942 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
943 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
944 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
945 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
946 offsetof(struct __sk_buff, mark)),
950 .result_unpriv = ACCEPT,
953 "check corrupted spill/fill",
955 /* spill R1(ctx) into stack */
956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
957 /* mess up with R1 pointer on stack */
958 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
959 /* fill back into R0 should fail */
960 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
963 .errstr_unpriv = "attempt to corrupt spilled",
964 .errstr = "corrupted spill",
968 "invalid src register in STX",
970 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
973 .errstr = "R15 is invalid",
977 "invalid dst register in STX",
979 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
982 .errstr = "R14 is invalid",
986 "invalid dst register in ST",
988 BPF_ST_MEM(BPF_B, 14, -1, -1),
991 .errstr = "R14 is invalid",
995 "invalid src register in LDX",
997 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1000 .errstr = "R12 is invalid",
1004 "invalid dst register in LDX",
1006 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1009 .errstr = "R11 is invalid",
1015 BPF_RAW_INSN(0, 0, 0, 0, 0),
1018 .errstr = "unknown opcode 00",
1024 BPF_RAW_INSN(1, 0, 0, 0, 0),
1027 .errstr = "BPF_LDX uses reserved fields",
1033 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1036 .errstr = "unknown opcode ff",
1042 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1045 .errstr = "unknown opcode ff",
1051 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1054 .errstr = "BPF_ALU uses reserved fields",
1058 "misaligned read from stack",
1060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1064 .errstr = "misaligned stack access",
1068 "invalid map_fd for function call",
1070 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1071 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1073 BPF_LD_MAP_FD(BPF_REG_1, 0),
1074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1075 BPF_FUNC_map_delete_elem),
1078 .errstr = "fd 0 is not pointing to valid bpf_map",
1082 "don't check return value before access",
1084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1089 BPF_FUNC_map_lookup_elem),
1090 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1093 .fixup_map1 = { 3 },
1094 .errstr = "R0 invalid mem access 'map_value_or_null'",
1098 "access memory with incorrect alignment",
1100 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1103 BPF_LD_MAP_FD(BPF_REG_1, 0),
1104 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1105 BPF_FUNC_map_lookup_elem),
1106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1107 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1110 .fixup_map1 = { 3 },
1111 .errstr = "misaligned value access",
1113 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1116 "sometimes access memory with incorrect alignment",
1118 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1119 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1121 BPF_LD_MAP_FD(BPF_REG_1, 0),
1122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1123 BPF_FUNC_map_lookup_elem),
1124 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1130 .fixup_map1 = { 3 },
1131 .errstr = "R0 invalid mem access",
1132 .errstr_unpriv = "R0 leaks addr",
1134 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1140 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1142 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1144 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1146 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1148 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1150 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1152 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1153 BPF_MOV64_IMM(BPF_REG_0, 0),
1156 .errstr_unpriv = "R1 pointer comparison",
1157 .result_unpriv = REJECT,
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1165 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1166 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1169 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1171 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1172 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1175 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1177 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1178 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1180 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1181 BPF_MOV64_IMM(BPF_REG_0, 0),
1184 .errstr_unpriv = "R1 pointer comparison",
1185 .result_unpriv = REJECT,
1191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1193 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1195 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1197 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1203 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1204 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1205 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1207 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1209 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1211 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1212 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1213 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1215 BPF_LD_MAP_FD(BPF_REG_1, 0),
1216 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1217 BPF_FUNC_map_delete_elem),
1220 .fixup_map1 = { 24 },
1221 .errstr_unpriv = "R1 pointer comparison",
1222 .result_unpriv = REJECT,
1229 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 BPF_MOV64_IMM(BPF_REG_0, 0),
1272 .errstr_unpriv = "R1 pointer comparison",
1273 .result_unpriv = REJECT,
1279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1280 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1281 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1282 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1283 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1284 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1285 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1286 BPF_MOV64_IMM(BPF_REG_0, 0),
1287 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1288 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1289 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1290 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1291 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1292 BPF_MOV64_IMM(BPF_REG_0, 0),
1293 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1295 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1296 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1297 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1298 BPF_MOV64_IMM(BPF_REG_0, 0),
1299 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1300 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1301 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1302 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1303 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1304 BPF_MOV64_IMM(BPF_REG_0, 0),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1313 .errstr_unpriv = "R1 pointer comparison",
1314 .result_unpriv = REJECT,
1318 "access skb fields ok",
1320 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1321 offsetof(struct __sk_buff, len)),
1322 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, mark)),
1325 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 offsetof(struct __sk_buff, pkt_type)),
1328 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, queue_mapping)),
1331 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1332 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333 offsetof(struct __sk_buff, protocol)),
1334 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, vlan_present)),
1337 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339 offsetof(struct __sk_buff, vlan_tci)),
1340 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342 offsetof(struct __sk_buff, napi_id)),
1343 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1349 "access skb fields bad1",
1351 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1354 .errstr = "invalid bpf_context access",
1358 "access skb fields bad2",
1360 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1361 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364 BPF_LD_MAP_FD(BPF_REG_1, 0),
1365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366 BPF_FUNC_map_lookup_elem),
1367 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, pkt_type)),
1374 .fixup_map1 = { 4 },
1375 .errstr = "different pointers",
1376 .errstr_unpriv = "R1 pointer comparison",
1380 "access skb fields bad3",
1382 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1383 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384 offsetof(struct __sk_buff, pkt_type)),
1386 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1389 BPF_LD_MAP_FD(BPF_REG_1, 0),
1390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1391 BPF_FUNC_map_lookup_elem),
1392 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1394 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1395 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1397 .fixup_map1 = { 6 },
1398 .errstr = "different pointers",
1399 .errstr_unpriv = "R1 pointer comparison",
1403 "access skb fields bad4",
1405 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1406 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1407 offsetof(struct __sk_buff, len)),
1408 BPF_MOV64_IMM(BPF_REG_0, 0),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1421 .fixup_map1 = { 7 },
1422 .errstr = "different pointers",
1423 .errstr_unpriv = "R1 pointer comparison",
1427 "invalid access __sk_buff family",
1429 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1430 offsetof(struct __sk_buff, family)),
1433 .errstr = "invalid bpf_context access",
1437 "invalid access __sk_buff remote_ip4",
1439 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1440 offsetof(struct __sk_buff, remote_ip4)),
1443 .errstr = "invalid bpf_context access",
1447 "invalid access __sk_buff local_ip4",
1449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1450 offsetof(struct __sk_buff, local_ip4)),
1453 .errstr = "invalid bpf_context access",
1457 "invalid access __sk_buff remote_ip6",
1459 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1460 offsetof(struct __sk_buff, remote_ip6)),
1463 .errstr = "invalid bpf_context access",
1467 "invalid access __sk_buff local_ip6",
1469 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1470 offsetof(struct __sk_buff, local_ip6)),
1473 .errstr = "invalid bpf_context access",
1477 "invalid access __sk_buff remote_port",
1479 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1480 offsetof(struct __sk_buff, remote_port)),
1483 .errstr = "invalid bpf_context access",
1487 "invalid access __sk_buff remote_port",
1489 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490 offsetof(struct __sk_buff, local_port)),
1493 .errstr = "invalid bpf_context access",
1497 "valid access __sk_buff family",
1499 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1500 offsetof(struct __sk_buff, family)),
1504 .prog_type = BPF_PROG_TYPE_SK_SKB,
1507 "valid access __sk_buff remote_ip4",
1509 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1510 offsetof(struct __sk_buff, remote_ip4)),
1514 .prog_type = BPF_PROG_TYPE_SK_SKB,
1517 "valid access __sk_buff local_ip4",
1519 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1520 offsetof(struct __sk_buff, local_ip4)),
1524 .prog_type = BPF_PROG_TYPE_SK_SKB,
1527 "valid access __sk_buff remote_ip6",
1529 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1530 offsetof(struct __sk_buff, remote_ip6[0])),
1531 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 offsetof(struct __sk_buff, remote_ip6[1])),
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip6[2])),
1535 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 offsetof(struct __sk_buff, remote_ip6[3])),
1540 .prog_type = BPF_PROG_TYPE_SK_SKB,
1543 "valid access __sk_buff local_ip6",
1545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1546 offsetof(struct __sk_buff, local_ip6[0])),
1547 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 offsetof(struct __sk_buff, local_ip6[1])),
1549 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 offsetof(struct __sk_buff, local_ip6[2])),
1551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 offsetof(struct __sk_buff, local_ip6[3])),
1556 .prog_type = BPF_PROG_TYPE_SK_SKB,
1559 "valid access __sk_buff remote_port",
1561 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1562 offsetof(struct __sk_buff, remote_port)),
1566 .prog_type = BPF_PROG_TYPE_SK_SKB,
1569 "valid access __sk_buff remote_port",
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_port)),
1576 .prog_type = BPF_PROG_TYPE_SK_SKB,
1579 "invalid access of tc_classid for SK_SKB",
1581 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1582 offsetof(struct __sk_buff, tc_classid)),
1586 .prog_type = BPF_PROG_TYPE_SK_SKB,
1587 .errstr = "invalid bpf_context access",
1590 "invalid access of skb->mark for SK_SKB",
1592 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593 offsetof(struct __sk_buff, mark)),
1597 .prog_type = BPF_PROG_TYPE_SK_SKB,
1598 .errstr = "invalid bpf_context access",
1601 "check skb->mark is not writeable by SK_SKB",
1603 BPF_MOV64_IMM(BPF_REG_0, 0),
1604 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605 offsetof(struct __sk_buff, mark)),
1609 .prog_type = BPF_PROG_TYPE_SK_SKB,
1610 .errstr = "invalid bpf_context access",
1613 "check skb->tc_index is writeable by SK_SKB",
1615 BPF_MOV64_IMM(BPF_REG_0, 0),
1616 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1617 offsetof(struct __sk_buff, tc_index)),
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1624 "check skb->priority is writeable by SK_SKB",
1626 BPF_MOV64_IMM(BPF_REG_0, 0),
1627 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1628 offsetof(struct __sk_buff, priority)),
1632 .prog_type = BPF_PROG_TYPE_SK_SKB,
1635 "direct packet read for SK_SKB",
1637 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1638 offsetof(struct __sk_buff, data)),
1639 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1640 offsetof(struct __sk_buff, data_end)),
1641 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1643 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1644 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1645 BPF_MOV64_IMM(BPF_REG_0, 0),
1649 .prog_type = BPF_PROG_TYPE_SK_SKB,
1652 "direct packet write for SK_SKB",
1654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1655 offsetof(struct __sk_buff, data)),
1656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1657 offsetof(struct __sk_buff, data_end)),
1658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1661 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1662 BPF_MOV64_IMM(BPF_REG_0, 0),
1666 .prog_type = BPF_PROG_TYPE_SK_SKB,
1669 "overlapping checks for direct packet access SK_SKB",
1671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1672 offsetof(struct __sk_buff, data)),
1673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1674 offsetof(struct __sk_buff, data_end)),
1675 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1677 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1680 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1681 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1682 BPF_MOV64_IMM(BPF_REG_0, 0),
1686 .prog_type = BPF_PROG_TYPE_SK_SKB,
1689 "direct packet read for SK_MSG",
1691 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1692 offsetof(struct sk_msg_md, data)),
1693 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1694 offsetof(struct sk_msg_md, data_end)),
1695 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1697 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1698 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1699 BPF_MOV64_IMM(BPF_REG_0, 0),
1703 .prog_type = BPF_PROG_TYPE_SK_MSG,
1706 "direct packet write for SK_MSG",
1708 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1709 offsetof(struct sk_msg_md, data)),
1710 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1711 offsetof(struct sk_msg_md, data_end)),
1712 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1714 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1715 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1716 BPF_MOV64_IMM(BPF_REG_0, 0),
1720 .prog_type = BPF_PROG_TYPE_SK_MSG,
1723 "overlapping checks for direct packet access SK_MSG",
1725 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1726 offsetof(struct sk_msg_md, data)),
1727 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1728 offsetof(struct sk_msg_md, data_end)),
1729 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1731 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1732 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1734 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1735 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1736 BPF_MOV64_IMM(BPF_REG_0, 0),
1740 .prog_type = BPF_PROG_TYPE_SK_MSG,
1743 "check skb->mark is not writeable by sockets",
1745 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1746 offsetof(struct __sk_buff, mark)),
1749 .errstr = "invalid bpf_context access",
1750 .errstr_unpriv = "R1 leaks addr",
1754 "check skb->tc_index is not writeable by sockets",
1756 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1757 offsetof(struct __sk_buff, tc_index)),
1760 .errstr = "invalid bpf_context access",
1761 .errstr_unpriv = "R1 leaks addr",
1765 "check cb access: byte",
1767 BPF_MOV64_IMM(BPF_REG_0, 0),
1768 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1769 offsetof(struct __sk_buff, cb[0])),
1770 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1771 offsetof(struct __sk_buff, cb[0]) + 1),
1772 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1773 offsetof(struct __sk_buff, cb[0]) + 2),
1774 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1775 offsetof(struct __sk_buff, cb[0]) + 3),
1776 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1777 offsetof(struct __sk_buff, cb[1])),
1778 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1779 offsetof(struct __sk_buff, cb[1]) + 1),
1780 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1781 offsetof(struct __sk_buff, cb[1]) + 2),
1782 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1783 offsetof(struct __sk_buff, cb[1]) + 3),
1784 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1785 offsetof(struct __sk_buff, cb[2])),
1786 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1787 offsetof(struct __sk_buff, cb[2]) + 1),
1788 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1789 offsetof(struct __sk_buff, cb[2]) + 2),
1790 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1791 offsetof(struct __sk_buff, cb[2]) + 3),
1792 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1793 offsetof(struct __sk_buff, cb[3])),
1794 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1795 offsetof(struct __sk_buff, cb[3]) + 1),
1796 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1797 offsetof(struct __sk_buff, cb[3]) + 2),
1798 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1799 offsetof(struct __sk_buff, cb[3]) + 3),
1800 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1801 offsetof(struct __sk_buff, cb[4])),
1802 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1803 offsetof(struct __sk_buff, cb[4]) + 1),
1804 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1805 offsetof(struct __sk_buff, cb[4]) + 2),
1806 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1807 offsetof(struct __sk_buff, cb[4]) + 3),
1808 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1809 offsetof(struct __sk_buff, cb[0])),
1810 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1811 offsetof(struct __sk_buff, cb[0]) + 1),
1812 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1813 offsetof(struct __sk_buff, cb[0]) + 2),
1814 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1815 offsetof(struct __sk_buff, cb[0]) + 3),
1816 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1817 offsetof(struct __sk_buff, cb[1])),
1818 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1819 offsetof(struct __sk_buff, cb[1]) + 1),
1820 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1821 offsetof(struct __sk_buff, cb[1]) + 2),
1822 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1823 offsetof(struct __sk_buff, cb[1]) + 3),
1824 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1825 offsetof(struct __sk_buff, cb[2])),
1826 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1827 offsetof(struct __sk_buff, cb[2]) + 1),
1828 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1829 offsetof(struct __sk_buff, cb[2]) + 2),
1830 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1831 offsetof(struct __sk_buff, cb[2]) + 3),
1832 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1833 offsetof(struct __sk_buff, cb[3])),
1834 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1835 offsetof(struct __sk_buff, cb[3]) + 1),
1836 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1837 offsetof(struct __sk_buff, cb[3]) + 2),
1838 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1839 offsetof(struct __sk_buff, cb[3]) + 3),
1840 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1841 offsetof(struct __sk_buff, cb[4])),
1842 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1843 offsetof(struct __sk_buff, cb[4]) + 1),
1844 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1845 offsetof(struct __sk_buff, cb[4]) + 2),
1846 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1847 offsetof(struct __sk_buff, cb[4]) + 3),
1853 "__sk_buff->hash, offset 0, byte store not permitted",
1855 BPF_MOV64_IMM(BPF_REG_0, 0),
1856 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1857 offsetof(struct __sk_buff, hash)),
1860 .errstr = "invalid bpf_context access",
1864 "__sk_buff->tc_index, offset 3, byte store not permitted",
1866 BPF_MOV64_IMM(BPF_REG_0, 0),
1867 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1868 offsetof(struct __sk_buff, tc_index) + 3),
1871 .errstr = "invalid bpf_context access",
1875 "check skb->hash byte load permitted",
1877 BPF_MOV64_IMM(BPF_REG_0, 0),
1878 #if __BYTE_ORDER == __LITTLE_ENDIAN
1879 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1880 offsetof(struct __sk_buff, hash)),
1882 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1883 offsetof(struct __sk_buff, hash) + 3),
1890 "check skb->hash byte load not permitted 1",
1892 BPF_MOV64_IMM(BPF_REG_0, 0),
1893 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1894 offsetof(struct __sk_buff, hash) + 1),
1897 .errstr = "invalid bpf_context access",
1901 "check skb->hash byte load not permitted 2",
1903 BPF_MOV64_IMM(BPF_REG_0, 0),
1904 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1905 offsetof(struct __sk_buff, hash) + 2),
1908 .errstr = "invalid bpf_context access",
1912 "check skb->hash byte load not permitted 3",
1914 BPF_MOV64_IMM(BPF_REG_0, 0),
1915 #if __BYTE_ORDER == __LITTLE_ENDIAN
1916 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1917 offsetof(struct __sk_buff, hash) + 3),
1919 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1920 offsetof(struct __sk_buff, hash)),
1924 .errstr = "invalid bpf_context access",
1928 "check cb access: byte, wrong type",
1930 BPF_MOV64_IMM(BPF_REG_0, 0),
1931 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 offsetof(struct __sk_buff, cb[0])),
1935 .errstr = "invalid bpf_context access",
1937 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1940 "check cb access: half",
1942 BPF_MOV64_IMM(BPF_REG_0, 0),
1943 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1944 offsetof(struct __sk_buff, cb[0])),
1945 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1946 offsetof(struct __sk_buff, cb[0]) + 2),
1947 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1948 offsetof(struct __sk_buff, cb[1])),
1949 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1950 offsetof(struct __sk_buff, cb[1]) + 2),
1951 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1952 offsetof(struct __sk_buff, cb[2])),
1953 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1954 offsetof(struct __sk_buff, cb[2]) + 2),
1955 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1956 offsetof(struct __sk_buff, cb[3])),
1957 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1958 offsetof(struct __sk_buff, cb[3]) + 2),
1959 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1960 offsetof(struct __sk_buff, cb[4])),
1961 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1962 offsetof(struct __sk_buff, cb[4]) + 2),
1963 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1964 offsetof(struct __sk_buff, cb[0])),
1965 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1966 offsetof(struct __sk_buff, cb[0]) + 2),
1967 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1968 offsetof(struct __sk_buff, cb[1])),
1969 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1970 offsetof(struct __sk_buff, cb[1]) + 2),
1971 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1972 offsetof(struct __sk_buff, cb[2])),
1973 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1974 offsetof(struct __sk_buff, cb[2]) + 2),
1975 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1976 offsetof(struct __sk_buff, cb[3])),
1977 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1978 offsetof(struct __sk_buff, cb[3]) + 2),
1979 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1980 offsetof(struct __sk_buff, cb[4])),
1981 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1982 offsetof(struct __sk_buff, cb[4]) + 2),
1988 "check cb access: half, unaligned",
1990 BPF_MOV64_IMM(BPF_REG_0, 0),
1991 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1992 offsetof(struct __sk_buff, cb[0]) + 1),
1995 .errstr = "misaligned context access",
1997 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2000 "check __sk_buff->hash, offset 0, half store not permitted",
2002 BPF_MOV64_IMM(BPF_REG_0, 0),
2003 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2004 offsetof(struct __sk_buff, hash)),
2007 .errstr = "invalid bpf_context access",
2011 "check __sk_buff->tc_index, offset 2, half store not permitted",
2013 BPF_MOV64_IMM(BPF_REG_0, 0),
2014 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2015 offsetof(struct __sk_buff, tc_index) + 2),
2018 .errstr = "invalid bpf_context access",
2022 "check skb->hash half load permitted",
2024 BPF_MOV64_IMM(BPF_REG_0, 0),
2025 #if __BYTE_ORDER == __LITTLE_ENDIAN
2026 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2027 offsetof(struct __sk_buff, hash)),
2029 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2030 offsetof(struct __sk_buff, hash) + 2),
2037 "check skb->hash half load not permitted",
2039 BPF_MOV64_IMM(BPF_REG_0, 0),
2040 #if __BYTE_ORDER == __LITTLE_ENDIAN
2041 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2042 offsetof(struct __sk_buff, hash) + 2),
2044 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2045 offsetof(struct __sk_buff, hash)),
2049 .errstr = "invalid bpf_context access",
2053 "check cb access: half, wrong type",
2055 BPF_MOV64_IMM(BPF_REG_0, 0),
2056 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2057 offsetof(struct __sk_buff, cb[0])),
2060 .errstr = "invalid bpf_context access",
2062 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2065 "check cb access: word",
2067 BPF_MOV64_IMM(BPF_REG_0, 0),
2068 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2069 offsetof(struct __sk_buff, cb[0])),
2070 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[1])),
2072 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2073 offsetof(struct __sk_buff, cb[2])),
2074 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2075 offsetof(struct __sk_buff, cb[3])),
2076 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2077 offsetof(struct __sk_buff, cb[4])),
2078 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2079 offsetof(struct __sk_buff, cb[0])),
2080 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2081 offsetof(struct __sk_buff, cb[1])),
2082 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2083 offsetof(struct __sk_buff, cb[2])),
2084 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2085 offsetof(struct __sk_buff, cb[3])),
2086 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2087 offsetof(struct __sk_buff, cb[4])),
2093 "check cb access: word, unaligned 1",
2095 BPF_MOV64_IMM(BPF_REG_0, 0),
2096 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2097 offsetof(struct __sk_buff, cb[0]) + 2),
2100 .errstr = "misaligned context access",
2102 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2105 "check cb access: word, unaligned 2",
2107 BPF_MOV64_IMM(BPF_REG_0, 0),
2108 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2109 offsetof(struct __sk_buff, cb[4]) + 1),
2112 .errstr = "misaligned context access",
2114 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2117 "check cb access: word, unaligned 3",
2119 BPF_MOV64_IMM(BPF_REG_0, 0),
2120 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2121 offsetof(struct __sk_buff, cb[4]) + 2),
2124 .errstr = "misaligned context access",
2126 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2129 "check cb access: word, unaligned 4",
2131 BPF_MOV64_IMM(BPF_REG_0, 0),
2132 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2133 offsetof(struct __sk_buff, cb[4]) + 3),
2136 .errstr = "misaligned context access",
2138 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2141 "check cb access: double",
2143 BPF_MOV64_IMM(BPF_REG_0, 0),
2144 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2145 offsetof(struct __sk_buff, cb[0])),
2146 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2147 offsetof(struct __sk_buff, cb[2])),
2148 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2149 offsetof(struct __sk_buff, cb[0])),
2150 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2151 offsetof(struct __sk_buff, cb[2])),
2157 "check cb access: double, unaligned 1",
2159 BPF_MOV64_IMM(BPF_REG_0, 0),
2160 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2161 offsetof(struct __sk_buff, cb[1])),
2164 .errstr = "misaligned context access",
2166 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2169 "check cb access: double, unaligned 2",
2171 BPF_MOV64_IMM(BPF_REG_0, 0),
2172 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2173 offsetof(struct __sk_buff, cb[3])),
2176 .errstr = "misaligned context access",
2178 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2181 "check cb access: double, oob 1",
2183 BPF_MOV64_IMM(BPF_REG_0, 0),
2184 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2185 offsetof(struct __sk_buff, cb[4])),
2188 .errstr = "invalid bpf_context access",
2192 "check cb access: double, oob 2",
2194 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2196 offsetof(struct __sk_buff, cb[4])),
2199 .errstr = "invalid bpf_context access",
2203 "check __sk_buff->ifindex dw store not permitted",
2205 BPF_MOV64_IMM(BPF_REG_0, 0),
2206 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2207 offsetof(struct __sk_buff, ifindex)),
2210 .errstr = "invalid bpf_context access",
2214 "check __sk_buff->ifindex dw load not permitted",
2216 BPF_MOV64_IMM(BPF_REG_0, 0),
2217 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2218 offsetof(struct __sk_buff, ifindex)),
2221 .errstr = "invalid bpf_context access",
2225 "check cb access: double, wrong type",
2227 BPF_MOV64_IMM(BPF_REG_0, 0),
2228 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2229 offsetof(struct __sk_buff, cb[0])),
2232 .errstr = "invalid bpf_context access",
2234 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2237 "check out of range skb->cb access",
2239 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2240 offsetof(struct __sk_buff, cb[0]) + 256),
2243 .errstr = "invalid bpf_context access",
2244 .errstr_unpriv = "",
2246 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2249 "write skb fields from socket prog",
2251 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2252 offsetof(struct __sk_buff, cb[4])),
2253 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2254 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2255 offsetof(struct __sk_buff, mark)),
2256 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2257 offsetof(struct __sk_buff, tc_index)),
2258 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2259 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2260 offsetof(struct __sk_buff, cb[0])),
2261 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2262 offsetof(struct __sk_buff, cb[2])),
2266 .errstr_unpriv = "R1 leaks addr",
2267 .result_unpriv = REJECT,
2270 "write skb fields from tc_cls_act prog",
2272 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2273 offsetof(struct __sk_buff, cb[0])),
2274 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2275 offsetof(struct __sk_buff, mark)),
2276 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2277 offsetof(struct __sk_buff, tc_index)),
2278 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2279 offsetof(struct __sk_buff, tc_index)),
2280 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2281 offsetof(struct __sk_buff, cb[3])),
2284 .errstr_unpriv = "",
2285 .result_unpriv = REJECT,
2287 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2290 "PTR_TO_STACK store/load",
2292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2294 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2295 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2299 .retval = 0xfaceb00c,
2302 "PTR_TO_STACK store/load - bad alignment on off",
2304 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2306 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2307 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2311 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2314 "PTR_TO_STACK store/load - bad alignment on reg",
2316 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2318 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2319 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2323 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2326 "PTR_TO_STACK store/load - out of bounds low",
2328 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2330 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2331 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2335 .errstr = "invalid stack off=-79992 size=8",
2338 "PTR_TO_STACK store/load - out of bounds high",
2340 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2342 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2343 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2347 .errstr = "invalid stack off=0 size=8",
2350 "unpriv: return pointer",
2352 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2356 .result_unpriv = REJECT,
2357 .errstr_unpriv = "R0 leaks addr",
2358 .retval = POINTER_VALUE,
2361 "unpriv: add const to pointer",
2363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2364 BPF_MOV64_IMM(BPF_REG_0, 0),
2370 "unpriv: add pointer to pointer",
2372 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2373 BPF_MOV64_IMM(BPF_REG_0, 0),
2377 .errstr = "R1 pointer += pointer",
2380 "unpriv: neg pointer",
2382 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2383 BPF_MOV64_IMM(BPF_REG_0, 0),
2387 .result_unpriv = REJECT,
2388 .errstr_unpriv = "R1 pointer arithmetic",
2391 "unpriv: cmp pointer with const",
2393 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2394 BPF_MOV64_IMM(BPF_REG_0, 0),
2398 .result_unpriv = REJECT,
2399 .errstr_unpriv = "R1 pointer comparison",
2402 "unpriv: cmp pointer with pointer",
2404 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2405 BPF_MOV64_IMM(BPF_REG_0, 0),
2409 .result_unpriv = REJECT,
2410 .errstr_unpriv = "R10 pointer comparison",
2413 "unpriv: check that printk is disallowed",
2415 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2416 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2418 BPF_MOV64_IMM(BPF_REG_2, 8),
2419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2420 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2421 BPF_FUNC_trace_printk),
2422 BPF_MOV64_IMM(BPF_REG_0, 0),
2425 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2426 .result_unpriv = REJECT,
2430 "unpriv: pass pointer to helper function",
2432 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2433 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2435 BPF_LD_MAP_FD(BPF_REG_1, 0),
2436 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2437 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2439 BPF_FUNC_map_update_elem),
2440 BPF_MOV64_IMM(BPF_REG_0, 0),
2443 .fixup_map1 = { 3 },
2444 .errstr_unpriv = "R4 leaks addr",
2445 .result_unpriv = REJECT,
2449 "unpriv: indirectly pass pointer on stack to helper function",
2451 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2454 BPF_LD_MAP_FD(BPF_REG_1, 0),
2455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2456 BPF_FUNC_map_lookup_elem),
2457 BPF_MOV64_IMM(BPF_REG_0, 0),
2460 .fixup_map1 = { 3 },
2461 .errstr = "invalid indirect read from stack off -8+0 size 8",
2465 "unpriv: mangle pointer on stack 1",
2467 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2468 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2469 BPF_MOV64_IMM(BPF_REG_0, 0),
2472 .errstr_unpriv = "attempt to corrupt spilled",
2473 .result_unpriv = REJECT,
2477 "unpriv: mangle pointer on stack 2",
2479 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2480 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2481 BPF_MOV64_IMM(BPF_REG_0, 0),
2484 .errstr_unpriv = "attempt to corrupt spilled",
2485 .result_unpriv = REJECT,
2489 "unpriv: read pointer from stack in small chunks",
2491 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2493 BPF_MOV64_IMM(BPF_REG_0, 0),
2496 .errstr = "invalid size",
2500 "unpriv: write pointer into ctx",
2502 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2503 BPF_MOV64_IMM(BPF_REG_0, 0),
2506 .errstr_unpriv = "R1 leaks addr",
2507 .result_unpriv = REJECT,
2508 .errstr = "invalid bpf_context access",
2512 "unpriv: spill/fill of ctx",
2514 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2516 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2517 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2518 BPF_MOV64_IMM(BPF_REG_0, 0),
2524 "unpriv: spill/fill of ctx 2",
2526 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2528 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2529 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2530 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2531 BPF_FUNC_get_hash_recalc),
2532 BPF_MOV64_IMM(BPF_REG_0, 0),
2536 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2539 "unpriv: spill/fill of ctx 3",
2541 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2543 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2544 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2545 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2547 BPF_FUNC_get_hash_recalc),
2551 .errstr = "R1 type=fp expected=ctx",
2552 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2555 "unpriv: spill/fill of ctx 4",
2557 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2559 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2560 BPF_MOV64_IMM(BPF_REG_0, 1),
2561 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2563 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2564 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2565 BPF_FUNC_get_hash_recalc),
2569 .errstr = "R1 type=inv expected=ctx",
2570 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2573 "unpriv: spill/fill of different pointers stx",
2575 BPF_MOV64_IMM(BPF_REG_3, 42),
2576 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2577 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2578 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2581 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2582 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2583 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2584 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2585 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2586 offsetof(struct __sk_buff, mark)),
2587 BPF_MOV64_IMM(BPF_REG_0, 0),
2591 .errstr = "same insn cannot be used with different pointers",
2592 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2595 "unpriv: spill/fill of different pointers ldx",
2597 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2598 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2599 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2600 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2602 -(__s32)offsetof(struct bpf_perf_event_data,
2603 sample_period) - 8),
2604 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2605 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2606 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2607 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2608 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2609 offsetof(struct bpf_perf_event_data,
2611 BPF_MOV64_IMM(BPF_REG_0, 0),
2615 .errstr = "same insn cannot be used with different pointers",
2616 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2619 "unpriv: write pointer into map elem value",
2621 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2622 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2624 BPF_LD_MAP_FD(BPF_REG_1, 0),
2625 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2626 BPF_FUNC_map_lookup_elem),
