2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
14 #include <asm/types.h>
15 #include <linux/types.h>
28 #include <sys/capability.h>
30 #include <linux/unistd.h>
31 #include <linux/filter.h>
32 #include <linux/bpf_perf_event.h>
33 #include <linux/bpf.h>
34 #include <linux/if_ether.h>
39 # include "autoconf.h"
41 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
42 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
45 #include "bpf_rlimit.h"
48 #include "../../../include/linux/filter.h"
50 #define MAX_INSNS BPF_MAXINSNS
52 #define MAX_NR_MAPS 13
53 #define MAX_TEST_RUNS 8
54 #define POINTER_VALUE 0xcafe4all
55 #define TEST_DATA_LEN 64
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
65 struct bpf_insn insns[MAX_INSNS];
66 int fixup_map_hash_8b[MAX_FIXUPS];
67 int fixup_map_hash_48b[MAX_FIXUPS];
68 int fixup_map_hash_16b[MAX_FIXUPS];
69 int fixup_map_array_48b[MAX_FIXUPS];
70 int fixup_map_sockmap[MAX_FIXUPS];
71 int fixup_map_sockhash[MAX_FIXUPS];
72 int fixup_map_xskmap[MAX_FIXUPS];
73 int fixup_map_stacktrace[MAX_FIXUPS];
74 int fixup_prog1[MAX_FIXUPS];
75 int fixup_prog2[MAX_FIXUPS];
76 int fixup_map_in_map[MAX_FIXUPS];
77 int fixup_cgroup_storage[MAX_FIXUPS];
78 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
80 const char *errstr_unpriv;
81 uint32_t retval, retval_unpriv, insn_processed;
86 } result, result_unpriv;
87 enum bpf_prog_type prog_type;
89 __u8 data[TEST_DATA_LEN];
90 void (*fill_helper)(struct bpf_test *self);
93 uint32_t retval, retval_unpriv;
95 __u8 data[TEST_DATA_LEN];
96 __u64 data64[TEST_DATA_LEN / 8];
98 } retvals[MAX_TEST_RUNS];
101 /* Note we want this to be 64 bit aligned so that the end of our array is
102 * actually the end of the structure.
104 #define MAX_ENTRIES 11
108 int foo[MAX_ENTRIES];
116 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
118 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
120 unsigned int len = BPF_MAXINSNS;
121 struct bpf_insn *insn = self->insns;
124 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
126 for (j = 0; j < PUSH_CNT; j++) {
127 insn[i++] = BPF_LD_ABS(BPF_B, 0);
128 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
130 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
131 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
132 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
133 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
134 BPF_FUNC_skb_vlan_push),
135 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
139 for (j = 0; j < PUSH_CNT; j++) {
140 insn[i++] = BPF_LD_ABS(BPF_B, 0);
141 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
143 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
144 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
145 BPF_FUNC_skb_vlan_pop),
146 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
152 for (; i < len - 1; i++)
153 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
154 insn[len - 1] = BPF_EXIT_INSN();
157 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
159 struct bpf_insn *insn = self->insns;
160 unsigned int len = BPF_MAXINSNS;
163 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
164 insn[i++] = BPF_LD_ABS(BPF_B, 0);
165 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
168 insn[i++] = BPF_LD_ABS(BPF_B, 1);
169 insn[i] = BPF_EXIT_INSN();
172 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
174 struct bpf_insn *insn = self->insns;
178 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
179 while (i < self->retval) {
180 uint64_t val = bpf_semi_rand_get();
181 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
186 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
188 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
189 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
190 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
191 insn[i] = BPF_EXIT_INSN();
193 self->retval = (uint32_t)res;
196 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
197 #define BPF_SK_LOOKUP \
198 /* struct bpf_sock_tuple tuple = {} */ \
199 BPF_MOV64_IMM(BPF_REG_2, 0), \
200 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
201 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
202 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
203 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
204 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
205 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
206 /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */ \
207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
209 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
210 BPF_MOV64_IMM(BPF_REG_4, 0), \
211 BPF_MOV64_IMM(BPF_REG_5, 0), \
212 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
214 static struct bpf_test tests[] = {
218 BPF_MOV64_IMM(BPF_REG_1, 1),
219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
220 BPF_MOV64_IMM(BPF_REG_2, 3),
221 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
223 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
224 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
231 "DIV32 by 0, zero check 1",
233 BPF_MOV32_IMM(BPF_REG_0, 42),
234 BPF_MOV32_IMM(BPF_REG_1, 0),
235 BPF_MOV32_IMM(BPF_REG_2, 1),
236 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
243 "DIV32 by 0, zero check 2",
245 BPF_MOV32_IMM(BPF_REG_0, 42),
246 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
247 BPF_MOV32_IMM(BPF_REG_2, 1),
248 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
255 "DIV64 by 0, zero check",
257 BPF_MOV32_IMM(BPF_REG_0, 42),
258 BPF_MOV32_IMM(BPF_REG_1, 0),
259 BPF_MOV32_IMM(BPF_REG_2, 1),
260 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
267 "MOD32 by 0, zero check 1",
269 BPF_MOV32_IMM(BPF_REG_0, 42),
270 BPF_MOV32_IMM(BPF_REG_1, 0),
271 BPF_MOV32_IMM(BPF_REG_2, 1),
272 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
279 "MOD32 by 0, zero check 2",
281 BPF_MOV32_IMM(BPF_REG_0, 42),
282 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
283 BPF_MOV32_IMM(BPF_REG_2, 1),
284 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
291 "MOD64 by 0, zero check",
293 BPF_MOV32_IMM(BPF_REG_0, 42),
294 BPF_MOV32_IMM(BPF_REG_1, 0),
295 BPF_MOV32_IMM(BPF_REG_2, 1),
296 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
303 "DIV32 by 0, zero check ok, cls",
305 BPF_MOV32_IMM(BPF_REG_0, 42),
306 BPF_MOV32_IMM(BPF_REG_1, 2),
307 BPF_MOV32_IMM(BPF_REG_2, 16),
308 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
309 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
312 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
317 "DIV32 by 0, zero check 1, cls",
319 BPF_MOV32_IMM(BPF_REG_1, 0),
320 BPF_MOV32_IMM(BPF_REG_0, 1),
321 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
324 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
329 "DIV32 by 0, zero check 2, cls",
331 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
332 BPF_MOV32_IMM(BPF_REG_0, 1),
333 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
336 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
341 "DIV64 by 0, zero check, cls",
343 BPF_MOV32_IMM(BPF_REG_1, 0),
344 BPF_MOV32_IMM(BPF_REG_0, 1),
345 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
348 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
353 "MOD32 by 0, zero check ok, cls",
355 BPF_MOV32_IMM(BPF_REG_0, 42),
356 BPF_MOV32_IMM(BPF_REG_1, 3),
357 BPF_MOV32_IMM(BPF_REG_2, 5),
358 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
359 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
362 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
367 "MOD32 by 0, zero check 1, cls",
369 BPF_MOV32_IMM(BPF_REG_1, 0),
370 BPF_MOV32_IMM(BPF_REG_0, 1),
371 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
379 "MOD32 by 0, zero check 2, cls",
381 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
382 BPF_MOV32_IMM(BPF_REG_0, 1),
383 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
386 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
391 "MOD64 by 0, zero check 1, cls",
393 BPF_MOV32_IMM(BPF_REG_1, 0),
394 BPF_MOV32_IMM(BPF_REG_0, 2),
395 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
398 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
403 "MOD64 by 0, zero check 2, cls",
405 BPF_MOV32_IMM(BPF_REG_1, 0),
406 BPF_MOV32_IMM(BPF_REG_0, -1),
407 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
414 /* Just make sure that JITs used udiv/umod as otherwise we get
415 * an exception from INT_MIN/-1 overflow similarly as with div
419 "DIV32 overflow, check 1",
421 BPF_MOV32_IMM(BPF_REG_1, -1),
422 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
423 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
431 "DIV32 overflow, check 2",
433 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
434 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
437 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
442 "DIV64 overflow, check 1",
444 BPF_MOV64_IMM(BPF_REG_1, -1),
445 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
446 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
454 "DIV64 overflow, check 2",
456 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
457 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
460 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
465 "MOD32 overflow, check 1",
467 BPF_MOV32_IMM(BPF_REG_1, -1),
468 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
469 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
472 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
477 "MOD32 overflow, check 2",
479 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
480 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
483 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
488 "MOD64 overflow, check 1",
490 BPF_MOV64_IMM(BPF_REG_1, -1),
491 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
492 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
493 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
494 BPF_MOV32_IMM(BPF_REG_0, 0),
495 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
496 BPF_MOV32_IMM(BPF_REG_0, 1),
499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
504 "MOD64 overflow, check 2",
506 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
507 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
508 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
509 BPF_MOV32_IMM(BPF_REG_0, 0),
510 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
511 BPF_MOV32_IMM(BPF_REG_0, 1),
514 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
519 "xor32 zero extend check",
521 BPF_MOV32_IMM(BPF_REG_2, -1),
522 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
523 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
524 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
525 BPF_MOV32_IMM(BPF_REG_0, 2),
526 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
527 BPF_MOV32_IMM(BPF_REG_0, 1),
530 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
538 .errstr = "unknown opcode 00",
546 .errstr = "R0 !read_ok",
555 .errstr = "unreachable",
561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
562 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
565 .errstr = "unreachable",
571 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
574 .errstr = "jump out of range",
578 "out of range jump2",
580 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
583 .errstr = "jump out of range",
589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
590 BPF_LD_IMM64(BPF_REG_0, 0),
591 BPF_LD_IMM64(BPF_REG_0, 0),
592 BPF_LD_IMM64(BPF_REG_0, 1),
593 BPF_LD_IMM64(BPF_REG_0, 1),
594 BPF_MOV64_IMM(BPF_REG_0, 2),
597 .errstr = "invalid BPF_LD_IMM insn",
598 .errstr_unpriv = "R1 pointer comparison",
604 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
605 BPF_LD_IMM64(BPF_REG_0, 0),
606 BPF_LD_IMM64(BPF_REG_0, 0),
607 BPF_LD_IMM64(BPF_REG_0, 1),
608 BPF_LD_IMM64(BPF_REG_0, 1),
611 .errstr = "invalid BPF_LD_IMM insn",
612 .errstr_unpriv = "R1 pointer comparison",
618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
619 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
620 BPF_LD_IMM64(BPF_REG_0, 0),
621 BPF_LD_IMM64(BPF_REG_0, 0),
622 BPF_LD_IMM64(BPF_REG_0, 1),
623 BPF_LD_IMM64(BPF_REG_0, 1),
626 .errstr = "invalid bpf_ld_imm64 insn",
632 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
635 .errstr = "invalid bpf_ld_imm64 insn",
641 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
643 .errstr = "invalid bpf_ld_imm64 insn",
649 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
650 BPF_RAW_INSN(0, 0, 0, 0, 0),
658 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
659 BPF_RAW_INSN(0, 0, 0, 0, 1),
668 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
669 BPF_RAW_INSN(0, 0, 0, 0, 1),
672 .errstr = "uses reserved fields",
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 BPF_RAW_INSN(0, 0, 0, 1, 1),
682 .errstr = "invalid bpf_ld_imm64 insn",
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
692 .errstr = "invalid bpf_ld_imm64 insn",
698 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
699 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
702 .errstr = "invalid bpf_ld_imm64 insn",
708 BPF_MOV64_IMM(BPF_REG_1, 0),
709 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
710 BPF_RAW_INSN(0, 0, 0, 0, 1),
713 .errstr = "not pointing to valid bpf_map",
719 BPF_MOV64_IMM(BPF_REG_1, 0),
720 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
721 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
724 .errstr = "invalid bpf_ld_imm64 insn",
730 BPF_MOV64_IMM(BPF_REG_0, 1),
731 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
740 BPF_LD_IMM64(BPF_REG_0, 0x1122334485667788),
741 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 7),
750 BPF_MOV64_IMM(BPF_REG_0, 1),
751 BPF_MOV64_IMM(BPF_REG_1, 5),
752 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
761 BPF_LD_IMM64(BPF_REG_0, 0xffff55667788),
762 BPF_MOV64_IMM(BPF_REG_1, 15),
763 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
772 BPF_MOV64_IMM(BPF_REG_0, 1),
773 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
781 BPF_MOV64_IMM(BPF_REG_0, 1),
782 BPF_MOV64_IMM(BPF_REG_1, 5),
783 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
791 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
793 .errstr = "not an exit",
799 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
802 .errstr = "back-edge",
808 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
809 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
810 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
811 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
814 .errstr = "back-edge",
820 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
821 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
822 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
826 .errstr = "back-edge",
830 "read uninitialized register",
832 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
835 .errstr = "R2 !read_ok",
839 "read invalid register",
841 BPF_MOV64_REG(BPF_REG_0, -1),
844 .errstr = "R15 is invalid",
848 "program doesn't init R0 before exit",
850 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
853 .errstr = "R0 !read_ok",
857 "program doesn't init R0 before exit in all branches",
859 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
860 BPF_MOV64_IMM(BPF_REG_0, 1),
861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
864 .errstr = "R0 !read_ok",
865 .errstr_unpriv = "R1 pointer comparison",
869 "stack out of bounds",
871 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
874 .errstr = "invalid stack",
878 "invalid call insn1",
880 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
883 .errstr = "unknown opcode 8d",
887 "invalid call insn2",
889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
892 .errstr = "BPF_CALL uses reserved",
896 "invalid function call",
898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
901 .errstr = "invalid func unknown#1234567",
905 "uninitialized stack1",
907 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
908 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
909 BPF_LD_MAP_FD(BPF_REG_1, 0),
910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
911 BPF_FUNC_map_lookup_elem),
914 .fixup_map_hash_8b = { 2 },
915 .errstr = "invalid indirect read from stack",
919 "uninitialized stack2",
921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
922 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
925 .errstr = "invalid read from stack",
929 "invalid fp arithmetic",
930 /* If this gets ever changed, make sure JITs can deal with it. */
932 BPF_MOV64_IMM(BPF_REG_0, 0),
933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
934 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
935 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
938 .errstr = "R1 subtraction from stack pointer",
942 "non-invalid fp arithmetic",
944 BPF_MOV64_IMM(BPF_REG_0, 0),
945 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
951 "invalid argument register",
953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
954 BPF_FUNC_get_cgroup_classid),
955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
956 BPF_FUNC_get_cgroup_classid),
959 .errstr = "R1 !read_ok",
961 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
964 "non-invalid argument register",
966 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
968 BPF_FUNC_get_cgroup_classid),
969 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
971 BPF_FUNC_get_cgroup_classid),
975 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
978 "check valid spill/fill",
980 /* spill R1(ctx) into stack */
981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
982 /* fill it back into R2 */
983 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
984 /* should be able to access R0 = *(R2 + 8) */
985 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
986 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
989 .errstr_unpriv = "R0 leaks addr",
991 .result_unpriv = REJECT,
992 .retval = POINTER_VALUE,
995 "check valid spill/fill, skb mark",
997 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
998 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
999 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1000 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1001 offsetof(struct __sk_buff, mark)),
1005 .result_unpriv = ACCEPT,
1008 "check corrupted spill/fill",
1010 /* spill R1(ctx) into stack */
1011 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1012 /* mess up with R1 pointer on stack */
1013 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
1014 /* fill back into R0 is fine for priv.
1015 * R0 now becomes SCALAR_VALUE.
1017 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1018 /* Load from R0 should fail. */
1019 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
1022 .errstr_unpriv = "attempt to corrupt spilled",
1023 .errstr = "R0 invalid mem access 'inv",
1027 "check corrupted spill/fill, LSB",
1029 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1030 BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
1031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1034 .errstr_unpriv = "attempt to corrupt spilled",
1035 .result_unpriv = REJECT,
1037 .retval = POINTER_VALUE,
1040 "check corrupted spill/fill, MSB",
1042 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1043 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
1044 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1047 .errstr_unpriv = "attempt to corrupt spilled",
1048 .result_unpriv = REJECT,
1050 .retval = POINTER_VALUE,
1053 "invalid src register in STX",
1055 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
1058 .errstr = "R15 is invalid",
1062 "invalid dst register in STX",
1064 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1067 .errstr = "R14 is invalid",
1071 "invalid dst register in ST",
1073 BPF_ST_MEM(BPF_B, 14, -1, -1),
1076 .errstr = "R14 is invalid",
1080 "invalid src register in LDX",
1082 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1085 .errstr = "R12 is invalid",
1089 "invalid dst register in LDX",
1091 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1094 .errstr = "R11 is invalid",
1100 BPF_RAW_INSN(0, 0, 0, 0, 0),
1103 .errstr = "unknown opcode 00",
1109 BPF_RAW_INSN(1, 0, 0, 0, 0),
1112 .errstr = "BPF_LDX uses reserved fields",
1118 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1121 .errstr = "unknown opcode ff",
1127 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1130 .errstr = "unknown opcode ff",
1136 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1139 .errstr = "BPF_ALU uses reserved fields",
1143 "misaligned read from stack",
1145 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1146 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1149 .errstr = "misaligned stack access",
1153 "invalid map_fd for function call",
1155 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1156 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1158 BPF_LD_MAP_FD(BPF_REG_1, 0),
1159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1160 BPF_FUNC_map_delete_elem),
1163 .errstr = "fd 0 is not pointing to valid bpf_map",
1167 "don't check return value before access",
1169 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1170 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1172 BPF_LD_MAP_FD(BPF_REG_1, 0),
1173 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1174 BPF_FUNC_map_lookup_elem),
1175 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1178 .fixup_map_hash_8b = { 3 },
1179 .errstr = "R0 invalid mem access 'map_value_or_null'",
1183 "access memory with incorrect alignment",
1185 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1186 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1188 BPF_LD_MAP_FD(BPF_REG_1, 0),
1189 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1190 BPF_FUNC_map_lookup_elem),
1191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1192 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1195 .fixup_map_hash_8b = { 3 },
1196 .errstr = "misaligned value access",
1198 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1201 "sometimes access memory with incorrect alignment",
1203 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1204 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1206 BPF_LD_MAP_FD(BPF_REG_1, 0),
1207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1208 BPF_FUNC_map_lookup_elem),
1209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1210 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1212 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1215 .fixup_map_hash_8b = { 3 },
1216 .errstr = "R0 invalid mem access",
1217 .errstr_unpriv = "R0 leaks addr",
1219 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1225 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1227 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1229 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1231 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1233 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1235 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1237 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1238 BPF_MOV64_IMM(BPF_REG_0, 0),
1241 .errstr_unpriv = "R1 pointer comparison",
1242 .result_unpriv = REJECT,
1248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1250 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1251 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1253 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1254 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1256 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1257 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1259 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1260 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1262 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1263 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1265 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1266 BPF_MOV64_IMM(BPF_REG_0, 0),
1269 .errstr_unpriv = "R1 pointer comparison",
1270 .result_unpriv = REJECT,
1276 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1278 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1280 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1282 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1284 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1286 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1288 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1290 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1292 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1294 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1296 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1298 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1300 BPF_LD_MAP_FD(BPF_REG_1, 0),
1301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1302 BPF_FUNC_map_delete_elem),
1305 .fixup_map_hash_8b = { 24 },
1306 .errstr_unpriv = "R1 pointer comparison",
1307 .result_unpriv = REJECT,
1314 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1316 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1317 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1318 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1320 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1321 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1322 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1323 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1324 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1326 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1327 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1329 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1330 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1331 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1333 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1334 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1335 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1336 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1338 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1340 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1343 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1344 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1346 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1347 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1348 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1349 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1350 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1351 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1353 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1354 BPF_MOV64_IMM(BPF_REG_0, 0),
1357 .errstr_unpriv = "R1 pointer comparison",
1358 .result_unpriv = REJECT,
1364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1365 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1366 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1367 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1368 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1369 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1370 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1371 BPF_MOV64_IMM(BPF_REG_0, 0),
1372 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1373 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1374 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1375 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1376 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1377 BPF_MOV64_IMM(BPF_REG_0, 0),
1378 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1379 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1380 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1381 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1382 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1383 BPF_MOV64_IMM(BPF_REG_0, 0),
1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1385 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1386 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1387 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1388 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1389 BPF_MOV64_IMM(BPF_REG_0, 0),
1390 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1391 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1392 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1393 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1394 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1395 BPF_MOV64_IMM(BPF_REG_0, 0),
1398 .errstr_unpriv = "R1 pointer comparison",
1399 .result_unpriv = REJECT,
1403 "access skb fields ok",
1405 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1406 offsetof(struct __sk_buff, len)),
1407 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1408 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1409 offsetof(struct __sk_buff, mark)),
1410 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1411 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1412 offsetof(struct __sk_buff, pkt_type)),
1413 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1414 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1415 offsetof(struct __sk_buff, queue_mapping)),
1416 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1417 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1418 offsetof(struct __sk_buff, protocol)),
1419 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1420 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1421 offsetof(struct __sk_buff, vlan_present)),
1422 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1423 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1424 offsetof(struct __sk_buff, vlan_tci)),
1425 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1426 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1427 offsetof(struct __sk_buff, napi_id)),
1428 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1434 "access skb fields bad1",
1436 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1439 .errstr = "invalid bpf_context access",
1443 "access skb fields bad2",
1445 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1446 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1449 BPF_LD_MAP_FD(BPF_REG_1, 0),
1450 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1451 BPF_FUNC_map_lookup_elem),
1452 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1454 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1455 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1456 offsetof(struct __sk_buff, pkt_type)),
1459 .fixup_map_hash_8b = { 4 },
1460 .errstr = "different pointers",
1461 .errstr_unpriv = "R1 pointer comparison",
1465 "access skb fields bad3",
1467 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1468 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1469 offsetof(struct __sk_buff, pkt_type)),
1471 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1474 BPF_LD_MAP_FD(BPF_REG_1, 0),
1475 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1476 BPF_FUNC_map_lookup_elem),
1477 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1480 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1482 .fixup_map_hash_8b = { 6 },
1483 .errstr = "different pointers",
1484 .errstr_unpriv = "R1 pointer comparison",
1488 "access skb fields bad4",
1490 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1491 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1492 offsetof(struct __sk_buff, len)),
1493 BPF_MOV64_IMM(BPF_REG_0, 0),
1495 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1498 BPF_LD_MAP_FD(BPF_REG_1, 0),
1499 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1500 BPF_FUNC_map_lookup_elem),
1501 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1503 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1504 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1506 .fixup_map_hash_8b = { 7 },
1507 .errstr = "different pointers",
1508 .errstr_unpriv = "R1 pointer comparison",
1512 "invalid access __sk_buff family",
1514 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1515 offsetof(struct __sk_buff, family)),
1518 .errstr = "invalid bpf_context access",
1522 "invalid access __sk_buff remote_ip4",
1524 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1525 offsetof(struct __sk_buff, remote_ip4)),
1528 .errstr = "invalid bpf_context access",
1532 "invalid access __sk_buff local_ip4",
1534 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1535 offsetof(struct __sk_buff, local_ip4)),
1538 .errstr = "invalid bpf_context access",
1542 "invalid access __sk_buff remote_ip6",
1544 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1545 offsetof(struct __sk_buff, remote_ip6)),
1548 .errstr = "invalid bpf_context access",
1552 "invalid access __sk_buff local_ip6",
1554 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1555 offsetof(struct __sk_buff, local_ip6)),
1558 .errstr = "invalid bpf_context access",
1562 "invalid access __sk_buff remote_port",
1564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1565 offsetof(struct __sk_buff, remote_port)),
1568 .errstr = "invalid bpf_context access",
1572 "invalid access __sk_buff remote_port",
1574 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1575 offsetof(struct __sk_buff, local_port)),
1578 .errstr = "invalid bpf_context access",
1582 "valid access __sk_buff family",
1584 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1585 offsetof(struct __sk_buff, family)),
1589 .prog_type = BPF_PROG_TYPE_SK_SKB,
1592 "valid access __sk_buff remote_ip4",
1594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595 offsetof(struct __sk_buff, remote_ip4)),
1599 .prog_type = BPF_PROG_TYPE_SK_SKB,
1602 "valid access __sk_buff local_ip4",
1604 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1605 offsetof(struct __sk_buff, local_ip4)),
1609 .prog_type = BPF_PROG_TYPE_SK_SKB,
1612 "valid access __sk_buff remote_ip6",
1614 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1615 offsetof(struct __sk_buff, remote_ip6[0])),
1616 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 offsetof(struct __sk_buff, remote_ip6[1])),
1618 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1619 offsetof(struct __sk_buff, remote_ip6[2])),
1620 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1621 offsetof(struct __sk_buff, remote_ip6[3])),
1625 .prog_type = BPF_PROG_TYPE_SK_SKB,
1628 "valid access __sk_buff local_ip6",
1630 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1631 offsetof(struct __sk_buff, local_ip6[0])),
1632 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1633 offsetof(struct __sk_buff, local_ip6[1])),
1634 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1635 offsetof(struct __sk_buff, local_ip6[2])),
1636 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1637 offsetof(struct __sk_buff, local_ip6[3])),
1641 .prog_type = BPF_PROG_TYPE_SK_SKB,
1644 "valid access __sk_buff remote_port",
1646 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1647 offsetof(struct __sk_buff, remote_port)),
1651 .prog_type = BPF_PROG_TYPE_SK_SKB,
1654 "valid access __sk_buff remote_port",
1656 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1657 offsetof(struct __sk_buff, local_port)),
1661 .prog_type = BPF_PROG_TYPE_SK_SKB,
1664 "invalid access of tc_classid for SK_SKB",
1666 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1667 offsetof(struct __sk_buff, tc_classid)),
1671 .prog_type = BPF_PROG_TYPE_SK_SKB,
1672 .errstr = "invalid bpf_context access",
1675 "invalid access of skb->mark for SK_SKB",
1677 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1678 offsetof(struct __sk_buff, mark)),
1682 .prog_type = BPF_PROG_TYPE_SK_SKB,
1683 .errstr = "invalid bpf_context access",
1686 "check skb->mark is not writeable by SK_SKB",
1688 BPF_MOV64_IMM(BPF_REG_0, 0),
1689 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1690 offsetof(struct __sk_buff, mark)),
1694 .prog_type = BPF_PROG_TYPE_SK_SKB,
1695 .errstr = "invalid bpf_context access",
1698 "check skb->tc_index is writeable by SK_SKB",
1700 BPF_MOV64_IMM(BPF_REG_0, 0),
1701 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1702 offsetof(struct __sk_buff, tc_index)),
1706 .prog_type = BPF_PROG_TYPE_SK_SKB,
1709 "check skb->priority is writeable by SK_SKB",
1711 BPF_MOV64_IMM(BPF_REG_0, 0),
1712 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1713 offsetof(struct __sk_buff, priority)),
1717 .prog_type = BPF_PROG_TYPE_SK_SKB,
1720 "direct packet read for SK_SKB",
1722 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1723 offsetof(struct __sk_buff, data)),
1724 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1725 offsetof(struct __sk_buff, data_end)),
1726 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1728 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1729 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1730 BPF_MOV64_IMM(BPF_REG_0, 0),
1734 .prog_type = BPF_PROG_TYPE_SK_SKB,
1737 "direct packet write for SK_SKB",
1739 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1740 offsetof(struct __sk_buff, data)),
1741 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1742 offsetof(struct __sk_buff, data_end)),
1743 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1745 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1746 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1747 BPF_MOV64_IMM(BPF_REG_0, 0),
1751 .prog_type = BPF_PROG_TYPE_SK_SKB,
1754 "overlapping checks for direct packet access SK_SKB",
1756 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1757 offsetof(struct __sk_buff, data)),
1758 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1759 offsetof(struct __sk_buff, data_end)),
1760 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1762 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1763 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1765 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1766 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1767 BPF_MOV64_IMM(BPF_REG_0, 0),
1771 .prog_type = BPF_PROG_TYPE_SK_SKB,
1774 "valid access family in SK_MSG",
1776 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1777 offsetof(struct sk_msg_md, family)),
1781 .prog_type = BPF_PROG_TYPE_SK_MSG,
1784 "valid access remote_ip4 in SK_MSG",
1786 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1787 offsetof(struct sk_msg_md, remote_ip4)),
1791 .prog_type = BPF_PROG_TYPE_SK_MSG,
1794 "valid access local_ip4 in SK_MSG",
1796 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1797 offsetof(struct sk_msg_md, local_ip4)),
1801 .prog_type = BPF_PROG_TYPE_SK_MSG,
1804 "valid access remote_port in SK_MSG",
1806 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1807 offsetof(struct sk_msg_md, remote_port)),
1811 .prog_type = BPF_PROG_TYPE_SK_MSG,
1814 "valid access local_port in SK_MSG",
1816 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1817 offsetof(struct sk_msg_md, local_port)),
1821 .prog_type = BPF_PROG_TYPE_SK_MSG,
1824 "valid access remote_ip6 in SK_MSG",
1826 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1827 offsetof(struct sk_msg_md, remote_ip6[0])),
1828 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1829 offsetof(struct sk_msg_md, remote_ip6[1])),
1830 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1831 offsetof(struct sk_msg_md, remote_ip6[2])),
1832 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1833 offsetof(struct sk_msg_md, remote_ip6[3])),
1837 .prog_type = BPF_PROG_TYPE_SK_SKB,
1840 "valid access local_ip6 in SK_MSG",
1842 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1843 offsetof(struct sk_msg_md, local_ip6[0])),
1844 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1845 offsetof(struct sk_msg_md, local_ip6[1])),
1846 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1847 offsetof(struct sk_msg_md, local_ip6[2])),
1848 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1849 offsetof(struct sk_msg_md, local_ip6[3])),
1853 .prog_type = BPF_PROG_TYPE_SK_SKB,
1856 "valid access size in SK_MSG",
1858 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1859 offsetof(struct sk_msg_md, size)),
1863 .prog_type = BPF_PROG_TYPE_SK_MSG,
1866 "invalid 64B read of size in SK_MSG",
1868 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1869 offsetof(struct sk_msg_md, size)),
1872 .errstr = "invalid bpf_context access",
1874 .prog_type = BPF_PROG_TYPE_SK_MSG,
1877 "invalid read past end of SK_MSG",
1879 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1880 offsetof(struct sk_msg_md, size) + 4),
1883 .errstr = "invalid bpf_context access",
1885 .prog_type = BPF_PROG_TYPE_SK_MSG,
1888 "invalid read offset in SK_MSG",
1890 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1891 offsetof(struct sk_msg_md, family) + 1),
1894 .errstr = "invalid bpf_context access",
1896 .prog_type = BPF_PROG_TYPE_SK_MSG,
1897 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1900 "direct packet read for SK_MSG",
1902 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1903 offsetof(struct sk_msg_md, data)),
1904 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1905 offsetof(struct sk_msg_md, data_end)),
1906 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1908 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1909 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1910 BPF_MOV64_IMM(BPF_REG_0, 0),
1914 .prog_type = BPF_PROG_TYPE_SK_MSG,
1917 "direct packet write for SK_MSG",
1919 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1920 offsetof(struct sk_msg_md, data)),
1921 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1922 offsetof(struct sk_msg_md, data_end)),
1923 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1925 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1926 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1927 BPF_MOV64_IMM(BPF_REG_0, 0),
1931 .prog_type = BPF_PROG_TYPE_SK_MSG,
1934 "overlapping checks for direct packet access SK_MSG",
1936 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1937 offsetof(struct sk_msg_md, data)),
1938 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1939 offsetof(struct sk_msg_md, data_end)),
1940 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1942 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1943 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1945 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1946 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1947 BPF_MOV64_IMM(BPF_REG_0, 0),
1951 .prog_type = BPF_PROG_TYPE_SK_MSG,
1954 "check skb->mark is not writeable by sockets",
1956 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1957 offsetof(struct __sk_buff, mark)),
1960 .errstr = "invalid bpf_context access",
1961 .errstr_unpriv = "R1 leaks addr",
1965 "check skb->tc_index is not writeable by sockets",
1967 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1968 offsetof(struct __sk_buff, tc_index)),
1971 .errstr = "invalid bpf_context access",
1972 .errstr_unpriv = "R1 leaks addr",
1976 "check cb access: byte",
1978 BPF_MOV64_IMM(BPF_REG_0, 0),
1979 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1980 offsetof(struct __sk_buff, cb[0])),
1981 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1982 offsetof(struct __sk_buff, cb[0]) + 1),
1983 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1984 offsetof(struct __sk_buff, cb[0]) + 2),
1985 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1986 offsetof(struct __sk_buff, cb[0]) + 3),
1987 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1988 offsetof(struct __sk_buff, cb[1])),
1989 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1990 offsetof(struct __sk_buff, cb[1]) + 1),
1991 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1992 offsetof(struct __sk_buff, cb[1]) + 2),
1993 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1994 offsetof(struct __sk_buff, cb[1]) + 3),
1995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996 offsetof(struct __sk_buff, cb[2])),
1997 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1998 offsetof(struct __sk_buff, cb[2]) + 1),
1999 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2000 offsetof(struct __sk_buff, cb[2]) + 2),
2001 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2002 offsetof(struct __sk_buff, cb[2]) + 3),
2003 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2004 offsetof(struct __sk_buff, cb[3])),
2005 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2006 offsetof(struct __sk_buff, cb[3]) + 1),
2007 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2008 offsetof(struct __sk_buff, cb[3]) + 2),
2009 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2010 offsetof(struct __sk_buff, cb[3]) + 3),
2011 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2012 offsetof(struct __sk_buff, cb[4])),
2013 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2014 offsetof(struct __sk_buff, cb[4]) + 1),
2015 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2016 offsetof(struct __sk_buff, cb[4]) + 2),
2017 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2018 offsetof(struct __sk_buff, cb[4]) + 3),
2019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020 offsetof(struct __sk_buff, cb[0])),
2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 offsetof(struct __sk_buff, cb[0]) + 1),
2023 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2024 offsetof(struct __sk_buff, cb[0]) + 2),
2025 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2026 offsetof(struct __sk_buff, cb[0]) + 3),
2027 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2028 offsetof(struct __sk_buff, cb[1])),
2029 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2030 offsetof(struct __sk_buff, cb[1]) + 1),
2031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032 offsetof(struct __sk_buff, cb[1]) + 2),
2033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2034 offsetof(struct __sk_buff, cb[1]) + 3),
2035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2036 offsetof(struct __sk_buff, cb[2])),
2037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2038 offsetof(struct __sk_buff, cb[2]) + 1),
2039 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2040 offsetof(struct __sk_buff, cb[2]) + 2),
2041 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2042 offsetof(struct __sk_buff, cb[2]) + 3),
2043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 offsetof(struct __sk_buff, cb[3])),
2045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2046 offsetof(struct __sk_buff, cb[3]) + 1),
2047 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2048 offsetof(struct __sk_buff, cb[3]) + 2),
2049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2050 offsetof(struct __sk_buff, cb[3]) + 3),
2051 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2052 offsetof(struct __sk_buff, cb[4])),
2053 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2054 offsetof(struct __sk_buff, cb[4]) + 1),
2055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 offsetof(struct __sk_buff, cb[4]) + 2),
2057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2058 offsetof(struct __sk_buff, cb[4]) + 3),
2064 "__sk_buff->hash, offset 0, byte store not permitted",
2066 BPF_MOV64_IMM(BPF_REG_0, 0),
2067 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2068 offsetof(struct __sk_buff, hash)),
2071 .errstr = "invalid bpf_context access",
2075 "__sk_buff->tc_index, offset 3, byte store not permitted",
2077 BPF_MOV64_IMM(BPF_REG_0, 0),
2078 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2079 offsetof(struct __sk_buff, tc_index) + 3),
2082 .errstr = "invalid bpf_context access",
2086 "check skb->hash byte load permitted",
2088 BPF_MOV64_IMM(BPF_REG_0, 0),
2089 #if __BYTE_ORDER == __LITTLE_ENDIAN
2090 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2091 offsetof(struct __sk_buff, hash)),
2093 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2094 offsetof(struct __sk_buff, hash) + 3),
2101 "check skb->hash byte load permitted 1",
2103 BPF_MOV64_IMM(BPF_REG_0, 0),
2104 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2105 offsetof(struct __sk_buff, hash) + 1),
2111 "check skb->hash byte load permitted 2",
2113 BPF_MOV64_IMM(BPF_REG_0, 0),
2114 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2115 offsetof(struct __sk_buff, hash) + 2),
2121 "check skb->hash byte load permitted 3",
2123 BPF_MOV64_IMM(BPF_REG_0, 0),
2124 #if __BYTE_ORDER == __LITTLE_ENDIAN
2125 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2126 offsetof(struct __sk_buff, hash) + 3),
2128 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2129 offsetof(struct __sk_buff, hash)),
2136 "check cb access: byte, wrong type",
2138 BPF_MOV64_IMM(BPF_REG_0, 0),
2139 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2140 offsetof(struct __sk_buff, cb[0])),
2143 .errstr = "invalid bpf_context access",
2145 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2148 "check cb access: half",
2150 BPF_MOV64_IMM(BPF_REG_0, 0),
2151 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2152 offsetof(struct __sk_buff, cb[0])),
2153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154 offsetof(struct __sk_buff, cb[0]) + 2),
2155 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2156 offsetof(struct __sk_buff, cb[1])),
2157 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2158 offsetof(struct __sk_buff, cb[1]) + 2),
2159 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2160 offsetof(struct __sk_buff, cb[2])),
2161 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2162 offsetof(struct __sk_buff, cb[2]) + 2),
2163 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2164 offsetof(struct __sk_buff, cb[3])),
2165 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2166 offsetof(struct __sk_buff, cb[3]) + 2),
2167 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2168 offsetof(struct __sk_buff, cb[4])),
2169 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2170 offsetof(struct __sk_buff, cb[4]) + 2),
2171 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2172 offsetof(struct __sk_buff, cb[0])),
2173 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2174 offsetof(struct __sk_buff, cb[0]) + 2),
2175 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2176 offsetof(struct __sk_buff, cb[1])),
2177 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2178 offsetof(struct __sk_buff, cb[1]) + 2),
2179 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2180 offsetof(struct __sk_buff, cb[2])),
2181 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2182 offsetof(struct __sk_buff, cb[2]) + 2),
2183 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 offsetof(struct __sk_buff, cb[3])),
2185 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2186 offsetof(struct __sk_buff, cb[3]) + 2),
2187 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2188 offsetof(struct __sk_buff, cb[4])),
2189 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2190 offsetof(struct __sk_buff, cb[4]) + 2),
2196 "check cb access: half, unaligned",
2198 BPF_MOV64_IMM(BPF_REG_0, 0),
2199 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2200 offsetof(struct __sk_buff, cb[0]) + 1),
2203 .errstr = "misaligned context access",
2205 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2208 "check __sk_buff->hash, offset 0, half store not permitted",
2210 BPF_MOV64_IMM(BPF_REG_0, 0),
2211 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, hash)),
2215 .errstr = "invalid bpf_context access",
2219 "check __sk_buff->tc_index, offset 2, half store not permitted",
2221 BPF_MOV64_IMM(BPF_REG_0, 0),
2222 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2223 offsetof(struct __sk_buff, tc_index) + 2),
2226 .errstr = "invalid bpf_context access",
2230 "check skb->hash half load permitted",
2232 BPF_MOV64_IMM(BPF_REG_0, 0),
2233 #if __BYTE_ORDER == __LITTLE_ENDIAN
2234 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2235 offsetof(struct __sk_buff, hash)),
2237 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2238 offsetof(struct __sk_buff, hash) + 2),
2245 "check skb->hash half load permitted 2",
2247 BPF_MOV64_IMM(BPF_REG_0, 0),
2248 #if __BYTE_ORDER == __LITTLE_ENDIAN
2249 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2250 offsetof(struct __sk_buff, hash) + 2),
2252 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2253 offsetof(struct __sk_buff, hash)),
2260 "check skb->hash half load not permitted, unaligned 1",
2262 BPF_MOV64_IMM(BPF_REG_0, 0),
2263 #if __BYTE_ORDER == __LITTLE_ENDIAN
2264 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2265 offsetof(struct __sk_buff, hash) + 1),
2267 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2268 offsetof(struct __sk_buff, hash) + 3),
2272 .errstr = "invalid bpf_context access",
2276 "check skb->hash half load not permitted, unaligned 3",
2278 BPF_MOV64_IMM(BPF_REG_0, 0),
2279 #if __BYTE_ORDER == __LITTLE_ENDIAN
2280 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2281 offsetof(struct __sk_buff, hash) + 3),
2283 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2284 offsetof(struct __sk_buff, hash) + 1),
2288 .errstr = "invalid bpf_context access",
2290 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2291 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2294 "check cb access: half, wrong type",
2296 BPF_MOV64_IMM(BPF_REG_0, 0),
2297 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2298 offsetof(struct __sk_buff, cb[0])),
2301 .errstr = "invalid bpf_context access",
2303 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2306 "check cb access: word",
2308 BPF_MOV64_IMM(BPF_REG_0, 0),
2309 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2310 offsetof(struct __sk_buff, cb[0])),
2311 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2312 offsetof(struct __sk_buff, cb[1])),
2313 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2314 offsetof(struct __sk_buff, cb[2])),
2315 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2316 offsetof(struct __sk_buff, cb[3])),
2317 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2318 offsetof(struct __sk_buff, cb[4])),
2319 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2320 offsetof(struct __sk_buff, cb[0])),
2321 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2322 offsetof(struct __sk_buff, cb[1])),
2323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2324 offsetof(struct __sk_buff, cb[2])),
2325 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2326 offsetof(struct __sk_buff, cb[3])),
2327 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2328 offsetof(struct __sk_buff, cb[4])),
2334 "check cb access: word, unaligned 1",
2336 BPF_MOV64_IMM(BPF_REG_0, 0),
2337 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2338 offsetof(struct __sk_buff, cb[0]) + 2),
2341 .errstr = "misaligned context access",
2343 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2346 "check cb access: word, unaligned 2",
2348 BPF_MOV64_IMM(BPF_REG_0, 0),
2349 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2350 offsetof(struct __sk_buff, cb[4]) + 1),
2353 .errstr = "misaligned context access",
2355 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2358 "check cb access: word, unaligned 3",
2360 BPF_MOV64_IMM(BPF_REG_0, 0),
2361 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2362 offsetof(struct __sk_buff, cb[4]) + 2),
2365 .errstr = "misaligned context access",
2367 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2370 "check cb access: word, unaligned 4",
2372 BPF_MOV64_IMM(BPF_REG_0, 0),
2373 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2374 offsetof(struct __sk_buff, cb[4]) + 3),
2377 .errstr = "misaligned context access",
2379 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2382 "check cb access: double",
2384 BPF_MOV64_IMM(BPF_REG_0, 0),
2385 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2386 offsetof(struct __sk_buff, cb[0])),
2387 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2388 offsetof(struct __sk_buff, cb[2])),
2389 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2390 offsetof(struct __sk_buff, cb[0])),
2391 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2392 offsetof(struct __sk_buff, cb[2])),
2398 "check cb access: double, unaligned 1",
2400 BPF_MOV64_IMM(BPF_REG_0, 0),
2401 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2402 offsetof(struct __sk_buff, cb[1])),
2405 .errstr = "misaligned context access",
2407 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2410 "check cb access: double, unaligned 2",
2412 BPF_MOV64_IMM(BPF_REG_0, 0),
2413 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2414 offsetof(struct __sk_buff, cb[3])),
2417 .errstr = "misaligned context access",
2419 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2422 "check cb access: double, oob 1",
2424 BPF_MOV64_IMM(BPF_REG_0, 0),
2425 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2426 offsetof(struct __sk_buff, cb[4])),
2429 .errstr = "invalid bpf_context access",
2433 "check cb access: double, oob 2",
2435 BPF_MOV64_IMM(BPF_REG_0, 0),
2436 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2437 offsetof(struct __sk_buff, cb[4])),
2440 .errstr = "invalid bpf_context access",
2444 "check __sk_buff->ifindex dw store not permitted",
2446 BPF_MOV64_IMM(BPF_REG_0, 0),
2447 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2448 offsetof(struct __sk_buff, ifindex)),
2451 .errstr = "invalid bpf_context access",
2455 "check __sk_buff->ifindex dw load not permitted",
2457 BPF_MOV64_IMM(BPF_REG_0, 0),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2459 offsetof(struct __sk_buff, ifindex)),
2462 .errstr = "invalid bpf_context access",
2466 "check cb access: double, wrong type",
2468 BPF_MOV64_IMM(BPF_REG_0, 0),
2469 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2470 offsetof(struct __sk_buff, cb[0])),
2473 .errstr = "invalid bpf_context access",
2475 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2478 "check out of range skb->cb access",
2480 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2481 offsetof(struct __sk_buff, cb[0]) + 256),
2484 .errstr = "invalid bpf_context access",
2485 .errstr_unpriv = "",
2487 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2490 "write skb fields from socket prog",
2492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2493 offsetof(struct __sk_buff, cb[4])),
2494 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2495 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2496 offsetof(struct __sk_buff, mark)),
2497 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2498 offsetof(struct __sk_buff, tc_index)),
2499 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2500 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2501 offsetof(struct __sk_buff, cb[0])),
2502 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2503 offsetof(struct __sk_buff, cb[2])),
2507 .errstr_unpriv = "R1 leaks addr",
2508 .result_unpriv = REJECT,
2511 "write skb fields from tc_cls_act prog",
2513 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2514 offsetof(struct __sk_buff, cb[0])),
2515 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2516 offsetof(struct __sk_buff, mark)),
2517 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2518 offsetof(struct __sk_buff, tc_index)),
2519 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2520 offsetof(struct __sk_buff, tc_index)),
2521 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2522 offsetof(struct __sk_buff, cb[3])),
2523 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2524 offsetof(struct __sk_buff, tstamp)),
2525 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2526 offsetof(struct __sk_buff, tstamp)),
2529 .errstr_unpriv = "",
2530 .result_unpriv = REJECT,
2532 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2535 "PTR_TO_STACK store/load",
2537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2539 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2540 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2544 .retval = 0xfaceb00c,
2547 "PTR_TO_STACK store/load - bad alignment on off",
2549 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2551 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2552 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2556 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2559 "PTR_TO_STACK store/load - bad alignment on reg",
2561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2563 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2564 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2568 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2571 "PTR_TO_STACK store/load - out of bounds low",
2573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2574 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2575 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2576 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2580 .errstr = "invalid stack off=-79992 size=8",
2581 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2584 "PTR_TO_STACK store/load - out of bounds high",
2586 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2588 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2589 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2593 .errstr = "invalid stack off=0 size=8",
2596 "unpriv: return pointer",
2598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2602 .result_unpriv = REJECT,
2603 .errstr_unpriv = "R0 leaks addr",
2604 .retval = POINTER_VALUE,
2607 "unpriv: add const to pointer",
2609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2610 BPF_MOV64_IMM(BPF_REG_0, 0),
2616 "unpriv: add pointer to pointer",
2618 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2619 BPF_MOV64_IMM(BPF_REG_0, 0),
2623 .errstr = "R1 pointer += pointer",
2626 "unpriv: neg pointer",
2628 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2629 BPF_MOV64_IMM(BPF_REG_0, 0),
2633 .result_unpriv = REJECT,
2634 .errstr_unpriv = "R1 pointer arithmetic",
2637 "unpriv: cmp pointer with const",
2639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2640 BPF_MOV64_IMM(BPF_REG_0, 0),
2644 .result_unpriv = REJECT,
2645 .errstr_unpriv = "R1 pointer comparison",
2648 "unpriv: cmp pointer with pointer",
2650 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2651 BPF_MOV64_IMM(BPF_REG_0, 0),
2655 .result_unpriv = REJECT,
2656 .errstr_unpriv = "R10 pointer comparison",
2659 "unpriv: check that printk is disallowed",
2661 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2662 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2664 BPF_MOV64_IMM(BPF_REG_2, 8),
2665 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2667 BPF_FUNC_trace_printk),
2668 BPF_MOV64_IMM(BPF_REG_0, 0),
2671 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2672 .result_unpriv = REJECT,
2676 "unpriv: pass pointer to helper function",
2678 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2681 BPF_LD_MAP_FD(BPF_REG_1, 0),
2682 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2683 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2684 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2685 BPF_FUNC_map_update_elem),
2686 BPF_MOV64_IMM(BPF_REG_0, 0),
2689 .fixup_map_hash_8b = { 3 },
2690 .errstr_unpriv = "R4 leaks addr",
2691 .result_unpriv = REJECT,
2695 "unpriv: indirectly pass pointer on stack to helper function",
2697 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2700 BPF_LD_MAP_FD(BPF_REG_1, 0),
2701 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2702 BPF_FUNC_map_lookup_elem),
2703 BPF_MOV64_IMM(BPF_REG_0, 0),
2706 .fixup_map_hash_8b = { 3 },
2707 .errstr = "invalid indirect read from stack off -8+0 size 8",
2711 "unpriv: mangle pointer on stack 1",
2713 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2714 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2715 BPF_MOV64_IMM(BPF_REG_0, 0),
2718 .errstr_unpriv = "attempt to corrupt spilled",
2719 .result_unpriv = REJECT,
2723 "unpriv: mangle pointer on stack 2",
2725 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2726 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2727 BPF_MOV64_IMM(BPF_REG_0, 0),
2730 .errstr_unpriv = "attempt to corrupt spilled",
2731 .result_unpriv = REJECT,
2735 "unpriv: read pointer from stack in small chunks",
2737 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2738 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2739 BPF_MOV64_IMM(BPF_REG_0, 0),
2742 .errstr = "invalid size",
2746 "unpriv: write pointer into ctx",
2748 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2749 BPF_MOV64_IMM(BPF_REG_0, 0),
2752 .errstr_unpriv = "R1 leaks addr",
2753 .result_unpriv = REJECT,
2754 .errstr = "invalid bpf_context access",
2758 "unpriv: spill/fill of ctx",
2760 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2762 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2763 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2764 BPF_MOV64_IMM(BPF_REG_0, 0),
2770 "unpriv: spill/fill of ctx 2",
2772 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2774 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2775 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2777 BPF_FUNC_get_hash_recalc),
2778 BPF_MOV64_IMM(BPF_REG_0, 0),
2782 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2785 "unpriv: spill/fill of ctx 3",
2787 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2789 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2790 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2791 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2792 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2793 BPF_FUNC_get_hash_recalc),
2797 .errstr = "R1 type=fp expected=ctx",
2798 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2801 "unpriv: spill/fill of ctx 4",
2803 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2805 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2806 BPF_MOV64_IMM(BPF_REG_0, 1),
2807 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2809 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2810 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2811 BPF_FUNC_get_hash_recalc),
2815 .errstr = "R1 type=inv expected=ctx",
2816 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2819 "unpriv: spill/fill of different pointers stx",
2821 BPF_MOV64_IMM(BPF_REG_3, 42),
2822 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2825 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2827 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2828 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2829 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2830 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2831 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2832 offsetof(struct __sk_buff, mark)),
2833 BPF_MOV64_IMM(BPF_REG_0, 0),
2837 .errstr = "same insn cannot be used with different pointers",
2838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2841 "unpriv: spill/fill of different pointers stx - ctx and sock",
2843 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2844 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2846 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2848 /* void *target = &foo; */
2849 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2851 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2852 /* if (skb == NULL) *target = sock; */
2853 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2854 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2855 /* else *target = skb; */
2856 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2857 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2858 /* struct __sk_buff *skb = *target; */
2859 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2860 /* skb->mark = 42; */
2861 BPF_MOV64_IMM(BPF_REG_3, 42),
2862 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2863 offsetof(struct __sk_buff, mark)),
2864 /* if (sk) bpf_sk_release(sk) */
2865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2866 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2867 BPF_MOV64_IMM(BPF_REG_0, 0),
2871 .errstr = "type=ctx expected=sock",
2872 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2875 "unpriv: spill/fill of different pointers stx - leak sock",
2877 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2878 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2880 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2882 /* void *target = &foo; */
2883 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2885 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2886 /* if (skb == NULL) *target = sock; */
2887 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2888 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2889 /* else *target = skb; */
2890 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2891 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2892 /* struct __sk_buff *skb = *target; */
2893 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2894 /* skb->mark = 42; */
2895 BPF_MOV64_IMM(BPF_REG_3, 42),
2896 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2897 offsetof(struct __sk_buff, mark)),
2901 //.errstr = "same insn cannot be used with different pointers",
2902 .errstr = "Unreleased reference",
2903 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2906 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2908 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2909 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2913 /* void *target = &foo; */
2914 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2916 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2917 /* if (skb) *target = skb */
2918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2919 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2920 /* else *target = sock */
2921 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2922 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2923 /* struct bpf_sock *sk = *target; */
2924 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2925 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2927 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2928 offsetof(struct bpf_sock, mark)),
2929 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2930 BPF_MOV64_IMM(BPF_REG_0, 0),
2934 .errstr = "same insn cannot be used with different pointers",
2935 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2938 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2940 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2941 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2945 /* void *target = &foo; */
2946 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2949 /* if (skb) *target = skb */
2950 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2951 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2952 /* else *target = sock */
2953 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2954 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2955 /* struct bpf_sock *sk = *target; */
2956 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2957 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2959 BPF_MOV64_IMM(BPF_REG_3, 42),
2960 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2961 offsetof(struct bpf_sock, mark)),
2962 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2963 BPF_MOV64_IMM(BPF_REG_0, 0),
2967 //.errstr = "same insn cannot be used with different pointers",
2968 .errstr = "cannot write into socket",
2969 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2972 "unpriv: spill/fill of different pointers ldx",
2974 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2976 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2979 -(__s32)offsetof(struct bpf_perf_event_data,
2980 sample_period) - 8),
2981 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2982 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2983 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2984 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2985 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2986 offsetof(struct bpf_perf_event_data,
2988 BPF_MOV64_IMM(BPF_REG_0, 0),
2992 .errstr = "same insn cannot be used with different pointers",
2993 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2996 "unpriv: write pointer into map elem value",
2998 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3001 BPF_LD_MAP_FD(BPF_REG_1, 0),
3002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3003 BPF_FUNC_map_lookup_elem),
3004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3005 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
3008 .fixup_map_hash_8b = { 3 },
3009 .errstr_unpriv = "R0 leaks addr",
3010 .result_unpriv = REJECT,
3014 "alu32: mov u32 const",
3016 BPF_MOV32_IMM(BPF_REG_7, 0),
3017 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
3018 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
3019 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3020 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
3027 "unpriv: partial copy of pointer",
3029 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
3030 BPF_MOV64_IMM(BPF_REG_0, 0),
3033 .errstr_unpriv = "R10 partial copy",
3034 .result_unpriv = REJECT,
3038 "unpriv: pass pointer to tail_call",
3040 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
3041 BPF_LD_MAP_FD(BPF_REG_2, 0),
3042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3043 BPF_FUNC_tail_call),
3044 BPF_MOV64_IMM(BPF_REG_0, 0),
3047 .fixup_prog1 = { 1 },
3048 .errstr_unpriv = "R3 leaks addr into helper",
3049 .result_unpriv = REJECT,
3053 "unpriv: cmp map pointer with zero",
3055 BPF_MOV64_IMM(BPF_REG_1, 0),
3056 BPF_LD_MAP_FD(BPF_REG_1, 0),
3057 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
3058 BPF_MOV64_IMM(BPF_REG_0, 0),
3061 .fixup_map_hash_8b = { 1 },
3062 .errstr_unpriv = "R1 pointer comparison",
3063 .result_unpriv = REJECT,
3067 "unpriv: write into frame pointer",
3069 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
3070 BPF_MOV64_IMM(BPF_REG_0, 0),
3073 .errstr = "frame pointer is read only",
3077 "unpriv: spill/fill frame pointer",
3079 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3081 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
3082 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
3083 BPF_MOV64_IMM(BPF_REG_0, 0),