2627 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2628 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2631 .fixup_map1 = { 3 },
2632 .errstr_unpriv = "R0 leaks addr",
2633 .result_unpriv = REJECT,
2637 "unpriv: partial copy of pointer",
2639 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2640 BPF_MOV64_IMM(BPF_REG_0, 0),
2643 .errstr_unpriv = "R10 partial copy",
2644 .result_unpriv = REJECT,
2648 "unpriv: pass pointer to tail_call",
2650 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2651 BPF_LD_MAP_FD(BPF_REG_2, 0),
2652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2653 BPF_FUNC_tail_call),
2654 BPF_MOV64_IMM(BPF_REG_0, 0),
2657 .fixup_prog = { 1 },
2658 .errstr_unpriv = "R3 leaks addr into helper",
2659 .result_unpriv = REJECT,
2663 "unpriv: cmp map pointer with zero",
2665 BPF_MOV64_IMM(BPF_REG_1, 0),
2666 BPF_LD_MAP_FD(BPF_REG_1, 0),
2667 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2668 BPF_MOV64_IMM(BPF_REG_0, 0),
2671 .fixup_map1 = { 1 },
2672 .errstr_unpriv = "R1 pointer comparison",
2673 .result_unpriv = REJECT,
2677 "unpriv: write into frame pointer",
2679 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2680 BPF_MOV64_IMM(BPF_REG_0, 0),
2683 .errstr = "frame pointer is read only",
2687 "unpriv: spill/fill frame pointer",
2689 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2691 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2692 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2693 BPF_MOV64_IMM(BPF_REG_0, 0),
2696 .errstr = "frame pointer is read only",
2700 "unpriv: cmp of frame pointer",
2702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2703 BPF_MOV64_IMM(BPF_REG_0, 0),
2706 .errstr_unpriv = "R10 pointer comparison",
2707 .result_unpriv = REJECT,
2711 "unpriv: adding of fp",
2713 BPF_MOV64_IMM(BPF_REG_0, 0),
2714 BPF_MOV64_IMM(BPF_REG_1, 0),
2715 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2716 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2722 "unpriv: cmp of stack pointer",
2724 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2726 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2727 BPF_MOV64_IMM(BPF_REG_0, 0),
2730 .errstr_unpriv = "R2 pointer comparison",
2731 .result_unpriv = REJECT,
2735 "runtime/jit: tail_call within bounds, prog once",
2737 BPF_MOV64_IMM(BPF_REG_3, 0),
2738 BPF_LD_MAP_FD(BPF_REG_2, 0),
2739 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2740 BPF_FUNC_tail_call),
2741 BPF_MOV64_IMM(BPF_REG_0, 1),
2744 .fixup_prog = { 1 },
2749 "runtime/jit: tail_call within bounds, prog loop",
2751 BPF_MOV64_IMM(BPF_REG_3, 1),
2752 BPF_LD_MAP_FD(BPF_REG_2, 0),
2753 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2754 BPF_FUNC_tail_call),
2755 BPF_MOV64_IMM(BPF_REG_0, 1),
2758 .fixup_prog = { 1 },
2763 "runtime/jit: tail_call within bounds, no prog",
2765 BPF_MOV64_IMM(BPF_REG_3, 2),
2766 BPF_LD_MAP_FD(BPF_REG_2, 0),
2767 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2768 BPF_FUNC_tail_call),
2769 BPF_MOV64_IMM(BPF_REG_0, 1),
2772 .fixup_prog = { 1 },
2777 "runtime/jit: tail_call out of bounds",
2779 BPF_MOV64_IMM(BPF_REG_3, 256),
2780 BPF_LD_MAP_FD(BPF_REG_2, 0),
2781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2782 BPF_FUNC_tail_call),
2783 BPF_MOV64_IMM(BPF_REG_0, 2),
2786 .fixup_prog = { 1 },
2791 "runtime/jit: pass negative index to tail_call",
2793 BPF_MOV64_IMM(BPF_REG_3, -1),
2794 BPF_LD_MAP_FD(BPF_REG_2, 0),
2795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2796 BPF_FUNC_tail_call),
2797 BPF_MOV64_IMM(BPF_REG_0, 2),
2800 .fixup_prog = { 1 },
2805 "runtime/jit: pass > 32bit index to tail_call",
2807 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2808 BPF_LD_MAP_FD(BPF_REG_2, 0),
2809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2810 BPF_FUNC_tail_call),
2811 BPF_MOV64_IMM(BPF_REG_0, 2),
2814 .fixup_prog = { 2 },
2819 "stack pointer arithmetic",
2821 BPF_MOV64_IMM(BPF_REG_1, 4),
2822 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2823 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2826 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2827 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2828 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2829 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2831 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2832 BPF_MOV64_IMM(BPF_REG_0, 0),
2838 "raw_stack: no skb_load_bytes",
2840 BPF_MOV64_IMM(BPF_REG_2, 4),
2841 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2843 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2844 BPF_MOV64_IMM(BPF_REG_4, 8),
2845 /* Call to skb_load_bytes() omitted. */
2846 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2850 .errstr = "invalid read from stack off -8+0 size 8",
2851 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2854 "raw_stack: skb_load_bytes, negative len",
2856 BPF_MOV64_IMM(BPF_REG_2, 4),
2857 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2859 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2860 BPF_MOV64_IMM(BPF_REG_4, -8),
2861 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2862 BPF_FUNC_skb_load_bytes),
2863 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2867 .errstr = "R4 min value is negative",
2868 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2871 "raw_stack: skb_load_bytes, negative len 2",
2873 BPF_MOV64_IMM(BPF_REG_2, 4),
2874 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2876 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2877 BPF_MOV64_IMM(BPF_REG_4, ~0),
2878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2879 BPF_FUNC_skb_load_bytes),
2880 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2884 .errstr = "R4 min value is negative",
2885 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2888 "raw_stack: skb_load_bytes, zero len",
2890 BPF_MOV64_IMM(BPF_REG_2, 4),
2891 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2893 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2894 BPF_MOV64_IMM(BPF_REG_4, 0),
2895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 BPF_FUNC_skb_load_bytes),
2897 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2901 .errstr = "invalid stack type R3",
2902 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2905 "raw_stack: skb_load_bytes, no init",
2907 BPF_MOV64_IMM(BPF_REG_2, 4),
2908 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2910 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2911 BPF_MOV64_IMM(BPF_REG_4, 8),
2912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2913 BPF_FUNC_skb_load_bytes),
2914 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2918 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2921 "raw_stack: skb_load_bytes, init",
2923 BPF_MOV64_IMM(BPF_REG_2, 4),
2924 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2926 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2927 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2928 BPF_MOV64_IMM(BPF_REG_4, 8),
2929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2930 BPF_FUNC_skb_load_bytes),
2931 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2935 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2938 "raw_stack: skb_load_bytes, spilled regs around bounds",
2940 BPF_MOV64_IMM(BPF_REG_2, 4),
2941 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2943 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2944 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2945 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2946 BPF_MOV64_IMM(BPF_REG_4, 8),
2947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2948 BPF_FUNC_skb_load_bytes),
2949 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2950 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2951 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2952 offsetof(struct __sk_buff, mark)),
2953 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2954 offsetof(struct __sk_buff, priority)),
2955 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2962 "raw_stack: skb_load_bytes, spilled regs corruption",
2964 BPF_MOV64_IMM(BPF_REG_2, 4),
2965 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2967 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2968 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2969 BPF_MOV64_IMM(BPF_REG_4, 8),
2970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2971 BPF_FUNC_skb_load_bytes),
2972 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2973 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2974 offsetof(struct __sk_buff, mark)),
2978 .errstr = "R0 invalid mem access 'inv'",
2979 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2982 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2984 BPF_MOV64_IMM(BPF_REG_2, 4),
2985 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2987 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2988 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2989 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2990 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2991 BPF_MOV64_IMM(BPF_REG_4, 8),
2992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2993 BPF_FUNC_skb_load_bytes),
2994 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2995 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2996 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2997 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2998 offsetof(struct __sk_buff, mark)),
2999 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3000 offsetof(struct __sk_buff, priority)),
3001 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3003 offsetof(struct __sk_buff, pkt_type)),
3004 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3008 .errstr = "R3 invalid mem access 'inv'",
3009 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3012 "raw_stack: skb_load_bytes, spilled regs + data",
3014 BPF_MOV64_IMM(BPF_REG_2, 4),
3015 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3017 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3018 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3019 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3020 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3021 BPF_MOV64_IMM(BPF_REG_4, 8),
3022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3023 BPF_FUNC_skb_load_bytes),
3024 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3025 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3026 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3027 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3028 offsetof(struct __sk_buff, mark)),
3029 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3030 offsetof(struct __sk_buff, priority)),
3031 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3032 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3036 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3039 "raw_stack: skb_load_bytes, invalid access 1",
3041 BPF_MOV64_IMM(BPF_REG_2, 4),
3042 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3044 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3045 BPF_MOV64_IMM(BPF_REG_4, 8),
3046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3047 BPF_FUNC_skb_load_bytes),
3048 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3052 .errstr = "invalid stack type R3 off=-513 access_size=8",
3053 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3056 "raw_stack: skb_load_bytes, invalid access 2",
3058 BPF_MOV64_IMM(BPF_REG_2, 4),
3059 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3061 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3062 BPF_MOV64_IMM(BPF_REG_4, 8),
3063 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3064 BPF_FUNC_skb_load_bytes),
3065 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3069 .errstr = "invalid stack type R3 off=-1 access_size=8",
3070 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3073 "raw_stack: skb_load_bytes, invalid access 3",
3075 BPF_MOV64_IMM(BPF_REG_2, 4),
3076 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3078 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3079 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3080 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3081 BPF_FUNC_skb_load_bytes),
3082 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3086 .errstr = "R4 min value is negative",
3087 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3090 "raw_stack: skb_load_bytes, invalid access 4",
3092 BPF_MOV64_IMM(BPF_REG_2, 4),
3093 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3095 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3096 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3097 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3098 BPF_FUNC_skb_load_bytes),
3099 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3103 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3104 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3107 "raw_stack: skb_load_bytes, invalid access 5",
3109 BPF_MOV64_IMM(BPF_REG_2, 4),
3110 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3112 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3113 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3115 BPF_FUNC_skb_load_bytes),
3116 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3120 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3121 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3124 "raw_stack: skb_load_bytes, invalid access 6",
3126 BPF_MOV64_IMM(BPF_REG_2, 4),
3127 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3129 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3130 BPF_MOV64_IMM(BPF_REG_4, 0),
3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 BPF_FUNC_skb_load_bytes),
3133 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3137 .errstr = "invalid stack type R3 off=-512 access_size=0",
3138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3141 "raw_stack: skb_load_bytes, large access",
3143 BPF_MOV64_IMM(BPF_REG_2, 4),
3144 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3145 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3146 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3147 BPF_MOV64_IMM(BPF_REG_4, 512),
3148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3149 BPF_FUNC_skb_load_bytes),
3150 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3154 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3157 "context stores via ST",
3159 BPF_MOV64_IMM(BPF_REG_0, 0),
3160 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3163 .errstr = "BPF_ST stores into R1 context is not allowed",
3165 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3168 "context stores via XADD",
3170 BPF_MOV64_IMM(BPF_REG_0, 0),
3171 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3172 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3175 .errstr = "BPF_XADD stores into R1 context is not allowed",
3177 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3180 "direct packet access: test1",
3182 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3183 offsetof(struct __sk_buff, data)),
3184 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3185 offsetof(struct __sk_buff, data_end)),
3186 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3188 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3189 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3190 BPF_MOV64_IMM(BPF_REG_0, 0),
3194 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3197 "direct packet access: test2",
3199 BPF_MOV64_IMM(BPF_REG_0, 1),
3200 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3201 offsetof(struct __sk_buff, data_end)),
3202 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3203 offsetof(struct __sk_buff, data)),
3204 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3206 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3208 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3209 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3210 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3211 offsetof(struct __sk_buff, data)),
3212 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3213 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3214 offsetof(struct __sk_buff, len)),
3215 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3216 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3217 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3218 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3220 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3221 offsetof(struct __sk_buff, data_end)),
3222 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3223 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3224 BPF_MOV64_IMM(BPF_REG_0, 0),
3228 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3231 "direct packet access: test3",
3233 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3234 offsetof(struct __sk_buff, data)),
3235 BPF_MOV64_IMM(BPF_REG_0, 0),
3238 .errstr = "invalid bpf_context access off=76",
3240 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3243 "direct packet access: test4 (write)",
3245 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3246 offsetof(struct __sk_buff, data)),
3247 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3248 offsetof(struct __sk_buff, data_end)),
3249 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3251 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3252 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3253 BPF_MOV64_IMM(BPF_REG_0, 0),
3257 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3260 "direct packet access: test5 (pkt_end >= reg, good access)",
3262 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3263 offsetof(struct __sk_buff, data)),
3264 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3265 offsetof(struct __sk_buff, data_end)),
3266 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3268 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3269 BPF_MOV64_IMM(BPF_REG_0, 1),
3271 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3272 BPF_MOV64_IMM(BPF_REG_0, 0),
3276 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3279 "direct packet access: test6 (pkt_end >= reg, bad access)",
3281 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3282 offsetof(struct __sk_buff, data)),
3283 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3284 offsetof(struct __sk_buff, data_end)),
3285 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3287 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3288 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3289 BPF_MOV64_IMM(BPF_REG_0, 1),
3291 BPF_MOV64_IMM(BPF_REG_0, 0),
3294 .errstr = "invalid access to packet",
3296 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3299 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3301 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3302 offsetof(struct __sk_buff, data)),
3303 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3304 offsetof(struct __sk_buff, data_end)),
3305 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3307 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3308 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3309 BPF_MOV64_IMM(BPF_REG_0, 1),
3311 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3312 BPF_MOV64_IMM(BPF_REG_0, 0),
3315 .errstr = "invalid access to packet",
3317 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3320 "direct packet access: test8 (double test, variant 1)",
3322 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3323 offsetof(struct __sk_buff, data)),
3324 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3325 offsetof(struct __sk_buff, data_end)),
3326 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3328 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3329 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3330 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3331 BPF_MOV64_IMM(BPF_REG_0, 1),
3333 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3334 BPF_MOV64_IMM(BPF_REG_0, 0),
3338 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3341 "direct packet access: test9 (double test, variant 2)",
3343 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3344 offsetof(struct __sk_buff, data)),
3345 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3346 offsetof(struct __sk_buff, data_end)),
3347 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3349 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3350 BPF_MOV64_IMM(BPF_REG_0, 1),
3352 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3353 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3354 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3355 BPF_MOV64_IMM(BPF_REG_0, 0),
3359 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3362 "direct packet access: test10 (write invalid)",
3364 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3365 offsetof(struct __sk_buff, data)),
3366 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3367 offsetof(struct __sk_buff, data_end)),
3368 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3370 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3371 BPF_MOV64_IMM(BPF_REG_0, 0),
3373 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3374 BPF_MOV64_IMM(BPF_REG_0, 0),
3377 .errstr = "invalid access to packet",
3379 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3382 "direct packet access: test11 (shift, good access)",
3384 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3385 offsetof(struct __sk_buff, data)),
3386 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3387 offsetof(struct __sk_buff, data_end)),
3388 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3390 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3391 BPF_MOV64_IMM(BPF_REG_3, 144),
3392 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3394 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3395 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3396 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3397 BPF_MOV64_IMM(BPF_REG_0, 1),
3399 BPF_MOV64_IMM(BPF_REG_0, 0),
3403 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3407 "direct packet access: test12 (and, good access)",
3409 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3410 offsetof(struct __sk_buff, data)),
3411 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3412 offsetof(struct __sk_buff, data_end)),
3413 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3415 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3416 BPF_MOV64_IMM(BPF_REG_3, 144),
3417 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3418 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3419 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3420 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3421 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3422 BPF_MOV64_IMM(BPF_REG_0, 1),
3424 BPF_MOV64_IMM(BPF_REG_0, 0),
3428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3432 "direct packet access: test13 (branches, good access)",
3434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3435 offsetof(struct __sk_buff, data)),
3436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3437 offsetof(struct __sk_buff, data_end)),
3438 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3440 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3441 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3442 offsetof(struct __sk_buff, mark)),
3443 BPF_MOV64_IMM(BPF_REG_4, 1),
3444 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3445 BPF_MOV64_IMM(BPF_REG_3, 14),
3446 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3447 BPF_MOV64_IMM(BPF_REG_3, 24),
3448 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3450 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3451 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3452 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3453 BPF_MOV64_IMM(BPF_REG_0, 1),
3455 BPF_MOV64_IMM(BPF_REG_0, 0),
3459 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3463 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3465 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3466 offsetof(struct __sk_buff, data)),
3467 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3468 offsetof(struct __sk_buff, data_end)),
3469 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3470 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3471 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3472 BPF_MOV64_IMM(BPF_REG_5, 12),
3473 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3474 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3475 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3476 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3477 BPF_MOV64_IMM(BPF_REG_0, 1),
3479 BPF_MOV64_IMM(BPF_REG_0, 0),
3483 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3487 "direct packet access: test15 (spill with xadd)",
3489 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3490 offsetof(struct __sk_buff, data)),
3491 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3492 offsetof(struct __sk_buff, data_end)),
3493 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3495 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3496 BPF_MOV64_IMM(BPF_REG_5, 4096),
3497 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3499 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3500 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3501 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3502 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3503 BPF_MOV64_IMM(BPF_REG_0, 0),
3506 .errstr = "R2 invalid mem access 'inv'",
3508 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3511 "direct packet access: test16 (arith on data_end)",
3513 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3514 offsetof(struct __sk_buff, data)),
3515 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3516 offsetof(struct __sk_buff, data_end)),
3517 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3520 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3521 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3522 BPF_MOV64_IMM(BPF_REG_0, 0),
3525 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3527 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3530 "direct packet access: test17 (pruning, alignment)",
3532 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3533 offsetof(struct __sk_buff, data)),
3534 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3535 offsetof(struct __sk_buff, data_end)),
3536 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3537 offsetof(struct __sk_buff, mark)),
3538 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3540 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3541 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3542 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3543 BPF_MOV64_IMM(BPF_REG_0, 0),
3545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3548 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3550 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3551 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3554 "direct packet access: test18 (imm += pkt_ptr, 1)",
3556 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3557 offsetof(struct __sk_buff, data)),
3558 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3559 offsetof(struct __sk_buff, data_end)),
3560 BPF_MOV64_IMM(BPF_REG_0, 8),
3561 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3562 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3563 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3564 BPF_MOV64_IMM(BPF_REG_0, 0),
3568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3571 "direct packet access: test19 (imm += pkt_ptr, 2)",
3573 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3574 offsetof(struct __sk_buff, data)),
3575 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3576 offsetof(struct __sk_buff, data_end)),
3577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3579 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3580 BPF_MOV64_IMM(BPF_REG_4, 4),
3581 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3582 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3583 BPF_MOV64_IMM(BPF_REG_0, 0),
3587 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3590 "direct packet access: test20 (x += pkt_ptr, 1)",
3592 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3593 offsetof(struct __sk_buff, data)),
3594 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3595 offsetof(struct __sk_buff, data_end)),
3596 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3597 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3598 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3599 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3600 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3601 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3602 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3604 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3605 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3606 BPF_MOV64_IMM(BPF_REG_0, 0),
3609 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3613 "direct packet access: test21 (x += pkt_ptr, 2)",
3615 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616 offsetof(struct __sk_buff, data)),
3617 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3618 offsetof(struct __sk_buff, data_end)),
3619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3621 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3622 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3623 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3624 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3625 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3626 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3627 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3629 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3630 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3631 BPF_MOV64_IMM(BPF_REG_0, 0),
3634 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3638 "direct packet access: test22 (x += pkt_ptr, 3)",
3640 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3641 offsetof(struct __sk_buff, data)),
3642 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3643 offsetof(struct __sk_buff, data_end)),
3644 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3646 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3647 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3648 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3649 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3650 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3651 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3652 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3653 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3654 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3655 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3656 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3658 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3659 BPF_MOV64_IMM(BPF_REG_2, 1),
3660 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3661 BPF_MOV64_IMM(BPF_REG_0, 0),
3664 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3668 "direct packet access: test23 (x += pkt_ptr, 4)",
3670 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3671 offsetof(struct __sk_buff, data)),
3672 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3673 offsetof(struct __sk_buff, data_end)),
3674 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3675 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3676 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3677 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3678 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3679 BPF_MOV64_IMM(BPF_REG_0, 31),
3680 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3681 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3682 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3684 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3685 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3686 BPF_MOV64_IMM(BPF_REG_0, 0),
3689 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3691 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3694 "direct packet access: test24 (x += pkt_ptr, 5)",
3696 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3697 offsetof(struct __sk_buff, data)),
3698 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3699 offsetof(struct __sk_buff, data_end)),
3700 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3701 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3702 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3703 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3704 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3705 BPF_MOV64_IMM(BPF_REG_0, 64),
3706 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3707 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3708 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3711 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3712 BPF_MOV64_IMM(BPF_REG_0, 0),
3715 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3719 "direct packet access: test25 (marking on <, good access)",
3721 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3722 offsetof(struct __sk_buff, data)),
3723 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3724 offsetof(struct __sk_buff, data_end)),
3725 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3727 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3728 BPF_MOV64_IMM(BPF_REG_0, 0),
3730 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3731 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3734 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3737 "direct packet access: test26 (marking on <, bad access)",
3739 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3740 offsetof(struct __sk_buff, data)),
3741 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3742 offsetof(struct __sk_buff, data_end)),
3743 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3745 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3746 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3747 BPF_MOV64_IMM(BPF_REG_0, 0),
3749 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3752 .errstr = "invalid access to packet",
3753 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3756 "direct packet access: test27 (marking on <=, good access)",
3758 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3759 offsetof(struct __sk_buff, data)),
3760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3761 offsetof(struct __sk_buff, data_end)),
3762 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3763 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3764 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3765 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3766 BPF_MOV64_IMM(BPF_REG_0, 1),
3770 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3774 "direct packet access: test28 (marking on <=, bad access)",
3776 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3777 offsetof(struct __sk_buff, data)),
3778 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3779 offsetof(struct __sk_buff, data_end)),
3780 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3782 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3783 BPF_MOV64_IMM(BPF_REG_0, 1),
3785 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3786 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3789 .errstr = "invalid access to packet",
3790 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3793 "helper access to packet: test1, valid packet_ptr range",
3795 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3796 offsetof(struct xdp_md, data)),
3797 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3798 offsetof(struct xdp_md, data_end)),
3799 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3801 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3802 BPF_LD_MAP_FD(BPF_REG_1, 0),
3803 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3804 BPF_MOV64_IMM(BPF_REG_4, 0),
3805 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3806 BPF_FUNC_map_update_elem),
3807 BPF_MOV64_IMM(BPF_REG_0, 0),
3810 .fixup_map1 = { 5 },
3811 .result_unpriv = ACCEPT,
3813 .prog_type = BPF_PROG_TYPE_XDP,
3816 "helper access to packet: test2, unchecked packet_ptr",
3818 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3819 offsetof(struct xdp_md, data)),
3820 BPF_LD_MAP_FD(BPF_REG_1, 0),
3821 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3822 BPF_FUNC_map_lookup_elem),
3823 BPF_MOV64_IMM(BPF_REG_0, 0),
3826 .fixup_map1 = { 1 },
3828 .errstr = "invalid access to packet",
3829 .prog_type = BPF_PROG_TYPE_XDP,
3832 "helper access to packet: test3, variable add",
3834 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3835 offsetof(struct xdp_md, data)),
3836 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3837 offsetof(struct xdp_md, data_end)),
3838 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3840 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3841 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3842 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3843 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3844 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3846 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3847 BPF_LD_MAP_FD(BPF_REG_1, 0),
3848 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3849 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3850 BPF_FUNC_map_lookup_elem),
3851 BPF_MOV64_IMM(BPF_REG_0, 0),
3854 .fixup_map1 = { 11 },
3856 .prog_type = BPF_PROG_TYPE_XDP,
3859 "helper access to packet: test4, packet_ptr with bad range",
3861 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3862 offsetof(struct xdp_md, data)),
3863 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3864 offsetof(struct xdp_md, data_end)),
3865 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3867 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3868 BPF_MOV64_IMM(BPF_REG_0, 0),
3870 BPF_LD_MAP_FD(BPF_REG_1, 0),
3871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3872 BPF_FUNC_map_lookup_elem),
3873 BPF_MOV64_IMM(BPF_REG_0, 0),
3876 .fixup_map1 = { 7 },
3878 .errstr = "invalid access to packet",
3879 .prog_type = BPF_PROG_TYPE_XDP,
3882 "helper access to packet: test5, packet_ptr with too short range",
3884 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3885 offsetof(struct xdp_md, data)),
3886 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3887 offsetof(struct xdp_md, data_end)),
3888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3889 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3891 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3892 BPF_LD_MAP_FD(BPF_REG_1, 0),
3893 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3894 BPF_FUNC_map_lookup_elem),
3895 BPF_MOV64_IMM(BPF_REG_0, 0),
3898 .fixup_map1 = { 6 },
3900 .errstr = "invalid access to packet",
3901 .prog_type = BPF_PROG_TYPE_XDP,
3904 "helper access to packet: test6, cls valid packet_ptr range",
3906 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3907 offsetof(struct __sk_buff, data)),
3908 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3909 offsetof(struct __sk_buff, data_end)),
3910 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3912 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3913 BPF_LD_MAP_FD(BPF_REG_1, 0),
3914 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3915 BPF_MOV64_IMM(BPF_REG_4, 0),
3916 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3917 BPF_FUNC_map_update_elem),
3918 BPF_MOV64_IMM(BPF_REG_0, 0),
3921 .fixup_map1 = { 5 },
3923 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3926 "helper access to packet: test7, cls unchecked packet_ptr",
3928 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3929 offsetof(struct __sk_buff, data)),
3930 BPF_LD_MAP_FD(BPF_REG_1, 0),
3931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3932 BPF_FUNC_map_lookup_elem),
3933 BPF_MOV64_IMM(BPF_REG_0, 0),
3936 .fixup_map1 = { 1 },
3938 .errstr = "invalid access to packet",
3939 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3942 "helper access to packet: test8, cls variable add",
3944 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3945 offsetof(struct __sk_buff, data)),
3946 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3947 offsetof(struct __sk_buff, data_end)),
3948 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3950 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3951 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3952 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3953 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3954 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3956 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3957 BPF_LD_MAP_FD(BPF_REG_1, 0),
3958 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3959 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3960 BPF_FUNC_map_lookup_elem),
3961 BPF_MOV64_IMM(BPF_REG_0, 0),
3964 .fixup_map1 = { 11 },
3966 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3969 "helper access to packet: test9, cls packet_ptr with bad range",
3971 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3972 offsetof(struct __sk_buff, data)),
3973 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3974 offsetof(struct __sk_buff, data_end)),
3975 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3977 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3978 BPF_MOV64_IMM(BPF_REG_0, 0),
3980 BPF_LD_MAP_FD(BPF_REG_1, 0),
3981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3982 BPF_FUNC_map_lookup_elem),
3983 BPF_MOV64_IMM(BPF_REG_0, 0),
3986 .fixup_map1 = { 7 },
3988 .errstr = "invalid access to packet",
3989 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3992 "helper access to packet: test10, cls packet_ptr with too short range",