3086 .errstr = "frame pointer is read only",
3090 "unpriv: cmp of frame pointer",
3092 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
3093 BPF_MOV64_IMM(BPF_REG_0, 0),
3096 .errstr_unpriv = "R10 pointer comparison",
3097 .result_unpriv = REJECT,
3101 "unpriv: adding of fp",
3103 BPF_MOV64_IMM(BPF_REG_0, 0),
3104 BPF_MOV64_IMM(BPF_REG_1, 0),
3105 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
3106 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
3109 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3110 .result_unpriv = REJECT,
3114 "unpriv: cmp of stack pointer",
3116 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3118 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
3119 BPF_MOV64_IMM(BPF_REG_0, 0),
3122 .errstr_unpriv = "R2 pointer comparison",
3123 .result_unpriv = REJECT,
3127 "runtime/jit: tail_call within bounds, prog once",
3129 BPF_MOV64_IMM(BPF_REG_3, 0),
3130 BPF_LD_MAP_FD(BPF_REG_2, 0),
3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 BPF_FUNC_tail_call),
3133 BPF_MOV64_IMM(BPF_REG_0, 1),
3136 .fixup_prog1 = { 1 },
3141 "runtime/jit: tail_call within bounds, prog loop",
3143 BPF_MOV64_IMM(BPF_REG_3, 1),
3144 BPF_LD_MAP_FD(BPF_REG_2, 0),
3145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3146 BPF_FUNC_tail_call),
3147 BPF_MOV64_IMM(BPF_REG_0, 1),
3150 .fixup_prog1 = { 1 },
3155 "runtime/jit: tail_call within bounds, no prog",
3157 BPF_MOV64_IMM(BPF_REG_3, 2),
3158 BPF_LD_MAP_FD(BPF_REG_2, 0),
3159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3160 BPF_FUNC_tail_call),
3161 BPF_MOV64_IMM(BPF_REG_0, 1),
3164 .fixup_prog1 = { 1 },
3169 "runtime/jit: tail_call out of bounds",
3171 BPF_MOV64_IMM(BPF_REG_3, 256),
3172 BPF_LD_MAP_FD(BPF_REG_2, 0),
3173 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3174 BPF_FUNC_tail_call),
3175 BPF_MOV64_IMM(BPF_REG_0, 2),
3178 .fixup_prog1 = { 1 },
3183 "runtime/jit: pass negative index to tail_call",
3185 BPF_MOV64_IMM(BPF_REG_3, -1),
3186 BPF_LD_MAP_FD(BPF_REG_2, 0),
3187 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3188 BPF_FUNC_tail_call),
3189 BPF_MOV64_IMM(BPF_REG_0, 2),
3192 .fixup_prog1 = { 1 },
3197 "runtime/jit: pass > 32bit index to tail_call",
3199 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3200 BPF_LD_MAP_FD(BPF_REG_2, 0),
3201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3202 BPF_FUNC_tail_call),
3203 BPF_MOV64_IMM(BPF_REG_0, 2),
3206 .fixup_prog1 = { 2 },
3209 /* Verifier rewrite for unpriv skips tail call here. */
3213 "PTR_TO_STACK check high 1",
3215 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
3217 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3218 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3225 "PTR_TO_STACK check high 2",
3227 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3228 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3229 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3236 "PTR_TO_STACK check high 3",
3238 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3240 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3241 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3244 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3245 .result_unpriv = REJECT,
3250 "PTR_TO_STACK check high 4",
3252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3254 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3255 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3258 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3259 .errstr = "invalid stack off=0 size=1",
3263 "PTR_TO_STACK check high 5",
3265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3267 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3268 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3272 .errstr = "invalid stack off",
3275 "PTR_TO_STACK check high 6",
3277 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3279 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3280 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3284 .errstr = "invalid stack off",
3287 "PTR_TO_STACK check high 7",
3289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3292 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3293 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3297 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3298 .errstr = "fp pointer offset",
3301 "PTR_TO_STACK check low 1",
3303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
3305 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3306 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3313 "PTR_TO_STACK check low 2",
3315 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3317 BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
3318 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
3321 .result_unpriv = REJECT,
3322 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3327 "PTR_TO_STACK check low 3",
3329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3331 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3332 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3335 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3336 .errstr = "invalid stack off=-513 size=1",
3340 "PTR_TO_STACK check low 4",
3342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
3344 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3345 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3349 .errstr = "math between fp pointer",
3352 "PTR_TO_STACK check low 5",
3354 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3356 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3357 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3361 .errstr = "invalid stack off",
3364 "PTR_TO_STACK check low 6",
3366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3368 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3369 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3373 .errstr = "invalid stack off",
3376 "PTR_TO_STACK check low 7",
3378 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3381 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3386 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3387 .errstr = "fp pointer offset",
3390 "PTR_TO_STACK mixed reg/k, 1",
3392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3394 BPF_MOV64_IMM(BPF_REG_2, -3),
3395 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3396 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3397 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3404 "PTR_TO_STACK mixed reg/k, 2",
3406 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3407 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
3408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3410 BPF_MOV64_IMM(BPF_REG_2, -3),
3411 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3412 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3413 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
3414 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
3421 "PTR_TO_STACK mixed reg/k, 3",
3423 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3425 BPF_MOV64_IMM(BPF_REG_2, -3),
3426 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3427 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3428 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3437 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3438 BPF_MOV64_IMM(BPF_REG_2, -3),
3439 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3440 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3441 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3444 .result_unpriv = REJECT,
3445 .errstr_unpriv = "invalid stack off=0 size=1",
3450 "stack pointer arithmetic",
3452 BPF_MOV64_IMM(BPF_REG_1, 4),
3453 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3454 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3458 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3459 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3460 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3462 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3463 BPF_MOV64_IMM(BPF_REG_0, 0),
3469 "raw_stack: no skb_load_bytes",
3471 BPF_MOV64_IMM(BPF_REG_2, 4),
3472 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3474 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3475 BPF_MOV64_IMM(BPF_REG_4, 8),
3476 /* Call to skb_load_bytes() omitted. */
3477 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3481 .errstr = "invalid read from stack off -8+0 size 8",
3482 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3485 "raw_stack: skb_load_bytes, negative len",
3487 BPF_MOV64_IMM(BPF_REG_2, 4),
3488 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3490 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3491 BPF_MOV64_IMM(BPF_REG_4, -8),
3492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3493 BPF_FUNC_skb_load_bytes),
3494 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3498 .errstr = "R4 min value is negative",
3499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3502 "raw_stack: skb_load_bytes, negative len 2",
3504 BPF_MOV64_IMM(BPF_REG_2, 4),
3505 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3507 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3508 BPF_MOV64_IMM(BPF_REG_4, ~0),
3509 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3510 BPF_FUNC_skb_load_bytes),
3511 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3515 .errstr = "R4 min value is negative",
3516 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3519 "raw_stack: skb_load_bytes, zero len",
3521 BPF_MOV64_IMM(BPF_REG_2, 4),
3522 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3524 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3525 BPF_MOV64_IMM(BPF_REG_4, 0),
3526 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3527 BPF_FUNC_skb_load_bytes),
3528 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3532 .errstr = "invalid stack type R3",
3533 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3536 "raw_stack: skb_load_bytes, no init",
3538 BPF_MOV64_IMM(BPF_REG_2, 4),
3539 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3541 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3542 BPF_MOV64_IMM(BPF_REG_4, 8),
3543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3544 BPF_FUNC_skb_load_bytes),
3545 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3549 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3552 "raw_stack: skb_load_bytes, init",
3554 BPF_MOV64_IMM(BPF_REG_2, 4),
3555 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3557 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3558 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3559 BPF_MOV64_IMM(BPF_REG_4, 8),
3560 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3561 BPF_FUNC_skb_load_bytes),
3562 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3566 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3569 "raw_stack: skb_load_bytes, spilled regs around bounds",
3571 BPF_MOV64_IMM(BPF_REG_2, 4),
3572 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3574 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3575 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3576 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3577 BPF_MOV64_IMM(BPF_REG_4, 8),
3578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3579 BPF_FUNC_skb_load_bytes),
3580 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3581 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3582 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3583 offsetof(struct __sk_buff, mark)),
3584 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3585 offsetof(struct __sk_buff, priority)),
3586 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3590 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3593 "raw_stack: skb_load_bytes, spilled regs corruption",
3595 BPF_MOV64_IMM(BPF_REG_2, 4),
3596 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3598 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3599 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3600 BPF_MOV64_IMM(BPF_REG_4, 8),
3601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3602 BPF_FUNC_skb_load_bytes),
3603 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3604 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3605 offsetof(struct __sk_buff, mark)),
3609 .errstr = "R0 invalid mem access 'inv'",
3610 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3614 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3616 BPF_MOV64_IMM(BPF_REG_2, 4),
3617 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3619 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3620 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3621 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3622 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3623 BPF_MOV64_IMM(BPF_REG_4, 8),
3624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3625 BPF_FUNC_skb_load_bytes),
3626 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3627 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3628 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3629 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3630 offsetof(struct __sk_buff, mark)),
3631 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3632 offsetof(struct __sk_buff, priority)),
3633 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3634 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3635 offsetof(struct __sk_buff, pkt_type)),
3636 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3640 .errstr = "R3 invalid mem access 'inv'",
3641 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3642 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3645 "raw_stack: skb_load_bytes, spilled regs + data",
3647 BPF_MOV64_IMM(BPF_REG_2, 4),
3648 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3650 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3651 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3652 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3653 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3654 BPF_MOV64_IMM(BPF_REG_4, 8),
3655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3656 BPF_FUNC_skb_load_bytes),
3657 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3658 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3659 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3660 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3661 offsetof(struct __sk_buff, mark)),
3662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3663 offsetof(struct __sk_buff, priority)),
3664 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3665 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3669 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3672 "raw_stack: skb_load_bytes, invalid access 1",
3674 BPF_MOV64_IMM(BPF_REG_2, 4),
3675 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3677 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3678 BPF_MOV64_IMM(BPF_REG_4, 8),
3679 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3680 BPF_FUNC_skb_load_bytes),
3681 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3685 .errstr = "invalid stack type R3 off=-513 access_size=8",
3686 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3689 "raw_stack: skb_load_bytes, invalid access 2",
3691 BPF_MOV64_IMM(BPF_REG_2, 4),
3692 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3694 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3695 BPF_MOV64_IMM(BPF_REG_4, 8),
3696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3697 BPF_FUNC_skb_load_bytes),
3698 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3702 .errstr = "invalid stack type R3 off=-1 access_size=8",
3703 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3706 "raw_stack: skb_load_bytes, invalid access 3",
3708 BPF_MOV64_IMM(BPF_REG_2, 4),
3709 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3711 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3712 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3713 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3714 BPF_FUNC_skb_load_bytes),
3715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3719 .errstr = "R4 min value is negative",
3720 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3723 "raw_stack: skb_load_bytes, invalid access 4",
3725 BPF_MOV64_IMM(BPF_REG_2, 4),
3726 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3728 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3729 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3731 BPF_FUNC_skb_load_bytes),
3732 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3736 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3737 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3740 "raw_stack: skb_load_bytes, invalid access 5",
3742 BPF_MOV64_IMM(BPF_REG_2, 4),
3743 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3745 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3746 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3748 BPF_FUNC_skb_load_bytes),
3749 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3753 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3754 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3757 "raw_stack: skb_load_bytes, invalid access 6",
3759 BPF_MOV64_IMM(BPF_REG_2, 4),
3760 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3762 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3763 BPF_MOV64_IMM(BPF_REG_4, 0),
3764 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3765 BPF_FUNC_skb_load_bytes),
3766 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3770 .errstr = "invalid stack type R3 off=-512 access_size=0",
3771 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3774 "raw_stack: skb_load_bytes, large access",
3776 BPF_MOV64_IMM(BPF_REG_2, 4),
3777 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3779 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3780 BPF_MOV64_IMM(BPF_REG_4, 512),
3781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3782 BPF_FUNC_skb_load_bytes),
3783 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3787 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3790 "context stores via ST",
3792 BPF_MOV64_IMM(BPF_REG_0, 0),
3793 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3796 .errstr = "BPF_ST stores into R1 ctx is not allowed",
3798 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3801 "context stores via XADD",
3803 BPF_MOV64_IMM(BPF_REG_0, 0),
3804 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3805 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3808 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
3810 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3813 "direct packet access: test1",
3815 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3816 offsetof(struct __sk_buff, data)),
3817 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3818 offsetof(struct __sk_buff, data_end)),
3819 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3821 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3822 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3823 BPF_MOV64_IMM(BPF_REG_0, 0),
3827 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3830 "direct packet access: test2",
3832 BPF_MOV64_IMM(BPF_REG_0, 1),
3833 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3834 offsetof(struct __sk_buff, data_end)),
3835 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3836 offsetof(struct __sk_buff, data)),
3837 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3839 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3840 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3841 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3842 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3843 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3844 offsetof(struct __sk_buff, data)),
3845 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3846 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3847 offsetof(struct __sk_buff, len)),
3848 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3849 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3850 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3853 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3854 offsetof(struct __sk_buff, data_end)),
3855 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3856 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3857 BPF_MOV64_IMM(BPF_REG_0, 0),
3861 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3864 "direct packet access: test3",
3866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3867 offsetof(struct __sk_buff, data)),
3868 BPF_MOV64_IMM(BPF_REG_0, 0),
3871 .errstr = "invalid bpf_context access off=76",
3873 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3876 "direct packet access: test4 (write)",
3878 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3879 offsetof(struct __sk_buff, data)),
3880 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3881 offsetof(struct __sk_buff, data_end)),
3882 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3884 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3885 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3886 BPF_MOV64_IMM(BPF_REG_0, 0),
3890 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3893 "direct packet access: test5 (pkt_end >= reg, good access)",
3895 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3896 offsetof(struct __sk_buff, data)),
3897 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3898 offsetof(struct __sk_buff, data_end)),
3899 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3901 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3902 BPF_MOV64_IMM(BPF_REG_0, 1),
3904 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3905 BPF_MOV64_IMM(BPF_REG_0, 0),
3909 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3912 "direct packet access: test6 (pkt_end >= reg, bad access)",
3914 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3915 offsetof(struct __sk_buff, data)),
3916 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3917 offsetof(struct __sk_buff, data_end)),
3918 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3920 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3921 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3922 BPF_MOV64_IMM(BPF_REG_0, 1),
3924 BPF_MOV64_IMM(BPF_REG_0, 0),
3927 .errstr = "invalid access to packet",
3929 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3932 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3934 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3935 offsetof(struct __sk_buff, data)),
3936 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3937 offsetof(struct __sk_buff, data_end)),
3938 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3940 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3942 BPF_MOV64_IMM(BPF_REG_0, 1),
3944 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3945 BPF_MOV64_IMM(BPF_REG_0, 0),
3948 .errstr = "invalid access to packet",
3950 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3953 "direct packet access: test8 (double test, variant 1)",
3955 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3956 offsetof(struct __sk_buff, data)),
3957 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3958 offsetof(struct __sk_buff, data_end)),
3959 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3961 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3962 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3964 BPF_MOV64_IMM(BPF_REG_0, 1),
3966 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3967 BPF_MOV64_IMM(BPF_REG_0, 0),
3971 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3974 "direct packet access: test9 (double test, variant 2)",
3976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3977 offsetof(struct __sk_buff, data)),
3978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3979 offsetof(struct __sk_buff, data_end)),
3980 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3982 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3983 BPF_MOV64_IMM(BPF_REG_0, 1),
3985 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3986 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3987 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3988 BPF_MOV64_IMM(BPF_REG_0, 0),
3992 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3995 "direct packet access: test10 (write invalid)",
3997 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3998 offsetof(struct __sk_buff, data)),
3999 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4000 offsetof(struct __sk_buff, data_end)),
4001 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4003 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4004 BPF_MOV64_IMM(BPF_REG_0, 0),
4006 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4007 BPF_MOV64_IMM(BPF_REG_0, 0),
4010 .errstr = "invalid access to packet",
4012 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4015 "direct packet access: test11 (shift, good access)",
4017 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4018 offsetof(struct __sk_buff, data)),
4019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4020 offsetof(struct __sk_buff, data_end)),
4021 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4023 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4024 BPF_MOV64_IMM(BPF_REG_3, 144),
4025 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4027 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
4028 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4029 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4030 BPF_MOV64_IMM(BPF_REG_0, 1),
4032 BPF_MOV64_IMM(BPF_REG_0, 0),
4036 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4040 "direct packet access: test12 (and, good access)",
4042 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4043 offsetof(struct __sk_buff, data)),
4044 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4045 offsetof(struct __sk_buff, data_end)),
4046 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4048 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4049 BPF_MOV64_IMM(BPF_REG_3, 144),
4050 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4052 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4053 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4054 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4055 BPF_MOV64_IMM(BPF_REG_0, 1),
4057 BPF_MOV64_IMM(BPF_REG_0, 0),
4061 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4065 "direct packet access: test13 (branches, good access)",
4067 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4068 offsetof(struct __sk_buff, data)),
4069 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4070 offsetof(struct __sk_buff, data_end)),
4071 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4073 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
4074 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4075 offsetof(struct __sk_buff, mark)),
4076 BPF_MOV64_IMM(BPF_REG_4, 1),
4077 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
4078 BPF_MOV64_IMM(BPF_REG_3, 14),
4079 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
4080 BPF_MOV64_IMM(BPF_REG_3, 24),
4081 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4083 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4084 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4085 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4086 BPF_MOV64_IMM(BPF_REG_0, 1),
4088 BPF_MOV64_IMM(BPF_REG_0, 0),
4092 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4096 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
4098 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4099 offsetof(struct __sk_buff, data)),
4100 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4101 offsetof(struct __sk_buff, data_end)),
4102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4104 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
4105 BPF_MOV64_IMM(BPF_REG_5, 12),
4106 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
4107 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4108 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4109 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
4110 BPF_MOV64_IMM(BPF_REG_0, 1),
4112 BPF_MOV64_IMM(BPF_REG_0, 0),
4116 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4120 "direct packet access: test15 (spill with xadd)",
4122 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4123 offsetof(struct __sk_buff, data)),
4124 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4125 offsetof(struct __sk_buff, data_end)),
4126 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4128 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4129 BPF_MOV64_IMM(BPF_REG_5, 4096),
4130 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
4131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
4132 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
4133 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
4134 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
4135 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
4136 BPF_MOV64_IMM(BPF_REG_0, 0),
4139 .errstr = "R2 invalid mem access 'inv'",
4141 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4142 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4145 "direct packet access: test16 (arith on data_end)",
4147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4148 offsetof(struct __sk_buff, data)),
4149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4150 offsetof(struct __sk_buff, data_end)),
4151 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
4154 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4155 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4156 BPF_MOV64_IMM(BPF_REG_0, 0),
4159 .errstr = "R3 pointer arithmetic on pkt_end",
4161 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4164 "direct packet access: test17 (pruning, alignment)",
4166 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4167 offsetof(struct __sk_buff, data)),
4168 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4169 offsetof(struct __sk_buff, data_end)),
4170 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4171 offsetof(struct __sk_buff, mark)),
4172 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
4174 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
4175 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4176 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
4177 BPF_MOV64_IMM(BPF_REG_0, 0),
4179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
4182 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
4184 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4185 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
4188 "direct packet access: test18 (imm += pkt_ptr, 1)",
4190 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4191 offsetof(struct __sk_buff, data)),
4192 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4193 offsetof(struct __sk_buff, data_end)),
4194 BPF_MOV64_IMM(BPF_REG_0, 8),
4195 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4196 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4197 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4198 BPF_MOV64_IMM(BPF_REG_0, 0),
4202 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4205 "direct packet access: test19 (imm += pkt_ptr, 2)",
4207 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4208 offsetof(struct __sk_buff, data)),
4209 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4210 offsetof(struct __sk_buff, data_end)),
4211 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4213 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
4214 BPF_MOV64_IMM(BPF_REG_4, 4),
4215 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4216 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
4217 BPF_MOV64_IMM(BPF_REG_0, 0),
4221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4224 "direct packet access: test20 (x += pkt_ptr, 1)",
4226 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4227 offsetof(struct __sk_buff, data)),
4228 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4229 offsetof(struct __sk_buff, data_end)),
4230 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4231 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4233 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
4234 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4235 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4236 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4238 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4239 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4240 BPF_MOV64_IMM(BPF_REG_0, 0),
4243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4245 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4248 "direct packet access: test21 (x += pkt_ptr, 2)",
4250 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4251 offsetof(struct __sk_buff, data)),
4252 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4253 offsetof(struct __sk_buff, data_end)),
4254 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4256 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
4257 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4258 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4259 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4260 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
4261 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4262 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4264 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4265 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4266 BPF_MOV64_IMM(BPF_REG_0, 0),
4269 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4271 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4274 "direct packet access: test22 (x += pkt_ptr, 3)",
4276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4277 offsetof(struct __sk_buff, data)),
4278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4279 offsetof(struct __sk_buff, data_end)),
4280 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4282 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
4283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
4284 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
4285 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
4286 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
4287 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4288 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4289 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4290 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
4291 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4292 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
4293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
4294 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4295 BPF_MOV64_IMM(BPF_REG_2, 1),
4296 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
4297 BPF_MOV64_IMM(BPF_REG_0, 0),
4300 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4302 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4305 "direct packet access: test23 (x += pkt_ptr, 4)",
4307 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4308 offsetof(struct __sk_buff, data)),
4309 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4310 offsetof(struct __sk_buff, data_end)),
4311 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4312 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4314 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
4315 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4316 BPF_MOV64_IMM(BPF_REG_0, 31),
4317 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4318 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4319 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
4321 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4322 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4323 BPF_MOV64_IMM(BPF_REG_0, 0),
4326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4328 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
4329 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4332 "direct packet access: test24 (x += pkt_ptr, 5)",
4334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4335 offsetof(struct __sk_buff, data)),
4336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4337 offsetof(struct __sk_buff, data_end)),
4338 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4339 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4340 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4341 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
4342 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4343 BPF_MOV64_IMM(BPF_REG_0, 64),
4344 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4345 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4346 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
4348 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4349 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4350 BPF_MOV64_IMM(BPF_REG_0, 0),
4353 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4355 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4358 "direct packet access: test25 (marking on <, good access)",
4360 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4361 offsetof(struct __sk_buff, data)),