3994 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3995 offsetof(struct __sk_buff, data)),
3996 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3997 offsetof(struct __sk_buff, data_end)),
3998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3999 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4001 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4002 BPF_LD_MAP_FD(BPF_REG_1, 0),
4003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4004 BPF_FUNC_map_lookup_elem),
4005 BPF_MOV64_IMM(BPF_REG_0, 0),
4008 .fixup_map1 = { 6 },
4010 .errstr = "invalid access to packet",
4011 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4014 "helper access to packet: test11, cls unsuitable helper 1",
4016 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4017 offsetof(struct __sk_buff, data)),
4018 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4019 offsetof(struct __sk_buff, data_end)),
4020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4021 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4023 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4024 BPF_MOV64_IMM(BPF_REG_2, 0),
4025 BPF_MOV64_IMM(BPF_REG_4, 42),
4026 BPF_MOV64_IMM(BPF_REG_5, 0),
4027 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4028 BPF_FUNC_skb_store_bytes),
4029 BPF_MOV64_IMM(BPF_REG_0, 0),
4033 .errstr = "helper access to the packet",
4034 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4037 "helper access to packet: test12, cls unsuitable helper 2",
4039 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4040 offsetof(struct __sk_buff, data)),
4041 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4042 offsetof(struct __sk_buff, data_end)),
4043 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4045 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4046 BPF_MOV64_IMM(BPF_REG_2, 0),
4047 BPF_MOV64_IMM(BPF_REG_4, 4),
4048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4049 BPF_FUNC_skb_load_bytes),
4050 BPF_MOV64_IMM(BPF_REG_0, 0),
4054 .errstr = "helper access to the packet",
4055 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4058 "helper access to packet: test13, cls helper ok",
4060 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4061 offsetof(struct __sk_buff, data)),
4062 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4063 offsetof(struct __sk_buff, data_end)),
4064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4065 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4067 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4068 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4069 BPF_MOV64_IMM(BPF_REG_2, 4),
4070 BPF_MOV64_IMM(BPF_REG_3, 0),
4071 BPF_MOV64_IMM(BPF_REG_4, 0),
4072 BPF_MOV64_IMM(BPF_REG_5, 0),
4073 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4074 BPF_FUNC_csum_diff),
4075 BPF_MOV64_IMM(BPF_REG_0, 0),
4079 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4082 "helper access to packet: test14, cls helper ok sub",
4084 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4085 offsetof(struct __sk_buff, data)),
4086 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4087 offsetof(struct __sk_buff, data_end)),
4088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4089 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4091 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4092 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4093 BPF_MOV64_IMM(BPF_REG_2, 4),
4094 BPF_MOV64_IMM(BPF_REG_3, 0),
4095 BPF_MOV64_IMM(BPF_REG_4, 0),
4096 BPF_MOV64_IMM(BPF_REG_5, 0),
4097 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4098 BPF_FUNC_csum_diff),
4099 BPF_MOV64_IMM(BPF_REG_0, 0),
4103 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4106 "helper access to packet: test15, cls helper fail sub",
4108 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4109 offsetof(struct __sk_buff, data)),
4110 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4111 offsetof(struct __sk_buff, data_end)),
4112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4113 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4115 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4116 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4117 BPF_MOV64_IMM(BPF_REG_2, 4),
4118 BPF_MOV64_IMM(BPF_REG_3, 0),
4119 BPF_MOV64_IMM(BPF_REG_4, 0),
4120 BPF_MOV64_IMM(BPF_REG_5, 0),
4121 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4122 BPF_FUNC_csum_diff),
4123 BPF_MOV64_IMM(BPF_REG_0, 0),
4127 .errstr = "invalid access to packet",
4128 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4131 "helper access to packet: test16, cls helper fail range 1",
4133 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4134 offsetof(struct __sk_buff, data)),
4135 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4136 offsetof(struct __sk_buff, data_end)),
4137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4138 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4140 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4141 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4142 BPF_MOV64_IMM(BPF_REG_2, 8),
4143 BPF_MOV64_IMM(BPF_REG_3, 0),
4144 BPF_MOV64_IMM(BPF_REG_4, 0),
4145 BPF_MOV64_IMM(BPF_REG_5, 0),
4146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4147 BPF_FUNC_csum_diff),
4148 BPF_MOV64_IMM(BPF_REG_0, 0),
4152 .errstr = "invalid access to packet",
4153 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4156 "helper access to packet: test17, cls helper fail range 2",
4158 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4159 offsetof(struct __sk_buff, data)),
4160 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4161 offsetof(struct __sk_buff, data_end)),
4162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4163 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4165 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4166 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4167 BPF_MOV64_IMM(BPF_REG_2, -9),
4168 BPF_MOV64_IMM(BPF_REG_3, 0),
4169 BPF_MOV64_IMM(BPF_REG_4, 0),
4170 BPF_MOV64_IMM(BPF_REG_5, 0),
4171 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4172 BPF_FUNC_csum_diff),
4173 BPF_MOV64_IMM(BPF_REG_0, 0),
4177 .errstr = "R2 min value is negative",
4178 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4181 "helper access to packet: test18, cls helper fail range 3",
4183 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4184 offsetof(struct __sk_buff, data)),
4185 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4186 offsetof(struct __sk_buff, data_end)),
4187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4188 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4190 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4192 BPF_MOV64_IMM(BPF_REG_2, ~0),
4193 BPF_MOV64_IMM(BPF_REG_3, 0),
4194 BPF_MOV64_IMM(BPF_REG_4, 0),
4195 BPF_MOV64_IMM(BPF_REG_5, 0),
4196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4197 BPF_FUNC_csum_diff),
4198 BPF_MOV64_IMM(BPF_REG_0, 0),
4202 .errstr = "R2 min value is negative",
4203 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4206 "helper access to packet: test19, cls helper range zero",
4208 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4209 offsetof(struct __sk_buff, data)),
4210 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4211 offsetof(struct __sk_buff, data_end)),
4212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4213 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4215 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4216 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4217 BPF_MOV64_IMM(BPF_REG_2, 0),
4218 BPF_MOV64_IMM(BPF_REG_3, 0),
4219 BPF_MOV64_IMM(BPF_REG_4, 0),
4220 BPF_MOV64_IMM(BPF_REG_5, 0),
4221 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4222 BPF_FUNC_csum_diff),
4223 BPF_MOV64_IMM(BPF_REG_0, 0),
4227 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4230 "helper access to packet: test20, pkt end as input",
4232 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4233 offsetof(struct __sk_buff, data)),
4234 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4235 offsetof(struct __sk_buff, data_end)),
4236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4239 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4240 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4241 BPF_MOV64_IMM(BPF_REG_2, 4),
4242 BPF_MOV64_IMM(BPF_REG_3, 0),
4243 BPF_MOV64_IMM(BPF_REG_4, 0),
4244 BPF_MOV64_IMM(BPF_REG_5, 0),
4245 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4246 BPF_FUNC_csum_diff),
4247 BPF_MOV64_IMM(BPF_REG_0, 0),
4251 .errstr = "R1 type=pkt_end expected=fp",
4252 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4255 "helper access to packet: test21, wrong reg",
4257 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4258 offsetof(struct __sk_buff, data)),
4259 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4260 offsetof(struct __sk_buff, data_end)),
4261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4262 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4264 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4265 BPF_MOV64_IMM(BPF_REG_2, 4),
4266 BPF_MOV64_IMM(BPF_REG_3, 0),
4267 BPF_MOV64_IMM(BPF_REG_4, 0),
4268 BPF_MOV64_IMM(BPF_REG_5, 0),
4269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4270 BPF_FUNC_csum_diff),
4271 BPF_MOV64_IMM(BPF_REG_0, 0),
4275 .errstr = "invalid access to packet",
4276 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4279 "valid map access into an array with a constant",
4281 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4282 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4284 BPF_LD_MAP_FD(BPF_REG_1, 0),
4285 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4286 BPF_FUNC_map_lookup_elem),
4287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4288 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4289 offsetof(struct test_val, foo)),
4292 .fixup_map2 = { 3 },
4293 .errstr_unpriv = "R0 leaks addr",
4294 .result_unpriv = REJECT,
4298 "valid map access into an array with a register",
4300 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4301 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4303 BPF_LD_MAP_FD(BPF_REG_1, 0),
4304 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4305 BPF_FUNC_map_lookup_elem),
4306 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4307 BPF_MOV64_IMM(BPF_REG_1, 4),
4308 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4309 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4310 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4311 offsetof(struct test_val, foo)),
4314 .fixup_map2 = { 3 },
4315 .errstr_unpriv = "R0 leaks addr",
4316 .result_unpriv = REJECT,
4318 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4321 "valid map access into an array with a variable",
4323 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4324 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4326 BPF_LD_MAP_FD(BPF_REG_1, 0),
4327 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4328 BPF_FUNC_map_lookup_elem),
4329 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4330 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4331 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4332 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4333 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4334 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4335 offsetof(struct test_val, foo)),
4338 .fixup_map2 = { 3 },
4339 .errstr_unpriv = "R0 leaks addr",
4340 .result_unpriv = REJECT,
4342 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4345 "valid map access into an array with a signed variable",
4347 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4348 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4350 BPF_LD_MAP_FD(BPF_REG_1, 0),
4351 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4352 BPF_FUNC_map_lookup_elem),
4353 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4354 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4355 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4356 BPF_MOV32_IMM(BPF_REG_1, 0),
4357 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4358 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4359 BPF_MOV32_IMM(BPF_REG_1, 0),
4360 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4361 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4362 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4363 offsetof(struct test_val, foo)),
4366 .fixup_map2 = { 3 },
4367 .errstr_unpriv = "R0 leaks addr",
4368 .result_unpriv = REJECT,
4370 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4373 "invalid map access into an array with a constant",
4375 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4376 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4378 BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4380 BPF_FUNC_map_lookup_elem),
4381 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4382 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4383 offsetof(struct test_val, foo)),
4386 .fixup_map2 = { 3 },
4387 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4391 "invalid map access into an array with a register",
4393 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4396 BPF_LD_MAP_FD(BPF_REG_1, 0),
4397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4398 BPF_FUNC_map_lookup_elem),
4399 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4400 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4401 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4402 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4403 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4404 offsetof(struct test_val, foo)),
4407 .fixup_map2 = { 3 },
4408 .errstr = "R0 min value is outside of the array range",
4410 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4413 "invalid map access into an array with a variable",
4415 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4416 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4418 BPF_LD_MAP_FD(BPF_REG_1, 0),
4419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4420 BPF_FUNC_map_lookup_elem),
4421 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4422 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4423 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4424 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4425 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4426 offsetof(struct test_val, foo)),
4429 .fixup_map2 = { 3 },
4430 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4432 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4435 "invalid map access into an array with no floor check",
4437 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4438 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4440 BPF_LD_MAP_FD(BPF_REG_1, 0),
4441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4442 BPF_FUNC_map_lookup_elem),
4443 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4444 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4445 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4446 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4447 BPF_MOV32_IMM(BPF_REG_1, 0),
4448 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4449 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4450 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4451 offsetof(struct test_val, foo)),
4454 .fixup_map2 = { 3 },
4455 .errstr_unpriv = "R0 leaks addr",
4456 .errstr = "R0 unbounded memory access",
4457 .result_unpriv = REJECT,
4459 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4462 "invalid map access into an array with a invalid max check",
4464 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4465 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4467 BPF_LD_MAP_FD(BPF_REG_1, 0),
4468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4469 BPF_FUNC_map_lookup_elem),
4470 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4471 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4472 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4473 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4474 BPF_MOV32_IMM(BPF_REG_1, 0),
4475 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4476 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4477 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4478 offsetof(struct test_val, foo)),
4481 .fixup_map2 = { 3 },
4482 .errstr_unpriv = "R0 leaks addr",
4483 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4484 .result_unpriv = REJECT,
4486 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4489 "invalid map access into an array with a invalid max check",
4491 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4492 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4494 BPF_LD_MAP_FD(BPF_REG_1, 0),
4495 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4496 BPF_FUNC_map_lookup_elem),
4497 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4498 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4499 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4500 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4502 BPF_LD_MAP_FD(BPF_REG_1, 0),
4503 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4504 BPF_FUNC_map_lookup_elem),
4505 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4506 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4507 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4508 offsetof(struct test_val, foo)),
4511 .fixup_map2 = { 3, 11 },
4512 .errstr = "R0 pointer += pointer",
4514 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4517 "multiple registers share map_lookup_elem result",
4519 BPF_MOV64_IMM(BPF_REG_1, 10),
4520 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4521 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4523 BPF_LD_MAP_FD(BPF_REG_1, 0),
4524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4525 BPF_FUNC_map_lookup_elem),
4526 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4527 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4528 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4531 .fixup_map1 = { 4 },
4533 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4536 "alu ops on ptr_to_map_value_or_null, 1",
4538 BPF_MOV64_IMM(BPF_REG_1, 10),
4539 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4540 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4542 BPF_LD_MAP_FD(BPF_REG_1, 0),
4543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4544 BPF_FUNC_map_lookup_elem),
4545 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4547 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4548 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4549 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4552 .fixup_map1 = { 4 },
4553 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4555 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4558 "alu ops on ptr_to_map_value_or_null, 2",
4560 BPF_MOV64_IMM(BPF_REG_1, 10),
4561 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4562 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4564 BPF_LD_MAP_FD(BPF_REG_1, 0),
4565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4566 BPF_FUNC_map_lookup_elem),
4567 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4568 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4569 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4570 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4573 .fixup_map1 = { 4 },
4574 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4576 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4579 "alu ops on ptr_to_map_value_or_null, 3",
4581 BPF_MOV64_IMM(BPF_REG_1, 10),
4582 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4583 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4585 BPF_LD_MAP_FD(BPF_REG_1, 0),
4586 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4587 BPF_FUNC_map_lookup_elem),
4588 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4589 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4590 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4591 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4594 .fixup_map1 = { 4 },
4595 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4597 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4600 "invalid memory access with multiple map_lookup_elem calls",
4602 BPF_MOV64_IMM(BPF_REG_1, 10),
4603 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4604 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4606 BPF_LD_MAP_FD(BPF_REG_1, 0),
4607 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4608 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4610 BPF_FUNC_map_lookup_elem),
4611 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4612 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4614 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4615 BPF_FUNC_map_lookup_elem),
4616 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4617 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4620 .fixup_map1 = { 4 },
4622 .errstr = "R4 !read_ok",
4623 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4626 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4628 BPF_MOV64_IMM(BPF_REG_1, 10),
4629 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4630 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4632 BPF_LD_MAP_FD(BPF_REG_1, 0),
4633 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4634 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4636 BPF_FUNC_map_lookup_elem),
4637 BPF_MOV64_IMM(BPF_REG_2, 10),
4638 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4639 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4640 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4641 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4642 BPF_FUNC_map_lookup_elem),
4643 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4645 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4648 .fixup_map1 = { 4 },
4650 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4653 "invalid map access from else condition",
4655 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4656 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4658 BPF_LD_MAP_FD(BPF_REG_1, 0),
4659 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4660 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4661 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4662 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4664 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4665 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4666 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4669 .fixup_map2 = { 3 },
4670 .errstr = "R0 unbounded memory access",
4672 .errstr_unpriv = "R0 leaks addr",
4673 .result_unpriv = REJECT,
4674 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4677 "constant register |= constant should keep constant type",
4679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4681 BPF_MOV64_IMM(BPF_REG_2, 34),
4682 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4683 BPF_MOV64_IMM(BPF_REG_3, 0),
4684 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4688 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4691 "constant register |= constant should not bypass stack boundary checks",
4693 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4695 BPF_MOV64_IMM(BPF_REG_2, 34),
4696 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4697 BPF_MOV64_IMM(BPF_REG_3, 0),
4698 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4701 .errstr = "invalid stack type R1 off=-48 access_size=58",
4703 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4706 "constant register |= constant register should keep constant type",
4708 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4710 BPF_MOV64_IMM(BPF_REG_2, 34),
4711 BPF_MOV64_IMM(BPF_REG_4, 13),
4712 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4713 BPF_MOV64_IMM(BPF_REG_3, 0),
4714 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4718 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4721 "constant register |= constant register should not bypass stack boundary checks",
4723 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4725 BPF_MOV64_IMM(BPF_REG_2, 34),
4726 BPF_MOV64_IMM(BPF_REG_4, 24),
4727 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4728 BPF_MOV64_IMM(BPF_REG_3, 0),
4729 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4732 .errstr = "invalid stack type R1 off=-48 access_size=58",
4734 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4737 "invalid direct packet write for LWT_IN",
4739 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4740 offsetof(struct __sk_buff, data)),
4741 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4742 offsetof(struct __sk_buff, data_end)),
4743 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4745 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4746 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4747 BPF_MOV64_IMM(BPF_REG_0, 0),
4750 .errstr = "cannot write into packet",
4752 .prog_type = BPF_PROG_TYPE_LWT_IN,
4755 "invalid direct packet write for LWT_OUT",
4757 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4758 offsetof(struct __sk_buff, data)),
4759 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4760 offsetof(struct __sk_buff, data_end)),
4761 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4763 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4764 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4765 BPF_MOV64_IMM(BPF_REG_0, 0),
4768 .errstr = "cannot write into packet",
4770 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4773 "direct packet write for LWT_XMIT",
4775 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4776 offsetof(struct __sk_buff, data)),
4777 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4778 offsetof(struct __sk_buff, data_end)),
4779 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4781 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4782 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4783 BPF_MOV64_IMM(BPF_REG_0, 0),
4787 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4790 "direct packet read for LWT_IN",
4792 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4793 offsetof(struct __sk_buff, data)),
4794 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4795 offsetof(struct __sk_buff, data_end)),
4796 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4798 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4799 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4800 BPF_MOV64_IMM(BPF_REG_0, 0),
4804 .prog_type = BPF_PROG_TYPE_LWT_IN,
4807 "direct packet read for LWT_OUT",
4809 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4810 offsetof(struct __sk_buff, data)),
4811 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4812 offsetof(struct __sk_buff, data_end)),
4813 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4815 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4816 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4817 BPF_MOV64_IMM(BPF_REG_0, 0),
4821 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4824 "direct packet read for LWT_XMIT",
4826 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4827 offsetof(struct __sk_buff, data)),
4828 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4829 offsetof(struct __sk_buff, data_end)),
4830 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4832 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4833 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4834 BPF_MOV64_IMM(BPF_REG_0, 0),
4838 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4841 "overlapping checks for direct packet access",
4843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4844 offsetof(struct __sk_buff, data)),
4845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4846 offsetof(struct __sk_buff, data_end)),
4847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4850 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4852 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4853 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4854 BPF_MOV64_IMM(BPF_REG_0, 0),
4858 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4861 "invalid access of tc_classid for LWT_IN",
4863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4864 offsetof(struct __sk_buff, tc_classid)),
4868 .errstr = "invalid bpf_context access",
4871 "invalid access of tc_classid for LWT_OUT",
4873 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4874 offsetof(struct __sk_buff, tc_classid)),
4878 .errstr = "invalid bpf_context access",
4881 "invalid access of tc_classid for LWT_XMIT",
4883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4884 offsetof(struct __sk_buff, tc_classid)),
4888 .errstr = "invalid bpf_context access",
4891 "leak pointer into ctx 1",
4893 BPF_MOV64_IMM(BPF_REG_0, 0),
4894 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4895 offsetof(struct __sk_buff, cb[0])),
4896 BPF_LD_MAP_FD(BPF_REG_2, 0),
4897 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4898 offsetof(struct __sk_buff, cb[0])),
4901 .fixup_map1 = { 2 },
4902 .errstr_unpriv = "R2 leaks addr into mem",
4903 .result_unpriv = REJECT,
4905 .errstr = "BPF_XADD stores into R1 context is not allowed",
4908 "leak pointer into ctx 2",
4910 BPF_MOV64_IMM(BPF_REG_0, 0),
4911 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4912 offsetof(struct __sk_buff, cb[0])),
4913 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4914 offsetof(struct __sk_buff, cb[0])),
4917 .errstr_unpriv = "R10 leaks addr into mem",
4918 .result_unpriv = REJECT,
4920 .errstr = "BPF_XADD stores into R1 context is not allowed",
4923 "leak pointer into ctx 3",
4925 BPF_MOV64_IMM(BPF_REG_0, 0),
4926 BPF_LD_MAP_FD(BPF_REG_2, 0),
4927 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4928 offsetof(struct __sk_buff, cb[0])),
4931 .fixup_map1 = { 1 },
4932 .errstr_unpriv = "R2 leaks addr into ctx",
4933 .result_unpriv = REJECT,
4937 "leak pointer into map val",
4939 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4940 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4943 BPF_LD_MAP_FD(BPF_REG_1, 0),
4944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4945 BPF_FUNC_map_lookup_elem),
4946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4947 BPF_MOV64_IMM(BPF_REG_3, 0),
4948 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4949 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4950 BPF_MOV64_IMM(BPF_REG_0, 0),
4953 .fixup_map1 = { 4 },
4954 .errstr_unpriv = "R6 leaks addr into mem",
4955 .result_unpriv = REJECT,
4959 "helper access to map: full range",
4961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4963 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4964 BPF_LD_MAP_FD(BPF_REG_1, 0),
4965 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4966 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4968 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4969 BPF_MOV64_IMM(BPF_REG_3, 0),
4970 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4973 .fixup_map2 = { 3 },
4975 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4978 "helper access to map: partial range",
4980 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4982 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4983 BPF_LD_MAP_FD(BPF_REG_1, 0),
4984 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4985 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4986 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4987 BPF_MOV64_IMM(BPF_REG_2, 8),
4988 BPF_MOV64_IMM(BPF_REG_3, 0),
4989 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4992 .fixup_map2 = { 3 },
4994 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4997 "helper access to map: empty range",
4999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5001 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5002 BPF_LD_MAP_FD(BPF_REG_1, 0),
5003 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5005 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5006 BPF_MOV64_IMM(BPF_REG_2, 0),
5007 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5010 .fixup_map2 = { 3 },
5011 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5013 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5016 "helper access to map: out-of-bound range",
5018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5020 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5021 BPF_LD_MAP_FD(BPF_REG_1, 0),
5022 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5023 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5025 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5026 BPF_MOV64_IMM(BPF_REG_3, 0),
5027 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5030 .fixup_map2 = { 3 },
5031 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5033 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5036 "helper access to map: negative range",
5038 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5040 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5041 BPF_LD_MAP_FD(BPF_REG_1, 0),
5042 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5043 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5044 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5045 BPF_MOV64_IMM(BPF_REG_2, -8),
5046 BPF_MOV64_IMM(BPF_REG_3, 0),
5047 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5050 .fixup_map2 = { 3 },
5051 .errstr = "R2 min value is negative",
5053 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5056 "helper access to adjusted map (via const imm): full range",
5058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5060 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5061 BPF_LD_MAP_FD(BPF_REG_1, 0),
5062 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5066 offsetof(struct test_val, foo)),
5067 BPF_MOV64_IMM(BPF_REG_2,
5068 sizeof(struct test_val) -
5069 offsetof(struct test_val, foo)),
5070 BPF_MOV64_IMM(BPF_REG_3, 0),
5071 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5074 .fixup_map2 = { 3 },
5076 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5079 "helper access to adjusted map (via const imm): partial range",
5081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5083 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5084 BPF_LD_MAP_FD(BPF_REG_1, 0),
5085 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5087 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5089 offsetof(struct test_val, foo)),
5090 BPF_MOV64_IMM(BPF_REG_2, 8),
5091 BPF_MOV64_IMM(BPF_REG_3, 0),
5092 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5095 .fixup_map2 = { 3 },
5097 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5100 "helper access to adjusted map (via const imm): empty range",
5102 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5104 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5105 BPF_LD_MAP_FD(BPF_REG_1, 0),
5106 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5108 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5110 offsetof(struct test_val, foo)),
5111 BPF_MOV64_IMM(BPF_REG_2, 0),
5112 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5115 .fixup_map2 = { 3 },
5116 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5118 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5121 "helper access to adjusted map (via const imm): out-of-bound range",
5123 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5125 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5126 BPF_LD_MAP_FD(BPF_REG_1, 0),
5127 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5128 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5129 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5131 offsetof(struct test_val, foo)),
5132 BPF_MOV64_IMM(BPF_REG_2,
5133 sizeof(struct test_val) -
5134 offsetof(struct test_val, foo) + 8),
5135 BPF_MOV64_IMM(BPF_REG_3, 0),
5136 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5139 .fixup_map2 = { 3 },
5140 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5142 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5145 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5147 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5149 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5150 BPF_LD_MAP_FD(BPF_REG_1, 0),
5151 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5155 offsetof(struct test_val, foo)),
5156 BPF_MOV64_IMM(BPF_REG_2, -8),
5157 BPF_MOV64_IMM(BPF_REG_3, 0),
5158 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5161 .fixup_map2 = { 3 },
5162 .errstr = "R2 min value is negative",
5164 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5167 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5169 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5171 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5172 BPF_LD_MAP_FD(BPF_REG_1, 0),
5173 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5177 offsetof(struct test_val, foo)),
5178 BPF_MOV64_IMM(BPF_REG_2, -1),
5179 BPF_MOV64_IMM(BPF_REG_3, 0),
5180 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5183 .fixup_map2 = { 3 },
5184 .errstr = "R2 min value is negative",
5186 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5189 "helper access to adjusted map (via const reg): full range",
5191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5193 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5194 BPF_LD_MAP_FD(BPF_REG_1, 0),
5195 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5198 BPF_MOV64_IMM(BPF_REG_3,
5199 offsetof(struct test_val, foo)),
5200 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5201 BPF_MOV64_IMM(BPF_REG_2,
5202 sizeof(struct test_val) -
5203 offsetof(struct test_val, foo)),
5204 BPF_MOV64_IMM(BPF_REG_3, 0),
5205 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5208 .fixup_map2 = { 3 },
5210 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5213 "helper access to adjusted map (via const reg): partial range",
5215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5217 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5218 BPF_LD_MAP_FD(BPF_REG_1, 0),
5219 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5222 BPF_MOV64_IMM(BPF_REG_3,
5223 offsetof(struct test_val, foo)),
5224 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5225 BPF_MOV64_IMM(BPF_REG_2, 8),
5226 BPF_MOV64_IMM(BPF_REG_3, 0),
5227 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5230 .fixup_map2 = { 3 },
5232 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5235 "helper access to adjusted map (via const reg): empty range",
5237 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5239 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5240 BPF_LD_MAP_FD(BPF_REG_1, 0),
5241 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5244 BPF_MOV64_IMM(BPF_REG_3, 0),
5245 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5246 BPF_MOV64_IMM(BPF_REG_2, 0),
5247 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5250 .fixup_map2 = { 3 },
5251 .errstr = "R1 min value is outside of the array range",
5253 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5256 "helper access to adjusted map (via const reg): out-of-bound range",
5258 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5260 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5261 BPF_LD_MAP_FD(BPF_REG_1, 0),
5262 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5264 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5265 BPF_MOV64_IMM(BPF_REG_3,
5266 offsetof(struct test_val, foo)),
5267 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5268 BPF_MOV64_IMM(BPF_REG_2,
5269 sizeof(struct test_val) -
5270 offsetof(struct test_val, foo) + 8),
5271 BPF_MOV64_IMM(BPF_REG_3, 0),
5272 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5275 .fixup_map2 = { 3 },
5276 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5278 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5281 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5283 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5285 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5286 BPF_LD_MAP_FD(BPF_REG_1, 0),
5287 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5288 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5290 BPF_MOV64_IMM(BPF_REG_3,
5291 offsetof(struct test_val, foo)),
5292 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5293 BPF_MOV64_IMM(BPF_REG_2, -8),
5294 BPF_MOV64_IMM(BPF_REG_3, 0),
5295 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5298 .fixup_map2 = { 3 },
5299 .errstr = "R2 min value is negative",
5301 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5304 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5308 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5309 BPF_LD_MAP_FD(BPF_REG_1, 0),
5310 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5312 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5313 BPF_MOV64_IMM(BPF_REG_3,
5314 offsetof(struct test_val, foo)),
5315 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5316 BPF_MOV64_IMM(BPF_REG_2, -1),
5317 BPF_MOV64_IMM(BPF_REG_3, 0),
5318 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5321 .fixup_map2 = { 3 },
5322 .errstr = "R2 min value is negative",
5324 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5327 "helper access to adjusted map (via variable): full range",
5329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5331 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5332 BPF_LD_MAP_FD(BPF_REG_1, 0),
5333 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5334 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5337 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5338 offsetof(struct test_val, foo), 4),
5339 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5340 BPF_MOV64_IMM(BPF_REG_2,
5341 sizeof(struct test_val) -
5342 offsetof(struct test_val, foo)),
5343 BPF_MOV64_IMM(BPF_REG_3, 0),
5344 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5347 .fixup_map2 = { 3 },
5349 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5352 "helper access to adjusted map (via variable): partial range",
5354 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5356 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5357 BPF_LD_MAP_FD(BPF_REG_1, 0),
5358 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5359 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5361 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5362 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5363 offsetof(struct test_val, foo), 4),
5364 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5365 BPF_MOV64_IMM(BPF_REG_2, 8),
5366 BPF_MOV64_IMM(BPF_REG_3, 0),
5367 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5370 .fixup_map2 = { 3 },
5372 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5375 "helper access to adjusted map (via variable): empty range",
5377 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5379 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5380 BPF_LD_MAP_FD(BPF_REG_1, 0),
5381 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5382 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5384 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5385 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5386 offsetof(struct test_val, foo), 3),
5387 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5388 BPF_MOV64_IMM(BPF_REG_2, 0),
5389 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5392 .fixup_map2 = { 3 },
5393 .errstr = "R1 min value is outside of the array range",
5395 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5398 "helper access to adjusted map (via variable): no max check",
5400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5402 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5403 BPF_LD_MAP_FD(BPF_REG_1, 0),
5404 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5405 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5408 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5409 BPF_MOV64_IMM(BPF_REG_2, 1),
5410 BPF_MOV64_IMM(BPF_REG_3, 0),
5411 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5414 .fixup_map2 = { 3 },
5415 .errstr = "R1 unbounded memory access",
5417 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5420 "helper access to adjusted map (via variable): wrong max check",
5422 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5424 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5425 BPF_LD_MAP_FD(BPF_REG_1, 0),
5426 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5430 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5431 offsetof(struct test_val, foo), 4),
5432 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5433 BPF_MOV64_IMM(BPF_REG_2,
5434 sizeof(struct test_val) -
5435 offsetof(struct test_val, foo) + 1),
5436 BPF_MOV64_IMM(BPF_REG_3, 0),
5437 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5440 .fixup_map2 = { 3 },
5441 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5443 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5446 "helper access to map: bounds check using <, good access",
5448 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5450 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5451 BPF_LD_MAP_FD(BPF_REG_1, 0),
5452 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5453 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5454 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5456 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5457 BPF_MOV64_IMM(BPF_REG_0, 0),
5459 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5460 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5461 BPF_MOV64_IMM(BPF_REG_0, 0),
5464 .fixup_map2 = { 3 },
5466 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5469 "helper access to map: bounds check using <, bad access",
5471 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5473 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5474 BPF_LD_MAP_FD(BPF_REG_1, 0),
5475 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5479 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5480 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5481 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5482 BPF_MOV64_IMM(BPF_REG_0, 0),
5484 BPF_MOV64_IMM(BPF_REG_0, 0),
5487 .fixup_map2 = { 3 },
5489 .errstr = "R1 unbounded memory access",
5490 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5493 "helper access to map: bounds check using <=, good access",
5495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5497 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5498 BPF_LD_MAP_FD(BPF_REG_1, 0),
5499 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5500 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5503 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5504 BPF_MOV64_IMM(BPF_REG_0, 0),
5506 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5507 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5508 BPF_MOV64_IMM(BPF_REG_0, 0),
5511 .fixup_map2 = { 3 },
5513 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5516 "helper access to map: bounds check using <=, bad access",
5518 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5520 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5521 BPF_LD_MAP_FD(BPF_REG_1, 0),
5522 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5525 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5526 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5527 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5528 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5529 BPF_MOV64_IMM(BPF_REG_0, 0),
5531 BPF_MOV64_IMM(BPF_REG_0, 0),
5534 .fixup_map2 = { 3 },
5536 .errstr = "R1 unbounded memory access",
5537 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5540 "helper access to map: bounds check using s<, good access",
5542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5544 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5545 BPF_LD_MAP_FD(BPF_REG_1, 0),
5546 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5548 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5550 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5551 BPF_MOV64_IMM(BPF_REG_0, 0),
5553 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5554 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5555 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5556 BPF_MOV64_IMM(BPF_REG_0, 0),
5559 .fixup_map2 = { 3 },
5561 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5564 "helper access to map: bounds check using s<, good access 2",
5566 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5568 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5569 BPF_LD_MAP_FD(BPF_REG_1, 0),
5570 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5572 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5573 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5574 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5575 BPF_MOV64_IMM(BPF_REG_0, 0),
5577 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5578 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5579 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5580 BPF_MOV64_IMM(BPF_REG_0, 0),
5583 .fixup_map2 = { 3 },
5585 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5588 "helper access to map: bounds check using s<, bad access",
5590 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5592 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5593 BPF_LD_MAP_FD(BPF_REG_1, 0),
5594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5595 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5596 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5597 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5598 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5599 BPF_MOV64_IMM(BPF_REG_0, 0),
5601 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5602 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5603 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5604 BPF_MOV64_IMM(BPF_REG_0, 0),
5607 .fixup_map2 = { 3 },
5609 .errstr = "R1 min value is negative",
5610 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5613 "helper access to map: bounds check using s<=, good access",
5615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5617 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5618 BPF_LD_MAP_FD(BPF_REG_1, 0),
5619 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5620 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5621 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5623 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5624 BPF_MOV64_IMM(BPF_REG_0, 0),
5626 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5627 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5628 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5629 BPF_MOV64_IMM(BPF_REG_0, 0),
5632 .fixup_map2 = { 3 },
5634 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5637 "helper access to map: bounds check using s<=, good access 2",
5639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5641 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5642 BPF_LD_MAP_FD(BPF_REG_1, 0),
5643 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5645 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5646 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5647 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5648 BPF_MOV64_IMM(BPF_REG_0, 0),
5650 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5651 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5652 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5653 BPF_MOV64_IMM(BPF_REG_0, 0),
5656 .fixup_map2 = { 3 },
5658 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5661 "helper access to map: bounds check using s<=, bad access",
5663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5665 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5666 BPF_LD_MAP_FD(BPF_REG_1, 0),
5667 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5669 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5670 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5671 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5672 BPF_MOV64_IMM(BPF_REG_0, 0),
5674 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5675 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5676 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5677 BPF_MOV64_IMM(BPF_REG_0, 0),
5680 .fixup_map2 = { 3 },
5682 .errstr = "R1 min value is negative",
5683 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5686 "map lookup helper access to map",
5688 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5690 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5691 BPF_LD_MAP_FD(BPF_REG_1, 0),
5692 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5695 BPF_LD_MAP_FD(BPF_REG_1, 0),
5696 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5699 .fixup_map3 = { 3, 8 },
5701 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5704 "map update helper access to map",
5706 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5708 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5709 BPF_LD_MAP_FD(BPF_REG_1, 0),
5710 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5712 BPF_MOV64_IMM(BPF_REG_4, 0),
5713 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5714 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5715 BPF_LD_MAP_FD(BPF_REG_1, 0),
5716 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5719 .fixup_map3 = { 3, 10 },
5721 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5724 "map update helper access to map: wrong size",
5726 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5728 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5729 BPF_LD_MAP_FD(BPF_REG_1, 0),
5730 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5731 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5732 BPF_MOV64_IMM(BPF_REG_4, 0),
5733 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5734 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5735 BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5739 .fixup_map1 = { 3 },
5740 .fixup_map3 = { 10 },
5742 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
5743 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5746 "map helper access to adjusted map (via const imm)",
5748 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5750 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5751 BPF_LD_MAP_FD(BPF_REG_1, 0),
5752 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5756 offsetof(struct other_val, bar)),
5757 BPF_LD_MAP_FD(BPF_REG_1, 0),
5758 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5761 .fixup_map3 = { 3, 9 },
5763 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5766 "map helper access to adjusted map (via const imm): out-of-bound 1",
5768 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5770 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5771 BPF_LD_MAP_FD(BPF_REG_1, 0),
5772 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5774 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5776 sizeof(struct other_val) - 4),
5777 BPF_LD_MAP_FD(BPF_REG_1, 0),
5778 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5781 .fixup_map3 = { 3, 9 },
5783 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
5784 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5787 "map helper access to adjusted map (via const imm): out-of-bound 2",
5789 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5791 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5792 BPF_LD_MAP_FD(BPF_REG_1, 0),
5793 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5797 BPF_LD_MAP_FD(BPF_REG_1, 0),
5798 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5801 .fixup_map3 = { 3, 9 },
5803 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5804 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5807 "map helper access to adjusted map (via const reg)",
5809 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5810 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5811 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5812 BPF_LD_MAP_FD(BPF_REG_1, 0),
5813 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5815 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5816 BPF_MOV64_IMM(BPF_REG_3,
5817 offsetof(struct other_val, bar)),
5818 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5819 BPF_LD_MAP_FD(BPF_REG_1, 0),
5820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5823 .fixup_map3 = { 3, 10 },
5825 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5828 "map helper access to adjusted map (via const reg): out-of-bound 1",
5830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5832 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5833 BPF_LD_MAP_FD(BPF_REG_1, 0),
5834 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5837 BPF_MOV64_IMM(BPF_REG_3,
5838 sizeof(struct other_val) - 4),
5839 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5840 BPF_LD_MAP_FD(BPF_REG_1, 0),
5841 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5844 .fixup_map3 = { 3, 10 },
5846 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
5847 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5850 "map helper access to adjusted map (via const reg): out-of-bound 2",
5852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5854 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5855 BPF_LD_MAP_FD(BPF_REG_1, 0),
5856 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5858 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5859 BPF_MOV64_IMM(BPF_REG_3, -4),
5860 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5861 BPF_LD_MAP_FD(BPF_REG_1, 0),
5862 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5865 .fixup_map3 = { 3, 10 },
5867 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5868 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5871 "map helper access to adjusted map (via variable)",
5873 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5875 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5876 BPF_LD_MAP_FD(BPF_REG_1, 0),
5877 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5878 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5879 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5880 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5881 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5882 offsetof(struct other_val, bar), 4),
5883 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5884 BPF_LD_MAP_FD(BPF_REG_1, 0),
5885 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5888 .fixup_map3 = { 3, 11 },
5890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5893 "map helper access to adjusted map (via variable): no max check",
5895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5897 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5898 BPF_LD_MAP_FD(BPF_REG_1, 0),
5899 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5902 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5903 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5904 BPF_LD_MAP_FD(BPF_REG_1, 0),
5905 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5908 .fixup_map3 = { 3, 10 },
5910 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
5911 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5914 "map helper access to adjusted map (via variable): wrong max check",
5916 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5918 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5919 BPF_LD_MAP_FD(BPF_REG_1, 0),
5920 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5921 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5922 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5923 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5924 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5925 offsetof(struct other_val, bar) + 1, 4),
5926 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5927 BPF_LD_MAP_FD(BPF_REG_1, 0),
5928 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5931 .fixup_map3 = { 3, 11 },
5933 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
5934 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5937 "map element value is preserved across register spilling",
5939 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5941 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5942 BPF_LD_MAP_FD(BPF_REG_1, 0),
5943 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5944 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5945 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5946 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5948 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5949 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5950 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5953 .fixup_map2 = { 3 },
5954 .errstr_unpriv = "R0 leaks addr",
5956 .result_unpriv = REJECT,
5959 "map element value or null is marked on register spilling",
5961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5963 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5964 BPF_LD_MAP_FD(BPF_REG_1, 0),
5965 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5968 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5969 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5970 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5971 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5974 .fixup_map2 = { 3 },
5975 .errstr_unpriv = "R0 leaks addr",
5977 .result_unpriv = REJECT,
5980 "map element value store of cleared call register",
5982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5984 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5985 BPF_LD_MAP_FD(BPF_REG_1, 0),
5986 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5987 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5988 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5991 .fixup_map2 = { 3 },
5992 .errstr_unpriv = "R1 !read_ok",
5993 .errstr = "R1 !read_ok",
5995 .result_unpriv = REJECT,
5998 "map element value with unaligned store",
6000 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6002 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6003 BPF_LD_MAP_FD(BPF_REG_1, 0),
6004 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6005 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6007 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6008 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6009 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6010 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6011 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6012 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6013 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6015 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6016 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6017 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6018 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6020 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6021 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6022 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6025 .fixup_map2 = { 3 },
6026 .errstr_unpriv = "R0 leaks addr",
6028 .result_unpriv = REJECT,
6029 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6032 "map element value with unaligned load",
6034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6036 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6037 BPF_LD_MAP_FD(BPF_REG_1, 0),
6038 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6039 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6040 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6041 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6043 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6044 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6045 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6046 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6047 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6049 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6050 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6053 .fixup_map2 = { 3 },
6054 .errstr_unpriv = "R0 leaks addr",
6056 .result_unpriv = REJECT,
6057 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6060 "map element value illegal alu op, 1",
6062 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6064 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6065 BPF_LD_MAP_FD(BPF_REG_1, 0),
6066 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6067 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6068 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6069 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6072 .fixup_map2 = { 3 },
6073 .errstr = "R0 bitwise operator &= on pointer",
6077 "map element value illegal alu op, 2",
6079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6081 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6082 BPF_LD_MAP_FD(BPF_REG_1, 0),
6083 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6084 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6085 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6086 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6089 .fixup_map2 = { 3 },
6090 .errstr = "R0 32-bit pointer arithmetic prohibited",
6094 "map element value illegal alu op, 3",
6096 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6098 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6099 BPF_LD_MAP_FD(BPF_REG_1, 0),
6100 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6101 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6102 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6103 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6106 .fixup_map2 = { 3 },
6107 .errstr = "R0 pointer arithmetic with /= operator",
6111 "map element value illegal alu op, 4",
6113 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6115 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6116 BPF_LD_MAP_FD(BPF_REG_1, 0),
6117 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6118 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6119 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6120 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6123 .fixup_map2 = { 3 },
6124 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6125 .errstr = "invalid mem access 'inv'",
6127 .result_unpriv = REJECT,
6130 "map element value illegal alu op, 5",
6132 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6134 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6135 BPF_LD_MAP_FD(BPF_REG_1, 0),
6136 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6138 BPF_MOV64_IMM(BPF_REG_3, 4096),
6139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6141 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6142 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6143 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6144 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6147 .fixup_map2 = { 3 },
6148 .errstr = "R0 invalid mem access 'inv'",
6152 "map element value is preserved across register spilling",
6154 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6155 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6156 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6157 BPF_LD_MAP_FD(BPF_REG_1, 0),
6158 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6159 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6161 offsetof(struct test_val, foo)),
6162 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6163 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6165 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6166 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6167 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6170 .fixup_map2 = { 3 },
6171 .errstr_unpriv = "R0 leaks addr",
6173 .result_unpriv = REJECT,
6174 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6177 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6179 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6181 BPF_MOV64_IMM(BPF_REG_0, 0),
6182 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6183 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6184 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6185 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6186 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6187 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6188 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6189 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6190 BPF_MOV64_IMM(BPF_REG_2, 16),
6191 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6192 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6193 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6194 BPF_MOV64_IMM(BPF_REG_4, 0),
6195 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6196 BPF_MOV64_IMM(BPF_REG_3, 0),
6197 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6198 BPF_MOV64_IMM(BPF_REG_0, 0),
6202 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6205 "helper access to variable memory: stack, bitwise AND, zero included",
6207 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6209 BPF_MOV64_IMM(BPF_REG_2, 16),
6210 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6211 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6212 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6213 BPF_MOV64_IMM(BPF_REG_3, 0),
6214 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6217 .errstr = "invalid indirect read from stack off -64+0 size 64",
6219 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6222 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6224 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6226 BPF_MOV64_IMM(BPF_REG_2, 16),
6227 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6228 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6229 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6230 BPF_MOV64_IMM(BPF_REG_4, 0),
6231 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6232 BPF_MOV64_IMM(BPF_REG_3, 0),
6233 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6234 BPF_MOV64_IMM(BPF_REG_0, 0),
6237 .errstr = "invalid stack type R1 off=-64 access_size=65",
6239 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6242 "helper access to variable memory: stack, JMP, correct bounds",
6244 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6246 BPF_MOV64_IMM(BPF_REG_0, 0),
6247 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6248 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6249 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6250 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6251 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6252 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6253 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6254 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6255 BPF_MOV64_IMM(BPF_REG_2, 16),
6256 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6257 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6258 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6259 BPF_MOV64_IMM(BPF_REG_4, 0),
6260 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6261 BPF_MOV64_IMM(BPF_REG_3, 0),
6262 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6263 BPF_MOV64_IMM(BPF_REG_0, 0),
6267 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6270 "helper access to variable memory: stack, JMP (signed), correct bounds",
6272 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6274 BPF_MOV64_IMM(BPF_REG_0, 0),
6275 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6277 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6278 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6279 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6280 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6281 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6282 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6283 BPF_MOV64_IMM(BPF_REG_2, 16),
6284 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6285 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6286 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6287 BPF_MOV64_IMM(BPF_REG_4, 0),
6288 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6289 BPF_MOV64_IMM(BPF_REG_3, 0),
6290 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6291 BPF_MOV64_IMM(BPF_REG_0, 0),
6295 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6298 "helper access to variable memory: stack, JMP, bounds + offset",
6300 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6301 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6302 BPF_MOV64_IMM(BPF_REG_2, 16),
6303 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6304 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6305 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6306 BPF_MOV64_IMM(BPF_REG_4, 0),
6307 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6309 BPF_MOV64_IMM(BPF_REG_3, 0),
6310 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6311 BPF_MOV64_IMM(BPF_REG_0, 0),
6314 .errstr = "invalid stack type R1 off=-64 access_size=65",
6316 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6319 "helper access to variable memory: stack, JMP, wrong max",
6321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6323 BPF_MOV64_IMM(BPF_REG_2, 16),
6324 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6325 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6326 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6327 BPF_MOV64_IMM(BPF_REG_4, 0),
6328 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6329 BPF_MOV64_IMM(BPF_REG_3, 0),
6330 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6331 BPF_MOV64_IMM(BPF_REG_0, 0),
6334 .errstr = "invalid stack type R1 off=-64 access_size=65",
6336 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6339 "helper access to variable memory: stack, JMP, no max check",
6341 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6343 BPF_MOV64_IMM(BPF_REG_2, 16),
6344 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6345 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6346 BPF_MOV64_IMM(BPF_REG_4, 0),
6347 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6348 BPF_MOV64_IMM(BPF_REG_3, 0),
6349 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6350 BPF_MOV64_IMM(BPF_REG_0, 0),
6353 /* because max wasn't checked, signed min is negative */
6354 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6356 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6359 "helper access to variable memory: stack, JMP, no min check",
6361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6363 BPF_MOV64_IMM(BPF_REG_2, 16),
6364 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6365 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6366 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6367 BPF_MOV64_IMM(BPF_REG_3, 0),
6368 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6369 BPF_MOV64_IMM(BPF_REG_0, 0),
6372 .errstr = "invalid indirect read from stack off -64+0 size 64",
6374 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6377 "helper access to variable memory: stack, JMP (signed), no min check",
6379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6381 BPF_MOV64_IMM(BPF_REG_2, 16),
6382 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6383 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6384 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6385 BPF_MOV64_IMM(BPF_REG_3, 0),
6386 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6387 BPF_MOV64_IMM(BPF_REG_0, 0),
6390 .errstr = "R2 min value is negative",
6392 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6395 "helper access to variable memory: map, JMP, correct bounds",
6397 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6399 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6400 BPF_LD_MAP_FD(BPF_REG_1, 0),
6401 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6404 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6405 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6406 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6407 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6408 sizeof(struct test_val), 4),
6409 BPF_MOV64_IMM(BPF_REG_4, 0),
6410 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6411 BPF_MOV64_IMM(BPF_REG_3, 0),
6412 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6413 BPF_MOV64_IMM(BPF_REG_0, 0),
6416 .fixup_map2 = { 3 },
6418 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6421 "helper access to variable memory: map, JMP, wrong max",
6423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6425 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6426 BPF_LD_MAP_FD(BPF_REG_1, 0),
6427 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6430 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6431 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6432 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6433 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6434 sizeof(struct test_val) + 1, 4),
6435 BPF_MOV64_IMM(BPF_REG_4, 0),
6436 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6437 BPF_MOV64_IMM(BPF_REG_3, 0),
6438 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6439 BPF_MOV64_IMM(BPF_REG_0, 0),
6442 .fixup_map2 = { 3 },
6443 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6445 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6448 "helper access to variable memory: map adjusted, JMP, correct bounds",
6450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6452 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6453 BPF_LD_MAP_FD(BPF_REG_1, 0),
6454 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6455 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6456 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6458 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6459 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6460 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6461 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6462 sizeof(struct test_val) - 20, 4),
6463 BPF_MOV64_IMM(BPF_REG_4, 0),
6464 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6465 BPF_MOV64_IMM(BPF_REG_3, 0),
6466 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6467 BPF_MOV64_IMM(BPF_REG_0, 0),
6470 .fixup_map2 = { 3 },
6472 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6475 "helper access to variable memory: map adjusted, JMP, wrong max",
6477 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6479 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6480 BPF_LD_MAP_FD(BPF_REG_1, 0),
6481 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6483 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6485 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6487 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6488 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6489 sizeof(struct test_val) - 19, 4),
6490 BPF_MOV64_IMM(BPF_REG_4, 0),
6491 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6492 BPF_MOV64_IMM(BPF_REG_3, 0),
6493 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6494 BPF_MOV64_IMM(BPF_REG_0, 0),
6497 .fixup_map2 = { 3 },
6498 .errstr = "R1 min value is outside of the array range",
6500 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6503 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6505 BPF_MOV64_IMM(BPF_REG_1, 0),
6506 BPF_MOV64_IMM(BPF_REG_2, 0),
6507 BPF_MOV64_IMM(BPF_REG_3, 0),
6508 BPF_MOV64_IMM(BPF_REG_4, 0),
6509 BPF_MOV64_IMM(BPF_REG_5, 0),
6510 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6514 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6517 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6519 BPF_MOV64_IMM(BPF_REG_1, 0),
6520 BPF_MOV64_IMM(BPF_REG_2, 1),
6521 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6522 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6523 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6524 BPF_MOV64_IMM(BPF_REG_3, 0),
6525 BPF_MOV64_IMM(BPF_REG_4, 0),
6526 BPF_MOV64_IMM(BPF_REG_5, 0),
6527 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6530 .errstr = "R1 type=inv expected=fp",
6532 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6535 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6539 BPF_MOV64_IMM(BPF_REG_2, 0),
6540 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6541 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6542 BPF_MOV64_IMM(BPF_REG_3, 0),
6543 BPF_MOV64_IMM(BPF_REG_4, 0),
6544 BPF_MOV64_IMM(BPF_REG_5, 0),
6545 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6549 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6552 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6557 BPF_LD_MAP_FD(BPF_REG_1, 0),
6558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6559 BPF_FUNC_map_lookup_elem),
6560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6562 BPF_MOV64_IMM(BPF_REG_2, 0),
6563 BPF_MOV64_IMM(BPF_REG_3, 0),
6564 BPF_MOV64_IMM(BPF_REG_4, 0),
6565 BPF_MOV64_IMM(BPF_REG_5, 0),
6566 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6569 .fixup_map1 = { 3 },
6571 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6574 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6576 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6577 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6579 BPF_LD_MAP_FD(BPF_REG_1, 0),
6580 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6581 BPF_FUNC_map_lookup_elem),
6582 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6583 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6584 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6587 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6588 BPF_MOV64_IMM(BPF_REG_3, 0),
6589 BPF_MOV64_IMM(BPF_REG_4, 0),
6590 BPF_MOV64_IMM(BPF_REG_5, 0),
6591 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6594 .fixup_map1 = { 3 },
6596 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6599 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6601 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6604 BPF_LD_MAP_FD(BPF_REG_1, 0),
6605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6606 BPF_FUNC_map_lookup_elem),
6607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6609 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6610 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6611 BPF_MOV64_IMM(BPF_REG_3, 0),
6612 BPF_MOV64_IMM(BPF_REG_4, 0),
6613 BPF_MOV64_IMM(BPF_REG_5, 0),
6614 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6617 .fixup_map1 = { 3 },
6619 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6622 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6624 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6625 offsetof(struct __sk_buff, data)),
6626 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6627 offsetof(struct __sk_buff, data_end)),
6628 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6630 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6631 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6632 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6633 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6634 BPF_MOV64_IMM(BPF_REG_3, 0),
6635 BPF_MOV64_IMM(BPF_REG_4, 0),
6636 BPF_MOV64_IMM(BPF_REG_5, 0),
6637 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6641 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6642 .retval = 0 /* csum_diff of 64-byte packet */,
6645 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6647 BPF_MOV64_IMM(BPF_REG_1, 0),
6648 BPF_MOV64_IMM(BPF_REG_2, 0),
6649 BPF_MOV64_IMM(BPF_REG_3, 0),
6650 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6653 .errstr = "R1 type=inv expected=fp",
6655 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6658 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6660 BPF_MOV64_IMM(BPF_REG_1, 0),
6661 BPF_MOV64_IMM(BPF_REG_2, 1),
6662 BPF_MOV64_IMM(BPF_REG_3, 0),