4362 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4363 offsetof(struct __sk_buff, data_end)),
4364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4366 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
4367 BPF_MOV64_IMM(BPF_REG_0, 0),
4369 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4370 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4376 "direct packet access: test26 (marking on <, bad access)",
4378 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4379 offsetof(struct __sk_buff, data)),
4380 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4381 offsetof(struct __sk_buff, data_end)),
4382 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4384 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4385 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4386 BPF_MOV64_IMM(BPF_REG_0, 0),
4388 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4391 .errstr = "invalid access to packet",
4392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4395 "direct packet access: test27 (marking on <=, good access)",
4397 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4398 offsetof(struct __sk_buff, data)),
4399 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4400 offsetof(struct __sk_buff, data_end)),
4401 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4403 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4405 BPF_MOV64_IMM(BPF_REG_0, 1),
4409 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4413 "direct packet access: test28 (marking on <=, bad access)",
4415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4416 offsetof(struct __sk_buff, data)),
4417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4418 offsetof(struct __sk_buff, data_end)),
4419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4421 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4422 BPF_MOV64_IMM(BPF_REG_0, 1),
4424 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4425 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4428 .errstr = "invalid access to packet",
4429 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4432 "helper access to packet: test1, valid packet_ptr range",
4434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4435 offsetof(struct xdp_md, data)),
4436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4437 offsetof(struct xdp_md, data_end)),
4438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4440 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4441 BPF_LD_MAP_FD(BPF_REG_1, 0),
4442 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4443 BPF_MOV64_IMM(BPF_REG_4, 0),
4444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4445 BPF_FUNC_map_update_elem),
4446 BPF_MOV64_IMM(BPF_REG_0, 0),
4449 .fixup_map_hash_8b = { 5 },
4450 .result_unpriv = ACCEPT,
4452 .prog_type = BPF_PROG_TYPE_XDP,
4455 "helper access to packet: test2, unchecked packet_ptr",
4457 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4458 offsetof(struct xdp_md, data)),
4459 BPF_LD_MAP_FD(BPF_REG_1, 0),
4460 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4461 BPF_FUNC_map_lookup_elem),
4462 BPF_MOV64_IMM(BPF_REG_0, 0),
4465 .fixup_map_hash_8b = { 1 },
4467 .errstr = "invalid access to packet",
4468 .prog_type = BPF_PROG_TYPE_XDP,
4471 "helper access to packet: test3, variable add",
4473 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4474 offsetof(struct xdp_md, data)),
4475 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4476 offsetof(struct xdp_md, data_end)),
4477 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4479 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4480 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4481 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4482 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4483 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4485 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4486 BPF_LD_MAP_FD(BPF_REG_1, 0),
4487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4488 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4489 BPF_FUNC_map_lookup_elem),
4490 BPF_MOV64_IMM(BPF_REG_0, 0),
4493 .fixup_map_hash_8b = { 11 },
4495 .prog_type = BPF_PROG_TYPE_XDP,
4498 "helper access to packet: test4, packet_ptr with bad range",
4500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4501 offsetof(struct xdp_md, data)),
4502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4503 offsetof(struct xdp_md, data_end)),
4504 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4506 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4507 BPF_MOV64_IMM(BPF_REG_0, 0),
4509 BPF_LD_MAP_FD(BPF_REG_1, 0),
4510 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4511 BPF_FUNC_map_lookup_elem),
4512 BPF_MOV64_IMM(BPF_REG_0, 0),
4515 .fixup_map_hash_8b = { 7 },
4517 .errstr = "invalid access to packet",
4518 .prog_type = BPF_PROG_TYPE_XDP,
4521 "helper access to packet: test5, packet_ptr with too short range",
4523 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4524 offsetof(struct xdp_md, data)),
4525 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4526 offsetof(struct xdp_md, data_end)),
4527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4528 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4530 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4531 BPF_LD_MAP_FD(BPF_REG_1, 0),
4532 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4533 BPF_FUNC_map_lookup_elem),
4534 BPF_MOV64_IMM(BPF_REG_0, 0),
4537 .fixup_map_hash_8b = { 6 },
4539 .errstr = "invalid access to packet",
4540 .prog_type = BPF_PROG_TYPE_XDP,
4543 "helper access to packet: test6, cls valid packet_ptr range",
4545 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4546 offsetof(struct __sk_buff, data)),
4547 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4548 offsetof(struct __sk_buff, data_end)),
4549 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4551 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4552 BPF_LD_MAP_FD(BPF_REG_1, 0),
4553 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4554 BPF_MOV64_IMM(BPF_REG_4, 0),
4555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4556 BPF_FUNC_map_update_elem),
4557 BPF_MOV64_IMM(BPF_REG_0, 0),
4560 .fixup_map_hash_8b = { 5 },
4562 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4565 "helper access to packet: test7, cls unchecked packet_ptr",
4567 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4568 offsetof(struct __sk_buff, data)),
4569 BPF_LD_MAP_FD(BPF_REG_1, 0),
4570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4571 BPF_FUNC_map_lookup_elem),
4572 BPF_MOV64_IMM(BPF_REG_0, 0),
4575 .fixup_map_hash_8b = { 1 },
4577 .errstr = "invalid access to packet",
4578 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4581 "helper access to packet: test8, cls variable add",
4583 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4584 offsetof(struct __sk_buff, data)),
4585 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4586 offsetof(struct __sk_buff, data_end)),
4587 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4589 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4590 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4591 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4592 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4593 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4595 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4596 BPF_LD_MAP_FD(BPF_REG_1, 0),
4597 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4598 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4599 BPF_FUNC_map_lookup_elem),
4600 BPF_MOV64_IMM(BPF_REG_0, 0),
4603 .fixup_map_hash_8b = { 11 },
4605 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4608 "helper access to packet: test9, cls packet_ptr with bad range",
4610 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4611 offsetof(struct __sk_buff, data)),
4612 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4613 offsetof(struct __sk_buff, data_end)),
4614 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4616 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4617 BPF_MOV64_IMM(BPF_REG_0, 0),
4619 BPF_LD_MAP_FD(BPF_REG_1, 0),
4620 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4621 BPF_FUNC_map_lookup_elem),
4622 BPF_MOV64_IMM(BPF_REG_0, 0),
4625 .fixup_map_hash_8b = { 7 },
4627 .errstr = "invalid access to packet",
4628 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4631 "helper access to packet: test10, cls packet_ptr with too short range",
4633 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4634 offsetof(struct __sk_buff, data)),
4635 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4636 offsetof(struct __sk_buff, data_end)),
4637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4638 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4640 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4641 BPF_LD_MAP_FD(BPF_REG_1, 0),
4642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4643 BPF_FUNC_map_lookup_elem),
4644 BPF_MOV64_IMM(BPF_REG_0, 0),
4647 .fixup_map_hash_8b = { 6 },
4649 .errstr = "invalid access to packet",
4650 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4653 "helper access to packet: test11, cls unsuitable helper 1",
4655 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4656 offsetof(struct __sk_buff, data)),
4657 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4658 offsetof(struct __sk_buff, data_end)),
4659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4660 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4662 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4663 BPF_MOV64_IMM(BPF_REG_2, 0),
4664 BPF_MOV64_IMM(BPF_REG_4, 42),
4665 BPF_MOV64_IMM(BPF_REG_5, 0),
4666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4667 BPF_FUNC_skb_store_bytes),
4668 BPF_MOV64_IMM(BPF_REG_0, 0),
4672 .errstr = "helper access to the packet",
4673 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4676 "helper access to packet: test12, cls unsuitable helper 2",
4678 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4679 offsetof(struct __sk_buff, data)),
4680 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4681 offsetof(struct __sk_buff, data_end)),
4682 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4684 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4685 BPF_MOV64_IMM(BPF_REG_2, 0),
4686 BPF_MOV64_IMM(BPF_REG_4, 4),
4687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4688 BPF_FUNC_skb_load_bytes),
4689 BPF_MOV64_IMM(BPF_REG_0, 0),
4693 .errstr = "helper access to the packet",
4694 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4697 "helper access to packet: test13, cls helper ok",
4699 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4700 offsetof(struct __sk_buff, data)),
4701 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4702 offsetof(struct __sk_buff, data_end)),
4703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4706 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4707 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4708 BPF_MOV64_IMM(BPF_REG_2, 4),
4709 BPF_MOV64_IMM(BPF_REG_3, 0),
4710 BPF_MOV64_IMM(BPF_REG_4, 0),
4711 BPF_MOV64_IMM(BPF_REG_5, 0),
4712 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4713 BPF_FUNC_csum_diff),
4714 BPF_MOV64_IMM(BPF_REG_0, 0),
4718 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4721 "helper access to packet: test14, cls helper ok sub",
4723 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4724 offsetof(struct __sk_buff, data)),
4725 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4726 offsetof(struct __sk_buff, data_end)),
4727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4730 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4731 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4732 BPF_MOV64_IMM(BPF_REG_2, 4),
4733 BPF_MOV64_IMM(BPF_REG_3, 0),
4734 BPF_MOV64_IMM(BPF_REG_4, 0),
4735 BPF_MOV64_IMM(BPF_REG_5, 0),
4736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4737 BPF_FUNC_csum_diff),
4738 BPF_MOV64_IMM(BPF_REG_0, 0),
4742 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4745 "helper access to packet: test15, cls helper fail sub",
4747 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4748 offsetof(struct __sk_buff, data)),
4749 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4750 offsetof(struct __sk_buff, data_end)),
4751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4754 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4755 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4756 BPF_MOV64_IMM(BPF_REG_2, 4),
4757 BPF_MOV64_IMM(BPF_REG_3, 0),
4758 BPF_MOV64_IMM(BPF_REG_4, 0),
4759 BPF_MOV64_IMM(BPF_REG_5, 0),
4760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4761 BPF_FUNC_csum_diff),
4762 BPF_MOV64_IMM(BPF_REG_0, 0),
4766 .errstr = "invalid access to packet",
4767 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4770 "helper access to packet: test16, cls helper fail range 1",
4772 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4773 offsetof(struct __sk_buff, data)),
4774 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4775 offsetof(struct __sk_buff, data_end)),
4776 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4779 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4780 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4781 BPF_MOV64_IMM(BPF_REG_2, 8),
4782 BPF_MOV64_IMM(BPF_REG_3, 0),
4783 BPF_MOV64_IMM(BPF_REG_4, 0),
4784 BPF_MOV64_IMM(BPF_REG_5, 0),
4785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4786 BPF_FUNC_csum_diff),
4787 BPF_MOV64_IMM(BPF_REG_0, 0),
4791 .errstr = "invalid access to packet",
4792 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4795 "helper access to packet: test17, cls helper fail range 2",
4797 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4798 offsetof(struct __sk_buff, data)),
4799 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4800 offsetof(struct __sk_buff, data_end)),
4801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4802 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4804 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4806 BPF_MOV64_IMM(BPF_REG_2, -9),
4807 BPF_MOV64_IMM(BPF_REG_3, 0),
4808 BPF_MOV64_IMM(BPF_REG_4, 0),
4809 BPF_MOV64_IMM(BPF_REG_5, 0),
4810 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4811 BPF_FUNC_csum_diff),
4812 BPF_MOV64_IMM(BPF_REG_0, 0),
4816 .errstr = "R2 min value is negative",
4817 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4820 "helper access to packet: test18, cls helper fail range 3",
4822 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4823 offsetof(struct __sk_buff, data)),
4824 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4825 offsetof(struct __sk_buff, data_end)),
4826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4827 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4829 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4831 BPF_MOV64_IMM(BPF_REG_2, ~0),
4832 BPF_MOV64_IMM(BPF_REG_3, 0),
4833 BPF_MOV64_IMM(BPF_REG_4, 0),
4834 BPF_MOV64_IMM(BPF_REG_5, 0),
4835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4836 BPF_FUNC_csum_diff),
4837 BPF_MOV64_IMM(BPF_REG_0, 0),
4841 .errstr = "R2 min value is negative",
4842 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4845 "helper access to packet: test19, cls helper range zero",
4847 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4848 offsetof(struct __sk_buff, data)),
4849 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4850 offsetof(struct __sk_buff, data_end)),
4851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4852 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4854 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4855 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4856 BPF_MOV64_IMM(BPF_REG_2, 0),
4857 BPF_MOV64_IMM(BPF_REG_3, 0),
4858 BPF_MOV64_IMM(BPF_REG_4, 0),
4859 BPF_MOV64_IMM(BPF_REG_5, 0),
4860 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4861 BPF_FUNC_csum_diff),
4862 BPF_MOV64_IMM(BPF_REG_0, 0),
4866 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4869 "helper access to packet: test20, pkt end as input",
4871 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4872 offsetof(struct __sk_buff, data)),
4873 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4874 offsetof(struct __sk_buff, data_end)),
4875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4878 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4880 BPF_MOV64_IMM(BPF_REG_2, 4),
4881 BPF_MOV64_IMM(BPF_REG_3, 0),
4882 BPF_MOV64_IMM(BPF_REG_4, 0),
4883 BPF_MOV64_IMM(BPF_REG_5, 0),
4884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4885 BPF_FUNC_csum_diff),
4886 BPF_MOV64_IMM(BPF_REG_0, 0),
4890 .errstr = "R1 type=pkt_end expected=fp",
4891 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4894 "helper access to packet: test21, wrong reg",
4896 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4897 offsetof(struct __sk_buff, data)),
4898 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4899 offsetof(struct __sk_buff, data_end)),
4900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4903 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4904 BPF_MOV64_IMM(BPF_REG_2, 4),
4905 BPF_MOV64_IMM(BPF_REG_3, 0),
4906 BPF_MOV64_IMM(BPF_REG_4, 0),
4907 BPF_MOV64_IMM(BPF_REG_5, 0),
4908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4909 BPF_FUNC_csum_diff),
4910 BPF_MOV64_IMM(BPF_REG_0, 0),
4914 .errstr = "invalid access to packet",
4915 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4918 "prevent map lookup in sockmap",
4920 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4923 BPF_LD_MAP_FD(BPF_REG_1, 0),
4924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4925 BPF_FUNC_map_lookup_elem),
4928 .fixup_map_sockmap = { 3 },
4930 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4931 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4934 "prevent map lookup in sockhash",
4936 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4937 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4939 BPF_LD_MAP_FD(BPF_REG_1, 0),
4940 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4941 BPF_FUNC_map_lookup_elem),
4944 .fixup_map_sockhash = { 3 },
4946 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4947 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4950 "prevent map lookup in xskmap",
4952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4955 BPF_LD_MAP_FD(BPF_REG_1, 0),
4956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4957 BPF_FUNC_map_lookup_elem),
4960 .fixup_map_xskmap = { 3 },
4962 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4963 .prog_type = BPF_PROG_TYPE_XDP,
4966 "prevent map lookup in stack trace",
4968 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4971 BPF_LD_MAP_FD(BPF_REG_1, 0),
4972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4973 BPF_FUNC_map_lookup_elem),
4976 .fixup_map_stacktrace = { 3 },
4978 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4979 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4982 "prevent map lookup in prog array",
4984 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4987 BPF_LD_MAP_FD(BPF_REG_1, 0),
4988 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4989 BPF_FUNC_map_lookup_elem),
4992 .fixup_prog2 = { 3 },
4994 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4997 "valid map access into an array with a constant",
4999 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5000 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5002 BPF_LD_MAP_FD(BPF_REG_1, 0),
5003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5004 BPF_FUNC_map_lookup_elem),
5005 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5006 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5007 offsetof(struct test_val, foo)),
5010 .fixup_map_hash_48b = { 3 },
5011 .errstr_unpriv = "R0 leaks addr",
5012 .result_unpriv = REJECT,
5016 "valid map access into an array with a register",
5018 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5021 BPF_LD_MAP_FD(BPF_REG_1, 0),
5022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5023 BPF_FUNC_map_lookup_elem),
5024 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5025 BPF_MOV64_IMM(BPF_REG_1, 4),
5026 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5027 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5028 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5029 offsetof(struct test_val, foo)),
5032 .fixup_map_hash_48b = { 3 },
5033 .errstr_unpriv = "R0 leaks addr",
5034 .result_unpriv = REJECT,
5036 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5039 "valid map access into an array with a variable",
5041 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5042 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5044 BPF_LD_MAP_FD(BPF_REG_1, 0),
5045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5046 BPF_FUNC_map_lookup_elem),
5047 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5048 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5049 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
5050 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5051 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5052 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5053 offsetof(struct test_val, foo)),
5056 .fixup_map_hash_48b = { 3 },
5057 .errstr_unpriv = "R0 leaks addr",
5058 .result_unpriv = REJECT,
5060 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5063 "valid map access into an array with a signed variable",
5065 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5066 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5068 BPF_LD_MAP_FD(BPF_REG_1, 0),
5069 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5070 BPF_FUNC_map_lookup_elem),
5071 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5072 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5073 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
5074 BPF_MOV32_IMM(BPF_REG_1, 0),
5075 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5076 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5077 BPF_MOV32_IMM(BPF_REG_1, 0),
5078 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5079 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5080 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5081 offsetof(struct test_val, foo)),
5084 .fixup_map_hash_48b = { 3 },
5085 .errstr_unpriv = "R0 leaks addr",
5086 .result_unpriv = REJECT,
5088 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5091 "invalid map access into an array with a constant",
5093 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5094 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5096 BPF_LD_MAP_FD(BPF_REG_1, 0),
5097 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5098 BPF_FUNC_map_lookup_elem),
5099 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5100 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
5101 offsetof(struct test_val, foo)),
5104 .fixup_map_hash_48b = { 3 },
5105 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
5109 "invalid map access into an array with a register",
5111 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5112 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5114 BPF_LD_MAP_FD(BPF_REG_1, 0),
5115 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5116 BPF_FUNC_map_lookup_elem),
5117 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5118 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
5119 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5120 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5121 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5122 offsetof(struct test_val, foo)),
5125 .fixup_map_hash_48b = { 3 },
5126 .errstr = "R0 min value is outside of the array range",
5128 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5131 "invalid map access into an array with a variable",
5133 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5134 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5136 BPF_LD_MAP_FD(BPF_REG_1, 0),
5137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5138 BPF_FUNC_map_lookup_elem),
5139 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5140 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5141 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5142 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5143 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5144 offsetof(struct test_val, foo)),
5147 .fixup_map_hash_48b = { 3 },
5148 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
5150 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5153 "invalid map access into an array with no floor check",
5155 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5156 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5158 BPF_LD_MAP_FD(BPF_REG_1, 0),
5159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5160 BPF_FUNC_map_lookup_elem),
5161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5162 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5163 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5164 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5165 BPF_MOV32_IMM(BPF_REG_1, 0),
5166 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5167 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5168 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5169 offsetof(struct test_val, foo)),
5172 .fixup_map_hash_48b = { 3 },
5173 .errstr_unpriv = "R0 leaks addr",
5174 .errstr = "R0 unbounded memory access",
5175 .result_unpriv = REJECT,
5177 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5180 "invalid map access into an array with a invalid max check",
5182 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5183 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5185 BPF_LD_MAP_FD(BPF_REG_1, 0),
5186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5187 BPF_FUNC_map_lookup_elem),
5188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5189 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5190 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
5191 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
5192 BPF_MOV32_IMM(BPF_REG_1, 0),
5193 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5194 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5195 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5196 offsetof(struct test_val, foo)),
5199 .fixup_map_hash_48b = { 3 },
5200 .errstr_unpriv = "R0 leaks addr",
5201 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
5202 .result_unpriv = REJECT,
5204 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5207 "invalid map access into an array with a invalid max check",
5209 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5210 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5212 BPF_LD_MAP_FD(BPF_REG_1, 0),
5213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5214 BPF_FUNC_map_lookup_elem),
5215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5216 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5217 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5218 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5220 BPF_LD_MAP_FD(BPF_REG_1, 0),
5221 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5222 BPF_FUNC_map_lookup_elem),
5223 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5224 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
5226 offsetof(struct test_val, foo)),
5229 .fixup_map_hash_48b = { 3, 11 },
5230 .errstr = "R0 pointer += pointer",
5232 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5235 "direct packet read test#1 for CGROUP_SKB",
5237 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5238 offsetof(struct __sk_buff, data)),
5239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5240 offsetof(struct __sk_buff, data_end)),
5241 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5242 offsetof(struct __sk_buff, len)),
5243 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5244 offsetof(struct __sk_buff, pkt_type)),
5245 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5246 offsetof(struct __sk_buff, mark)),
5247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5248 offsetof(struct __sk_buff, mark)),
5249 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5250 offsetof(struct __sk_buff, queue_mapping)),
5251 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5252 offsetof(struct __sk_buff, protocol)),
5253 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5254 offsetof(struct __sk_buff, vlan_present)),
5255 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5257 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5258 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5259 BPF_MOV64_IMM(BPF_REG_0, 0),
5263 .result_unpriv = REJECT,
5264 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
5265 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5268 "direct packet read test#2 for CGROUP_SKB",
5270 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5271 offsetof(struct __sk_buff, vlan_tci)),
5272 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5273 offsetof(struct __sk_buff, vlan_proto)),
5274 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5275 offsetof(struct __sk_buff, priority)),
5276 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5277 offsetof(struct __sk_buff, priority)),
5278 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5279 offsetof(struct __sk_buff,
5281 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5282 offsetof(struct __sk_buff, tc_index)),
5283 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5284 offsetof(struct __sk_buff, hash)),
5285 BPF_MOV64_IMM(BPF_REG_0, 0),
5289 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5292 "direct packet read test#3 for CGROUP_SKB",
5294 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5295 offsetof(struct __sk_buff, cb[0])),
5296 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5297 offsetof(struct __sk_buff, cb[1])),
5298 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5299 offsetof(struct __sk_buff, cb[2])),
5300 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5301 offsetof(struct __sk_buff, cb[3])),
5302 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5303 offsetof(struct __sk_buff, cb[4])),
5304 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5305 offsetof(struct __sk_buff, napi_id)),
5306 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
5307 offsetof(struct __sk_buff, cb[0])),
5308 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
5309 offsetof(struct __sk_buff, cb[1])),
5310 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5311 offsetof(struct __sk_buff, cb[2])),
5312 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
5313 offsetof(struct __sk_buff, cb[3])),
5314 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
5315 offsetof(struct __sk_buff, cb[4])),
5316 BPF_MOV64_IMM(BPF_REG_0, 0),
5320 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5323 "direct packet read test#4 for CGROUP_SKB",
5325 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5326 offsetof(struct __sk_buff, family)),
5327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5328 offsetof(struct __sk_buff, remote_ip4)),
5329 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5330 offsetof(struct __sk_buff, local_ip4)),
5331 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5332 offsetof(struct __sk_buff, remote_ip6[0])),
5333 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5334 offsetof(struct __sk_buff, remote_ip6[1])),
5335 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5336 offsetof(struct __sk_buff, remote_ip6[2])),
5337 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5338 offsetof(struct __sk_buff, remote_ip6[3])),
5339 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5340 offsetof(struct __sk_buff, local_ip6[0])),
5341 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5342 offsetof(struct __sk_buff, local_ip6[1])),
5343 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5344 offsetof(struct __sk_buff, local_ip6[2])),
5345 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5346 offsetof(struct __sk_buff, local_ip6[3])),
5347 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5348 offsetof(struct __sk_buff, remote_port)),
5349 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5350 offsetof(struct __sk_buff, local_port)),
5351 BPF_MOV64_IMM(BPF_REG_0, 0),
5355 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5358 "invalid access of tc_classid for CGROUP_SKB",
5360 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5361 offsetof(struct __sk_buff, tc_classid)),
5362 BPF_MOV64_IMM(BPF_REG_0, 0),
5366 .errstr = "invalid bpf_context access",
5367 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5370 "invalid access of data_meta for CGROUP_SKB",
5372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5373 offsetof(struct __sk_buff, data_meta)),
5374 BPF_MOV64_IMM(BPF_REG_0, 0),
5378 .errstr = "invalid bpf_context access",
5379 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5382 "invalid access of flow_keys for CGROUP_SKB",
5384 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5385 offsetof(struct __sk_buff, flow_keys)),
5386 BPF_MOV64_IMM(BPF_REG_0, 0),
5390 .errstr = "invalid bpf_context access",
5391 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5394 "invalid write access to napi_id for CGROUP_SKB",
5396 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5397 offsetof(struct __sk_buff, napi_id)),
5398 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5399 offsetof(struct __sk_buff, napi_id)),
5400 BPF_MOV64_IMM(BPF_REG_0, 0),
5404 .errstr = "invalid bpf_context access",
5405 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5408 "valid cgroup storage access",
5410 BPF_MOV64_IMM(BPF_REG_2, 0),
5411 BPF_LD_MAP_FD(BPF_REG_1, 0),
5412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5413 BPF_FUNC_get_local_storage),
5414 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5415 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5416 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5419 .fixup_cgroup_storage = { 1 },
5421 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5424 "invalid cgroup storage access 1",
5426 BPF_MOV64_IMM(BPF_REG_2, 0),
5427 BPF_LD_MAP_FD(BPF_REG_1, 0),
5428 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5429 BPF_FUNC_get_local_storage),
5430 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5431 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5432 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5435 .fixup_map_hash_8b = { 1 },
5437 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5438 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5441 "invalid cgroup storage access 2",
5443 BPF_MOV64_IMM(BPF_REG_2, 0),
5444 BPF_LD_MAP_FD(BPF_REG_1, 1),
5445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5446 BPF_FUNC_get_local_storage),
5447 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5451 .errstr = "fd 1 is not pointing to valid bpf_map",
5452 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5455 "invalid cgroup storage access 3",
5457 BPF_MOV64_IMM(BPF_REG_2, 0),
5458 BPF_LD_MAP_FD(BPF_REG_1, 0),
5459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5460 BPF_FUNC_get_local_storage),
5461 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5463 BPF_MOV64_IMM(BPF_REG_0, 0),
5466 .fixup_cgroup_storage = { 1 },
5468 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5469 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5472 "invalid cgroup storage access 4",
5474 BPF_MOV64_IMM(BPF_REG_2, 0),
5475 BPF_LD_MAP_FD(BPF_REG_1, 0),
5476 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5477 BPF_FUNC_get_local_storage),
5478 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5479 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5483 .fixup_cgroup_storage = { 1 },
5485 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5486 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5487 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5490 "invalid cgroup storage access 5",
5492 BPF_MOV64_IMM(BPF_REG_2, 7),
5493 BPF_LD_MAP_FD(BPF_REG_1, 0),
5494 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5495 BPF_FUNC_get_local_storage),
5496 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5498 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5501 .fixup_cgroup_storage = { 1 },
5503 .errstr = "get_local_storage() doesn't support non-zero flags",
5504 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5507 "invalid cgroup storage access 6",
5509 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5510 BPF_LD_MAP_FD(BPF_REG_1, 0),
5511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5512 BPF_FUNC_get_local_storage),
5513 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5514 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5515 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5518 .fixup_cgroup_storage = { 1 },
5520 .errstr = "get_local_storage() doesn't support non-zero flags",