6663 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6666 .errstr = "R1 type=inv expected=fp",
6668 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6671 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6673 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6675 BPF_MOV64_IMM(BPF_REG_2, 0),
6676 BPF_MOV64_IMM(BPF_REG_3, 0),
6677 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6681 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6684 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6686 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6687 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6689 BPF_LD_MAP_FD(BPF_REG_1, 0),
6690 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6693 BPF_MOV64_IMM(BPF_REG_2, 0),
6694 BPF_MOV64_IMM(BPF_REG_3, 0),
6695 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6698 .fixup_map1 = { 3 },
6700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6703 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6705 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6706 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6708 BPF_LD_MAP_FD(BPF_REG_1, 0),
6709 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6711 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6712 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6715 BPF_MOV64_IMM(BPF_REG_3, 0),
6716 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6719 .fixup_map1 = { 3 },
6721 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6724 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6726 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6727 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6729 BPF_LD_MAP_FD(BPF_REG_1, 0),
6730 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6731 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6732 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6733 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6734 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6735 BPF_MOV64_IMM(BPF_REG_3, 0),
6736 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6739 .fixup_map1 = { 3 },
6741 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6744 "helper access to variable memory: 8 bytes leak",
6746 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6748 BPF_MOV64_IMM(BPF_REG_0, 0),
6749 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6750 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6751 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6752 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6753 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6754 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6755 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6756 BPF_MOV64_IMM(BPF_REG_2, 1),
6757 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6758 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6759 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6761 BPF_MOV64_IMM(BPF_REG_3, 0),
6762 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6763 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6766 .errstr = "invalid indirect read from stack off -64+32 size 64",
6768 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6771 "helper access to variable memory: 8 bytes no leak (init memory)",
6773 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6774 BPF_MOV64_IMM(BPF_REG_0, 0),
6775 BPF_MOV64_IMM(BPF_REG_0, 0),
6776 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6777 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6778 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6779 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6780 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6781 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6782 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6783 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6785 BPF_MOV64_IMM(BPF_REG_2, 0),
6786 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6788 BPF_MOV64_IMM(BPF_REG_3, 0),
6789 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6790 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6794 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6797 "invalid and of negative number",
6799 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6800 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6802 BPF_LD_MAP_FD(BPF_REG_1, 0),
6803 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6804 BPF_FUNC_map_lookup_elem),
6805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6806 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6807 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6808 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6809 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6810 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6811 offsetof(struct test_val, foo)),
6814 .fixup_map2 = { 3 },
6815 .errstr = "R0 max value is outside of the array range",
6817 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6820 "invalid range check",
6822 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6825 BPF_LD_MAP_FD(BPF_REG_1, 0),
6826 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6827 BPF_FUNC_map_lookup_elem),
6828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6829 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6830 BPF_MOV64_IMM(BPF_REG_9, 1),
6831 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6832 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6833 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6834 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6835 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6836 BPF_MOV32_IMM(BPF_REG_3, 1),
6837 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6838 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6839 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6840 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6841 BPF_MOV64_REG(BPF_REG_0, 0),
6844 .fixup_map2 = { 3 },
6845 .errstr = "R0 max value is outside of the array range",
6847 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6850 "map in map access",
6852 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6855 BPF_LD_MAP_FD(BPF_REG_1, 0),
6856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6857 BPF_FUNC_map_lookup_elem),
6858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6859 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6863 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6864 BPF_FUNC_map_lookup_elem),
6865 BPF_MOV64_REG(BPF_REG_0, 0),
6868 .fixup_map_in_map = { 3 },
6872 "invalid inner map pointer",
6874 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6877 BPF_LD_MAP_FD(BPF_REG_1, 0),
6878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6879 BPF_FUNC_map_lookup_elem),
6880 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6881 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6887 BPF_FUNC_map_lookup_elem),
6888 BPF_MOV64_REG(BPF_REG_0, 0),
6891 .fixup_map_in_map = { 3 },
6892 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6896 "forgot null checking on the inner map pointer",
6898 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6901 BPF_LD_MAP_FD(BPF_REG_1, 0),
6902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6903 BPF_FUNC_map_lookup_elem),
6904 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6907 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6909 BPF_FUNC_map_lookup_elem),
6910 BPF_MOV64_REG(BPF_REG_0, 0),
6913 .fixup_map_in_map = { 3 },
6914 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6918 "ld_abs: check calling conv, r1",
6920 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6921 BPF_MOV64_IMM(BPF_REG_1, 0),
6922 BPF_LD_ABS(BPF_W, -0x200000),
6923 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6926 .errstr = "R1 !read_ok",
6930 "ld_abs: check calling conv, r2",
6932 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6933 BPF_MOV64_IMM(BPF_REG_2, 0),
6934 BPF_LD_ABS(BPF_W, -0x200000),
6935 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6938 .errstr = "R2 !read_ok",
6942 "ld_abs: check calling conv, r3",
6944 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6945 BPF_MOV64_IMM(BPF_REG_3, 0),
6946 BPF_LD_ABS(BPF_W, -0x200000),
6947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6950 .errstr = "R3 !read_ok",
6954 "ld_abs: check calling conv, r4",
6956 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6957 BPF_MOV64_IMM(BPF_REG_4, 0),
6958 BPF_LD_ABS(BPF_W, -0x200000),
6959 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6962 .errstr = "R4 !read_ok",
6966 "ld_abs: check calling conv, r5",
6968 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6969 BPF_MOV64_IMM(BPF_REG_5, 0),
6970 BPF_LD_ABS(BPF_W, -0x200000),
6971 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6974 .errstr = "R5 !read_ok",
6978 "ld_abs: check calling conv, r7",
6980 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6981 BPF_MOV64_IMM(BPF_REG_7, 0),
6982 BPF_LD_ABS(BPF_W, -0x200000),
6983 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6989 "ld_abs: tests on r6 and skb data reload helper",
6991 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6992 BPF_LD_ABS(BPF_B, 0),
6993 BPF_LD_ABS(BPF_H, 0),
6994 BPF_LD_ABS(BPF_W, 0),
6995 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6996 BPF_MOV64_IMM(BPF_REG_6, 0),
6997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6998 BPF_MOV64_IMM(BPF_REG_2, 1),
6999 BPF_MOV64_IMM(BPF_REG_3, 2),
7000 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7001 BPF_FUNC_skb_vlan_push),
7002 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7003 BPF_LD_ABS(BPF_B, 0),
7004 BPF_LD_ABS(BPF_H, 0),
7005 BPF_LD_ABS(BPF_W, 0),
7006 BPF_MOV64_IMM(BPF_REG_0, 42),
7009 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7011 .retval = 42 /* ultimate return value */,
7014 "ld_ind: check calling conv, r1",
7016 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7017 BPF_MOV64_IMM(BPF_REG_1, 1),
7018 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7019 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7022 .errstr = "R1 !read_ok",
7026 "ld_ind: check calling conv, r2",
7028 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7029 BPF_MOV64_IMM(BPF_REG_2, 1),
7030 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7031 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7034 .errstr = "R2 !read_ok",
7038 "ld_ind: check calling conv, r3",
7040 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7041 BPF_MOV64_IMM(BPF_REG_3, 1),
7042 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7043 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7046 .errstr = "R3 !read_ok",
7050 "ld_ind: check calling conv, r4",
7052 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7053 BPF_MOV64_IMM(BPF_REG_4, 1),
7054 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7055 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7058 .errstr = "R4 !read_ok",
7062 "ld_ind: check calling conv, r5",
7064 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7065 BPF_MOV64_IMM(BPF_REG_5, 1),
7066 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7067 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7070 .errstr = "R5 !read_ok",
7074 "ld_ind: check calling conv, r7",
7076 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7077 BPF_MOV64_IMM(BPF_REG_7, 1),
7078 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7079 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7086 "check bpf_perf_event_data->sample_period byte load permitted",
7088 BPF_MOV64_IMM(BPF_REG_0, 0),
7089 #if __BYTE_ORDER == __LITTLE_ENDIAN
7090 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7091 offsetof(struct bpf_perf_event_data, sample_period)),
7093 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7094 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7099 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7102 "check bpf_perf_event_data->sample_period half load permitted",
7104 BPF_MOV64_IMM(BPF_REG_0, 0),
7105 #if __BYTE_ORDER == __LITTLE_ENDIAN
7106 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7107 offsetof(struct bpf_perf_event_data, sample_period)),
7109 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7110 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7115 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7118 "check bpf_perf_event_data->sample_period word load permitted",
7120 BPF_MOV64_IMM(BPF_REG_0, 0),
7121 #if __BYTE_ORDER == __LITTLE_ENDIAN
7122 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7123 offsetof(struct bpf_perf_event_data, sample_period)),
7125 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7126 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7131 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7134 "check bpf_perf_event_data->sample_period dword load permitted",
7136 BPF_MOV64_IMM(BPF_REG_0, 0),
7137 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7138 offsetof(struct bpf_perf_event_data, sample_period)),
7142 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7145 "check skb->data half load not permitted",
7147 BPF_MOV64_IMM(BPF_REG_0, 0),
7148 #if __BYTE_ORDER == __LITTLE_ENDIAN
7149 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7150 offsetof(struct __sk_buff, data)),
7152 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7153 offsetof(struct __sk_buff, data) + 2),
7158 .errstr = "invalid bpf_context access",
7161 "check skb->tc_classid half load not permitted for lwt prog",
7163 BPF_MOV64_IMM(BPF_REG_0, 0),
7164 #if __BYTE_ORDER == __LITTLE_ENDIAN
7165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7166 offsetof(struct __sk_buff, tc_classid)),
7168 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7169 offsetof(struct __sk_buff, tc_classid) + 2),
7174 .errstr = "invalid bpf_context access",
7175 .prog_type = BPF_PROG_TYPE_LWT_IN,
7178 "bounds checks mixing signed and unsigned, positive bounds",
7180 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7181 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7183 BPF_LD_MAP_FD(BPF_REG_1, 0),
7184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7185 BPF_FUNC_map_lookup_elem),
7186 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7187 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7188 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7189 BPF_MOV64_IMM(BPF_REG_2, 2),
7190 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7191 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7192 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7193 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7194 BPF_MOV64_IMM(BPF_REG_0, 0),
7197 .fixup_map1 = { 3 },
7198 .errstr = "unbounded min value",
7202 "bounds checks mixing signed and unsigned",
7204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7207 BPF_LD_MAP_FD(BPF_REG_1, 0),
7208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7209 BPF_FUNC_map_lookup_elem),
7210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7211 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7212 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7213 BPF_MOV64_IMM(BPF_REG_2, -1),
7214 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7215 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7216 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7217 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7218 BPF_MOV64_IMM(BPF_REG_0, 0),
7221 .fixup_map1 = { 3 },
7222 .errstr = "unbounded min value",
7226 "bounds checks mixing signed and unsigned, variant 2",
7228 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7229 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7231 BPF_LD_MAP_FD(BPF_REG_1, 0),
7232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7233 BPF_FUNC_map_lookup_elem),
7234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7236 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7237 BPF_MOV64_IMM(BPF_REG_2, -1),
7238 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7239 BPF_MOV64_IMM(BPF_REG_8, 0),
7240 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7241 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7242 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7243 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7244 BPF_MOV64_IMM(BPF_REG_0, 0),
7247 .fixup_map1 = { 3 },
7248 .errstr = "unbounded min value",
7252 "bounds checks mixing signed and unsigned, variant 3",
7254 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7255 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7257 BPF_LD_MAP_FD(BPF_REG_1, 0),
7258 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7259 BPF_FUNC_map_lookup_elem),
7260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7261 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7262 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7263 BPF_MOV64_IMM(BPF_REG_2, -1),
7264 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7265 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7266 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7267 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7268 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7269 BPF_MOV64_IMM(BPF_REG_0, 0),
7272 .fixup_map1 = { 3 },
7273 .errstr = "unbounded min value",
7277 "bounds checks mixing signed and unsigned, variant 4",
7279 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7280 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7282 BPF_LD_MAP_FD(BPF_REG_1, 0),
7283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7284 BPF_FUNC_map_lookup_elem),
7285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7286 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7287 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7288 BPF_MOV64_IMM(BPF_REG_2, 1),
7289 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7290 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7291 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7292 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7293 BPF_MOV64_IMM(BPF_REG_0, 0),
7296 .fixup_map1 = { 3 },
7300 "bounds checks mixing signed and unsigned, variant 5",
7302 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7305 BPF_LD_MAP_FD(BPF_REG_1, 0),
7306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7307 BPF_FUNC_map_lookup_elem),
7308 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7310 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7311 BPF_MOV64_IMM(BPF_REG_2, -1),
7312 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7313 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7315 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7316 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7317 BPF_MOV64_IMM(BPF_REG_0, 0),
7320 .fixup_map1 = { 3 },
7321 .errstr = "unbounded min value",
7325 "bounds checks mixing signed and unsigned, variant 6",
7327 BPF_MOV64_IMM(BPF_REG_2, 0),
7328 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7330 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7331 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7332 BPF_MOV64_IMM(BPF_REG_6, -1),
7333 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7334 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7336 BPF_MOV64_IMM(BPF_REG_5, 0),
7337 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7339 BPF_FUNC_skb_load_bytes),
7340 BPF_MOV64_IMM(BPF_REG_0, 0),
7343 .errstr = "R4 min value is negative, either use unsigned",
7347 "bounds checks mixing signed and unsigned, variant 7",
7349 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7350 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7352 BPF_LD_MAP_FD(BPF_REG_1, 0),
7353 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7354 BPF_FUNC_map_lookup_elem),
7355 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7356 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7357 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7358 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7359 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7360 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7361 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7362 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7363 BPF_MOV64_IMM(BPF_REG_0, 0),
7366 .fixup_map1 = { 3 },
7370 "bounds checks mixing signed and unsigned, variant 8",
7372 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7373 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7375 BPF_LD_MAP_FD(BPF_REG_1, 0),
7376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7377 BPF_FUNC_map_lookup_elem),
7378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7379 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7380 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7381 BPF_MOV64_IMM(BPF_REG_2, -1),
7382 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7383 BPF_MOV64_IMM(BPF_REG_0, 0),
7385 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7386 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7387 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7388 BPF_MOV64_IMM(BPF_REG_0, 0),
7391 .fixup_map1 = { 3 },
7392 .errstr = "unbounded min value",
7396 "bounds checks mixing signed and unsigned, variant 9",
7398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7401 BPF_LD_MAP_FD(BPF_REG_1, 0),
7402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7403 BPF_FUNC_map_lookup_elem),
7404 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7405 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7406 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7407 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7408 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7409 BPF_MOV64_IMM(BPF_REG_0, 0),
7411 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7412 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7413 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7414 BPF_MOV64_IMM(BPF_REG_0, 0),
7417 .fixup_map1 = { 3 },
7421 "bounds checks mixing signed and unsigned, variant 10",
7423 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7424 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7426 BPF_LD_MAP_FD(BPF_REG_1, 0),
7427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7428 BPF_FUNC_map_lookup_elem),
7429 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7430 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7431 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7432 BPF_MOV64_IMM(BPF_REG_2, 0),
7433 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7434 BPF_MOV64_IMM(BPF_REG_0, 0),
7436 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7438 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7439 BPF_MOV64_IMM(BPF_REG_0, 0),
7442 .fixup_map1 = { 3 },
7443 .errstr = "unbounded min value",
7447 "bounds checks mixing signed and unsigned, variant 11",
7449 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7452 BPF_LD_MAP_FD(BPF_REG_1, 0),
7453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7454 BPF_FUNC_map_lookup_elem),
7455 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7456 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7457 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7458 BPF_MOV64_IMM(BPF_REG_2, -1),
7459 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7461 BPF_MOV64_IMM(BPF_REG_0, 0),
7463 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7464 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7465 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7466 BPF_MOV64_IMM(BPF_REG_0, 0),
7469 .fixup_map1 = { 3 },
7470 .errstr = "unbounded min value",
7474 "bounds checks mixing signed and unsigned, variant 12",
7476 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7477 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7479 BPF_LD_MAP_FD(BPF_REG_1, 0),
7480 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7481 BPF_FUNC_map_lookup_elem),
7482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7483 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7484 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7485 BPF_MOV64_IMM(BPF_REG_2, -6),
7486 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7487 BPF_MOV64_IMM(BPF_REG_0, 0),
7489 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7490 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7491 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7492 BPF_MOV64_IMM(BPF_REG_0, 0),
7495 .fixup_map1 = { 3 },
7496 .errstr = "unbounded min value",
7500 "bounds checks mixing signed and unsigned, variant 13",
7502 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7505 BPF_LD_MAP_FD(BPF_REG_1, 0),
7506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7507 BPF_FUNC_map_lookup_elem),
7508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7509 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7510 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7511 BPF_MOV64_IMM(BPF_REG_2, 2),
7512 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7513 BPF_MOV64_IMM(BPF_REG_7, 1),
7514 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7515 BPF_MOV64_IMM(BPF_REG_0, 0),
7517 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7518 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7519 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7520 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7521 BPF_MOV64_IMM(BPF_REG_0, 0),
7524 .fixup_map1 = { 3 },
7525 .errstr = "unbounded min value",
7529 "bounds checks mixing signed and unsigned, variant 14",
7531 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7532 offsetof(struct __sk_buff, mark)),
7533 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7534 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7536 BPF_LD_MAP_FD(BPF_REG_1, 0),
7537 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7538 BPF_FUNC_map_lookup_elem),
7539 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7540 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7541 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7542 BPF_MOV64_IMM(BPF_REG_2, -1),
7543 BPF_MOV64_IMM(BPF_REG_8, 2),
7544 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7545 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7546 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7547 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7548 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7549 BPF_MOV64_IMM(BPF_REG_0, 0),
7551 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7552 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7554 .fixup_map1 = { 4 },
7555 .errstr = "R0 invalid mem access 'inv'",
7559 "bounds checks mixing signed and unsigned, variant 15",
7561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7562 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7564 BPF_LD_MAP_FD(BPF_REG_1, 0),
7565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7566 BPF_FUNC_map_lookup_elem),
7567 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7568 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7569 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7570 BPF_MOV64_IMM(BPF_REG_2, -6),
7571 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7572 BPF_MOV64_IMM(BPF_REG_0, 0),
7574 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7575 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7576 BPF_MOV64_IMM(BPF_REG_0, 0),
7578 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7579 BPF_MOV64_IMM(BPF_REG_0, 0),
7582 .fixup_map1 = { 3 },
7583 .errstr = "unbounded min value",
7585 .result_unpriv = REJECT,
7588 "subtraction bounds (map value) variant 1",
7590 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7593 BPF_LD_MAP_FD(BPF_REG_1, 0),
7594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7595 BPF_FUNC_map_lookup_elem),
7596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7597 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7598 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7599 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7600 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7601 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7602 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7603 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7604 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7606 BPF_MOV64_IMM(BPF_REG_0, 0),
7609 .fixup_map1 = { 3 },
7610 .errstr = "R0 max value is outside of the array range",
7614 "subtraction bounds (map value) variant 2",
7616 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7617 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7619 BPF_LD_MAP_FD(BPF_REG_1, 0),
7620 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7621 BPF_FUNC_map_lookup_elem),
7622 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7623 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7624 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7625 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7626 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7627 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7628 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7629 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7631 BPF_MOV64_IMM(BPF_REG_0, 0),
7634 .fixup_map1 = { 3 },
7635 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7639 "bounds check based on zero-extended MOV",
7641 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7642 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7644 BPF_LD_MAP_FD(BPF_REG_1, 0),
7645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7646 BPF_FUNC_map_lookup_elem),
7647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7648 /* r2 = 0x0000'0000'ffff'ffff */
7649 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7651 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7653 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7654 /* access at offset 0 */
7655 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7657 BPF_MOV64_IMM(BPF_REG_0, 0),
7660 .fixup_map1 = { 3 },
7664 "bounds check based on sign-extended MOV. test1",
7666 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7667 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7669 BPF_LD_MAP_FD(BPF_REG_1, 0),
7670 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7671 BPF_FUNC_map_lookup_elem),
7672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7673 /* r2 = 0xffff'ffff'ffff'ffff */
7674 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7675 /* r2 = 0xffff'ffff */
7676 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7677 /* r0 = <oob pointer> */
7678 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7679 /* access to OOB pointer */
7680 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7682 BPF_MOV64_IMM(BPF_REG_0, 0),
7685 .fixup_map1 = { 3 },
7686 .errstr = "map_value pointer and 4294967295",
7690 "bounds check based on sign-extended MOV. test2",
7692 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7695 BPF_LD_MAP_FD(BPF_REG_1, 0),
7696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7697 BPF_FUNC_map_lookup_elem),
7698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7699 /* r2 = 0xffff'ffff'ffff'ffff */
7700 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7701 /* r2 = 0xfff'ffff */
7702 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7703 /* r0 = <oob pointer> */
7704 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7705 /* access to OOB pointer */
7706 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7708 BPF_MOV64_IMM(BPF_REG_0, 0),
7711 .fixup_map1 = { 3 },
7712 .errstr = "R0 min value is outside of the array range",
7716 "bounds check based on reg_off + var_off + insn_off. test1",
7718 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7719 offsetof(struct __sk_buff, mark)),
7720 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7721 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7723 BPF_LD_MAP_FD(BPF_REG_1, 0),
7724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7725 BPF_FUNC_map_lookup_elem),
7726 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7727 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7729 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7731 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7732 BPF_MOV64_IMM(BPF_REG_0, 0),
7735 .fixup_map1 = { 4 },
7736 .errstr = "value_size=8 off=1073741825",
7738 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7741 "bounds check based on reg_off + var_off + insn_off. test2",
7743 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7744 offsetof(struct __sk_buff, mark)),
7745 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7746 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7748 BPF_LD_MAP_FD(BPF_REG_1, 0),
7749 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7750 BPF_FUNC_map_lookup_elem),
7751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7752 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7754 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7756 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7757 BPF_MOV64_IMM(BPF_REG_0, 0),
7760 .fixup_map1 = { 4 },
7761 .errstr = "value 1073741823",
7763 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7766 "bounds check after truncation of non-boundary-crossing range",
7768 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7771 BPF_LD_MAP_FD(BPF_REG_1, 0),
7772 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7773 BPF_FUNC_map_lookup_elem),
7774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7775 /* r1 = [0x00, 0xff] */
7776 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7777 BPF_MOV64_IMM(BPF_REG_2, 1),
7778 /* r2 = 0x10'0000'0000 */
7779 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7780 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7781 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7782 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7784 /* r1 = [0x00, 0xff] */
7785 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7787 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7789 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7790 /* access at offset 0 */
7791 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7793 BPF_MOV64_IMM(BPF_REG_0, 0),
7796 .fixup_map1 = { 3 },
7800 "bounds check after truncation of boundary-crossing range (1)",
7802 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7803 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7805 BPF_LD_MAP_FD(BPF_REG_1, 0),
7806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7807 BPF_FUNC_map_lookup_elem),
7808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7809 /* r1 = [0x00, 0xff] */
7810 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7812 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7814 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7815 * [0x0000'0000, 0x0000'007f]
7817 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7818 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7819 /* r1 = [0x00, 0xff] or
7820 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7822 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7824 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7826 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7827 /* no-op or OOB pointer computation */
7828 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7829 /* potentially OOB access */
7830 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7832 BPF_MOV64_IMM(BPF_REG_0, 0),
7835 .fixup_map1 = { 3 },
7836 /* not actually fully unbounded, but the bound is very high */
7837 .errstr = "R0 unbounded memory access",
7841 "bounds check after truncation of boundary-crossing range (2)",
7843 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7846 BPF_LD_MAP_FD(BPF_REG_1, 0),
7847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7848 BPF_FUNC_map_lookup_elem),
7849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7850 /* r1 = [0x00, 0xff] */
7851 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7853 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7855 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7856 * [0x0000'0000, 0x0000'007f]
7857 * difference to previous test: truncation via MOV32
7860 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7861 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7862 /* r1 = [0x00, 0xff] or
7863 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7865 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7867 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7869 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7870 /* no-op or OOB pointer computation */
7871 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7872 /* potentially OOB access */
7873 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7875 BPF_MOV64_IMM(BPF_REG_0, 0),
7878 .fixup_map1 = { 3 },
7879 /* not actually fully unbounded, but the bound is very high */
7880 .errstr = "R0 unbounded memory access",
7884 "bounds check after wrapping 32-bit addition",
7886 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7887 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7889 BPF_LD_MAP_FD(BPF_REG_1, 0),
7890 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7891 BPF_FUNC_map_lookup_elem),
7892 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7893 /* r1 = 0x7fff'ffff */
7894 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7895 /* r1 = 0xffff'fffe */
7896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7898 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7900 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7901 /* access at offset 0 */
7902 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7904 BPF_MOV64_IMM(BPF_REG_0, 0),
7907 .fixup_map1 = { 3 },
7911 "bounds check after shift with oversized count operand",
7913 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7916 BPF_LD_MAP_FD(BPF_REG_1, 0),
7917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7918 BPF_FUNC_map_lookup_elem),
7919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7920 BPF_MOV64_IMM(BPF_REG_2, 32),
7921 BPF_MOV64_IMM(BPF_REG_1, 1),
7922 /* r1 = (u32)1 << (u32)32 = ? */
7923 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7924 /* r1 = [0x0000, 0xffff] */
7925 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7926 /* computes unknown pointer, potentially OOB */
7927 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7928 /* potentially OOB access */
7929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7931 BPF_MOV64_IMM(BPF_REG_0, 0),
7934 .fixup_map1 = { 3 },
7935 .errstr = "R0 max value is outside of the array range",
7939 "bounds check after right shift of maybe-negative number",
7941 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7944 BPF_LD_MAP_FD(BPF_REG_1, 0),
7945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7946 BPF_FUNC_map_lookup_elem),
7947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7948 /* r1 = [0x00, 0xff] */
7949 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7950 /* r1 = [-0x01, 0xfe] */
7951 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7952 /* r1 = 0 or 0xff'ffff'ffff'ffff */
7953 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7954 /* r1 = 0 or 0xffff'ffff'ffff */
7955 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7956 /* computes unknown pointer, potentially OOB */
7957 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7958 /* potentially OOB access */
7959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7961 BPF_MOV64_IMM(BPF_REG_0, 0),
7964 .fixup_map1 = { 3 },
7965 .errstr = "R0 unbounded memory access",
7969 "bounds check map access with off+size signed 32bit overflow. test1",
7971 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7972 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7974 BPF_LD_MAP_FD(BPF_REG_1, 0),
7975 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7976 BPF_FUNC_map_lookup_elem),
7977 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7980 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7984 .fixup_map1 = { 3 },
7985 .errstr = "map_value pointer and 2147483646",
7989 "bounds check map access with off+size signed 32bit overflow. test2",
7991 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7994 BPF_LD_MAP_FD(BPF_REG_1, 0),
7995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7996 BPF_FUNC_map_lookup_elem),
7997 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8002 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8006 .fixup_map1 = { 3 },
8007 .errstr = "pointer offset 1073741822",
8011 "bounds check map access with off+size signed 32bit overflow. test3",
8013 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8014 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8016 BPF_LD_MAP_FD(BPF_REG_1, 0),
8017 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8018 BPF_FUNC_map_lookup_elem),
8019 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8021 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8022 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8023 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8027 .fixup_map1 = { 3 },
8028 .errstr = "pointer offset -1073741822",
8032 "bounds check map access with off+size signed 32bit overflow. test4",
8034 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8035 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8036 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8037 BPF_LD_MAP_FD(BPF_REG_1, 0),
8038 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8039 BPF_FUNC_map_lookup_elem),
8040 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8042 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8043 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8044 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8045 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8049 .fixup_map1 = { 3 },
8050 .errstr = "map_value pointer and 1000000000000",
8054 "pointer/scalar confusion in state equality check (way 1)",
8056 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8059 BPF_LD_MAP_FD(BPF_REG_1, 0),
8060 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8061 BPF_FUNC_map_lookup_elem),
8062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8063 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8065 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8069 .fixup_map1 = { 3 },
8071 .retval = POINTER_VALUE,
8072 .result_unpriv = REJECT,
8073 .errstr_unpriv = "R0 leaks addr as return value"
8076 "pointer/scalar confusion in state equality check (way 2)",
8078 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8081 BPF_LD_MAP_FD(BPF_REG_1, 0),
8082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8083 BPF_FUNC_map_lookup_elem),
8084 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8085 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8087 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8090 .fixup_map1 = { 3 },
8092 .retval = POINTER_VALUE,
8093 .result_unpriv = REJECT,
8094 .errstr_unpriv = "R0 leaks addr as return value"
8097 "variable-offset ctx access",
8099 /* Get an unknown value */
8100 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8101 /* Make it small and 4-byte aligned */
8102 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8103 /* add it to skb. We now have either &skb->len or
8104 * &skb->pkt_type, but we don't know which
8106 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8107 /* dereference it */
8108 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8111 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8113 .prog_type = BPF_PROG_TYPE_LWT_IN,
8116 "variable-offset stack access",
8118 /* Fill the top 8 bytes of the stack */
8119 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8120 /* Get an unknown value */
8121 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8122 /* Make it small and 4-byte aligned */
8123 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8124 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8125 /* add it to fp. We now have either fp-4 or fp-8, but
8126 * we don't know which
8128 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8129 /* dereference it */
8130 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8133 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8135 .prog_type = BPF_PROG_TYPE_LWT_IN,
8138 "indirect variable-offset stack access",
8140 /* Fill the top 8 bytes of the stack */
8141 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8142 /* Get an unknown value */
8143 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8144 /* Make it small and 4-byte aligned */
8145 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8146 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8147 /* add it to fp. We now have either fp-4 or fp-8, but
8148 * we don't know which
8150 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8151 /* dereference it indirectly */
8152 BPF_LD_MAP_FD(BPF_REG_1, 0),
8153 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8154 BPF_FUNC_map_lookup_elem),
8155 BPF_MOV64_IMM(BPF_REG_0, 0),
8158 .fixup_map1 = { 5 },
8159 .errstr = "variable stack read R2",
8161 .prog_type = BPF_PROG_TYPE_LWT_IN,
8164 "direct stack access with 32-bit wraparound. test1",
8166 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8169 BPF_MOV32_IMM(BPF_REG_0, 0),
8170 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8173 .errstr = "fp pointer and 2147483647",
8177 "direct stack access with 32-bit wraparound. test2",
8179 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8182 BPF_MOV32_IMM(BPF_REG_0, 0),
8183 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8186 .errstr = "fp pointer and 1073741823",
8190 "direct stack access with 32-bit wraparound. test3",
8192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8195 BPF_MOV32_IMM(BPF_REG_0, 0),
8196 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8199 .errstr = "fp pointer offset 1073741822",
8203 "liveness pruning and write screening",
8205 /* Get an unknown value */
8206 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8207 /* branch conditions teach us nothing about R2 */
8208 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8209 BPF_MOV64_IMM(BPF_REG_0, 0),
8210 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8211 BPF_MOV64_IMM(BPF_REG_0, 0),
8214 .errstr = "R0 !read_ok",
8216 .prog_type = BPF_PROG_TYPE_LWT_IN,
8219 "varlen_map_value_access pruning",
8221 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8224 BPF_LD_MAP_FD(BPF_REG_1, 0),
8225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8226 BPF_FUNC_map_lookup_elem),
8227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8228 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8229 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8230 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8231 BPF_MOV32_IMM(BPF_REG_1, 0),
8232 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8233 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8234 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8235 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8236 offsetof(struct test_val, foo)),
8239 .fixup_map2 = { 3 },
8240 .errstr_unpriv = "R0 leaks addr",
8241 .errstr = "R0 unbounded memory access",
8242 .result_unpriv = REJECT,
8244 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8247 "invalid 64-bit BPF_END",
8249 BPF_MOV32_IMM(BPF_REG_0, 0),
8251 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
8252 .dst_reg = BPF_REG_0,
8259 .errstr = "unknown opcode d7",
8263 "XDP, using ifindex from netdev",
8265 BPF_MOV64_IMM(BPF_REG_0, 0),
8266 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8267 offsetof(struct xdp_md, ingress_ifindex)),
8268 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8269 BPF_MOV64_IMM(BPF_REG_0, 1),
8273 .prog_type = BPF_PROG_TYPE_XDP,
8277 "meta access, test1",
8279 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8280 offsetof(struct xdp_md, data_meta)),
8281 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8282 offsetof(struct xdp_md, data)),
8283 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8285 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8286 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8287 BPF_MOV64_IMM(BPF_REG_0, 0),
8291 .prog_type = BPF_PROG_TYPE_XDP,
8294 "meta access, test2",
8296 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8297 offsetof(struct xdp_md, data_meta)),
8298 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8299 offsetof(struct xdp_md, data)),
8300 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8301 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8302 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8304 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8305 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8306 BPF_MOV64_IMM(BPF_REG_0, 0),
8310 .errstr = "invalid access to packet, off=-8",
8311 .prog_type = BPF_PROG_TYPE_XDP,
8314 "meta access, test3",
8316 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8317 offsetof(struct xdp_md, data_meta)),
8318 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8319 offsetof(struct xdp_md, data_end)),
8320 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8322 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8323 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8324 BPF_MOV64_IMM(BPF_REG_0, 0),
8328 .errstr = "invalid access to packet",
8329 .prog_type = BPF_PROG_TYPE_XDP,
8332 "meta access, test4",
8334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8335 offsetof(struct xdp_md, data_meta)),
8336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8337 offsetof(struct xdp_md, data_end)),
8338 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8339 offsetof(struct xdp_md, data)),
8340 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8342 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8343 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8344 BPF_MOV64_IMM(BPF_REG_0, 0),
8348 .errstr = "invalid access to packet",
8349 .prog_type = BPF_PROG_TYPE_XDP,
8352 "meta access, test5",
8354 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8355 offsetof(struct xdp_md, data_meta)),
8356 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8357 offsetof(struct xdp_md, data)),
8358 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8360 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8361 BPF_MOV64_IMM(BPF_REG_2, -8),
8362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8363 BPF_FUNC_xdp_adjust_meta),
8364 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8365 BPF_MOV64_IMM(BPF_REG_0, 0),
8369 .errstr = "R3 !read_ok",
8370 .prog_type = BPF_PROG_TYPE_XDP,
8373 "meta access, test6",
8375 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8376 offsetof(struct xdp_md, data_meta)),
8377 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8378 offsetof(struct xdp_md, data)),
8379 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8381 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8383 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8384 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8385 BPF_MOV64_IMM(BPF_REG_0, 0),
8389 .errstr = "invalid access to packet",
8390 .prog_type = BPF_PROG_TYPE_XDP,
8393 "meta access, test7",
8395 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8396 offsetof(struct xdp_md, data_meta)),
8397 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8398 offsetof(struct xdp_md, data)),
8399 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8401 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8403 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8405 BPF_MOV64_IMM(BPF_REG_0, 0),
8409 .prog_type = BPF_PROG_TYPE_XDP,
8412 "meta access, test8",
8414 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8415 offsetof(struct xdp_md, data_meta)),
8416 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8417 offsetof(struct xdp_md, data)),
8418 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8420 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8421 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8422 BPF_MOV64_IMM(BPF_REG_0, 0),
8426 .prog_type = BPF_PROG_TYPE_XDP,
8429 "meta access, test9",
8431 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8432 offsetof(struct xdp_md, data_meta)),
8433 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8434 offsetof(struct xdp_md, data)),
8435 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8438 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8439 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8440 BPF_MOV64_IMM(BPF_REG_0, 0),
8444 .errstr = "invalid access to packet",
8445 .prog_type = BPF_PROG_TYPE_XDP,
8448 "meta access, test10",
8450 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8451 offsetof(struct xdp_md, data_meta)),
8452 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8453 offsetof(struct xdp_md, data)),
8454 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8455 offsetof(struct xdp_md, data_end)),
8456 BPF_MOV64_IMM(BPF_REG_5, 42),
8457 BPF_MOV64_IMM(BPF_REG_6, 24),
8458 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8459 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8460 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8461 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8462 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8463 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8464 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8466 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8467 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8468 BPF_MOV64_IMM(BPF_REG_0, 0),
8472 .errstr = "invalid access to packet",
8473 .prog_type = BPF_PROG_TYPE_XDP,
8476 "meta access, test11",
8478 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8479 offsetof(struct xdp_md, data_meta)),
8480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8481 offsetof(struct xdp_md, data)),
8482 BPF_MOV64_IMM(BPF_REG_5, 42),
8483 BPF_MOV64_IMM(BPF_REG_6, 24),
8484 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8485 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8486 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8487 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8488 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8489 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8490 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8492 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8493 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8494 BPF_MOV64_IMM(BPF_REG_0, 0),
8498 .prog_type = BPF_PROG_TYPE_XDP,
8501 "meta access, test12",
8503 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8504 offsetof(struct xdp_md, data_meta)),
8505 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8506 offsetof(struct xdp_md, data)),
8507 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8508 offsetof(struct xdp_md, data_end)),
8509 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8511 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8512 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8513 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8515 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8516 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8517 BPF_MOV64_IMM(BPF_REG_0, 0),
8521 .prog_type = BPF_PROG_TYPE_XDP,
8524 "arithmetic ops make PTR_TO_CTX unusable",
8526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8527 offsetof(struct __sk_buff, data) -
8528 offsetof(struct __sk_buff, mark)),
8529 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8530 offsetof(struct __sk_buff, mark)),
8533 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
8535 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8538 "pkt_end - pkt_start is allowed",
8540 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8541 offsetof(struct __sk_buff, data_end)),
8542 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8543 offsetof(struct __sk_buff, data)),
8544 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8548 .retval = TEST_DATA_LEN,
8549 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8552 "XDP pkt read, pkt_end mangling, bad access 1",
8554 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8555 offsetof(struct xdp_md, data)),
8556 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8557 offsetof(struct xdp_md, data_end)),
8558 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8561 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8562 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8563 BPF_MOV64_IMM(BPF_REG_0, 0),
8566 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8568 .prog_type = BPF_PROG_TYPE_XDP,
8571 "XDP pkt read, pkt_end mangling, bad access 2",
8573 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8574 offsetof(struct xdp_md, data)),
8575 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8576 offsetof(struct xdp_md, data_end)),
8577 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8579 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8580 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8581 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8582 BPF_MOV64_IMM(BPF_REG_0, 0),
8585 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8587 .prog_type = BPF_PROG_TYPE_XDP,
8590 "XDP pkt read, pkt_data' > pkt_end, good access",
8592 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8593 offsetof(struct xdp_md, data)),
8594 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8595 offsetof(struct xdp_md, data_end)),
8596 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8598 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8599 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8600 BPF_MOV64_IMM(BPF_REG_0, 0),
8604 .prog_type = BPF_PROG_TYPE_XDP,
8607 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8609 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8610 offsetof(struct xdp_md, data)),
8611 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8612 offsetof(struct xdp_md, data_end)),
8613 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8615 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8616 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8617 BPF_MOV64_IMM(BPF_REG_0, 0),
8620 .errstr = "R1 offset is outside of the packet",
8622 .prog_type = BPF_PROG_TYPE_XDP,
8623 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8626 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8628 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8629 offsetof(struct xdp_md, data)),
8630 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8631 offsetof(struct xdp_md, data_end)),
8632 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8634 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8635 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8636 BPF_MOV64_IMM(BPF_REG_0, 0),
8639 .errstr = "R1 offset is outside of the packet",
8641 .prog_type = BPF_PROG_TYPE_XDP,
8644 "XDP pkt read, pkt_end > pkt_data', good access",
8646 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8647 offsetof(struct xdp_md, data)),
8648 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8649 offsetof(struct xdp_md, data_end)),
8650 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8652 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8653 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8654 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8655 BPF_MOV64_IMM(BPF_REG_0, 0),
8659 .prog_type = BPF_PROG_TYPE_XDP,
8660 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8663 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8665 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8666 offsetof(struct xdp_md, data)),
8667 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8668 offsetof(struct xdp_md, data_end)),
8669 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8671 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8672 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8673 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8674 BPF_MOV64_IMM(BPF_REG_0, 0),
8677 .errstr = "R1 offset is outside of the packet",
8679 .prog_type = BPF_PROG_TYPE_XDP,
8682 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8684 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8685 offsetof(struct xdp_md, data)),
8686 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8687 offsetof(struct xdp_md, data_end)),
8688 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8689 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8690 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8691 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8692 BPF_MOV64_IMM(BPF_REG_0, 0),
8695 .errstr = "R1 offset is outside of the packet",
8697 .prog_type = BPF_PROG_TYPE_XDP,
8700 "XDP pkt read, pkt_data' < pkt_end, good access",
8702 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8703 offsetof(struct xdp_md, data)),
8704 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8705 offsetof(struct xdp_md, data_end)),
8706 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8708 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8709 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8710 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8711 BPF_MOV64_IMM(BPF_REG_0, 0),
8715 .prog_type = BPF_PROG_TYPE_XDP,
8716 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8719 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8721 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8722 offsetof(struct xdp_md, data)),
8723 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8724 offsetof(struct xdp_md, data_end)),
8725 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8727 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8728 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8729 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8730 BPF_MOV64_IMM(BPF_REG_0, 0),
8733 .errstr = "R1 offset is outside of the packet",
8735 .prog_type = BPF_PROG_TYPE_XDP,
8738 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
8740 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8741 offsetof(struct xdp_md, data)),
8742 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8743 offsetof(struct xdp_md, data_end)),
8744 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8746 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8747 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8748 BPF_MOV64_IMM(BPF_REG_0, 0),
8751 .errstr = "R1 offset is outside of the packet",
8753 .prog_type = BPF_PROG_TYPE_XDP,
8756 "XDP pkt read, pkt_end < pkt_data', good access",
8758 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8759 offsetof(struct xdp_md, data)),
8760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8761 offsetof(struct xdp_md, data_end)),
8762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8763 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8764 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8765 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8766 BPF_MOV64_IMM(BPF_REG_0, 0),
8770 .prog_type = BPF_PROG_TYPE_XDP,
8773 "XDP pkt read, pkt_end < pkt_data', bad access 1",
8775 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8776 offsetof(struct xdp_md, data)),
8777 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8778 offsetof(struct xdp_md, data_end)),
8779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8781 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8782 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8783 BPF_MOV64_IMM(BPF_REG_0, 0),
8786 .errstr = "R1 offset is outside of the packet",
8788 .prog_type = BPF_PROG_TYPE_XDP,
8789 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8792 "XDP pkt read, pkt_end < pkt_data', bad access 2",
8794 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8795 offsetof(struct xdp_md, data)),
8796 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8797 offsetof(struct xdp_md, data_end)),
8798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8800 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8801 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8802 BPF_MOV64_IMM(BPF_REG_0, 0),
8805 .errstr = "R1 offset is outside of the packet",
8807 .prog_type = BPF_PROG_TYPE_XDP,
8810 "XDP pkt read, pkt_data' >= pkt_end, good access",
8812 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8813 offsetof(struct xdp_md, data)),
8814 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8815 offsetof(struct xdp_md, data_end)),
8816 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8818 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8819 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8820 BPF_MOV64_IMM(BPF_REG_0, 0),
8824 .prog_type = BPF_PROG_TYPE_XDP,
8825 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8828 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8830 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8831 offsetof(struct xdp_md, data)),
8832 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8833 offsetof(struct xdp_md, data_end)),
8834 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8836 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8837 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8838 BPF_MOV64_IMM(BPF_REG_0, 0),
8841 .errstr = "R1 offset is outside of the packet",
8843 .prog_type = BPF_PROG_TYPE_XDP,
8846 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8848 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8849 offsetof(struct xdp_md, data)),
8850 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8851 offsetof(struct xdp_md, data_end)),
8852 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8854 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8855 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8856 BPF_MOV64_IMM(BPF_REG_0, 0),
8859 .errstr = "R1 offset is outside of the packet",
8861 .prog_type = BPF_PROG_TYPE_XDP,
8862 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8865 "XDP pkt read, pkt_end >= pkt_data', good access",
8867 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8868 offsetof(struct xdp_md, data)),
8869 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8870 offsetof(struct xdp_md, data_end)),
8871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8873 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8874 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8875 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8876 BPF_MOV64_IMM(BPF_REG_0, 0),
8880 .prog_type = BPF_PROG_TYPE_XDP,
8883 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
8885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8886 offsetof(struct xdp_md, data)),
8887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8888 offsetof(struct xdp_md, data_end)),
8889 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8891 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8892 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8893 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8894 BPF_MOV64_IMM(BPF_REG_0, 0),
8897 .errstr = "R1 offset is outside of the packet",
8899 .prog_type = BPF_PROG_TYPE_XDP,
8900 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8903 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
8905 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8906 offsetof(struct xdp_md, data)),
8907 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8908 offsetof(struct xdp_md, data_end)),
8909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8911 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8912 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8913 BPF_MOV64_IMM(BPF_REG_0, 0),
8916 .errstr = "R1 offset is outside of the packet",
8918 .prog_type = BPF_PROG_TYPE_XDP,
8921 "XDP pkt read, pkt_data' <= pkt_end, good access",
8923 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8924 offsetof(struct xdp_md, data)),
8925 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8926 offsetof(struct xdp_md, data_end)),
8927 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8929 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8930 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8931 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8932 BPF_MOV64_IMM(BPF_REG_0, 0),
8936 .prog_type = BPF_PROG_TYPE_XDP,
8939 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8941 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8942 offsetof(struct xdp_md, data)),
8943 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8944 offsetof(struct xdp_md, data_end)),
8945 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8946 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8947 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8948 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8949 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8950 BPF_MOV64_IMM(BPF_REG_0, 0),
8953 .errstr = "R1 offset is outside of the packet",
8955 .prog_type = BPF_PROG_TYPE_XDP,
8956 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8959 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8961 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8962 offsetof(struct xdp_md, data)),
8963 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8964 offsetof(struct xdp_md, data_end)),
8965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8967 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8968 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8969 BPF_MOV64_IMM(BPF_REG_0, 0),
8972 .errstr = "R1 offset is outside of the packet",
8974 .prog_type = BPF_PROG_TYPE_XDP,
8977 "XDP pkt read, pkt_end <= pkt_data', good access",
8979 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8980 offsetof(struct xdp_md, data)),
8981 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8982 offsetof(struct xdp_md, data_end)),
8983 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8985 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8986 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8987 BPF_MOV64_IMM(BPF_REG_0, 0),
8991 .prog_type = BPF_PROG_TYPE_XDP,
8992 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8995 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
8997 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8998 offsetof(struct xdp_md, data)),
8999 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9000 offsetof(struct xdp_md, data_end)),
9001 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9003 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9004 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9005 BPF_MOV64_IMM(BPF_REG_0, 0),
9008 .errstr = "R1 offset is outside of the packet",
9010 .prog_type = BPF_PROG_TYPE_XDP,
9013 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9015 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9016 offsetof(struct xdp_md, data)),
9017 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9018 offsetof(struct xdp_md, data_end)),
9019 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9021 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9022 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9023 BPF_MOV64_IMM(BPF_REG_0, 0),
9026 .errstr = "R1 offset is outside of the packet",
9028 .prog_type = BPF_PROG_TYPE_XDP,
9029 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9032 "XDP pkt read, pkt_meta' > pkt_data, good access",
9034 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9035 offsetof(struct xdp_md, data_meta)),
9036 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9037 offsetof(struct xdp_md, data)),
9038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9040 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9041 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9042 BPF_MOV64_IMM(BPF_REG_0, 0),
9046 .prog_type = BPF_PROG_TYPE_XDP,
9049 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9051 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9052 offsetof(struct xdp_md, data_meta)),
9053 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9054 offsetof(struct xdp_md, data)),
9055 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9057 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9058 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9059 BPF_MOV64_IMM(BPF_REG_0, 0),
9062 .errstr = "R1 offset is outside of the packet",
9064 .prog_type = BPF_PROG_TYPE_XDP,
9065 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9068 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9071 offsetof(struct xdp_md, data_meta)),
9072 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9073 offsetof(struct xdp_md, data)),
9074 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9076 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9077 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9078 BPF_MOV64_IMM(BPF_REG_0, 0),
9081 .errstr = "R1 offset is outside of the packet",
9083 .prog_type = BPF_PROG_TYPE_XDP,
9086 "XDP pkt read, pkt_data > pkt_meta', good access",
9088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9089 offsetof(struct xdp_md, data_meta)),
9090 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9091 offsetof(struct xdp_md, data)),
9092 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9094 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9095 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9096 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9097 BPF_MOV64_IMM(BPF_REG_0, 0),
9101 .prog_type = BPF_PROG_TYPE_XDP,
9102 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9105 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9107 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9108 offsetof(struct xdp_md, data_meta)),
9109 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9110 offsetof(struct xdp_md, data)),
9111 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9113 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9114 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9115 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9116 BPF_MOV64_IMM(BPF_REG_0, 0),
9119 .errstr = "R1 offset is outside of the packet",
9121 .prog_type = BPF_PROG_TYPE_XDP,
9124 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9126 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9127 offsetof(struct xdp_md, data_meta)),
9128 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9129 offsetof(struct xdp_md, data)),
9130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9132 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9133 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9134 BPF_MOV64_IMM(BPF_REG_0, 0),
9137 .errstr = "R1 offset is outside of the packet",
9139 .prog_type = BPF_PROG_TYPE_XDP,
9142 "XDP pkt read, pkt_meta' < pkt_data, good access",
9144 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9145 offsetof(struct xdp_md, data_meta)),
9146 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9147 offsetof(struct xdp_md, data)),
9148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9150 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9151 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9152 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9153 BPF_MOV64_IMM(BPF_REG_0, 0),
9157 .prog_type = BPF_PROG_TYPE_XDP,
9158 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9161 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9163 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9164 offsetof(struct xdp_md, data_meta)),
9165 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9166 offsetof(struct xdp_md, data)),
9167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9169 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9170 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9171 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9172 BPF_MOV64_IMM(BPF_REG_0, 0),
9175 .errstr = "R1 offset is outside of the packet",
9177 .prog_type = BPF_PROG_TYPE_XDP,
9180 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9182 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9183 offsetof(struct xdp_md, data_meta)),
9184 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9185 offsetof(struct xdp_md, data)),
9186 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9188 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9189 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9190 BPF_MOV64_IMM(BPF_REG_0, 0),
9193 .errstr = "R1 offset is outside of the packet",
9195 .prog_type = BPF_PROG_TYPE_XDP,
9198 "XDP pkt read, pkt_data < pkt_meta', good access",
9200 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9201 offsetof(struct xdp_md, data_meta)),
9202 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9203 offsetof(struct xdp_md, data)),
9204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9206 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9207 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9208 BPF_MOV64_IMM(BPF_REG_0, 0),
9212 .prog_type = BPF_PROG_TYPE_XDP,
9215 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9217 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9218 offsetof(struct xdp_md, data_meta)),
9219 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9220 offsetof(struct xdp_md, data)),
9221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9223 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9224 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9225 BPF_MOV64_IMM(BPF_REG_0, 0),
9228 .errstr = "R1 offset is outside of the packet",
9230 .prog_type = BPF_PROG_TYPE_XDP,
9231 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9234 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
9236 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9237 offsetof(struct xdp_md, data_meta)),
9238 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9239 offsetof(struct xdp_md, data)),
9240 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9242 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9243 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9244 BPF_MOV64_IMM(BPF_REG_0, 0),
9247 .errstr = "R1 offset is outside of the packet",
9249 .prog_type = BPF_PROG_TYPE_XDP,
9252 "XDP pkt read, pkt_meta' >= pkt_data, good access",
9254 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9255 offsetof(struct xdp_md, data_meta)),
9256 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9257 offsetof(struct xdp_md, data)),
9258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9260 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9261 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9262 BPF_MOV64_IMM(BPF_REG_0, 0),
9266 .prog_type = BPF_PROG_TYPE_XDP,
9267 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9270 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9272 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9273 offsetof(struct xdp_md, data_meta)),
9274 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9275 offsetof(struct xdp_md, data)),
9276 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9278 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9279 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9280 BPF_MOV64_IMM(BPF_REG_0, 0),
9283 .errstr = "R1 offset is outside of the packet",
9285 .prog_type = BPF_PROG_TYPE_XDP,
9288 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9290 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9291 offsetof(struct xdp_md, data_meta)),
9292 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9293 offsetof(struct xdp_md, data)),
9294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9296 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9297 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9298 BPF_MOV64_IMM(BPF_REG_0, 0),
9301 .errstr = "R1 offset is outside of the packet",
9303 .prog_type = BPF_PROG_TYPE_XDP,
9304 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9307 "XDP pkt read, pkt_data >= pkt_meta', good access",
9309 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9310 offsetof(struct xdp_md, data_meta)),
9311 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9312 offsetof(struct xdp_md, data)),
9313 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9315 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9316 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9317 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9318 BPF_MOV64_IMM(BPF_REG_0, 0),
9322 .prog_type = BPF_PROG_TYPE_XDP,
9325 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9327 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9328 offsetof(struct xdp_md, data_meta)),
9329 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9330 offsetof(struct xdp_md, data)),
9331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9333 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9334 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9335 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9336 BPF_MOV64_IMM(BPF_REG_0, 0),
9339 .errstr = "R1 offset is outside of the packet",
9341 .prog_type = BPF_PROG_TYPE_XDP,
9342 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9345 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9347 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9348 offsetof(struct xdp_md, data_meta)),
9349 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9350 offsetof(struct xdp_md, data)),
9351 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9353 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9355 BPF_MOV64_IMM(BPF_REG_0, 0),
9358 .errstr = "R1 offset is outside of the packet",
9360 .prog_type = BPF_PROG_TYPE_XDP,
9363 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9365 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9366 offsetof(struct xdp_md, data_meta)),
9367 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9368 offsetof(struct xdp_md, data)),
9369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9370 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9371 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9372 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9373 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9374 BPF_MOV64_IMM(BPF_REG_0, 0),
9378 .prog_type = BPF_PROG_TYPE_XDP,
9381 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9383 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9384 offsetof(struct xdp_md, data_meta)),
9385 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9386 offsetof(struct xdp_md, data)),
9387 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9389 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9390 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9391 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9392 BPF_MOV64_IMM(BPF_REG_0, 0),
9395 .errstr = "R1 offset is outside of the packet",
9397 .prog_type = BPF_PROG_TYPE_XDP,
9398 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9401 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9403 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9404 offsetof(struct xdp_md, data_meta)),
9405 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9406 offsetof(struct xdp_md, data)),
9407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9409 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9410 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9411 BPF_MOV64_IMM(BPF_REG_0, 0),
9414 .errstr = "R1 offset is outside of the packet",
9416 .prog_type = BPF_PROG_TYPE_XDP,
9419 "XDP pkt read, pkt_data <= pkt_meta', good access",
9421 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9422 offsetof(struct xdp_md, data_meta)),
9423 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9424 offsetof(struct xdp_md, data)),
9425 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9427 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9428 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9429 BPF_MOV64_IMM(BPF_REG_0, 0),