5521 .errstr_unpriv = "R2 leaks addr into helper function",
5522 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5525 "valid per-cpu cgroup storage access",
5527 BPF_MOV64_IMM(BPF_REG_2, 0),
5528 BPF_LD_MAP_FD(BPF_REG_1, 0),
5529 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5530 BPF_FUNC_get_local_storage),
5531 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5532 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5533 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5536 .fixup_percpu_cgroup_storage = { 1 },
5538 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5541 "invalid per-cpu cgroup storage access 1",
5543 BPF_MOV64_IMM(BPF_REG_2, 0),
5544 BPF_LD_MAP_FD(BPF_REG_1, 0),
5545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5546 BPF_FUNC_get_local_storage),
5547 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5548 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5549 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5552 .fixup_map_hash_8b = { 1 },
5554 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5555 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5558 "invalid per-cpu cgroup storage access 2",
5560 BPF_MOV64_IMM(BPF_REG_2, 0),
5561 BPF_LD_MAP_FD(BPF_REG_1, 1),
5562 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5563 BPF_FUNC_get_local_storage),
5564 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5568 .errstr = "fd 1 is not pointing to valid bpf_map",
5569 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5572 "invalid per-cpu cgroup storage access 3",
5574 BPF_MOV64_IMM(BPF_REG_2, 0),
5575 BPF_LD_MAP_FD(BPF_REG_1, 0),
5576 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5577 BPF_FUNC_get_local_storage),
5578 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5580 BPF_MOV64_IMM(BPF_REG_0, 0),
5583 .fixup_percpu_cgroup_storage = { 1 },
5585 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5586 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5589 "invalid per-cpu cgroup storage access 4",
5591 BPF_MOV64_IMM(BPF_REG_2, 0),
5592 BPF_LD_MAP_FD(BPF_REG_1, 0),
5593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5594 BPF_FUNC_get_local_storage),
5595 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5596 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5600 .fixup_cgroup_storage = { 1 },
5602 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5603 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5604 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5607 "invalid per-cpu cgroup storage access 5",
5609 BPF_MOV64_IMM(BPF_REG_2, 7),
5610 BPF_LD_MAP_FD(BPF_REG_1, 0),
5611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5612 BPF_FUNC_get_local_storage),
5613 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5614 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5615 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5618 .fixup_percpu_cgroup_storage = { 1 },
5620 .errstr = "get_local_storage() doesn't support non-zero flags",
5621 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5624 "invalid per-cpu cgroup storage access 6",
5626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5627 BPF_LD_MAP_FD(BPF_REG_1, 0),
5628 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5629 BPF_FUNC_get_local_storage),
5630 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5631 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5632 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5635 .fixup_percpu_cgroup_storage = { 1 },
5637 .errstr = "get_local_storage() doesn't support non-zero flags",
5638 .errstr_unpriv = "R2 leaks addr into helper function",
5639 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5642 "write tstamp from CGROUP_SKB",
5644 BPF_MOV64_IMM(BPF_REG_0, 0),
5645 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5646 offsetof(struct __sk_buff, tstamp)),
5647 BPF_MOV64_IMM(BPF_REG_0, 0),
5651 .result_unpriv = REJECT,
5652 .errstr_unpriv = "invalid bpf_context access off=152 size=8",
5653 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5656 "read tstamp from CGROUP_SKB",
5658 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5659 offsetof(struct __sk_buff, tstamp)),
5660 BPF_MOV64_IMM(BPF_REG_0, 0),
5664 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5667 "read gso_segs from CGROUP_SKB",
5669 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5670 offsetof(struct __sk_buff, gso_segs)),
5671 BPF_MOV64_IMM(BPF_REG_0, 0),
5675 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5678 "write gso_segs from CGROUP_SKB",
5680 BPF_MOV64_IMM(BPF_REG_0, 0),
5681 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
5682 offsetof(struct __sk_buff, gso_segs)),
5683 BPF_MOV64_IMM(BPF_REG_0, 0),
5687 .result_unpriv = REJECT,
5688 .errstr = "invalid bpf_context access off=164 size=4",
5689 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5692 "read gso_segs from CLS",
5694 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5695 offsetof(struct __sk_buff, gso_segs)),
5696 BPF_MOV64_IMM(BPF_REG_0, 0),
5700 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5703 "multiple registers share map_lookup_elem result",
5705 BPF_MOV64_IMM(BPF_REG_1, 10),
5706 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5709 BPF_LD_MAP_FD(BPF_REG_1, 0),
5710 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5711 BPF_FUNC_map_lookup_elem),
5712 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5714 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5717 .fixup_map_hash_8b = { 4 },
5719 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5722 "alu ops on ptr_to_map_value_or_null, 1",
5724 BPF_MOV64_IMM(BPF_REG_1, 10),
5725 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5726 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5728 BPF_LD_MAP_FD(BPF_REG_1, 0),
5729 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5730 BPF_FUNC_map_lookup_elem),
5731 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5734 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5735 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5738 .fixup_map_hash_8b = { 4 },
5739 .errstr = "R4 pointer arithmetic on map_value_or_null",
5741 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5744 "alu ops on ptr_to_map_value_or_null, 2",
5746 BPF_MOV64_IMM(BPF_REG_1, 10),
5747 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5748 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5750 BPF_LD_MAP_FD(BPF_REG_1, 0),
5751 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5752 BPF_FUNC_map_lookup_elem),
5753 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5754 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5755 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5756 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5759 .fixup_map_hash_8b = { 4 },
5760 .errstr = "R4 pointer arithmetic on map_value_or_null",
5762 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5765 "alu ops on ptr_to_map_value_or_null, 3",
5767 BPF_MOV64_IMM(BPF_REG_1, 10),
5768 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5771 BPF_LD_MAP_FD(BPF_REG_1, 0),
5772 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5773 BPF_FUNC_map_lookup_elem),
5774 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5775 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5777 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5780 .fixup_map_hash_8b = { 4 },
5781 .errstr = "R4 pointer arithmetic on map_value_or_null",
5783 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5786 "invalid memory access with multiple map_lookup_elem calls",
5788 BPF_MOV64_IMM(BPF_REG_1, 10),
5789 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5792 BPF_LD_MAP_FD(BPF_REG_1, 0),
5793 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5794 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5796 BPF_FUNC_map_lookup_elem),
5797 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5799 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5800 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5801 BPF_FUNC_map_lookup_elem),
5802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5803 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5806 .fixup_map_hash_8b = { 4 },
5808 .errstr = "R4 !read_ok",
5809 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5812 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5814 BPF_MOV64_IMM(BPF_REG_1, 10),
5815 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5818 BPF_LD_MAP_FD(BPF_REG_1, 0),
5819 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5820 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5821 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5822 BPF_FUNC_map_lookup_elem),
5823 BPF_MOV64_IMM(BPF_REG_2, 10),
5824 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5826 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5828 BPF_FUNC_map_lookup_elem),
5829 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5831 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5834 .fixup_map_hash_8b = { 4 },
5836 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5839 "invalid map access from else condition",
5841 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5842 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5844 BPF_LD_MAP_FD(BPF_REG_1, 0),
5845 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5847 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5848 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5849 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5850 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5851 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5852 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5855 .fixup_map_hash_48b = { 3 },
5856 .errstr = "R0 unbounded memory access",
5858 .errstr_unpriv = "R0 leaks addr",
5859 .result_unpriv = REJECT,
5860 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5863 "constant register |= constant should keep constant type",
5865 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5867 BPF_MOV64_IMM(BPF_REG_2, 34),
5868 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5869 BPF_MOV64_IMM(BPF_REG_3, 0),
5870 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5874 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5877 "constant register |= constant should not bypass stack boundary checks",
5879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5881 BPF_MOV64_IMM(BPF_REG_2, 34),
5882 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5883 BPF_MOV64_IMM(BPF_REG_3, 0),
5884 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5887 .errstr = "invalid stack type R1 off=-48 access_size=58",
5889 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5892 "constant register |= constant register should keep constant type",
5894 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5896 BPF_MOV64_IMM(BPF_REG_2, 34),
5897 BPF_MOV64_IMM(BPF_REG_4, 13),
5898 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5899 BPF_MOV64_IMM(BPF_REG_3, 0),
5900 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5904 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5907 "constant register |= constant register should not bypass stack boundary checks",
5909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5911 BPF_MOV64_IMM(BPF_REG_2, 34),
5912 BPF_MOV64_IMM(BPF_REG_4, 24),
5913 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5914 BPF_MOV64_IMM(BPF_REG_3, 0),
5915 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5918 .errstr = "invalid stack type R1 off=-48 access_size=58",
5920 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5923 "invalid direct packet write for LWT_IN",
5925 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5926 offsetof(struct __sk_buff, data)),
5927 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5928 offsetof(struct __sk_buff, data_end)),
5929 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5931 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5932 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5933 BPF_MOV64_IMM(BPF_REG_0, 0),
5936 .errstr = "cannot write into packet",
5938 .prog_type = BPF_PROG_TYPE_LWT_IN,
5941 "invalid direct packet write for LWT_OUT",
5943 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5944 offsetof(struct __sk_buff, data)),
5945 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5946 offsetof(struct __sk_buff, data_end)),
5947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5949 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5950 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5951 BPF_MOV64_IMM(BPF_REG_0, 0),
5954 .errstr = "cannot write into packet",
5956 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5959 "direct packet write for LWT_XMIT",
5961 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5962 offsetof(struct __sk_buff, data)),
5963 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5964 offsetof(struct __sk_buff, data_end)),
5965 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5967 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5968 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5969 BPF_MOV64_IMM(BPF_REG_0, 0),
5973 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5976 "direct packet read for LWT_IN",
5978 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5979 offsetof(struct __sk_buff, data)),
5980 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5981 offsetof(struct __sk_buff, data_end)),
5982 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5984 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5985 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5986 BPF_MOV64_IMM(BPF_REG_0, 0),
5990 .prog_type = BPF_PROG_TYPE_LWT_IN,
5993 "direct packet read for LWT_OUT",
5995 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5996 offsetof(struct __sk_buff, data)),
5997 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5998 offsetof(struct __sk_buff, data_end)),
5999 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6001 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6002 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6003 BPF_MOV64_IMM(BPF_REG_0, 0),
6007 .prog_type = BPF_PROG_TYPE_LWT_OUT,
6010 "direct packet read for LWT_XMIT",
6012 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6013 offsetof(struct __sk_buff, data)),
6014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6015 offsetof(struct __sk_buff, data_end)),
6016 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6018 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6020 BPF_MOV64_IMM(BPF_REG_0, 0),
6024 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
6027 "overlapping checks for direct packet access",
6029 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6030 offsetof(struct __sk_buff, data)),
6031 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6032 offsetof(struct __sk_buff, data_end)),
6033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6035 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
6036 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
6037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
6038 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
6039 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
6040 BPF_MOV64_IMM(BPF_REG_0, 0),
6044 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
6047 "make headroom for LWT_XMIT",
6049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6050 BPF_MOV64_IMM(BPF_REG_2, 34),
6051 BPF_MOV64_IMM(BPF_REG_3, 0),
6052 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6053 /* split for s390 to succeed */
6054 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6055 BPF_MOV64_IMM(BPF_REG_2, 42),
6056 BPF_MOV64_IMM(BPF_REG_3, 0),
6057 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6058 BPF_MOV64_IMM(BPF_REG_0, 0),
6062 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
6065 "invalid access of tc_classid for LWT_IN",
6067 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6068 offsetof(struct __sk_buff, tc_classid)),
6072 .errstr = "invalid bpf_context access",
6075 "invalid access of tc_classid for LWT_OUT",
6077 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6078 offsetof(struct __sk_buff, tc_classid)),
6082 .errstr = "invalid bpf_context access",
6085 "invalid access of tc_classid for LWT_XMIT",
6087 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6088 offsetof(struct __sk_buff, tc_classid)),
6092 .errstr = "invalid bpf_context access",
6095 "leak pointer into ctx 1",
6097 BPF_MOV64_IMM(BPF_REG_0, 0),
6098 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6099 offsetof(struct __sk_buff, cb[0])),
6100 BPF_LD_MAP_FD(BPF_REG_2, 0),
6101 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
6102 offsetof(struct __sk_buff, cb[0])),
6105 .fixup_map_hash_8b = { 2 },
6106 .errstr_unpriv = "R2 leaks addr into mem",
6107 .result_unpriv = REJECT,
6109 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6112 "leak pointer into ctx 2",
6114 BPF_MOV64_IMM(BPF_REG_0, 0),
6115 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6116 offsetof(struct __sk_buff, cb[0])),
6117 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
6118 offsetof(struct __sk_buff, cb[0])),
6121 .errstr_unpriv = "R10 leaks addr into mem",
6122 .result_unpriv = REJECT,
6124 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6127 "leak pointer into ctx 3",
6129 BPF_MOV64_IMM(BPF_REG_0, 0),
6130 BPF_LD_MAP_FD(BPF_REG_2, 0),
6131 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
6132 offsetof(struct __sk_buff, cb[0])),
6135 .fixup_map_hash_8b = { 1 },
6136 .errstr_unpriv = "R2 leaks addr into ctx",
6137 .result_unpriv = REJECT,
6141 "leak pointer into map val",
6143 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6144 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6145 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6147 BPF_LD_MAP_FD(BPF_REG_1, 0),
6148 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6149 BPF_FUNC_map_lookup_elem),
6150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6151 BPF_MOV64_IMM(BPF_REG_3, 0),
6152 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
6153 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
6154 BPF_MOV64_IMM(BPF_REG_0, 0),
6157 .fixup_map_hash_8b = { 4 },
6158 .errstr_unpriv = "R6 leaks addr into mem",
6159 .result_unpriv = REJECT,
6163 "helper access to map: full range",
6165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6167 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6168 BPF_LD_MAP_FD(BPF_REG_1, 0),
6169 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6171 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6172 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6173 BPF_MOV64_IMM(BPF_REG_3, 0),
6174 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6177 .fixup_map_hash_48b = { 3 },
6179 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6182 "helper access to map: partial range",
6184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6186 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6187 BPF_LD_MAP_FD(BPF_REG_1, 0),
6188 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6189 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6190 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6191 BPF_MOV64_IMM(BPF_REG_2, 8),
6192 BPF_MOV64_IMM(BPF_REG_3, 0),
6193 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6196 .fixup_map_hash_48b = { 3 },
6198 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6201 "helper access to map: empty range",
6203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6205 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6206 BPF_LD_MAP_FD(BPF_REG_1, 0),
6207 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6209 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6210 BPF_MOV64_IMM(BPF_REG_2, 0),
6211 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6214 .fixup_map_hash_48b = { 3 },
6215 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
6217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6220 "helper access to map: out-of-bound range",
6222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6224 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6225 BPF_LD_MAP_FD(BPF_REG_1, 0),
6226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6227 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6229 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
6230 BPF_MOV64_IMM(BPF_REG_3, 0),
6231 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6234 .fixup_map_hash_48b = { 3 },
6235 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
6237 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6240 "helper access to map: negative range",
6242 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6243 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6244 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6245 BPF_LD_MAP_FD(BPF_REG_1, 0),
6246 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6249 BPF_MOV64_IMM(BPF_REG_2, -8),
6250 BPF_MOV64_IMM(BPF_REG_3, 0),
6251 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6254 .fixup_map_hash_48b = { 3 },
6255 .errstr = "R2 min value is negative",
6257 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6260 "helper access to adjusted map (via const imm): full range",
6262 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6264 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6265 BPF_LD_MAP_FD(BPF_REG_1, 0),
6266 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6268 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6269 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6270 offsetof(struct test_val, foo)),
6271 BPF_MOV64_IMM(BPF_REG_2,
6272 sizeof(struct test_val) -
6273 offsetof(struct test_val, foo)),
6274 BPF_MOV64_IMM(BPF_REG_3, 0),
6275 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6278 .fixup_map_hash_48b = { 3 },
6280 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6283 "helper access to adjusted map (via const imm): partial range",
6285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6288 BPF_LD_MAP_FD(BPF_REG_1, 0),
6289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6293 offsetof(struct test_val, foo)),
6294 BPF_MOV64_IMM(BPF_REG_2, 8),
6295 BPF_MOV64_IMM(BPF_REG_3, 0),
6296 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6299 .fixup_map_hash_48b = { 3 },
6301 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6304 "helper access to adjusted map (via const imm): empty range",
6306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6308 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6309 BPF_LD_MAP_FD(BPF_REG_1, 0),
6310 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6312 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6314 offsetof(struct test_val, foo)),
6315 BPF_MOV64_IMM(BPF_REG_2, 0),
6316 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6319 .fixup_map_hash_48b = { 3 },
6320 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
6322 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6325 "helper access to adjusted map (via const imm): out-of-bound range",
6327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6329 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6330 BPF_LD_MAP_FD(BPF_REG_1, 0),
6331 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6333 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6335 offsetof(struct test_val, foo)),
6336 BPF_MOV64_IMM(BPF_REG_2,
6337 sizeof(struct test_val) -
6338 offsetof(struct test_val, foo) + 8),
6339 BPF_MOV64_IMM(BPF_REG_3, 0),
6340 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6343 .fixup_map_hash_48b = { 3 },
6344 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6346 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6349 "helper access to adjusted map (via const imm): negative range (> adjustment)",
6351 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6353 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6354 BPF_LD_MAP_FD(BPF_REG_1, 0),
6355 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6356 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6359 offsetof(struct test_val, foo)),
6360 BPF_MOV64_IMM(BPF_REG_2, -8),
6361 BPF_MOV64_IMM(BPF_REG_3, 0),
6362 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6365 .fixup_map_hash_48b = { 3 },
6366 .errstr = "R2 min value is negative",
6368 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6371 "helper access to adjusted map (via const imm): negative range (< adjustment)",
6373 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6375 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6376 BPF_LD_MAP_FD(BPF_REG_1, 0),
6377 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6378 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6381 offsetof(struct test_val, foo)),
6382 BPF_MOV64_IMM(BPF_REG_2, -1),
6383 BPF_MOV64_IMM(BPF_REG_3, 0),
6384 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6387 .fixup_map_hash_48b = { 3 },
6388 .errstr = "R2 min value is negative",
6390 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6393 "helper access to adjusted map (via const reg): full range",
6395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6397 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6398 BPF_LD_MAP_FD(BPF_REG_1, 0),
6399 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6401 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6402 BPF_MOV64_IMM(BPF_REG_3,
6403 offsetof(struct test_val, foo)),
6404 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6405 BPF_MOV64_IMM(BPF_REG_2,
6406 sizeof(struct test_val) -
6407 offsetof(struct test_val, foo)),
6408 BPF_MOV64_IMM(BPF_REG_3, 0),
6409 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6412 .fixup_map_hash_48b = { 3 },
6414 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6417 "helper access to adjusted map (via const reg): partial range",
6419 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6421 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6422 BPF_LD_MAP_FD(BPF_REG_1, 0),
6423 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6424 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6425 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6426 BPF_MOV64_IMM(BPF_REG_3,
6427 offsetof(struct test_val, foo)),
6428 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6429 BPF_MOV64_IMM(BPF_REG_2, 8),
6430 BPF_MOV64_IMM(BPF_REG_3, 0),
6431 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6434 .fixup_map_hash_48b = { 3 },
6436 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6439 "helper access to adjusted map (via const reg): empty range",
6441 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6443 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6444 BPF_LD_MAP_FD(BPF_REG_1, 0),
6445 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6446 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6448 BPF_MOV64_IMM(BPF_REG_3, 0),
6449 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6450 BPF_MOV64_IMM(BPF_REG_2, 0),
6451 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6454 .fixup_map_hash_48b = { 3 },
6455 .errstr = "R1 min value is outside of the array range",
6457 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6460 "helper access to adjusted map (via const reg): out-of-bound range",
6462 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6464 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6465 BPF_LD_MAP_FD(BPF_REG_1, 0),
6466 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6467 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6468 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6469 BPF_MOV64_IMM(BPF_REG_3,
6470 offsetof(struct test_val, foo)),
6471 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6472 BPF_MOV64_IMM(BPF_REG_2,
6473 sizeof(struct test_val) -
6474 offsetof(struct test_val, foo) + 8),
6475 BPF_MOV64_IMM(BPF_REG_3, 0),
6476 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6479 .fixup_map_hash_48b = { 3 },
6480 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6482 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6485 "helper access to adjusted map (via const reg): negative range (> adjustment)",
6487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6489 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6490 BPF_LD_MAP_FD(BPF_REG_1, 0),
6491 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6492 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6493 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6494 BPF_MOV64_IMM(BPF_REG_3,
6495 offsetof(struct test_val, foo)),
6496 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6497 BPF_MOV64_IMM(BPF_REG_2, -8),
6498 BPF_MOV64_IMM(BPF_REG_3, 0),
6499 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6502 .fixup_map_hash_48b = { 3 },
6503 .errstr = "R2 min value is negative",
6505 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6508 "helper access to adjusted map (via const reg): negative range (< adjustment)",
6510 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6512 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6513 BPF_LD_MAP_FD(BPF_REG_1, 0),
6514 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6515 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6516 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6517 BPF_MOV64_IMM(BPF_REG_3,
6518 offsetof(struct test_val, foo)),
6519 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6520 BPF_MOV64_IMM(BPF_REG_2, -1),
6521 BPF_MOV64_IMM(BPF_REG_3, 0),
6522 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6525 .fixup_map_hash_48b = { 3 },
6526 .errstr = "R2 min value is negative",
6528 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6531 "helper access to adjusted map (via variable): full range",
6533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6535 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6536 BPF_LD_MAP_FD(BPF_REG_1, 0),
6537 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6538 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6540 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6541 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6542 offsetof(struct test_val, foo), 4),
6543 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6544 BPF_MOV64_IMM(BPF_REG_2,
6545 sizeof(struct test_val) -
6546 offsetof(struct test_val, foo)),
6547 BPF_MOV64_IMM(BPF_REG_3, 0),
6548 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6551 .fixup_map_hash_48b = { 3 },
6553 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6556 "helper access to adjusted map (via variable): partial range",
6558 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6560 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6561 BPF_LD_MAP_FD(BPF_REG_1, 0),
6562 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6563 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6564 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6565 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6566 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6567 offsetof(struct test_val, foo), 4),
6568 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6569 BPF_MOV64_IMM(BPF_REG_2, 8),
6570 BPF_MOV64_IMM(BPF_REG_3, 0),
6571 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6574 .fixup_map_hash_48b = { 3 },
6576 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6579 "helper access to adjusted map (via variable): empty range",
6581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6583 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6584 BPF_LD_MAP_FD(BPF_REG_1, 0),
6585 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6588 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6589 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6590 offsetof(struct test_val, foo), 3),
6591 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6592 BPF_MOV64_IMM(BPF_REG_2, 0),
6593 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6596 .fixup_map_hash_48b = { 3 },
6597 .errstr = "R1 min value is outside of the array range",
6599 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6602 "helper access to adjusted map (via variable): no max check",
6604 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6606 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6607 BPF_LD_MAP_FD(BPF_REG_1, 0),
6608 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6609 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6610 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6611 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6612 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6613 BPF_MOV64_IMM(BPF_REG_2, 1),
6614 BPF_MOV64_IMM(BPF_REG_3, 0),
6615 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6618 .fixup_map_hash_48b = { 3 },
6619 .errstr = "R1 unbounded memory access",
6621 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6624 "helper access to adjusted map (via variable): wrong max check",
6626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6628 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6629 BPF_LD_MAP_FD(BPF_REG_1, 0),
6630 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6632 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6633 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6634 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6635 offsetof(struct test_val, foo), 4),
6636 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6637 BPF_MOV64_IMM(BPF_REG_2,
6638 sizeof(struct test_val) -
6639 offsetof(struct test_val, foo) + 1),
6640 BPF_MOV64_IMM(BPF_REG_3, 0),
6641 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6644 .fixup_map_hash_48b = { 3 },
6645 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
6647 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6650 "helper access to map: bounds check using <, good access",
6652 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6654 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6655 BPF_LD_MAP_FD(BPF_REG_1, 0),
6656 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6658 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6659 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6660 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6661 BPF_MOV64_IMM(BPF_REG_0, 0),
6663 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6664 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6665 BPF_MOV64_IMM(BPF_REG_0, 0),
6668 .fixup_map_hash_48b = { 3 },
6670 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6673 "helper access to map: bounds check using <, bad access",
6675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6677 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6678 BPF_LD_MAP_FD(BPF_REG_1, 0),
6679 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6681 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6682 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6683 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6684 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6685 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6686 BPF_MOV64_IMM(BPF_REG_0, 0),
6688 BPF_MOV64_IMM(BPF_REG_0, 0),
6691 .fixup_map_hash_48b = { 3 },
6693 .errstr = "R1 unbounded memory access",
6694 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6697 "helper access to map: bounds check using <=, good access",
6699 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6701 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6702 BPF_LD_MAP_FD(BPF_REG_1, 0),
6703 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6705 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6707 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6708 BPF_MOV64_IMM(BPF_REG_0, 0),
6710 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6711 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6712 BPF_MOV64_IMM(BPF_REG_0, 0),
6715 .fixup_map_hash_48b = { 3 },
6717 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6720 "helper access to map: bounds check using <=, bad access",
6722 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6724 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6725 BPF_LD_MAP_FD(BPF_REG_1, 0),
6726 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6727 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6729 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6730 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6731 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6732 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6733 BPF_MOV64_IMM(BPF_REG_0, 0),
6735 BPF_MOV64_IMM(BPF_REG_0, 0),
6738 .fixup_map_hash_48b = { 3 },
6740 .errstr = "R1 unbounded memory access",
6741 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6744 "helper access to map: bounds check using s<, good access",
6746 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6748 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6749 BPF_LD_MAP_FD(BPF_REG_1, 0),
6750 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6753 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6754 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6755 BPF_MOV64_IMM(BPF_REG_0, 0),