9433 .prog_type = BPF_PROG_TYPE_XDP,
9434 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9437 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9439 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9440 offsetof(struct xdp_md, data_meta)),
9441 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9442 offsetof(struct xdp_md, data)),
9443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9445 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9447 BPF_MOV64_IMM(BPF_REG_0, 0),
9450 .errstr = "R1 offset is outside of the packet",
9452 .prog_type = BPF_PROG_TYPE_XDP,
9455 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9457 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9458 offsetof(struct xdp_md, data_meta)),
9459 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9460 offsetof(struct xdp_md, data)),
9461 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9463 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9464 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9465 BPF_MOV64_IMM(BPF_REG_0, 0),
9468 .errstr = "R1 offset is outside of the packet",
9470 .prog_type = BPF_PROG_TYPE_XDP,
9471 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9474 "check deducing bounds from const, 1",
9476 BPF_MOV64_IMM(BPF_REG_0, 1),
9477 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9478 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9482 .errstr = "R0 tried to subtract pointer from scalar",
9485 "check deducing bounds from const, 2",
9487 BPF_MOV64_IMM(BPF_REG_0, 1),
9488 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9490 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9492 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9499 "check deducing bounds from const, 3",
9501 BPF_MOV64_IMM(BPF_REG_0, 0),
9502 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9503 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9507 .errstr = "R0 tried to subtract pointer from scalar",
9510 "check deducing bounds from const, 4",
9512 BPF_MOV64_IMM(BPF_REG_0, 0),
9513 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9515 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9517 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9523 "check deducing bounds from const, 5",
9525 BPF_MOV64_IMM(BPF_REG_0, 0),
9526 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9527 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9531 .errstr = "R0 tried to subtract pointer from scalar",
9534 "check deducing bounds from const, 6",
9536 BPF_MOV64_IMM(BPF_REG_0, 0),
9537 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9539 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9543 .errstr = "R0 tried to subtract pointer from scalar",
9546 "check deducing bounds from const, 7",
9548 BPF_MOV64_IMM(BPF_REG_0, ~0),
9549 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9550 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9552 offsetof(struct __sk_buff, mark)),
9556 .errstr = "dereference of modified ctx ptr",
9559 "check deducing bounds from const, 8",
9561 BPF_MOV64_IMM(BPF_REG_0, ~0),
9562 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9563 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9565 offsetof(struct __sk_buff, mark)),
9569 .errstr = "dereference of modified ctx ptr",
9572 "check deducing bounds from const, 9",
9574 BPF_MOV64_IMM(BPF_REG_0, 0),
9575 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9576 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9580 .errstr = "R0 tried to subtract pointer from scalar",
9583 "check deducing bounds from const, 10",
9585 BPF_MOV64_IMM(BPF_REG_0, 0),
9586 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9587 /* Marks reg as unknown. */
9588 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9589 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9593 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9596 "bpf_exit with invalid return code. test1",
9598 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9601 .errstr = "R0 has value (0x0; 0xffffffff)",
9603 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9606 "bpf_exit with invalid return code. test2",
9608 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9609 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9613 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9616 "bpf_exit with invalid return code. test3",
9618 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9619 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9622 .errstr = "R0 has value (0x0; 0x3)",
9624 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9627 "bpf_exit with invalid return code. test4",
9629 BPF_MOV64_IMM(BPF_REG_0, 1),
9633 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9636 "bpf_exit with invalid return code. test5",
9638 BPF_MOV64_IMM(BPF_REG_0, 2),
9641 .errstr = "R0 has value (0x2; 0x0)",
9643 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9646 "bpf_exit with invalid return code. test6",
9648 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9651 .errstr = "R0 is not a known value (ctx)",
9653 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9656 "bpf_exit with invalid return code. test7",
9658 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9659 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9660 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9663 .errstr = "R0 has unknown scalar value",
9665 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9668 "calls: basic sanity",
9670 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9671 BPF_MOV64_IMM(BPF_REG_0, 1),
9673 BPF_MOV64_IMM(BPF_REG_0, 2),
9676 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9680 "calls: not on unpriviledged",
9682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9683 BPF_MOV64_IMM(BPF_REG_0, 1),
9685 BPF_MOV64_IMM(BPF_REG_0, 2),
9688 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9689 .result_unpriv = REJECT,
9694 "calls: div by 0 in subprog",
9696 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9698 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9699 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9700 offsetof(struct __sk_buff, data_end)),
9701 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9703 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9704 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9705 BPF_MOV64_IMM(BPF_REG_0, 1),
9707 BPF_MOV32_IMM(BPF_REG_2, 0),
9708 BPF_MOV32_IMM(BPF_REG_3, 1),
9709 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9710 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9711 offsetof(struct __sk_buff, data)),
9714 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9719 "calls: multiple ret types in subprog 1",
9721 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9723 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9724 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9725 offsetof(struct __sk_buff, data_end)),
9726 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9728 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9729 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9730 BPF_MOV64_IMM(BPF_REG_0, 1),
9732 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9733 offsetof(struct __sk_buff, data)),
9734 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9735 BPF_MOV32_IMM(BPF_REG_0, 42),
9738 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9740 .errstr = "R0 invalid mem access 'inv'",
9743 "calls: multiple ret types in subprog 2",
9745 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9747 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9748 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9749 offsetof(struct __sk_buff, data_end)),
9750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9752 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9753 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9754 BPF_MOV64_IMM(BPF_REG_0, 1),
9756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9757 offsetof(struct __sk_buff, data)),
9758 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9759 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9760 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9761 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9763 BPF_LD_MAP_FD(BPF_REG_1, 0),
9764 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9765 BPF_FUNC_map_lookup_elem),
9766 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9767 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9768 offsetof(struct __sk_buff, data)),
9769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9772 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9773 .fixup_map1 = { 16 },
9775 .errstr = "R0 min value is outside of the array range",
9778 "calls: overlapping caller/callee",
9780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9781 BPF_MOV64_IMM(BPF_REG_0, 1),
9784 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9785 .errstr = "last insn is not an exit or jmp",
9789 "calls: wrong recursive calls",
9791 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9792 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9793 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9794 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9796 BPF_MOV64_IMM(BPF_REG_0, 1),
9799 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9800 .errstr = "jump out of range",
9804 "calls: wrong src reg",
9806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9807 BPF_MOV64_IMM(BPF_REG_0, 1),
9810 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9811 .errstr = "BPF_CALL uses reserved fields",
9815 "calls: wrong off value",
9817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9818 BPF_MOV64_IMM(BPF_REG_0, 1),
9820 BPF_MOV64_IMM(BPF_REG_0, 2),
9823 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9824 .errstr = "BPF_CALL uses reserved fields",
9828 "calls: jump back loop",
9830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9831 BPF_MOV64_IMM(BPF_REG_0, 1),
9834 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9835 .errstr = "back-edge from insn 0 to 0",
9839 "calls: conditional call",
9841 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9842 offsetof(struct __sk_buff, mark)),
9843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9845 BPF_MOV64_IMM(BPF_REG_0, 1),
9847 BPF_MOV64_IMM(BPF_REG_0, 2),
9850 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9851 .errstr = "jump out of range",
9855 "calls: conditional call 2",
9857 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9858 offsetof(struct __sk_buff, mark)),
9859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9860 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9861 BPF_MOV64_IMM(BPF_REG_0, 1),
9863 BPF_MOV64_IMM(BPF_REG_0, 2),
9865 BPF_MOV64_IMM(BPF_REG_0, 3),
9868 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9872 "calls: conditional call 3",
9874 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9875 offsetof(struct __sk_buff, mark)),
9876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9877 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9878 BPF_MOV64_IMM(BPF_REG_0, 1),
9880 BPF_MOV64_IMM(BPF_REG_0, 1),
9881 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9882 BPF_MOV64_IMM(BPF_REG_0, 3),
9883 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9885 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9886 .errstr = "back-edge from insn",
9890 "calls: conditional call 4",
9892 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9893 offsetof(struct __sk_buff, mark)),
9894 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9896 BPF_MOV64_IMM(BPF_REG_0, 1),
9898 BPF_MOV64_IMM(BPF_REG_0, 1),
9899 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
9900 BPF_MOV64_IMM(BPF_REG_0, 3),
9903 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9907 "calls: conditional call 5",
9909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9910 offsetof(struct __sk_buff, mark)),
9911 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9913 BPF_MOV64_IMM(BPF_REG_0, 1),
9915 BPF_MOV64_IMM(BPF_REG_0, 1),
9916 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9917 BPF_MOV64_IMM(BPF_REG_0, 3),
9920 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9921 .errstr = "back-edge from insn",
9925 "calls: conditional call 6",
9927 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9928 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
9930 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9931 offsetof(struct __sk_buff, mark)),
9934 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9935 .errstr = "back-edge from insn",
9939 "calls: using r0 returned by callee",
9941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9943 BPF_MOV64_IMM(BPF_REG_0, 2),
9946 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9950 "calls: using uninit r0 from callee",
9952 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9956 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9957 .errstr = "!read_ok",
9961 "calls: callee is using r1",
9963 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9965 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9966 offsetof(struct __sk_buff, len)),
9969 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
9971 .retval = TEST_DATA_LEN,
9974 "calls: callee using args1",
9976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9978 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9981 .errstr_unpriv = "allowed for root only",
9982 .result_unpriv = REJECT,
9984 .retval = POINTER_VALUE,
9987 "calls: callee using wrong args2",
9989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9991 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9994 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9995 .errstr = "R2 !read_ok",
9999 "calls: callee using two args",
10001 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10002 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10003 offsetof(struct __sk_buff, len)),
10004 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10005 offsetof(struct __sk_buff, len)),
10006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10008 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10009 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10012 .errstr_unpriv = "allowed for root only",
10013 .result_unpriv = REJECT,
10015 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10018 "calls: callee changing pkt pointers",
10020 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10021 offsetof(struct xdp_md, data)),
10022 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10023 offsetof(struct xdp_md, data_end)),
10024 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10026 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10027 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10028 /* clear_all_pkt_pointers() has to walk all frames
10029 * to make sure that pkt pointers in the caller
10030 * are cleared when callee is calling a helper that
10031 * adjusts packet size
10033 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10034 BPF_MOV32_IMM(BPF_REG_0, 0),
10036 BPF_MOV64_IMM(BPF_REG_2, 0),
10037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10038 BPF_FUNC_xdp_adjust_head),
10042 .errstr = "R6 invalid mem access 'inv'",
10043 .prog_type = BPF_PROG_TYPE_XDP,
10046 "calls: two calls with args",
10048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10050 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10052 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10053 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10055 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10056 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10058 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10059 offsetof(struct __sk_buff, len)),
10062 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10064 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10067 "calls: calls with stack arith",
10069 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10071 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10076 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10077 BPF_MOV64_IMM(BPF_REG_0, 42),
10078 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10081 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10086 "calls: calls with misaligned stack access",
10088 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10089 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10093 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10096 BPF_MOV64_IMM(BPF_REG_0, 42),
10097 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10100 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10101 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10102 .errstr = "misaligned stack access",
10106 "calls: calls control flow, jump test",
10108 BPF_MOV64_IMM(BPF_REG_0, 42),
10109 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10110 BPF_MOV64_IMM(BPF_REG_0, 43),
10111 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10112 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10115 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10120 "calls: calls control flow, jump test 2",
10122 BPF_MOV64_IMM(BPF_REG_0, 42),
10123 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10124 BPF_MOV64_IMM(BPF_REG_0, 43),
10125 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10129 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10130 .errstr = "jump out of range from insn 1 to 4",
10134 "calls: two calls with bad jump",
10136 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10138 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10140 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10141 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10142 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10143 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10144 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10146 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10147 offsetof(struct __sk_buff, len)),
10148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10151 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10152 .errstr = "jump out of range from insn 11 to 9",
10156 "calls: recursive call. test1",
10158 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10163 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10164 .errstr = "back-edge",
10168 "calls: recursive call. test2",
10170 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10175 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10176 .errstr = "back-edge",
10180 "calls: unreachable code",
10182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10186 BPF_MOV64_IMM(BPF_REG_0, 0),
10188 BPF_MOV64_IMM(BPF_REG_0, 0),
10191 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10192 .errstr = "unreachable insn 6",
10196 "calls: invalid call",
10198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10200 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10203 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10204 .errstr = "invalid destination",
10208 "calls: invalid call 2",
10210 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10215 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10216 .errstr = "invalid destination",
10220 "calls: jumping across function bodies. test1",
10222 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10223 BPF_MOV64_IMM(BPF_REG_0, 0),
10225 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10228 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10229 .errstr = "jump out of range",
10233 "calls: jumping across function bodies. test2",
10235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10237 BPF_MOV64_IMM(BPF_REG_0, 0),
10241 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10242 .errstr = "jump out of range",
10246 "calls: call without exit",
10248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10252 BPF_MOV64_IMM(BPF_REG_0, 0),
10253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10255 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10256 .errstr = "not an exit",
10260 "calls: call into middle of ld_imm64",
10262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10264 BPF_MOV64_IMM(BPF_REG_0, 0),
10266 BPF_LD_IMM64(BPF_REG_0, 0),
10269 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10270 .errstr = "last insn",
10274 "calls: call into middle of other call",
10276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10278 BPF_MOV64_IMM(BPF_REG_0, 0),
10280 BPF_MOV64_IMM(BPF_REG_0, 0),
10281 BPF_MOV64_IMM(BPF_REG_0, 0),
10284 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10285 .errstr = "last insn",
10289 "calls: ld_abs with changing ctx data in callee",
10291 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10292 BPF_LD_ABS(BPF_B, 0),
10293 BPF_LD_ABS(BPF_H, 0),
10294 BPF_LD_ABS(BPF_W, 0),
10295 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10296 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10297 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10298 BPF_LD_ABS(BPF_B, 0),
10299 BPF_LD_ABS(BPF_H, 0),
10300 BPF_LD_ABS(BPF_W, 0),
10302 BPF_MOV64_IMM(BPF_REG_2, 1),
10303 BPF_MOV64_IMM(BPF_REG_3, 2),
10304 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10305 BPF_FUNC_skb_vlan_push),
10308 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10309 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10313 "calls: two calls with bad fallthrough",
10315 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10317 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10319 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10320 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10321 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10322 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10323 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10324 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10325 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10326 offsetof(struct __sk_buff, len)),
10329 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10330 .errstr = "not an exit",
10334 "calls: two calls with stack read",
10336 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10337 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10341 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10343 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10344 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10345 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10346 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10347 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10349 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10352 .prog_type = BPF_PROG_TYPE_XDP,
10356 "calls: two calls with stack write",
10359 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10365 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10369 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10370 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10371 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10372 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10373 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10374 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10375 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10376 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10377 /* write into stack frame of main prog */
10378 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10382 /* read from stack frame of main prog */
10383 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10386 .prog_type = BPF_PROG_TYPE_XDP,
10390 "calls: stack overflow using two frames (pre-call access)",
10393 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10394 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10398 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10399 BPF_MOV64_IMM(BPF_REG_0, 0),
10402 .prog_type = BPF_PROG_TYPE_XDP,
10403 .errstr = "combined stack size",
10407 "calls: stack overflow using two frames (post-call access)",
10410 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10411 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10415 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10416 BPF_MOV64_IMM(BPF_REG_0, 0),
10419 .prog_type = BPF_PROG_TYPE_XDP,
10420 .errstr = "combined stack size",
10424 "calls: stack depth check using three frames. test1",
10427 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10428 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10429 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10430 BPF_MOV64_IMM(BPF_REG_0, 0),
10433 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10436 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10437 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10440 .prog_type = BPF_PROG_TYPE_XDP,
10441 /* stack_main=32, stack_A=256, stack_B=64
10442 * and max(main+A, main+A+B) < 512
10447 "calls: stack depth check using three frames. test2",
10450 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10451 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10452 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10453 BPF_MOV64_IMM(BPF_REG_0, 0),
10456 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10459 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10460 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10463 .prog_type = BPF_PROG_TYPE_XDP,
10464 /* stack_main=32, stack_A=64, stack_B=256
10465 * and max(main+A, main+A+B) < 512
10470 "calls: stack depth check using three frames. test3",
10473 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10474 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10475 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10476 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10477 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10478 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10479 BPF_MOV64_IMM(BPF_REG_0, 0),
10482 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10484 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10485 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10487 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10488 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10489 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10492 .prog_type = BPF_PROG_TYPE_XDP,
10493 /* stack_main=64, stack_A=224, stack_B=256
10494 * and max(main+A, main+A+B) > 512
10496 .errstr = "combined stack",
10500 "calls: stack depth check using three frames. test4",
10501 /* void main(void) {
10506 * void func1(int alloc_or_recurse) {
10507 * if (alloc_or_recurse) {
10508 * frame_pointer[-300] = 1;
10510 * func2(alloc_or_recurse);
10513 * void func2(int alloc_or_recurse) {
10514 * if (alloc_or_recurse) {
10515 * frame_pointer[-300] = 1;
10521 BPF_MOV64_IMM(BPF_REG_1, 0),
10522 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10523 BPF_MOV64_IMM(BPF_REG_1, 1),
10524 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10525 BPF_MOV64_IMM(BPF_REG_1, 1),
10526 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10527 BPF_MOV64_IMM(BPF_REG_0, 0),
10530 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10531 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10533 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10536 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10537 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10540 .prog_type = BPF_PROG_TYPE_XDP,
10542 .errstr = "combined stack",
10545 "calls: stack depth check using three frames. test5",
10548 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10551 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10554 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10557 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10560 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10563 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10566 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10569 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10572 BPF_MOV64_IMM(BPF_REG_0, 0),
10575 .prog_type = BPF_PROG_TYPE_XDP,
10576 .errstr = "call stack",
10580 "calls: spill into caller stack frame",
10582 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10583 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10587 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10588 BPF_MOV64_IMM(BPF_REG_0, 0),
10591 .prog_type = BPF_PROG_TYPE_XDP,
10592 .errstr = "cannot spill",
10596 "calls: write into caller stack frame",
10598 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10600 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10602 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10604 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10605 BPF_MOV64_IMM(BPF_REG_0, 0),
10608 .prog_type = BPF_PROG_TYPE_XDP,
10613 "calls: write into callee stack frame",
10615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10616 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10618 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10622 .prog_type = BPF_PROG_TYPE_XDP,
10623 .errstr = "cannot return stack pointer",
10627 "calls: two calls with stack write and void return",
10630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10631 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10633 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10635 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10636 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10640 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10641 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10643 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10644 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10648 /* write into stack frame of main prog */
10649 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10650 BPF_EXIT_INSN(), /* void return */
10652 .prog_type = BPF_PROG_TYPE_XDP,
10656 "calls: ambiguous return value",
10658 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10659 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10660 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10661 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10663 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10666 BPF_MOV64_IMM(BPF_REG_0, 0),
10669 .errstr_unpriv = "allowed for root only",
10670 .result_unpriv = REJECT,
10671 .errstr = "R0 !read_ok",
10675 "calls: two calls that return map_value",
10678 /* pass fp-16, fp-8 into a function */
10679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10681 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10683 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10685 /* fetch map_value_ptr from the stack of this function */
10686 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10688 /* write into map value */
10689 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10690 /* fetch secound map_value_ptr from the stack */
10691 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10693 /* write into map value */
10694 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10695 BPF_MOV64_IMM(BPF_REG_0, 0),
10699 /* call 3rd function twice */
10700 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10701 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10702 /* first time with fp-8 */
10703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10705 /* second time with fp-16 */
10706 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10710 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10711 /* lookup from map */
10712 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10713 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10715 BPF_LD_MAP_FD(BPF_REG_1, 0),
10716 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10717 BPF_FUNC_map_lookup_elem),
10718 /* write map_value_ptr into stack frame of main prog */
10719 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10720 BPF_MOV64_IMM(BPF_REG_0, 0),
10721 BPF_EXIT_INSN(), /* return 0 */
10723 .prog_type = BPF_PROG_TYPE_XDP,
10724 .fixup_map1 = { 23 },
10728 "calls: two calls that return map_value with bool condition",
10731 /* pass fp-16, fp-8 into a function */
10732 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10734 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10737 BPF_MOV64_IMM(BPF_REG_0, 0),
10741 /* call 3rd function twice */
10742 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10743 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10744 /* first time with fp-8 */
10745 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10746 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10747 /* fetch map_value_ptr from the stack of this function */
10748 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10749 /* write into map value */
10750 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10751 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10752 /* second time with fp-16 */
10753 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10754 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10755 /* fetch secound map_value_ptr from the stack */
10756 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10757 /* write into map value */
10758 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10762 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10763 /* lookup from map */
10764 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10765 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10767 BPF_LD_MAP_FD(BPF_REG_1, 0),
10768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10769 BPF_FUNC_map_lookup_elem),
10770 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10771 BPF_MOV64_IMM(BPF_REG_0, 0),
10772 BPF_EXIT_INSN(), /* return 0 */
10773 /* write map_value_ptr into stack frame of main prog */
10774 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10775 BPF_MOV64_IMM(BPF_REG_0, 1),
10776 BPF_EXIT_INSN(), /* return 1 */
10778 .prog_type = BPF_PROG_TYPE_XDP,
10779 .fixup_map1 = { 23 },
10783 "calls: two calls that return map_value with incorrect bool check",
10786 /* pass fp-16, fp-8 into a function */
10787 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10789 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10791 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10792 BPF_MOV64_IMM(BPF_REG_0, 0),
10796 /* call 3rd function twice */
10797 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10798 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10799 /* first time with fp-8 */
10800 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10801 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10802 /* fetch map_value_ptr from the stack of this function */
10803 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10804 /* write into map value */
10805 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10806 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10807 /* second time with fp-16 */
10808 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10809 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10810 /* fetch secound map_value_ptr from the stack */
10811 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10812 /* write into map value */
10813 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10817 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10818 /* lookup from map */
10819 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10820 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10822 BPF_LD_MAP_FD(BPF_REG_1, 0),
10823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10824 BPF_FUNC_map_lookup_elem),
10825 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10826 BPF_MOV64_IMM(BPF_REG_0, 0),
10827 BPF_EXIT_INSN(), /* return 0 */
10828 /* write map_value_ptr into stack frame of main prog */
10829 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10830 BPF_MOV64_IMM(BPF_REG_0, 1),
10831 BPF_EXIT_INSN(), /* return 1 */
10833 .prog_type = BPF_PROG_TYPE_XDP,
10834 .fixup_map1 = { 23 },
10836 .errstr = "invalid read from stack off -16+0 size 8",
10839 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10842 /* pass fp-16, fp-8 into a function */
10843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10845 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10846 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10847 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10848 BPF_MOV64_IMM(BPF_REG_0, 0),
10852 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10853 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10854 /* 1st lookup from map */
10855 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10856 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10858 BPF_LD_MAP_FD(BPF_REG_1, 0),
10859 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10860 BPF_FUNC_map_lookup_elem),
10861 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10862 BPF_MOV64_IMM(BPF_REG_8, 0),
10863 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10864 /* write map_value_ptr into stack frame of main prog at fp-8 */
10865 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10866 BPF_MOV64_IMM(BPF_REG_8, 1),
10868 /* 2nd lookup from map */
10869 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10871 BPF_LD_MAP_FD(BPF_REG_1, 0),
10872 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10873 BPF_FUNC_map_lookup_elem),
10874 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10875 BPF_MOV64_IMM(BPF_REG_9, 0),
10876 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10877 /* write map_value_ptr into stack frame of main prog at fp-16 */
10878 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10879 BPF_MOV64_IMM(BPF_REG_9, 1),
10881 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10883 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10884 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10885 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
10890 /* if arg2 == 1 do *arg1 = 0 */
10891 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10892 /* fetch map_value_ptr from the stack of this function */
10893 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10894 /* write into map value */
10895 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10897 /* if arg4 == 1 do *arg3 = 0 */
10898 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10899 /* fetch map_value_ptr from the stack of this function */
10900 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10901 /* write into map value */
10902 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10905 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10906 .fixup_map1 = { 12, 22 },
10908 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
10911 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
10914 /* pass fp-16, fp-8 into a function */
10915 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10919 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10920 BPF_MOV64_IMM(BPF_REG_0, 0),
10924 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10925 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10926 /* 1st lookup from map */
10927 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10928 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10930 BPF_LD_MAP_FD(BPF_REG_1, 0),
10931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10932 BPF_FUNC_map_lookup_elem),
10933 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10934 BPF_MOV64_IMM(BPF_REG_8, 0),
10935 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10936 /* write map_value_ptr into stack frame of main prog at fp-8 */
10937 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10938 BPF_MOV64_IMM(BPF_REG_8, 1),
10940 /* 2nd lookup from map */
10941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10943 BPF_LD_MAP_FD(BPF_REG_1, 0),
10944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10945 BPF_FUNC_map_lookup_elem),
10946 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10947 BPF_MOV64_IMM(BPF_REG_9, 0),
10948 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10949 /* write map_value_ptr into stack frame of main prog at fp-16 */
10950 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10951 BPF_MOV64_IMM(BPF_REG_9, 1),
10953 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10954 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10955 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10956 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10957 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10958 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
10962 /* if arg2 == 1 do *arg1 = 0 */
10963 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10964 /* fetch map_value_ptr from the stack of this function */
10965 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10966 /* write into map value */
10967 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10969 /* if arg4 == 1 do *arg3 = 0 */
10970 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10971 /* fetch map_value_ptr from the stack of this function */
10972 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10973 /* write into map value */
10974 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10977 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10978 .fixup_map1 = { 12, 22 },
10982 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
10985 /* pass fp-16, fp-8 into a function */
10986 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10988 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10990 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
10991 BPF_MOV64_IMM(BPF_REG_0, 0),
10995 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10996 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10997 /* 1st lookup from map */
10998 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
10999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11001 BPF_LD_MAP_FD(BPF_REG_1, 0),