6757 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6758 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6759 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6760 BPF_MOV64_IMM(BPF_REG_0, 0),
6763 .fixup_map_hash_48b = { 3 },
6765 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6768 "helper access to map: bounds check using s<, good access 2",
6770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6772 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6773 BPF_LD_MAP_FD(BPF_REG_1, 0),
6774 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6776 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6777 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6778 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6779 BPF_MOV64_IMM(BPF_REG_0, 0),
6781 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6782 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6783 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6784 BPF_MOV64_IMM(BPF_REG_0, 0),
6787 .fixup_map_hash_48b = { 3 },
6789 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6792 "helper access to map: bounds check using s<, bad access",
6794 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6795 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6796 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6797 BPF_LD_MAP_FD(BPF_REG_1, 0),
6798 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6800 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6801 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6802 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6803 BPF_MOV64_IMM(BPF_REG_0, 0),
6805 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6806 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6807 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6808 BPF_MOV64_IMM(BPF_REG_0, 0),
6811 .fixup_map_hash_48b = { 3 },
6813 .errstr = "R1 min value is negative",
6814 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6817 "helper access to map: bounds check using s<=, good access",
6819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6821 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6822 BPF_LD_MAP_FD(BPF_REG_1, 0),
6823 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6826 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6827 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6828 BPF_MOV64_IMM(BPF_REG_0, 0),
6830 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6831 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6832 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6833 BPF_MOV64_IMM(BPF_REG_0, 0),
6836 .fixup_map_hash_48b = { 3 },
6838 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6841 "helper access to map: bounds check using s<=, good access 2",
6843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6845 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6846 BPF_LD_MAP_FD(BPF_REG_1, 0),
6847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6850 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6851 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6852 BPF_MOV64_IMM(BPF_REG_0, 0),
6854 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6855 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6856 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6857 BPF_MOV64_IMM(BPF_REG_0, 0),
6860 .fixup_map_hash_48b = { 3 },
6862 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6865 "helper access to map: bounds check using s<=, bad access",
6867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6869 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6870 BPF_LD_MAP_FD(BPF_REG_1, 0),
6871 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6872 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6873 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6874 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6875 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6876 BPF_MOV64_IMM(BPF_REG_0, 0),
6878 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6879 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6880 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6881 BPF_MOV64_IMM(BPF_REG_0, 0),
6884 .fixup_map_hash_48b = { 3 },
6886 .errstr = "R1 min value is negative",
6887 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6890 "map access: known scalar += value_ptr from different maps",
6892 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6893 offsetof(struct __sk_buff, len)),
6894 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6897 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6898 BPF_LD_MAP_FD(BPF_REG_1, 0),
6899 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6900 BPF_LD_MAP_FD(BPF_REG_1, 0),
6901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6902 BPF_FUNC_map_lookup_elem),
6903 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6904 BPF_MOV64_IMM(BPF_REG_1, 4),
6905 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6906 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6907 BPF_MOV64_IMM(BPF_REG_0, 1),
6910 .fixup_map_hash_16b = { 5 },
6911 .fixup_map_array_48b = { 8 },
6913 .result_unpriv = REJECT,
6914 .errstr_unpriv = "R1 tried to add from different maps",
6918 "map access: value_ptr -= known scalar from different maps",
6920 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6921 offsetof(struct __sk_buff, len)),
6922 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6925 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6926 BPF_LD_MAP_FD(BPF_REG_1, 0),
6927 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6928 BPF_LD_MAP_FD(BPF_REG_1, 0),
6929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6930 BPF_FUNC_map_lookup_elem),
6931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6932 BPF_MOV64_IMM(BPF_REG_1, 4),
6933 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6934 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6935 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6936 BPF_MOV64_IMM(BPF_REG_0, 1),
6939 .fixup_map_hash_16b = { 5 },
6940 .fixup_map_array_48b = { 8 },
6942 .result_unpriv = REJECT,
6943 .errstr_unpriv = "R0 min value is outside of the array range",
6947 "map access: known scalar += value_ptr from different maps, but same value properties",
6949 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6950 offsetof(struct __sk_buff, len)),
6951 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6952 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6954 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6955 BPF_LD_MAP_FD(BPF_REG_1, 0),
6956 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6957 BPF_LD_MAP_FD(BPF_REG_1, 0),
6958 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6959 BPF_FUNC_map_lookup_elem),
6960 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6961 BPF_MOV64_IMM(BPF_REG_1, 4),
6962 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6964 BPF_MOV64_IMM(BPF_REG_0, 1),
6967 .fixup_map_hash_48b = { 5 },
6968 .fixup_map_array_48b = { 8 },
6973 "map access: mixing value pointer and scalar, 1",
6975 // load map value pointer into r0 and r2
6976 BPF_MOV64_IMM(BPF_REG_0, 1),
6977 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
6978 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
6979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
6980 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
6981 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6982 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
6984 // load some number from the map into r1
6985 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6986 // depending on r1, branch:
6987 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 3),
6989 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6990 BPF_MOV64_IMM(BPF_REG_3, 0),
6993 BPF_MOV64_IMM(BPF_REG_2, 0),
6994 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
6995 // common instruction
6996 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6997 // depending on r1, branch:
6998 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
7002 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
7003 // verifier follows fall-through
7004 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
7005 BPF_MOV64_IMM(BPF_REG_0, 0),
7007 // fake-dead code; targeted from branch A to
7008 // prevent dead code sanitization
7009 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7010 BPF_MOV64_IMM(BPF_REG_0, 0),
7013 .fixup_map_array_48b = { 1 },
7015 .result_unpriv = REJECT,
7016 .errstr_unpriv = "R2 tried to add from different pointers or scalars",
7020 "map access: mixing value pointer and scalar, 2",
7022 // load map value pointer into r0 and r2
7023 BPF_MOV64_IMM(BPF_REG_0, 1),
7024 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
7025 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
7026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
7027 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
7028 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7029 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7031 // load some number from the map into r1
7032 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7033 // depending on r1, branch:
7034 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
7036 BPF_MOV64_IMM(BPF_REG_2, 0),
7037 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
7040 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7041 BPF_MOV64_IMM(BPF_REG_3, 0),
7042 // common instruction
7043 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7044 // depending on r1, branch:
7045 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
7049 BPF_MOV64_IMM(BPF_REG_0, 0x13371337),
7050 // verifier follows fall-through
7051 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0x100000, 2),
7052 BPF_MOV64_IMM(BPF_REG_0, 0),
7054 // fake-dead code; targeted from branch A to
7055 // prevent dead code sanitization
7056 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7057 BPF_MOV64_IMM(BPF_REG_0, 0),
7060 .fixup_map_array_48b = { 1 },
7062 .result_unpriv = REJECT,
7063 .errstr_unpriv = "R2 tried to add from different maps or paths",
7067 "sanitation: alu with different scalars",
7069 BPF_MOV64_IMM(BPF_REG_0, 1),
7070 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
7071 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
7072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -16),
7073 BPF_ST_MEM(BPF_DW, BPF_REG_FP, -16, 0),
7074 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7075 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7077 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7078 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
7079 BPF_MOV64_IMM(BPF_REG_2, 0),
7080 BPF_MOV64_IMM(BPF_REG_3, 0x100000),
7082 BPF_MOV64_IMM(BPF_REG_2, 42),
7083 BPF_MOV64_IMM(BPF_REG_3, 0x100001),
7084 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7085 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7088 .fixup_map_array_48b = { 1 },
7093 "map access: value_ptr += known scalar, upper oob arith, test 1",
7095 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7096 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7098 BPF_LD_MAP_FD(BPF_REG_1, 0),
7099 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7100 BPF_FUNC_map_lookup_elem),
7101 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7102 BPF_MOV64_IMM(BPF_REG_1, 48),
7103 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7104 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7106 BPF_MOV64_IMM(BPF_REG_0, 1),
7109 .fixup_map_array_48b = { 3 },
7111 .result_unpriv = REJECT,
7112 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7116 "map access: value_ptr += known scalar, upper oob arith, test 2",
7118 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7119 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7121 BPF_LD_MAP_FD(BPF_REG_1, 0),
7122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7123 BPF_FUNC_map_lookup_elem),
7124 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7125 BPF_MOV64_IMM(BPF_REG_1, 49),
7126 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7127 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7128 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7129 BPF_MOV64_IMM(BPF_REG_0, 1),
7132 .fixup_map_array_48b = { 3 },
7134 .result_unpriv = REJECT,
7135 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7139 "map access: value_ptr += known scalar, upper oob arith, test 3",
7141 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7142 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7144 BPF_LD_MAP_FD(BPF_REG_1, 0),
7145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7146 BPF_FUNC_map_lookup_elem),
7147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7148 BPF_MOV64_IMM(BPF_REG_1, 47),
7149 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7150 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7151 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7152 BPF_MOV64_IMM(BPF_REG_0, 1),
7155 .fixup_map_array_48b = { 3 },
7157 .result_unpriv = REJECT,
7158 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7162 "map access: value_ptr -= known scalar, lower oob arith, test 1",
7164 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7167 BPF_LD_MAP_FD(BPF_REG_1, 0),
7168 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7169 BPF_FUNC_map_lookup_elem),
7170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7171 BPF_MOV64_IMM(BPF_REG_1, 47),
7172 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7173 BPF_MOV64_IMM(BPF_REG_1, 48),
7174 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7175 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7176 BPF_MOV64_IMM(BPF_REG_0, 1),
7179 .fixup_map_array_48b = { 3 },
7181 .errstr = "R0 min value is outside of the array range",
7182 .result_unpriv = REJECT,
7183 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7186 "map access: value_ptr -= known scalar, lower oob arith, test 2",
7188 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7189 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7191 BPF_LD_MAP_FD(BPF_REG_1, 0),
7192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7193 BPF_FUNC_map_lookup_elem),
7194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7195 BPF_MOV64_IMM(BPF_REG_1, 47),
7196 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7197 BPF_MOV64_IMM(BPF_REG_1, 48),
7198 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7199 BPF_MOV64_IMM(BPF_REG_1, 1),
7200 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7201 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7202 BPF_MOV64_IMM(BPF_REG_0, 1),
7205 .fixup_map_array_48b = { 3 },
7207 .result_unpriv = REJECT,
7208 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7212 "map access: value_ptr -= known scalar, lower oob arith, test 3",
7214 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7217 BPF_LD_MAP_FD(BPF_REG_1, 0),
7218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7219 BPF_FUNC_map_lookup_elem),
7220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7221 BPF_MOV64_IMM(BPF_REG_1, 47),
7222 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7223 BPF_MOV64_IMM(BPF_REG_1, 47),
7224 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7225 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7226 BPF_MOV64_IMM(BPF_REG_0, 1),
7229 .fixup_map_array_48b = { 3 },
7231 .result_unpriv = REJECT,
7232 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7236 "map access: known scalar += value_ptr",
7238 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7239 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7241 BPF_LD_MAP_FD(BPF_REG_1, 0),
7242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7243 BPF_FUNC_map_lookup_elem),
7244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7245 BPF_MOV64_IMM(BPF_REG_1, 4),
7246 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7247 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7248 BPF_MOV64_IMM(BPF_REG_0, 1),
7251 .fixup_map_array_48b = { 3 },
7256 "map access: value_ptr += known scalar, 1",
7258 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7261 BPF_LD_MAP_FD(BPF_REG_1, 0),
7262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7263 BPF_FUNC_map_lookup_elem),
7264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7265 BPF_MOV64_IMM(BPF_REG_1, 4),
7266 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7267 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7268 BPF_MOV64_IMM(BPF_REG_0, 1),
7271 .fixup_map_array_48b = { 3 },
7276 "map access: value_ptr += known scalar, 2",
7278 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7281 BPF_LD_MAP_FD(BPF_REG_1, 0),
7282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7283 BPF_FUNC_map_lookup_elem),
7284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7285 BPF_MOV64_IMM(BPF_REG_1, 49),
7286 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7287 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7288 BPF_MOV64_IMM(BPF_REG_0, 1),
7291 .fixup_map_array_48b = { 3 },
7293 .errstr = "invalid access to map value",
7296 "map access: value_ptr += known scalar, 3",
7298 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7299 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7301 BPF_LD_MAP_FD(BPF_REG_1, 0),
7302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7303 BPF_FUNC_map_lookup_elem),
7304 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7305 BPF_MOV64_IMM(BPF_REG_1, -1),
7306 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7307 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7308 BPF_MOV64_IMM(BPF_REG_0, 1),
7311 .fixup_map_array_48b = { 3 },
7313 .errstr = "invalid access to map value",
7316 "map access: value_ptr += known scalar, 4",
7318 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7321 BPF_LD_MAP_FD(BPF_REG_1, 0),
7322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7323 BPF_FUNC_map_lookup_elem),
7324 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7325 BPF_MOV64_IMM(BPF_REG_1, 5),
7326 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7327 BPF_MOV64_IMM(BPF_REG_1, -2),
7328 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7329 BPF_MOV64_IMM(BPF_REG_1, -1),
7330 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7331 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7332 BPF_MOV64_IMM(BPF_REG_0, 1),
7335 .fixup_map_array_48b = { 3 },
7337 .result_unpriv = REJECT,
7338 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7342 "map access: value_ptr += known scalar, 5",
7344 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7345 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7346 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7347 BPF_LD_MAP_FD(BPF_REG_1, 0),
7348 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7349 BPF_FUNC_map_lookup_elem),
7350 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7351 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
7352 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7353 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7356 .fixup_map_array_48b = { 3 },
7358 .retval = 0xabcdef12,
7361 "map access: value_ptr += known scalar, 6",
7363 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7366 BPF_LD_MAP_FD(BPF_REG_1, 0),
7367 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7368 BPF_FUNC_map_lookup_elem),
7369 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7370 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
7371 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7372 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
7373 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7374 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
7377 .fixup_map_array_48b = { 3 },
7379 .retval = 0xabcdef12,
7382 "map access: unknown scalar += value_ptr, 1",
7384 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7387 BPF_LD_MAP_FD(BPF_REG_1, 0),
7388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7389 BPF_FUNC_map_lookup_elem),
7390 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7391 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7392 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7393 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7394 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7395 BPF_MOV64_IMM(BPF_REG_0, 1),
7398 .fixup_map_array_48b = { 3 },
7403 "map access: unknown scalar += value_ptr, 2",
7405 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7408 BPF_LD_MAP_FD(BPF_REG_1, 0),
7409 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7410 BPF_FUNC_map_lookup_elem),
7411 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7412 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7413 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7414 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7415 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7418 .fixup_map_array_48b = { 3 },
7420 .retval = 0xabcdef12,
7423 "map access: unknown scalar += value_ptr, 3",
7425 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7426 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7428 BPF_LD_MAP_FD(BPF_REG_1, 0),
7429 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7430 BPF_FUNC_map_lookup_elem),
7431 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7432 BPF_MOV64_IMM(BPF_REG_1, -1),
7433 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7434 BPF_MOV64_IMM(BPF_REG_1, 1),
7435 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7436 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7437 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7438 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7439 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7442 .fixup_map_array_48b = { 3 },
7444 .result_unpriv = REJECT,
7445 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7446 .retval = 0xabcdef12,
7449 "map access: unknown scalar += value_ptr, 4",
7451 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7454 BPF_LD_MAP_FD(BPF_REG_1, 0),
7455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7456 BPF_FUNC_map_lookup_elem),
7457 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7458 BPF_MOV64_IMM(BPF_REG_1, 19),
7459 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7460 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7461 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7462 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7466 .fixup_map_array_48b = { 3 },
7468 .errstr = "R1 max value is outside of the array range",
7469 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
7472 "map access: value_ptr += unknown scalar, 1",
7474 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7475 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7477 BPF_LD_MAP_FD(BPF_REG_1, 0),
7478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7479 BPF_FUNC_map_lookup_elem),
7480 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7481 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7482 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7483 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7484 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7485 BPF_MOV64_IMM(BPF_REG_0, 1),
7488 .fixup_map_array_48b = { 3 },
7493 "map access: value_ptr += unknown scalar, 2",
7495 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7498 BPF_LD_MAP_FD(BPF_REG_1, 0),
7499 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7500 BPF_FUNC_map_lookup_elem),
7501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7502 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7503 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7504 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7505 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
7508 .fixup_map_array_48b = { 3 },
7510 .retval = 0xabcdef12,
7513 "map access: value_ptr += unknown scalar, 3",
7515 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7518 BPF_LD_MAP_FD(BPF_REG_1, 0),
7519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7520 BPF_FUNC_map_lookup_elem),
7521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7522 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7523 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
7524 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
7525 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7526 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
7527 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
7528 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
7529 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7530 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7531 BPF_MOV64_IMM(BPF_REG_0, 1),
7533 BPF_MOV64_IMM(BPF_REG_0, 2),
7534 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
7536 .fixup_map_array_48b = { 3 },
7541 "map access: value_ptr += value_ptr",
7543 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7544 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7546 BPF_LD_MAP_FD(BPF_REG_1, 0),
7547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7548 BPF_FUNC_map_lookup_elem),
7549 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7550 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
7551 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7552 BPF_MOV64_IMM(BPF_REG_0, 1),
7555 .fixup_map_array_48b = { 3 },
7557 .errstr = "R0 pointer += pointer prohibited",
7560 "map access: known scalar -= value_ptr",
7562 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7563 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7565 BPF_LD_MAP_FD(BPF_REG_1, 0),
7566 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7567 BPF_FUNC_map_lookup_elem),
7568 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7569 BPF_MOV64_IMM(BPF_REG_1, 4),
7570 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7572 BPF_MOV64_IMM(BPF_REG_0, 1),
7575 .fixup_map_array_48b = { 3 },
7577 .errstr = "R1 tried to subtract pointer from scalar",
7580 "map access: value_ptr -= known scalar",
7582 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7583 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7585 BPF_LD_MAP_FD(BPF_REG_1, 0),
7586 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7587 BPF_FUNC_map_lookup_elem),
7588 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7589 BPF_MOV64_IMM(BPF_REG_1, 4),
7590 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7591 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7592 BPF_MOV64_IMM(BPF_REG_0, 1),
7595 .fixup_map_array_48b = { 3 },
7597 .errstr = "R0 min value is outside of the array range",
7600 "map access: value_ptr -= known scalar, 2",
7602 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7605 BPF_LD_MAP_FD(BPF_REG_1, 0),
7606 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7607 BPF_FUNC_map_lookup_elem),
7608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7609 BPF_MOV64_IMM(BPF_REG_1, 6),
7610 BPF_MOV64_IMM(BPF_REG_2, 4),
7611 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7612 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
7613 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7614 BPF_MOV64_IMM(BPF_REG_0, 1),
7617 .fixup_map_array_48b = { 3 },
7619 .result_unpriv = REJECT,
7620 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7624 "map access: unknown scalar -= value_ptr",
7626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7629 BPF_LD_MAP_FD(BPF_REG_1, 0),
7630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7631 BPF_FUNC_map_lookup_elem),
7632 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7633 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7634 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7635 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7636 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7637 BPF_MOV64_IMM(BPF_REG_0, 1),
7640 .fixup_map_array_48b = { 3 },
7642 .errstr = "R1 tried to subtract pointer from scalar",
7645 "map access: value_ptr -= unknown scalar",
7647 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7648 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7650 BPF_LD_MAP_FD(BPF_REG_1, 0),
7651 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7652 BPF_FUNC_map_lookup_elem),
7653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7654 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7655 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7656 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7657 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7658 BPF_MOV64_IMM(BPF_REG_0, 1),
7661 .fixup_map_array_48b = { 3 },
7663 .errstr = "R0 min value is negative",
7666 "map access: value_ptr -= unknown scalar, 2",
7668 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7669 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7671 BPF_LD_MAP_FD(BPF_REG_1, 0),
7672 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7673 BPF_FUNC_map_lookup_elem),
7674 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7675 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7676 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7677 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
7678 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7679 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7680 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
7681 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7682 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7683 BPF_MOV64_IMM(BPF_REG_0, 1),
7686 .fixup_map_array_48b = { 3 },
7688 .result_unpriv = REJECT,
7689 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7693 "map access: value_ptr -= value_ptr",
7695 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7696 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7698 BPF_LD_MAP_FD(BPF_REG_1, 0),
7699 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7700 BPF_FUNC_map_lookup_elem),
7701 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7702 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
7703 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7704 BPF_MOV64_IMM(BPF_REG_0, 1),
7707 .fixup_map_array_48b = { 3 },
7709 .errstr = "R0 invalid mem access 'inv'",
7710 .errstr_unpriv = "R0 pointer -= pointer prohibited",
7713 "map lookup helper access to map",
7715 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7717 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7718 BPF_LD_MAP_FD(BPF_REG_1, 0),
7719 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7721 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7722 BPF_LD_MAP_FD(BPF_REG_1, 0),
7723 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7726 .fixup_map_hash_16b = { 3, 8 },
7728 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7731 "map update helper access to map",
7733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7735 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7736 BPF_LD_MAP_FD(BPF_REG_1, 0),
7737 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7738 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7739 BPF_MOV64_IMM(BPF_REG_4, 0),
7740 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
7741 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7742 BPF_LD_MAP_FD(BPF_REG_1, 0),
7743 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
7746 .fixup_map_hash_16b = { 3, 10 },
7748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7751 "map update helper access to map: wrong size",
7753 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7755 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7756 BPF_LD_MAP_FD(BPF_REG_1, 0),
7757 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7759 BPF_MOV64_IMM(BPF_REG_4, 0),
7760 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
7761 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7762 BPF_LD_MAP_FD(BPF_REG_1, 0),
7763 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
7766 .fixup_map_hash_8b = { 3 },
7767 .fixup_map_hash_16b = { 10 },
7769 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
7770 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7773 "map helper access to adjusted map (via const imm)",
7775 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7776 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7777 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7778 BPF_LD_MAP_FD(BPF_REG_1, 0),
7779 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7781 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
7783 offsetof(struct other_val, bar)),
7784 BPF_LD_MAP_FD(BPF_REG_1, 0),
7785 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7788 .fixup_map_hash_16b = { 3, 9 },
7790 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7793 "map helper access to adjusted map (via const imm): out-of-bound 1",
7795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7797 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7798 BPF_LD_MAP_FD(BPF_REG_1, 0),
7799 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7801 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
7803 sizeof(struct other_val) - 4),
7804 BPF_LD_MAP_FD(BPF_REG_1, 0),
7805 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7808 .fixup_map_hash_16b = { 3, 9 },
7810 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
7811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7814 "map helper access to adjusted map (via const imm): out-of-bound 2",
7816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7818 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7819 BPF_LD_MAP_FD(BPF_REG_1, 0),
7820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7824 BPF_LD_MAP_FD(BPF_REG_1, 0),
7825 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7828 .fixup_map_hash_16b = { 3, 9 },
7830 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
7831 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7834 "map helper access to adjusted map (via const reg)",
7836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7838 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7839 BPF_LD_MAP_FD(BPF_REG_1, 0),
7840 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7842 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7843 BPF_MOV64_IMM(BPF_REG_3,
7844 offsetof(struct other_val, bar)),
7845 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7846 BPF_LD_MAP_FD(BPF_REG_1, 0),
7847 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7850 .fixup_map_hash_16b = { 3, 10 },
7852 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7855 "map helper access to adjusted map (via const reg): out-of-bound 1",
7857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7859 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7860 BPF_LD_MAP_FD(BPF_REG_1, 0),
7861 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7862 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7864 BPF_MOV64_IMM(BPF_REG_3,
7865 sizeof(struct other_val) - 4),
7866 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7867 BPF_LD_MAP_FD(BPF_REG_1, 0),
7868 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7871 .fixup_map_hash_16b = { 3, 10 },
7873 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
7874 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7877 "map helper access to adjusted map (via const reg): out-of-bound 2",
7879 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7881 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7882 BPF_LD_MAP_FD(BPF_REG_1, 0),
7883 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7884 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7885 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7886 BPF_MOV64_IMM(BPF_REG_3, -4),
7887 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7888 BPF_LD_MAP_FD(BPF_REG_1, 0),
7889 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7892 .fixup_map_hash_16b = { 3, 10 },
7894 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
7895 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7898 "map helper access to adjusted map (via variable)",
7900 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7902 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7903 BPF_LD_MAP_FD(BPF_REG_1, 0),
7904 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7905 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7907 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7908 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7909 offsetof(struct other_val, bar), 4),
7910 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7911 BPF_LD_MAP_FD(BPF_REG_1, 0),
7912 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7915 .fixup_map_hash_16b = { 3, 11 },
7917 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7920 "map helper access to adjusted map (via variable): no max check",
7922 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7924 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7925 BPF_LD_MAP_FD(BPF_REG_1, 0),
7926 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7927 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7928 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7929 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7930 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7931 BPF_LD_MAP_FD(BPF_REG_1, 0),
7932 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7935 .fixup_map_hash_16b = { 3, 10 },
7937 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
7938 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7941 "map helper access to adjusted map (via variable): wrong max check",
7943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7945 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7946 BPF_LD_MAP_FD(BPF_REG_1, 0),
7947 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7948 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7949 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7950 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7951 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7952 offsetof(struct other_val, bar) + 1, 4),
7953 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7954 BPF_LD_MAP_FD(BPF_REG_1, 0),
7955 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7958 .fixup_map_hash_16b = { 3, 11 },
7960 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
7961 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7964 "map element value is preserved across register spilling",
7966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7968 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7969 BPF_LD_MAP_FD(BPF_REG_1, 0),
7970 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7972 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7973 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7975 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7976 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7977 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7980 .fixup_map_hash_48b = { 3 },
7981 .errstr_unpriv = "R0 leaks addr",
7983 .result_unpriv = REJECT,
7986 "map element value or null is marked on register spilling",
7988 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7990 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7991 BPF_LD_MAP_FD(BPF_REG_1, 0),
7992 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
7995 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7997 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7998 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
8001 .fixup_map_hash_48b = { 3 },
8002 .errstr_unpriv = "R0 leaks addr",
8004 .result_unpriv = REJECT,
8007 "map element value store of cleared call register",
8009 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8011 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8012 BPF_LD_MAP_FD(BPF_REG_1, 0),
8013 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8014 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
8015 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
8018 .fixup_map_hash_48b = { 3 },
8019 .errstr_unpriv = "R1 !read_ok",
8020 .errstr = "R1 !read_ok",
8022 .result_unpriv = REJECT,
8025 "map element value with unaligned store",
8027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8029 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8030 BPF_LD_MAP_FD(BPF_REG_1, 0),
8031 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8032 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
8033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
8034 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
8035 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
8036 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
8037 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
8038 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
8039 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
8040 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
8041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
8042 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
8043 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
8044 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
8045 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
8046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
8047 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
8048 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
8049 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
8052 .fixup_map_hash_48b = { 3 },
8053 .errstr_unpriv = "R0 leaks addr",
8055 .result_unpriv = REJECT,
8056 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8059 "map element value with unaligned load",
8061 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8063 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8064 BPF_LD_MAP_FD(BPF_REG_1, 0),
8065 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8066 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
8067 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
8068 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
8069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
8070 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
8071 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
8072 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
8073 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
8074 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
8075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
8076 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
8077 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
8080 .fixup_map_hash_48b = { 3 },
8081 .errstr_unpriv = "R0 leaks addr",
8083 .result_unpriv = REJECT,
8084 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8087 "map element value illegal alu op, 1",
8089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8091 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8092 BPF_LD_MAP_FD(BPF_REG_1, 0),
8093 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8094 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8095 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
8096 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
8099 .fixup_map_hash_48b = { 3 },
8100 .errstr = "R0 bitwise operator &= on pointer",
8104 "map element value illegal alu op, 2",
8106 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8108 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8109 BPF_LD_MAP_FD(BPF_REG_1, 0),
8110 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8111 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8112 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
8113 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
8116 .fixup_map_hash_48b = { 3 },
8117 .errstr = "R0 32-bit pointer arithmetic prohibited",
8121 "map element value illegal alu op, 3",
8123 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8125 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8126 BPF_LD_MAP_FD(BPF_REG_1, 0),
8127 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8128 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8129 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
8130 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
8133 .fixup_map_hash_48b = { 3 },
8134 .errstr = "R0 pointer arithmetic with /= operator",
8138 "map element value illegal alu op, 4",
8140 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8142 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8143 BPF_LD_MAP_FD(BPF_REG_1, 0),
8144 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8146 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
8147 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
8150 .fixup_map_hash_48b = { 3 },
8151 .errstr_unpriv = "R0 pointer arithmetic prohibited",
8152 .errstr = "invalid mem access 'inv'",
8154 .result_unpriv = REJECT,
8155 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8158 "map element value illegal alu op, 5",
8160 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8162 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8163 BPF_LD_MAP_FD(BPF_REG_1, 0),
8164 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8166 BPF_MOV64_IMM(BPF_REG_3, 4096),
8167 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8169 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8170 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
8171 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
8172 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
8175 .fixup_map_hash_48b = { 3 },
8176 .errstr = "R0 invalid mem access 'inv'",
8178 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8181 "map element value is preserved across register spilling",
8183 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8185 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8186 BPF_LD_MAP_FD(BPF_REG_1, 0),
8187 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
8190 offsetof(struct test_val, foo)),
8191 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
8192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
8194 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8195 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
8196 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
8199 .fixup_map_hash_48b = { 3 },
8200 .errstr_unpriv = "R0 leaks addr",
8202 .result_unpriv = REJECT,
8203 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8206 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
8208 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8210 BPF_MOV64_IMM(BPF_REG_0, 0),
8211 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8212 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8213 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8214 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8215 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8216 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8217 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8218 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8219 BPF_MOV64_IMM(BPF_REG_2, 16),
8220 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8221 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8222 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8223 BPF_MOV64_IMM(BPF_REG_4, 0),
8224 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8225 BPF_MOV64_IMM(BPF_REG_3, 0),
8226 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8227 BPF_MOV64_IMM(BPF_REG_0, 0),
8231 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8234 "helper access to variable memory: stack, bitwise AND, zero included",
8236 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8238 BPF_MOV64_IMM(BPF_REG_2, 16),
8239 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8240 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8241 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8242 BPF_MOV64_IMM(BPF_REG_3, 0),
8243 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8246 .errstr = "invalid indirect read from stack off -64+0 size 64",
8248 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8251 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
8253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8255 BPF_MOV64_IMM(BPF_REG_2, 16),
8256 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8257 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8258 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
8259 BPF_MOV64_IMM(BPF_REG_4, 0),
8260 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8261 BPF_MOV64_IMM(BPF_REG_3, 0),
8262 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8263 BPF_MOV64_IMM(BPF_REG_0, 0),
8266 .errstr = "invalid stack type R1 off=-64 access_size=65",
8268 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8271 "helper access to variable memory: stack, JMP, correct bounds",
8273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8275 BPF_MOV64_IMM(BPF_REG_0, 0),
8276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8277 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8278 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8279 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8280 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8281 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8282 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8284 BPF_MOV64_IMM(BPF_REG_2, 16),
8285 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8286 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8287 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
8288 BPF_MOV64_IMM(BPF_REG_4, 0),
8289 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8290 BPF_MOV64_IMM(BPF_REG_3, 0),
8291 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8292 BPF_MOV64_IMM(BPF_REG_0, 0),
8296 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8299 "helper access to variable memory: stack, JMP (signed), correct bounds",
8301 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8303 BPF_MOV64_IMM(BPF_REG_0, 0),
8304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8305 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8306 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8307 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8308 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8309 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8310 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8311 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8312 BPF_MOV64_IMM(BPF_REG_2, 16),
8313 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8314 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8315 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
8316 BPF_MOV64_IMM(BPF_REG_4, 0),
8317 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8318 BPF_MOV64_IMM(BPF_REG_3, 0),
8319 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8320 BPF_MOV64_IMM(BPF_REG_0, 0),
8324 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8327 "helper access to variable memory: stack, JMP, bounds + offset",
8329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8331 BPF_MOV64_IMM(BPF_REG_2, 16),
8332 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8333 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8334 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
8335 BPF_MOV64_IMM(BPF_REG_4, 0),
8336 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
8337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
8338 BPF_MOV64_IMM(BPF_REG_3, 0),
8339 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8340 BPF_MOV64_IMM(BPF_REG_0, 0),
8343 .errstr = "invalid stack type R1 off=-64 access_size=65",
8345 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8348 "helper access to variable memory: stack, JMP, wrong max",
8350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8352 BPF_MOV64_IMM(BPF_REG_2, 16),
8353 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8354 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8355 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
8356 BPF_MOV64_IMM(BPF_REG_4, 0),
8357 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8358 BPF_MOV64_IMM(BPF_REG_3, 0),
8359 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8360 BPF_MOV64_IMM(BPF_REG_0, 0),
8363 .errstr = "invalid stack type R1 off=-64 access_size=65",
8365 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8368 "helper access to variable memory: stack, JMP, no max check",
8370 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8372 BPF_MOV64_IMM(BPF_REG_2, 16),
8373 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8374 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8375 BPF_MOV64_IMM(BPF_REG_4, 0),
8376 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8377 BPF_MOV64_IMM(BPF_REG_3, 0),
8378 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8379 BPF_MOV64_IMM(BPF_REG_0, 0),
8382 /* because max wasn't checked, signed min is negative */
8383 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
8385 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8388 "helper access to variable memory: stack, JMP, no min check",
8390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8392 BPF_MOV64_IMM(BPF_REG_2, 16),
8393 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8394 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8395 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
8396 BPF_MOV64_IMM(BPF_REG_3, 0),
8397 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8398 BPF_MOV64_IMM(BPF_REG_0, 0),
8401 .errstr = "invalid indirect read from stack off -64+0 size 64",
8403 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8406 "helper access to variable memory: stack, JMP (signed), no min check",
8408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8410 BPF_MOV64_IMM(BPF_REG_2, 16),
8411 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8412 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8413 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
8414 BPF_MOV64_IMM(BPF_REG_3, 0),
8415 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8416 BPF_MOV64_IMM(BPF_REG_0, 0),
8419 .errstr = "R2 min value is negative",
8421 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8424 "helper access to variable memory: map, JMP, correct bounds",
8426 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8428 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8429 BPF_LD_MAP_FD(BPF_REG_1, 0),
8430 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8431 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8433 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8435 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8436 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8437 sizeof(struct test_val), 4),
8438 BPF_MOV64_IMM(BPF_REG_4, 0),
8439 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8440 BPF_MOV64_IMM(BPF_REG_3, 0),
8441 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8442 BPF_MOV64_IMM(BPF_REG_0, 0),
8445 .fixup_map_hash_48b = { 3 },
8447 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8450 "helper access to variable memory: map, JMP, wrong max",
8452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8454 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8455 BPF_LD_MAP_FD(BPF_REG_1, 0),
8456 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8457 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8459 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8460 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8461 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8462 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8463 sizeof(struct test_val) + 1, 4),
8464 BPF_MOV64_IMM(BPF_REG_4, 0),
8465 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8466 BPF_MOV64_IMM(BPF_REG_3, 0),
8467 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8468 BPF_MOV64_IMM(BPF_REG_0, 0),
8471 .fixup_map_hash_48b = { 3 },
8472 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
8474 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8477 "helper access to variable memory: map adjusted, JMP, correct bounds",
8479 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8481 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8482 BPF_LD_MAP_FD(BPF_REG_1, 0),
8483 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8484 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
8485 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
8487 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8488 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8489 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8490 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8491 sizeof(struct test_val) - 20, 4),
8492 BPF_MOV64_IMM(BPF_REG_4, 0),
8493 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8494 BPF_MOV64_IMM(BPF_REG_3, 0),
8495 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8496 BPF_MOV64_IMM(BPF_REG_0, 0),
8499 .fixup_map_hash_48b = { 3 },
8501 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8504 "helper access to variable memory: map adjusted, JMP, wrong max",
8506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8508 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8509 BPF_LD_MAP_FD(BPF_REG_1, 0),
8510 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8511 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
8512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
8514 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8515 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8516 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8517 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8518 sizeof(struct test_val) - 19, 4),
8519 BPF_MOV64_IMM(BPF_REG_4, 0),
8520 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8521 BPF_MOV64_IMM(BPF_REG_3, 0),
8522 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8523 BPF_MOV64_IMM(BPF_REG_0, 0),
8526 .fixup_map_hash_48b = { 3 },
8527 .errstr = "R1 min value is outside of the array range",
8529 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8532 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
8534 BPF_MOV64_IMM(BPF_REG_1, 0),
8535 BPF_MOV64_IMM(BPF_REG_2, 0),
8536 BPF_MOV64_IMM(BPF_REG_3, 0),
8537 BPF_MOV64_IMM(BPF_REG_4, 0),
8538 BPF_MOV64_IMM(BPF_REG_5, 0),
8539 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8543 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8546 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
8548 BPF_MOV64_IMM(BPF_REG_1, 0),
8549 BPF_MOV64_IMM(BPF_REG_2, 1),
8550 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8551 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8552 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8553 BPF_MOV64_IMM(BPF_REG_3, 0),
8554 BPF_MOV64_IMM(BPF_REG_4, 0),
8555 BPF_MOV64_IMM(BPF_REG_5, 0),
8556 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8559 .errstr = "R1 type=inv expected=fp",
8561 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8564 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
8566 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8568 BPF_MOV64_IMM(BPF_REG_2, 0),
8569 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
8570 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
8571 BPF_MOV64_IMM(BPF_REG_3, 0),
8572 BPF_MOV64_IMM(BPF_REG_4, 0),
8573 BPF_MOV64_IMM(BPF_REG_5, 0),
8574 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8578 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8581 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
8583 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8584 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8586 BPF_LD_MAP_FD(BPF_REG_1, 0),
8587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8588 BPF_FUNC_map_lookup_elem),
8589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8590 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8591 BPF_MOV64_IMM(BPF_REG_2, 0),
8592 BPF_MOV64_IMM(BPF_REG_3, 0),
8593 BPF_MOV64_IMM(BPF_REG_4, 0),
8594 BPF_MOV64_IMM(BPF_REG_5, 0),
8595 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8598 .fixup_map_hash_8b = { 3 },
8600 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8603 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
8605 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8606 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8608 BPF_LD_MAP_FD(BPF_REG_1, 0),
8609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8610 BPF_FUNC_map_lookup_elem),
8611 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8612 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8613 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
8614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8616 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
8617 BPF_MOV64_IMM(BPF_REG_3, 0),
8618 BPF_MOV64_IMM(BPF_REG_4, 0),
8619 BPF_MOV64_IMM(BPF_REG_5, 0),
8620 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8623 .fixup_map_hash_8b = { 3 },
8625 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8628 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
8630 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8631 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8632 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8633 BPF_LD_MAP_FD(BPF_REG_1, 0),
8634 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8635 BPF_FUNC_map_lookup_elem),
8636 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8637 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8638 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8639 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8640 BPF_MOV64_IMM(BPF_REG_3, 0),
8641 BPF_MOV64_IMM(BPF_REG_4, 0),
8642 BPF_MOV64_IMM(BPF_REG_5, 0),
8643 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8646 .fixup_map_hash_8b = { 3 },
8648 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8651 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
8653 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8654 offsetof(struct __sk_buff, data)),
8655 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8656 offsetof(struct __sk_buff, data_end)),
8657 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
8658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8659 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
8660 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
8661 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
8662 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8663 BPF_MOV64_IMM(BPF_REG_3, 0),
8664 BPF_MOV64_IMM(BPF_REG_4, 0),
8665 BPF_MOV64_IMM(BPF_REG_5, 0),
8666 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8670 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8671 .retval = 0 /* csum_diff of 64-byte packet */,
8672 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8675 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
8677 BPF_MOV64_IMM(BPF_REG_1, 0),
8678 BPF_MOV64_IMM(BPF_REG_2, 0),
8679 BPF_MOV64_IMM(BPF_REG_3, 0),
8680 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8683 .errstr = "R1 type=inv expected=fp",
8685 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8688 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
8690 BPF_MOV64_IMM(BPF_REG_1, 0),
8691 BPF_MOV64_IMM(BPF_REG_2, 1),
8692 BPF_MOV64_IMM(BPF_REG_3, 0),
8693 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8696 .errstr = "R1 type=inv expected=fp",
8698 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8701 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8705 BPF_MOV64_IMM(BPF_REG_2, 0),
8706 BPF_MOV64_IMM(BPF_REG_3, 0),
8707 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8711 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8714 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8716 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8717 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8719 BPF_LD_MAP_FD(BPF_REG_1, 0),
8720 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8721 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8723 BPF_MOV64_IMM(BPF_REG_2, 0),
8724 BPF_MOV64_IMM(BPF_REG_3, 0),
8725 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8728 .fixup_map_hash_8b = { 3 },
8730 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8733 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8735 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8736 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8738 BPF_LD_MAP_FD(BPF_REG_1, 0),
8739 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8741 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8742 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8743 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8745 BPF_MOV64_IMM(BPF_REG_3, 0),
8746 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8749 .fixup_map_hash_8b = { 3 },
8751 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8754 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8756 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8757 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8759 BPF_LD_MAP_FD(BPF_REG_1, 0),
8760 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8761 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8763 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8764 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
8765 BPF_MOV64_IMM(BPF_REG_3, 0),
8766 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8769 .fixup_map_hash_8b = { 3 },
8771 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8774 "helper access to variable memory: 8 bytes leak",
8776 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8778 BPF_MOV64_IMM(BPF_REG_0, 0),
8779 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8780 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8781 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8782 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8783 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8784 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8785 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8786 BPF_MOV64_IMM(BPF_REG_2, 1),
8787 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8788 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8789 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
8790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
8791 BPF_MOV64_IMM(BPF_REG_3, 0),
8792 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8793 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8796 .errstr = "invalid indirect read from stack off -64+32 size 64",
8798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8801 "helper access to variable memory: 8 bytes no leak (init memory)",
8803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8804 BPF_MOV64_IMM(BPF_REG_0, 0),
8805 BPF_MOV64_IMM(BPF_REG_0, 0),
8806 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8807 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8808 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8809 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8810 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8811 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8812 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8813 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8815 BPF_MOV64_IMM(BPF_REG_2, 0),
8816 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
8817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
8818 BPF_MOV64_IMM(BPF_REG_3, 0),
8819 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8820 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8824 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8827 "invalid and of negative number",
8829 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8832 BPF_LD_MAP_FD(BPF_REG_1, 0),
8833 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8834 BPF_FUNC_map_lookup_elem),
8835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8836 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8837 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
8838 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
8839 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8840 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8841 offsetof(struct test_val, foo)),
8844 .fixup_map_hash_48b = { 3 },
8845 .errstr = "R0 max value is outside of the array range",
8847 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8850 "invalid range check",
8852 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8855 BPF_LD_MAP_FD(BPF_REG_1, 0),
8856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8857 BPF_FUNC_map_lookup_elem),
8858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
8859 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
8860 BPF_MOV64_IMM(BPF_REG_9, 1),
8861 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
8862 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
8863 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
8864 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
8865 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
8866 BPF_MOV32_IMM(BPF_REG_3, 1),
8867 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
8868 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
8869 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
8870 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
8871 BPF_MOV64_REG(BPF_REG_0, 0),
8874 .fixup_map_hash_48b = { 3 },
8875 .errstr = "R0 max value is outside of the array range",
8877 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8880 "map in map access",
8882 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8883 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8885 BPF_LD_MAP_FD(BPF_REG_1, 0),
8886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8887 BPF_FUNC_map_lookup_elem),
8888 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8889 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8890 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8892 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8893 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8894 BPF_FUNC_map_lookup_elem),
8895 BPF_MOV64_IMM(BPF_REG_0, 0),
8898 .fixup_map_in_map = { 3 },
8902 "invalid inner map pointer",
8904 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8907 BPF_LD_MAP_FD(BPF_REG_1, 0),
8908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8909 BPF_FUNC_map_lookup_elem),
8910 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8911 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8912 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8914 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8916 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8917 BPF_FUNC_map_lookup_elem),
8918 BPF_MOV64_IMM(BPF_REG_0, 0),
8921 .fixup_map_in_map = { 3 },
8922 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
8926 "forgot null checking on the inner map pointer",
8928 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8931 BPF_LD_MAP_FD(BPF_REG_1, 0),
8932 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8933 BPF_FUNC_map_lookup_elem),
8934 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8935 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8937 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8938 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8939 BPF_FUNC_map_lookup_elem),
8940 BPF_MOV64_IMM(BPF_REG_0, 0),
8943 .fixup_map_in_map = { 3 },
8944 .errstr = "R1 type=map_value_or_null expected=map_ptr",
8948 "ld_abs: check calling conv, r1",
8950 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8951 BPF_MOV64_IMM(BPF_REG_1, 0),
8952 BPF_LD_ABS(BPF_W, -0x200000),
8953 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8956 .errstr = "R1 !read_ok",
8960 "ld_abs: check calling conv, r2",
8962 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8963 BPF_MOV64_IMM(BPF_REG_2, 0),
8964 BPF_LD_ABS(BPF_W, -0x200000),
8965 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8968 .errstr = "R2 !read_ok",
8972 "ld_abs: check calling conv, r3",
8974 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8975 BPF_MOV64_IMM(BPF_REG_3, 0),
8976 BPF_LD_ABS(BPF_W, -0x200000),
8977 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8980 .errstr = "R3 !read_ok",
8984 "ld_abs: check calling conv, r4",
8986 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8987 BPF_MOV64_IMM(BPF_REG_4, 0),
8988 BPF_LD_ABS(BPF_W, -0x200000),
8989 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8992 .errstr = "R4 !read_ok",
8996 "ld_abs: check calling conv, r5",
8998 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8999 BPF_MOV64_IMM(BPF_REG_5, 0),
9000 BPF_LD_ABS(BPF_W, -0x200000),
9001 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
9004 .errstr = "R5 !read_ok",
9008 "ld_abs: check calling conv, r7",
9010 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9011 BPF_MOV64_IMM(BPF_REG_7, 0),
9012 BPF_LD_ABS(BPF_W, -0x200000),
9013 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9019 "ld_abs: tests on r6 and skb data reload helper",
9021 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9022 BPF_LD_ABS(BPF_B, 0),
9023 BPF_LD_ABS(BPF_H, 0),
9024 BPF_LD_ABS(BPF_W, 0),
9025 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
9026 BPF_MOV64_IMM(BPF_REG_6, 0),
9027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
9028 BPF_MOV64_IMM(BPF_REG_2, 1),
9029 BPF_MOV64_IMM(BPF_REG_3, 2),
9030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9031 BPF_FUNC_skb_vlan_push),
9032 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
9033 BPF_LD_ABS(BPF_B, 0),
9034 BPF_LD_ABS(BPF_H, 0),
9035 BPF_LD_ABS(BPF_W, 0),
9036 BPF_MOV64_IMM(BPF_REG_0, 42),
9039 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9041 .retval = 42 /* ultimate return value */,
9044 "ld_ind: check calling conv, r1",
9046 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9047 BPF_MOV64_IMM(BPF_REG_1, 1),
9048 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
9049 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9052 .errstr = "R1 !read_ok",
9056 "ld_ind: check calling conv, r2",
9058 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9059 BPF_MOV64_IMM(BPF_REG_2, 1),
9060 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
9061 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9064 .errstr = "R2 !read_ok",
9068 "ld_ind: check calling conv, r3",
9070 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9071 BPF_MOV64_IMM(BPF_REG_3, 1),
9072 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
9073 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9076 .errstr = "R3 !read_ok",
9080 "ld_ind: check calling conv, r4",
9082 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9083 BPF_MOV64_IMM(BPF_REG_4, 1),