11002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11003 BPF_FUNC_map_lookup_elem),
11004 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11005 BPF_MOV64_IMM(BPF_REG_8, 0),
11006 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11007 /* write map_value_ptr into stack frame of main prog at fp-8 */
11008 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11009 BPF_MOV64_IMM(BPF_REG_8, 1),
11011 /* 2nd lookup from map */
11012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11014 BPF_LD_MAP_FD(BPF_REG_1, 0),
11015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11016 BPF_FUNC_map_lookup_elem),
11017 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11018 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11019 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11020 /* write map_value_ptr into stack frame of main prog at fp-16 */
11021 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11022 BPF_MOV64_IMM(BPF_REG_9, 1),
11024 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11026 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11027 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11028 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11029 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11030 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11033 /* if arg2 == 1 do *arg1 = 0 */
11034 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11035 /* fetch map_value_ptr from the stack of this function */
11036 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11037 /* write into map value */
11038 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11040 /* if arg4 == 1 do *arg3 = 0 */
11041 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11042 /* fetch map_value_ptr from the stack of this function */
11043 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11044 /* write into map value */
11045 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11046 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11048 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11049 .fixup_map1 = { 12, 22 },
11051 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11054 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11057 /* pass fp-16, fp-8 into a function */
11058 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11063 BPF_MOV64_IMM(BPF_REG_0, 0),
11067 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11068 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11069 /* 1st lookup from map */
11070 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11071 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11073 BPF_LD_MAP_FD(BPF_REG_1, 0),
11074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11075 BPF_FUNC_map_lookup_elem),
11076 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11077 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11078 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11079 BPF_MOV64_IMM(BPF_REG_8, 0),
11080 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11081 BPF_MOV64_IMM(BPF_REG_8, 1),
11083 /* 2nd lookup from map */
11084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11085 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11086 BPF_LD_MAP_FD(BPF_REG_1, 0),
11087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11088 BPF_FUNC_map_lookup_elem),
11089 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11090 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11091 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11092 BPF_MOV64_IMM(BPF_REG_9, 0),
11093 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11094 BPF_MOV64_IMM(BPF_REG_9, 1),
11096 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11097 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11098 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11099 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11100 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11101 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11105 /* if arg2 == 1 do *arg1 = 0 */
11106 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11107 /* fetch map_value_ptr from the stack of this function */
11108 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11109 /* write into map value */
11110 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11112 /* if arg4 == 1 do *arg3 = 0 */
11113 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11114 /* fetch map_value_ptr from the stack of this function */
11115 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11116 /* write into map value */
11117 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11120 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11121 .fixup_map1 = { 12, 22 },
11125 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11128 /* pass fp-16, fp-8 into a function */
11129 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11131 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11133 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11134 BPF_MOV64_IMM(BPF_REG_0, 0),
11138 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11139 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11140 /* 1st lookup from map */
11141 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11142 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11144 BPF_LD_MAP_FD(BPF_REG_1, 0),
11145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11146 BPF_FUNC_map_lookup_elem),
11147 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11148 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11149 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11150 BPF_MOV64_IMM(BPF_REG_8, 0),
11151 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11152 BPF_MOV64_IMM(BPF_REG_8, 1),
11154 /* 2nd lookup from map */
11155 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11157 BPF_LD_MAP_FD(BPF_REG_1, 0),
11158 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11159 BPF_FUNC_map_lookup_elem),
11160 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11161 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11162 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11163 BPF_MOV64_IMM(BPF_REG_9, 0),
11164 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11165 BPF_MOV64_IMM(BPF_REG_9, 1),
11167 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11169 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11170 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11171 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11176 /* if arg2 == 1 do *arg1 = 0 */
11177 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11178 /* fetch map_value_ptr from the stack of this function */
11179 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11180 /* write into map value */
11181 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11183 /* if arg4 == 0 do *arg3 = 0 */
11184 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11185 /* fetch map_value_ptr from the stack of this function */
11186 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11187 /* write into map value */
11188 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11191 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11192 .fixup_map1 = { 12, 22 },
11194 .errstr = "R0 invalid mem access 'inv'",
11197 "calls: pkt_ptr spill into caller stack",
11199 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11200 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11206 offsetof(struct __sk_buff, data)),
11207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11208 offsetof(struct __sk_buff, data_end)),
11209 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11211 /* spill unchecked pkt_ptr into stack of caller */
11212 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11213 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11214 /* now the pkt range is verified, read pkt_ptr from stack */
11215 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11216 /* write 4 bytes into packet */
11217 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11222 .retval = POINTER_VALUE,
11225 "calls: pkt_ptr spill into caller stack 2",
11227 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11229 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11230 /* Marking is still kept, but not in all cases safe. */
11231 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11232 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11236 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11237 offsetof(struct __sk_buff, data)),
11238 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11239 offsetof(struct __sk_buff, data_end)),
11240 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11242 /* spill unchecked pkt_ptr into stack of caller */
11243 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11244 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11245 /* now the pkt range is verified, read pkt_ptr from stack */
11246 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11247 /* write 4 bytes into packet */
11248 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11251 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11252 .errstr = "invalid access to packet",
11256 "calls: pkt_ptr spill into caller stack 3",
11258 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11260 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11262 /* Marking is still kept and safe here. */
11263 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11264 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11268 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11269 offsetof(struct __sk_buff, data)),
11270 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11271 offsetof(struct __sk_buff, data_end)),
11272 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11274 /* spill unchecked pkt_ptr into stack of caller */
11275 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11276 BPF_MOV64_IMM(BPF_REG_5, 0),
11277 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11278 BPF_MOV64_IMM(BPF_REG_5, 1),
11279 /* now the pkt range is verified, read pkt_ptr from stack */
11280 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11281 /* write 4 bytes into packet */
11282 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11283 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11286 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11291 "calls: pkt_ptr spill into caller stack 4",
11293 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11296 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11297 /* Check marking propagated. */
11298 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11299 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11303 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11304 offsetof(struct __sk_buff, data)),
11305 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11306 offsetof(struct __sk_buff, data_end)),
11307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11309 /* spill unchecked pkt_ptr into stack of caller */
11310 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11311 BPF_MOV64_IMM(BPF_REG_5, 0),
11312 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11313 BPF_MOV64_IMM(BPF_REG_5, 1),
11314 /* don't read back pkt_ptr from stack here */
11315 /* write 4 bytes into packet */
11316 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11317 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11320 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11325 "calls: pkt_ptr spill into caller stack 5",
11327 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11329 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11331 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11332 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11336 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11337 offsetof(struct __sk_buff, data)),
11338 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11339 offsetof(struct __sk_buff, data_end)),
11340 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11342 BPF_MOV64_IMM(BPF_REG_5, 0),
11343 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11344 /* spill checked pkt_ptr into stack of caller */
11345 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11346 BPF_MOV64_IMM(BPF_REG_5, 1),
11347 /* don't read back pkt_ptr from stack here */
11348 /* write 4 bytes into packet */
11349 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11350 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11353 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11354 .errstr = "same insn cannot be used with different",
11358 "calls: pkt_ptr spill into caller stack 6",
11360 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11361 offsetof(struct __sk_buff, data_end)),
11362 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11364 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11366 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11367 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11371 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11372 offsetof(struct __sk_buff, data)),
11373 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11374 offsetof(struct __sk_buff, data_end)),
11375 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11377 BPF_MOV64_IMM(BPF_REG_5, 0),
11378 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11379 /* spill checked pkt_ptr into stack of caller */
11380 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11381 BPF_MOV64_IMM(BPF_REG_5, 1),
11382 /* don't read back pkt_ptr from stack here */
11383 /* write 4 bytes into packet */
11384 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11385 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11388 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11389 .errstr = "R4 invalid mem access",
11393 "calls: pkt_ptr spill into caller stack 7",
11395 BPF_MOV64_IMM(BPF_REG_2, 0),
11396 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11397 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11398 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11399 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11400 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11401 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11405 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11406 offsetof(struct __sk_buff, data)),
11407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11408 offsetof(struct __sk_buff, data_end)),
11409 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11411 BPF_MOV64_IMM(BPF_REG_5, 0),
11412 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11413 /* spill checked pkt_ptr into stack of caller */
11414 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11415 BPF_MOV64_IMM(BPF_REG_5, 1),
11416 /* don't read back pkt_ptr from stack here */
11417 /* write 4 bytes into packet */
11418 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11422 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11423 .errstr = "R4 invalid mem access",
11427 "calls: pkt_ptr spill into caller stack 8",
11429 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11430 offsetof(struct __sk_buff, data)),
11431 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11432 offsetof(struct __sk_buff, data_end)),
11433 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11435 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11437 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11439 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11441 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11442 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11446 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11447 offsetof(struct __sk_buff, data)),
11448 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11449 offsetof(struct __sk_buff, data_end)),
11450 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11452 BPF_MOV64_IMM(BPF_REG_5, 0),
11453 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11454 /* spill checked pkt_ptr into stack of caller */
11455 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11456 BPF_MOV64_IMM(BPF_REG_5, 1),
11457 /* don't read back pkt_ptr from stack here */
11458 /* write 4 bytes into packet */
11459 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11460 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11463 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11467 "calls: pkt_ptr spill into caller stack 9",
11469 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11470 offsetof(struct __sk_buff, data)),
11471 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11472 offsetof(struct __sk_buff, data_end)),
11473 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11475 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11477 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11479 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11480 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11481 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11482 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11486 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11487 offsetof(struct __sk_buff, data)),
11488 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11489 offsetof(struct __sk_buff, data_end)),
11490 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11492 BPF_MOV64_IMM(BPF_REG_5, 0),
11493 /* spill unchecked pkt_ptr into stack of caller */
11494 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11495 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11496 BPF_MOV64_IMM(BPF_REG_5, 1),
11497 /* don't read back pkt_ptr from stack here */
11498 /* write 4 bytes into packet */
11499 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11500 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11503 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11504 .errstr = "invalid access to packet",
11508 "calls: caller stack init to zero or map_value_or_null",
11510 BPF_MOV64_IMM(BPF_REG_0, 0),
11511 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11512 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11515 /* fetch map_value_or_null or const_zero from stack */
11516 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11517 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11518 /* store into map_value */
11519 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11523 /* if (ctx == 0) return; */
11524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11525 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11526 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11527 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11529 BPF_LD_MAP_FD(BPF_REG_1, 0),
11530 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11531 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11532 BPF_FUNC_map_lookup_elem),
11533 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11534 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11537 .fixup_map1 = { 13 },
11539 .prog_type = BPF_PROG_TYPE_XDP,
11542 "calls: stack init to zero and pruning",
11544 /* first make allocated_stack 16 byte */
11545 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11546 /* now fork the execution such that the false branch
11547 * of JGT insn will be verified second and it skisp zero
11548 * init of fp-8 stack slot. If stack liveness marking
11549 * is missing live_read marks from call map_lookup
11550 * processing then pruning will incorrectly assume
11551 * that fp-8 stack slot was unused in the fall-through
11552 * branch and will accept the program incorrectly
11554 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11555 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11556 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11557 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11559 BPF_LD_MAP_FD(BPF_REG_1, 0),
11560 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11561 BPF_FUNC_map_lookup_elem),
11564 .fixup_map2 = { 6 },
11565 .errstr = "invalid indirect read from stack off -8+0 size 8",
11567 .prog_type = BPF_PROG_TYPE_XDP,
11570 "search pruning: all branches should be verified (nop operation)",
11572 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11574 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11575 BPF_LD_MAP_FD(BPF_REG_1, 0),
11576 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11577 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11578 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11580 BPF_MOV64_IMM(BPF_REG_4, 0),
11582 BPF_MOV64_IMM(BPF_REG_4, 1),
11583 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11584 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11585 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11587 BPF_MOV64_IMM(BPF_REG_6, 0),
11588 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11591 .fixup_map1 = { 3 },
11592 .errstr = "R6 invalid mem access 'inv'",
11594 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11597 "search pruning: all branches should be verified (invalid stack access)",
11599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11601 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11602 BPF_LD_MAP_FD(BPF_REG_1, 0),
11603 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11604 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11605 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11606 BPF_MOV64_IMM(BPF_REG_4, 0),
11607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11608 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11610 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11611 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11612 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11615 .fixup_map1 = { 3 },
11616 .errstr = "invalid read from stack off -16+0 size 8",
11618 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11621 "jit: lsh, rsh, arsh by 1",
11623 BPF_MOV64_IMM(BPF_REG_0, 1),
11624 BPF_MOV64_IMM(BPF_REG_1, 0xff),
11625 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11626 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11627 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11629 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11630 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11633 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11634 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11636 BPF_MOV64_IMM(BPF_REG_0, 2),
11643 "jit: mov32 for ldimm64, 1",
11645 BPF_MOV64_IMM(BPF_REG_0, 2),
11646 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11647 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11648 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11649 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11650 BPF_MOV64_IMM(BPF_REG_0, 1),
11657 "jit: mov32 for ldimm64, 2",
11659 BPF_MOV64_IMM(BPF_REG_0, 1),
11660 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11661 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11662 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11663 BPF_MOV64_IMM(BPF_REG_0, 2),
11670 "jit: various mul tests",
11672 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11673 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11674 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11675 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11676 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11677 BPF_MOV64_IMM(BPF_REG_0, 1),
11679 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11680 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11681 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11682 BPF_MOV64_IMM(BPF_REG_0, 1),
11684 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11685 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11686 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11687 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11688 BPF_MOV64_IMM(BPF_REG_0, 1),
11690 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11691 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11692 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11693 BPF_MOV64_IMM(BPF_REG_0, 1),
11695 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11696 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11697 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11698 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11699 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11700 BPF_MOV64_IMM(BPF_REG_0, 1),
11702 BPF_MOV64_IMM(BPF_REG_0, 2),
11709 "xadd/w check unaligned stack",
11711 BPF_MOV64_IMM(BPF_REG_0, 1),
11712 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11713 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
11714 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11718 .errstr = "misaligned stack access off",
11719 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11722 "xadd/w check unaligned map",
11724 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11727 BPF_LD_MAP_FD(BPF_REG_1, 0),
11728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11729 BPF_FUNC_map_lookup_elem),
11730 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11732 BPF_MOV64_IMM(BPF_REG_1, 1),
11733 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
11734 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
11737 .fixup_map1 = { 3 },
11739 .errstr = "misaligned value access off",
11740 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11743 "xadd/w check unaligned pkt",
11745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11746 offsetof(struct xdp_md, data)),
11747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11748 offsetof(struct xdp_md, data_end)),
11749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11751 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
11752 BPF_MOV64_IMM(BPF_REG_0, 99),
11753 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
11754 BPF_MOV64_IMM(BPF_REG_0, 1),
11755 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11756 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
11757 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
11758 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
11759 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
11763 .errstr = "BPF_XADD stores into R2 packet",
11764 .prog_type = BPF_PROG_TYPE_XDP,
11767 "bpf_get_stack return R0 within range",
11769 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11770 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11771 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11773 BPF_LD_MAP_FD(BPF_REG_1, 0),
11774 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11775 BPF_FUNC_map_lookup_elem),
11776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
11777 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11778 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
11779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11780 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
11781 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
11782 BPF_MOV64_IMM(BPF_REG_4, 256),
11783 BPF_EMIT_CALL(BPF_FUNC_get_stack),
11784 BPF_MOV64_IMM(BPF_REG_1, 0),
11785 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11786 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
11787 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
11788 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
11789 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
11790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
11791 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
11792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
11793 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
11794 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
11795 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
11796 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
11797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11798 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
11799 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
11800 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
11801 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11802 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
11803 BPF_MOV64_IMM(BPF_REG_4, 0),
11804 BPF_EMIT_CALL(BPF_FUNC_get_stack),
11807 .fixup_map2 = { 4 },
11809 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11812 "ld_abs: invalid op 1",
11814 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11815 BPF_LD_ABS(BPF_DW, 0),
11818 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11820 .errstr = "unknown opcode",
11823 "ld_abs: invalid op 2",
11825 BPF_MOV32_IMM(BPF_REG_0, 256),
11826 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11827 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
11830 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11832 .errstr = "unknown opcode",
11835 "ld_abs: nmap reduced",
11837 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11838 BPF_LD_ABS(BPF_H, 12),
11839 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
11840 BPF_LD_ABS(BPF_H, 12),
11841 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
11842 BPF_MOV32_IMM(BPF_REG_0, 18),
11843 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
11844 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
11845 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
11846 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
11847 BPF_MOV32_IMM(BPF_REG_0, 280971478),
11848 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
11849 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
11850 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
11851 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
11852 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
11853 BPF_LD_ABS(BPF_H, 12),
11854 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
11855 BPF_MOV32_IMM(BPF_REG_0, 22),
11856 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
11857 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
11858 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
11859 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
11860 BPF_MOV32_IMM(BPF_REG_0, 17366),
11861 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
11862 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
11863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
11864 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
11865 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11866 BPF_MOV32_IMM(BPF_REG_0, 256),
11868 BPF_MOV32_IMM(BPF_REG_0, 0),
11872 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
11873 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
11874 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
11876 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11881 "ld_abs: div + abs, test 1",
11883 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11884 BPF_LD_ABS(BPF_B, 3),
11885 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
11886 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
11887 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
11888 BPF_LD_ABS(BPF_B, 4),
11889 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11890 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
11894 10, 20, 30, 40, 50,
11896 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11901 "ld_abs: div + abs, test 2",
11903 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11904 BPF_LD_ABS(BPF_B, 3),
11905 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
11906 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
11907 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
11908 BPF_LD_ABS(BPF_B, 128),
11909 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11910 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
11914 10, 20, 30, 40, 50,
11916 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11921 "ld_abs: div + abs, test 3",
11923 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11924 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
11925 BPF_LD_ABS(BPF_B, 3),
11926 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
11930 10, 20, 30, 40, 50,
11932 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11937 "ld_abs: div + abs, test 4",
11939 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11940 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
11941 BPF_LD_ABS(BPF_B, 256),
11942 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
11946 10, 20, 30, 40, 50,
11948 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11953 "ld_abs: vlan + abs, test 1",
11958 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
11959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11964 "ld_abs: vlan + abs, test 2",
11966 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11967 BPF_LD_ABS(BPF_B, 0),
11968 BPF_LD_ABS(BPF_H, 0),
11969 BPF_LD_ABS(BPF_W, 0),
11970 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11971 BPF_MOV64_IMM(BPF_REG_6, 0),
11972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11973 BPF_MOV64_IMM(BPF_REG_2, 1),
11974 BPF_MOV64_IMM(BPF_REG_3, 2),
11975 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11976 BPF_FUNC_skb_vlan_push),
11977 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11978 BPF_LD_ABS(BPF_B, 0),
11979 BPF_LD_ABS(BPF_H, 0),
11980 BPF_LD_ABS(BPF_W, 0),
11981 BPF_MOV64_IMM(BPF_REG_0, 42),
11987 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11992 "ld_abs: jump around ld_abs",
11997 .fill_helper = bpf_fill_jump_around_ld_abs,
11998 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12003 "ld_dw: xor semi-random 64 bit imms, test 1",
12006 .fill_helper = bpf_fill_rand_ld_dw,
12007 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12012 "ld_dw: xor semi-random 64 bit imms, test 2",
12015 .fill_helper = bpf_fill_rand_ld_dw,
12016 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12021 "ld_dw: xor semi-random 64 bit imms, test 3",
12024 .fill_helper = bpf_fill_rand_ld_dw,
12025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12030 "ld_dw: xor semi-random 64 bit imms, test 4",
12033 .fill_helper = bpf_fill_rand_ld_dw,
12034 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12040 static int probe_filter_length(const struct bpf_insn *fp)
12044 for (len = MAX_INSNS - 1; len > 0; --len)
12045 if (fp[len].code != 0 || fp[len].imm != 0)
12050 static int create_map(uint32_t size_value, uint32_t max_elem)
12054 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12055 size_value, max_elem, BPF_F_NO_PREALLOC);
12057 printf("Failed to create hash map '%s'!\n", strerror(errno));
12062 static int create_prog_dummy1(void)
12064 struct bpf_insn prog[] = {
12065 BPF_MOV64_IMM(BPF_REG_0, 42),
12069 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12070 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12073 static int create_prog_dummy2(int mfd, int idx)
12075 struct bpf_insn prog[] = {
12076 BPF_MOV64_IMM(BPF_REG_3, idx),
12077 BPF_LD_MAP_FD(BPF_REG_2, mfd),
12078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12079 BPF_FUNC_tail_call),
12080 BPF_MOV64_IMM(BPF_REG_0, 41),
12084 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12085 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12088 static int create_prog_array(void)
12090 int p1key = 0, p2key = 1;
12091 int mfd, p1fd, p2fd;
12093 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12094 sizeof(int), 4, 0);
12096 printf("Failed to create prog array '%s'!\n", strerror(errno));
12100 p1fd = create_prog_dummy1();
12101 p2fd = create_prog_dummy2(mfd, p2key);
12102 if (p1fd < 0 || p2fd < 0)
12104 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12106 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12119 static int create_map_in_map(void)
12121 int inner_map_fd, outer_map_fd;
12123 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12124 sizeof(int), 1, 0);
12125 if (inner_map_fd < 0) {
12126 printf("Failed to create array '%s'!\n", strerror(errno));
12127 return inner_map_fd;
12130 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12131 sizeof(int), inner_map_fd, 1, 0);
12132 if (outer_map_fd < 0)
12133 printf("Failed to create array of maps '%s'!\n",
12136 close(inner_map_fd);
12138 return outer_map_fd;
12141 static char bpf_vlog[UINT_MAX >> 8];
12143 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12146 int *fixup_map1 = test->fixup_map1;
12147 int *fixup_map2 = test->fixup_map2;
12148 int *fixup_map3 = test->fixup_map3;
12149 int *fixup_prog = test->fixup_prog;
12150 int *fixup_map_in_map = test->fixup_map_in_map;
12152 if (test->fill_helper)
12153 test->fill_helper(test);
12155 /* Allocating HTs with 1 elem is fine here, since we only test
12156 * for verifier and not do a runtime lookup, so the only thing
12157 * that really matters is value size in this case.
12160 map_fds[0] = create_map(sizeof(long long), 1);
12162 prog[*fixup_map1].imm = map_fds[0];
12164 } while (*fixup_map1);
12168 map_fds[1] = create_map(sizeof(struct test_val), 1);
12170 prog[*fixup_map2].imm = map_fds[1];
12172 } while (*fixup_map2);
12176 map_fds[1] = create_map(sizeof(struct other_val), 1);
12178 prog[*fixup_map3].imm = map_fds[1];
12180 } while (*fixup_map3);
12184 map_fds[2] = create_prog_array();
12186 prog[*fixup_prog].imm = map_fds[2];
12188 } while (*fixup_prog);
12191 if (*fixup_map_in_map) {
12192 map_fds[3] = create_map_in_map();
12194 prog[*fixup_map_in_map].imm = map_fds[3];
12195 fixup_map_in_map++;
12196 } while (*fixup_map_in_map);
12200 static void do_test_single(struct bpf_test *test, bool unpriv,
12201 int *passes, int *errors)
12203 int fd_prog, expected_ret, reject_from_alignment;
12204 int prog_len, prog_type = test->prog_type;
12205 struct bpf_insn *prog = test->insns;
12206 int map_fds[MAX_NR_MAPS];
12207 const char *expected_err;
12211 for (i = 0; i < MAX_NR_MAPS; i++)
12214 do_test_fixup(test, prog, map_fds);
12215 prog_len = probe_filter_length(prog);
12217 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12218 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12219 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12221 expected_ret = unpriv && test->result_unpriv != UNDEF ?
12222 test->result_unpriv : test->result;
12223 expected_err = unpriv && test->errstr_unpriv ?
12224 test->errstr_unpriv : test->errstr;
12226 reject_from_alignment = fd_prog < 0 &&
12227 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12228 strstr(bpf_vlog, "Unknown alignment.");
12229 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12230 if (reject_from_alignment) {
12231 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12236 if (expected_ret == ACCEPT) {
12237 if (fd_prog < 0 && !reject_from_alignment) {
12238 printf("FAIL\nFailed to load prog '%s'!\n",
12243 if (fd_prog >= 0) {
12244 printf("FAIL\nUnexpected success to load!\n");
12247 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12248 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12249 expected_err, bpf_vlog);
12254 if (fd_prog >= 0) {
12255 err = bpf_prog_test_run(fd_prog, 1, test->data,
12256 sizeof(test->data), NULL, NULL,
12258 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12259 printf("Unexpected bpf_prog_test_run error\n");
12262 if (!err && retval != test->retval &&
12263 test->retval != POINTER_VALUE) {
12264 printf("FAIL retval %d != %d\n", retval, test->retval);
12269 printf("OK%s\n", reject_from_alignment ?
12270 " (NOTE: reject due to unknown alignment)" : "");
12273 for (i = 0; i < MAX_NR_MAPS; i++)
12279 printf("%s", bpf_vlog);
12283 static bool is_admin(void)
12286 cap_flag_value_t sysadmin = CAP_CLEAR;
12287 const cap_value_t cap_val = CAP_SYS_ADMIN;
12289 #ifdef CAP_IS_SUPPORTED
12290 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12291 perror("cap_get_flag");
12295 caps = cap_get_proc();
12297 perror("cap_get_proc");
12300 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12301 perror("cap_get_flag");
12302 if (cap_free(caps))
12303 perror("cap_free");
12304 return (sysadmin == CAP_SET);
12307 static int set_admin(bool admin)
12310 const cap_value_t cap_val = CAP_SYS_ADMIN;
12313 caps = cap_get_proc();
12315 perror("cap_get_proc");
12318 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12319 admin ? CAP_SET : CAP_CLEAR)) {
12320 perror("cap_set_flag");
12323 if (cap_set_proc(caps)) {
12324 perror("cap_set_proc");
12329 if (cap_free(caps))
12330 perror("cap_free");
12334 static void get_unpriv_disabled()
12339 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12341 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12342 unpriv_disabled = true;
12345 if (fgets(buf, 2, fd) == buf && atoi(buf))
12346 unpriv_disabled = true;
12350 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12352 int i, passes = 0, errors = 0, skips = 0;
12354 for (i = from; i < to; i++) {
12355 struct bpf_test *test = &tests[i];
12357 /* Program types that are not supported by non-root we
12360 if (!test->prog_type && unpriv_disabled) {
12361 printf("#%d/u %s SKIP\n", i, test->descr);
12363 } else if (!test->prog_type) {
12366 printf("#%d/u %s ", i, test->descr);
12367 do_test_single(test, true, &passes, &errors);
12373 printf("#%d/p %s SKIP\n", i, test->descr);
12376 printf("#%d/p %s ", i, test->descr);
12377 do_test_single(test, false, &passes, &errors);
12381 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12383 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12386 int main(int argc, char **argv)
12388 unsigned int from = 0, to = ARRAY_SIZE(tests);
12389 bool unpriv = !is_admin();
12392 unsigned int l = atoi(argv[argc - 2]);
12393 unsigned int u = atoi(argv[argc - 1]);
12395 if (l < to && u < to) {
12399 } else if (argc == 2) {
12400 unsigned int t = atoi(argv[argc - 1]);
12408 get_unpriv_disabled();
12409 if (unpriv && unpriv_disabled) {
12410 printf("Cannot run as unprivileged user with sysctl %s.\n",
12412 return EXIT_FAILURE;
12415 bpf_semi_rand_init();
12416 return do_test(unpriv, from, to);
projects / linux.git / blob