9084 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
9085 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
9088 .errstr = "R4 !read_ok",
9092 "ld_ind: check calling conv, r5",
9094 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9095 BPF_MOV64_IMM(BPF_REG_5, 1),
9096 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
9097 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
9100 .errstr = "R5 !read_ok",
9104 "ld_ind: check calling conv, r7",
9106 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9107 BPF_MOV64_IMM(BPF_REG_7, 1),
9108 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
9109 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9116 "check bpf_perf_event_data->sample_period byte load permitted",
9118 BPF_MOV64_IMM(BPF_REG_0, 0),
9119 #if __BYTE_ORDER == __LITTLE_ENDIAN
9120 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
9121 offsetof(struct bpf_perf_event_data, sample_period)),
9123 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
9124 offsetof(struct bpf_perf_event_data, sample_period) + 7),
9129 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
9132 "check bpf_perf_event_data->sample_period half load permitted",
9134 BPF_MOV64_IMM(BPF_REG_0, 0),
9135 #if __BYTE_ORDER == __LITTLE_ENDIAN
9136 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9137 offsetof(struct bpf_perf_event_data, sample_period)),
9139 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9140 offsetof(struct bpf_perf_event_data, sample_period) + 6),
9145 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
9148 "check bpf_perf_event_data->sample_period word load permitted",
9150 BPF_MOV64_IMM(BPF_REG_0, 0),
9151 #if __BYTE_ORDER == __LITTLE_ENDIAN
9152 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9153 offsetof(struct bpf_perf_event_data, sample_period)),
9155 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9156 offsetof(struct bpf_perf_event_data, sample_period) + 4),
9161 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
9164 "check bpf_perf_event_data->sample_period dword load permitted",
9166 BPF_MOV64_IMM(BPF_REG_0, 0),
9167 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
9168 offsetof(struct bpf_perf_event_data, sample_period)),
9172 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
9175 "check skb->data half load not permitted",
9177 BPF_MOV64_IMM(BPF_REG_0, 0),
9178 #if __BYTE_ORDER == __LITTLE_ENDIAN
9179 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9180 offsetof(struct __sk_buff, data)),
9182 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9183 offsetof(struct __sk_buff, data) + 2),
9188 .errstr = "invalid bpf_context access",
9191 "check skb->tc_classid half load not permitted for lwt prog",
9193 BPF_MOV64_IMM(BPF_REG_0, 0),
9194 #if __BYTE_ORDER == __LITTLE_ENDIAN
9195 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9196 offsetof(struct __sk_buff, tc_classid)),
9198 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9199 offsetof(struct __sk_buff, tc_classid) + 2),
9204 .errstr = "invalid bpf_context access",
9205 .prog_type = BPF_PROG_TYPE_LWT_IN,
9208 "bounds checks mixing signed and unsigned, positive bounds",
9210 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9211 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9213 BPF_LD_MAP_FD(BPF_REG_1, 0),
9214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9215 BPF_FUNC_map_lookup_elem),
9216 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9217 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9218 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9219 BPF_MOV64_IMM(BPF_REG_2, 2),
9220 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
9221 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
9222 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9223 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9224 BPF_MOV64_IMM(BPF_REG_0, 0),
9227 .fixup_map_hash_8b = { 3 },
9228 .errstr = "unbounded min value",
9229 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9233 "bounds checks mixing signed and unsigned",
9235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9238 BPF_LD_MAP_FD(BPF_REG_1, 0),
9239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9240 BPF_FUNC_map_lookup_elem),
9241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9242 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9243 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9244 BPF_MOV64_IMM(BPF_REG_2, -1),
9245 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
9246 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9247 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9248 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9249 BPF_MOV64_IMM(BPF_REG_0, 0),
9252 .fixup_map_hash_8b = { 3 },
9253 .errstr = "unbounded min value",
9254 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9258 "bounds checks mixing signed and unsigned, variant 2",
9260 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9261 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9263 BPF_LD_MAP_FD(BPF_REG_1, 0),
9264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9265 BPF_FUNC_map_lookup_elem),
9266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9267 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9268 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9269 BPF_MOV64_IMM(BPF_REG_2, -1),
9270 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
9271 BPF_MOV64_IMM(BPF_REG_8, 0),
9272 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
9273 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
9274 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
9275 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
9276 BPF_MOV64_IMM(BPF_REG_0, 0),
9279 .fixup_map_hash_8b = { 3 },
9280 .errstr = "unbounded min value",
9281 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
9285 "bounds checks mixing signed and unsigned, variant 3",
9287 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9288 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9289 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9290 BPF_LD_MAP_FD(BPF_REG_1, 0),
9291 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9292 BPF_FUNC_map_lookup_elem),
9293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9294 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9295 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9296 BPF_MOV64_IMM(BPF_REG_2, -1),
9297 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
9298 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
9299 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
9300 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
9301 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
9302 BPF_MOV64_IMM(BPF_REG_0, 0),
9305 .fixup_map_hash_8b = { 3 },
9306 .errstr = "unbounded min value",
9307 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
9311 "bounds checks mixing signed and unsigned, variant 4",
9313 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9314 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9316 BPF_LD_MAP_FD(BPF_REG_1, 0),
9317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9318 BPF_FUNC_map_lookup_elem),
9319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9320 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9321 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9322 BPF_MOV64_IMM(BPF_REG_2, 1),
9323 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9324 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9325 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9326 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9327 BPF_MOV64_IMM(BPF_REG_0, 0),
9330 .fixup_map_hash_8b = { 3 },
9334 "bounds checks mixing signed and unsigned, variant 5",
9336 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9339 BPF_LD_MAP_FD(BPF_REG_1, 0),
9340 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9341 BPF_FUNC_map_lookup_elem),
9342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9343 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9344 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9345 BPF_MOV64_IMM(BPF_REG_2, -1),
9346 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
9347 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
9348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
9349 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9350 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9351 BPF_MOV64_IMM(BPF_REG_0, 0),
9354 .fixup_map_hash_8b = { 3 },
9355 .errstr = "unbounded min value",
9356 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9360 "bounds checks mixing signed and unsigned, variant 6",
9362 BPF_MOV64_IMM(BPF_REG_2, 0),
9363 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
9364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
9365 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9366 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
9367 BPF_MOV64_IMM(BPF_REG_6, -1),
9368 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
9369 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
9370 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9371 BPF_MOV64_IMM(BPF_REG_5, 0),
9372 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
9373 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9374 BPF_FUNC_skb_load_bytes),
9375 BPF_MOV64_IMM(BPF_REG_0, 0),
9378 .errstr = "R4 min value is negative, either use unsigned",
9382 "bounds checks mixing signed and unsigned, variant 7",
9384 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9387 BPF_LD_MAP_FD(BPF_REG_1, 0),
9388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9389 BPF_FUNC_map_lookup_elem),
9390 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9391 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9392 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9393 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
9394 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
9395 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9396 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9397 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9398 BPF_MOV64_IMM(BPF_REG_0, 0),
9401 .fixup_map_hash_8b = { 3 },
9405 "bounds checks mixing signed and unsigned, variant 8",
9407 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9410 BPF_LD_MAP_FD(BPF_REG_1, 0),
9411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9412 BPF_FUNC_map_lookup_elem),
9413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9414 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9415 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9416 BPF_MOV64_IMM(BPF_REG_2, -1),
9417 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9418 BPF_MOV64_IMM(BPF_REG_0, 0),
9420 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9421 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9422 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9423 BPF_MOV64_IMM(BPF_REG_0, 0),
9426 .fixup_map_hash_8b = { 3 },
9427 .errstr = "unbounded min value",
9428 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9432 "bounds checks mixing signed and unsigned, variant 9",
9434 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9437 BPF_LD_MAP_FD(BPF_REG_1, 0),
9438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9439 BPF_FUNC_map_lookup_elem),
9440 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
9441 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9442 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9443 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
9444 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9445 BPF_MOV64_IMM(BPF_REG_0, 0),
9447 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9448 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9449 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9450 BPF_MOV64_IMM(BPF_REG_0, 0),
9453 .fixup_map_hash_8b = { 3 },
9457 "bounds checks mixing signed and unsigned, variant 10",
9459 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9460 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9462 BPF_LD_MAP_FD(BPF_REG_1, 0),
9463 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9464 BPF_FUNC_map_lookup_elem),
9465 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9466 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9467 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9468 BPF_MOV64_IMM(BPF_REG_2, 0),
9469 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9470 BPF_MOV64_IMM(BPF_REG_0, 0),
9472 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9473 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9474 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9475 BPF_MOV64_IMM(BPF_REG_0, 0),
9478 .fixup_map_hash_8b = { 3 },
9479 .errstr = "unbounded min value",
9480 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9484 "bounds checks mixing signed and unsigned, variant 11",
9486 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9489 BPF_LD_MAP_FD(BPF_REG_1, 0),
9490 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9491 BPF_FUNC_map_lookup_elem),
9492 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9493 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9494 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9495 BPF_MOV64_IMM(BPF_REG_2, -1),
9496 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9498 BPF_MOV64_IMM(BPF_REG_0, 0),
9500 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9501 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9502 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9503 BPF_MOV64_IMM(BPF_REG_0, 0),
9506 .fixup_map_hash_8b = { 3 },
9507 .errstr = "unbounded min value",
9508 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9512 "bounds checks mixing signed and unsigned, variant 12",
9514 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9515 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9517 BPF_LD_MAP_FD(BPF_REG_1, 0),
9518 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9519 BPF_FUNC_map_lookup_elem),
9520 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9521 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9522 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9523 BPF_MOV64_IMM(BPF_REG_2, -6),
9524 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9525 BPF_MOV64_IMM(BPF_REG_0, 0),
9527 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9528 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9529 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9530 BPF_MOV64_IMM(BPF_REG_0, 0),
9533 .fixup_map_hash_8b = { 3 },
9534 .errstr = "unbounded min value",
9535 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9539 "bounds checks mixing signed and unsigned, variant 13",
9541 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9544 BPF_LD_MAP_FD(BPF_REG_1, 0),
9545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9546 BPF_FUNC_map_lookup_elem),
9547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9548 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9549 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9550 BPF_MOV64_IMM(BPF_REG_2, 2),
9551 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9552 BPF_MOV64_IMM(BPF_REG_7, 1),
9553 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
9554 BPF_MOV64_IMM(BPF_REG_0, 0),
9556 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
9557 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
9558 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
9559 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9560 BPF_MOV64_IMM(BPF_REG_0, 0),
9563 .fixup_map_hash_8b = { 3 },
9564 .errstr = "unbounded min value",
9565 .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
9569 "bounds checks mixing signed and unsigned, variant 14",
9571 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
9572 offsetof(struct __sk_buff, mark)),
9573 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9574 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9576 BPF_LD_MAP_FD(BPF_REG_1, 0),
9577 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9578 BPF_FUNC_map_lookup_elem),
9579 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9580 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9581 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9582 BPF_MOV64_IMM(BPF_REG_2, -1),
9583 BPF_MOV64_IMM(BPF_REG_8, 2),
9584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
9585 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
9586 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9587 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9588 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9589 BPF_MOV64_IMM(BPF_REG_0, 0),
9591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
9592 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
9594 .fixup_map_hash_8b = { 4 },
9595 .errstr = "unbounded min value",
9596 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9600 "bounds checks mixing signed and unsigned, variant 15",
9602 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9605 BPF_LD_MAP_FD(BPF_REG_1, 0),
9606 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9607 BPF_FUNC_map_lookup_elem),
9608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9609 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9610 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9611 BPF_MOV64_IMM(BPF_REG_2, -6),
9612 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9613 BPF_MOV64_IMM(BPF_REG_0, 0),
9615 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9616 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
9617 BPF_MOV64_IMM(BPF_REG_0, 0),
9619 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9620 BPF_MOV64_IMM(BPF_REG_0, 0),
9623 .fixup_map_hash_8b = { 3 },
9624 .errstr = "unbounded min value",
9625 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9627 .result_unpriv = REJECT,
9630 "subtraction bounds (map value) variant 1",
9632 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9633 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9635 BPF_LD_MAP_FD(BPF_REG_1, 0),
9636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9637 BPF_FUNC_map_lookup_elem),
9638 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9639 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9640 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
9641 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
9642 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
9643 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
9644 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
9645 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9646 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9648 BPF_MOV64_IMM(BPF_REG_0, 0),
9651 .fixup_map_hash_8b = { 3 },
9652 .errstr = "R0 max value is outside of the array range",
9656 "subtraction bounds (map value) variant 2",
9658 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9661 BPF_LD_MAP_FD(BPF_REG_1, 0),
9662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9663 BPF_FUNC_map_lookup_elem),
9664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9665 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9666 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
9667 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
9668 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
9669 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
9670 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9671 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9673 BPF_MOV64_IMM(BPF_REG_0, 0),
9676 .fixup_map_hash_8b = { 3 },
9677 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
9678 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9682 "check subtraction on pointers for unpriv",
9684 BPF_MOV64_IMM(BPF_REG_0, 0),
9685 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
9686 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
9687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
9688 BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9),
9689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9690 BPF_FUNC_map_lookup_elem),
9691 BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP),
9692 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0),
9693 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
9694 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
9695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
9696 BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0),
9697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9698 BPF_FUNC_map_lookup_elem),
9699 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9701 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
9702 BPF_MOV64_IMM(BPF_REG_0, 0),
9705 .fixup_map_hash_8b = { 1, 9 },
9707 .result_unpriv = REJECT,
9708 .errstr_unpriv = "R9 pointer -= pointer prohibited",
9711 "bounds check based on zero-extended MOV",
9713 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9714 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9716 BPF_LD_MAP_FD(BPF_REG_1, 0),
9717 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9718 BPF_FUNC_map_lookup_elem),
9719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9720 /* r2 = 0x0000'0000'ffff'ffff */
9721 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
9723 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
9725 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9726 /* access at offset 0 */
9727 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9729 BPF_MOV64_IMM(BPF_REG_0, 0),
9732 .fixup_map_hash_8b = { 3 },
9736 "bounds check based on sign-extended MOV. test1",
9738 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9739 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9741 BPF_LD_MAP_FD(BPF_REG_1, 0),
9742 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9743 BPF_FUNC_map_lookup_elem),
9744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9745 /* r2 = 0xffff'ffff'ffff'ffff */
9746 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
9747 /* r2 = 0xffff'ffff */
9748 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
9749 /* r0 = <oob pointer> */
9750 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9751 /* access to OOB pointer */
9752 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9754 BPF_MOV64_IMM(BPF_REG_0, 0),
9757 .fixup_map_hash_8b = { 3 },
9758 .errstr = "map_value pointer and 4294967295",
9762 "bounds check based on sign-extended MOV. test2",
9764 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9765 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9767 BPF_LD_MAP_FD(BPF_REG_1, 0),
9768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9769 BPF_FUNC_map_lookup_elem),
9770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9771 /* r2 = 0xffff'ffff'ffff'ffff */
9772 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
9773 /* r2 = 0xfff'ffff */
9774 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
9775 /* r0 = <oob pointer> */
9776 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9777 /* access to OOB pointer */
9778 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9780 BPF_MOV64_IMM(BPF_REG_0, 0),
9783 .fixup_map_hash_8b = { 3 },
9784 .errstr = "R0 min value is outside of the array range",
9788 "bounds check based on reg_off + var_off + insn_off. test1",
9790 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9791 offsetof(struct __sk_buff, mark)),
9792 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9793 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9795 BPF_LD_MAP_FD(BPF_REG_1, 0),
9796 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9797 BPF_FUNC_map_lookup_elem),
9798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9799 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
9800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
9801 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
9802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
9803 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
9804 BPF_MOV64_IMM(BPF_REG_0, 0),
9807 .fixup_map_hash_8b = { 4 },
9808 .errstr = "value_size=8 off=1073741825",
9810 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9813 "bounds check based on reg_off + var_off + insn_off. test2",
9815 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9816 offsetof(struct __sk_buff, mark)),
9817 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9820 BPF_LD_MAP_FD(BPF_REG_1, 0),
9821 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9822 BPF_FUNC_map_lookup_elem),
9823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9824 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
9825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
9826 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
9827 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
9828 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
9829 BPF_MOV64_IMM(BPF_REG_0, 0),
9832 .fixup_map_hash_8b = { 4 },
9833 .errstr = "value 1073741823",
9835 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9838 "bounds check after truncation of non-boundary-crossing range",
9840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9843 BPF_LD_MAP_FD(BPF_REG_1, 0),
9844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9845 BPF_FUNC_map_lookup_elem),
9846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9847 /* r1 = [0x00, 0xff] */
9848 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9849 BPF_MOV64_IMM(BPF_REG_2, 1),
9850 /* r2 = 0x10'0000'0000 */
9851 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
9852 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
9853 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
9854 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
9855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9856 /* r1 = [0x00, 0xff] */
9857 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
9859 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9861 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9862 /* access at offset 0 */
9863 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9865 BPF_MOV64_IMM(BPF_REG_0, 0),
9868 .fixup_map_hash_8b = { 3 },
9872 "bounds check after truncation of boundary-crossing range (1)",
9874 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9877 BPF_LD_MAP_FD(BPF_REG_1, 0),
9878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9879 BPF_FUNC_map_lookup_elem),
9880 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9881 /* r1 = [0x00, 0xff] */
9882 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9884 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
9885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9886 /* r1 = [0xffff'ff80, 0xffff'ffff] or
9887 * [0x0000'0000, 0x0000'007f]
9889 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
9890 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9891 /* r1 = [0x00, 0xff] or
9892 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
9894 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9896 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
9898 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9899 /* no-op or OOB pointer computation */
9900 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9901 /* potentially OOB access */
9902 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9904 BPF_MOV64_IMM(BPF_REG_0, 0),
9907 .fixup_map_hash_8b = { 3 },
9908 /* not actually fully unbounded, but the bound is very high */
9909 .errstr = "R0 unbounded memory access",
9913 "bounds check after truncation of boundary-crossing range (2)",
9915 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9916 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9918 BPF_LD_MAP_FD(BPF_REG_1, 0),
9919 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9920 BPF_FUNC_map_lookup_elem),
9921 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9922 /* r1 = [0x00, 0xff] */
9923 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9925 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
9926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9927 /* r1 = [0xffff'ff80, 0xffff'ffff] or
9928 * [0x0000'0000, 0x0000'007f]
9929 * difference to previous test: truncation via MOV32
9932 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
9933 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9934 /* r1 = [0x00, 0xff] or
9935 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
9937 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9939 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
9941 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9942 /* no-op or OOB pointer computation */
9943 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9944 /* potentially OOB access */
9945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9947 BPF_MOV64_IMM(BPF_REG_0, 0),
9950 .fixup_map_hash_8b = { 3 },
9951 /* not actually fully unbounded, but the bound is very high */
9952 .errstr = "R0 unbounded memory access",
9956 "bounds check after wrapping 32-bit addition",
9958 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9961 BPF_LD_MAP_FD(BPF_REG_1, 0),
9962 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9963 BPF_FUNC_map_lookup_elem),
9964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
9965 /* r1 = 0x7fff'ffff */
9966 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
9967 /* r1 = 0xffff'fffe */
9968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9970 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
9972 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9973 /* access at offset 0 */
9974 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9976 BPF_MOV64_IMM(BPF_REG_0, 0),
9979 .fixup_map_hash_8b = { 3 },
9983 "bounds check after shift with oversized count operand",
9985 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9988 BPF_LD_MAP_FD(BPF_REG_1, 0),
9989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9990 BPF_FUNC_map_lookup_elem),
9991 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9992 BPF_MOV64_IMM(BPF_REG_2, 32),
9993 BPF_MOV64_IMM(BPF_REG_1, 1),
9994 /* r1 = (u32)1 << (u32)32 = ? */
9995 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
9996 /* r1 = [0x0000, 0xffff] */
9997 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
9998 /* computes unknown pointer, potentially OOB */
9999 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
10000 /* potentially OOB access */
10001 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10003 BPF_MOV64_IMM(BPF_REG_0, 0),
10006 .fixup_map_hash_8b = { 3 },
10007 .errstr = "R0 max value is outside of the array range",
10011 "bounds check after right shift of maybe-negative number",
10013 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10014 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10016 BPF_LD_MAP_FD(BPF_REG_1, 0),
10017 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10018 BPF_FUNC_map_lookup_elem),
10019 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
10020 /* r1 = [0x00, 0xff] */
10021 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10022 /* r1 = [-0x01, 0xfe] */
10023 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
10024 /* r1 = 0 or 0xff'ffff'ffff'ffff */
10025 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
10026 /* r1 = 0 or 0xffff'ffff'ffff */
10027 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
10028 /* computes unknown pointer, potentially OOB */
10029 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
10030 /* potentially OOB access */
10031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10033 BPF_MOV64_IMM(BPF_REG_0, 0),
10036 .fixup_map_hash_8b = { 3 },
10037 .errstr = "R0 unbounded memory access",
10041 "bounds check after 32-bit right shift with 64-bit input",
10043 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10044 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10046 BPF_LD_MAP_FD(BPF_REG_1, 0),
10047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10048 BPF_FUNC_map_lookup_elem),
10049 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
10051 BPF_MOV64_IMM(BPF_REG_1, 2),
10053 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31),
10054 /* r1 = 0 (NOT 2!) */
10055 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
10056 /* r1 = 0xffff'fffe (NOT 0!) */
10057 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
10058 /* computes OOB pointer */
10059 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
10061 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10063 BPF_MOV64_IMM(BPF_REG_0, 0),
10066 .fixup_map_hash_8b = { 3 },
10067 .errstr = "R0 invalid mem access",
10071 "bounds check map access with off+size signed 32bit overflow. test1",
10073 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10074 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10076 BPF_LD_MAP_FD(BPF_REG_1, 0),
10077 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10078 BPF_FUNC_map_lookup_elem),
10079 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
10082 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10086 .fixup_map_hash_8b = { 3 },
10087 .errstr = "map_value pointer and 2147483646",
10091 "bounds check map access with off+size signed 32bit overflow. test2",
10093 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10094 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10096 BPF_LD_MAP_FD(BPF_REG_1, 0),
10097 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10098 BPF_FUNC_map_lookup_elem),
10099 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
10102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
10103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
10104 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10108 .fixup_map_hash_8b = { 3 },
10109 .errstr = "pointer offset 1073741822",
10110 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
10114 "bounds check map access with off+size signed 32bit overflow. test3",
10116 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10117 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10119 BPF_LD_MAP_FD(BPF_REG_1, 0),
10120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10121 BPF_FUNC_map_lookup_elem),
10122 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10124 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
10125 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
10126 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
10130 .fixup_map_hash_8b = { 3 },
10131 .errstr = "pointer offset -1073741822",
10132 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
10136 "bounds check map access with off+size signed 32bit overflow. test4",
10138 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10141 BPF_LD_MAP_FD(BPF_REG_1, 0),
10142 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10143 BPF_FUNC_map_lookup_elem),
10144 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10146 BPF_MOV64_IMM(BPF_REG_1, 1000000),
10147 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
10148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
10149 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
10153 .fixup_map_hash_8b = { 3 },
10154 .errstr = "map_value pointer and 1000000000000",
10158 "pointer/scalar confusion in state equality check (way 1)",
10160 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10161 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10163 BPF_LD_MAP_FD(BPF_REG_1, 0),
10164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10165 BPF_FUNC_map_lookup_elem),
10166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10167 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10169 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10173 .fixup_map_hash_8b = { 3 },
10175 .retval = POINTER_VALUE,
10176 .result_unpriv = REJECT,
10177 .errstr_unpriv = "R0 leaks addr as return value"
10180 "pointer/scalar confusion in state equality check (way 2)",
10182 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10183 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10185 BPF_LD_MAP_FD(BPF_REG_1, 0),
10186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10187 BPF_FUNC_map_lookup_elem),
10188 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10189 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10191 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10194 .fixup_map_hash_8b = { 3 },
10196 .retval = POINTER_VALUE,
10197 .result_unpriv = REJECT,
10198 .errstr_unpriv = "R0 leaks addr as return value"
10201 "variable-offset ctx access",
10203 /* Get an unknown value */
10204 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10205 /* Make it small and 4-byte aligned */
10206 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10207 /* add it to skb. We now have either &skb->len or
10208 * &skb->pkt_type, but we don't know which
10210 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
10211 /* dereference it */
10212 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10215 .errstr = "variable ctx access var_off=(0x0; 0x4)",
10217 .prog_type = BPF_PROG_TYPE_LWT_IN,
10220 "variable-offset stack access",
10222 /* Fill the top 8 bytes of the stack */
10223 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10224 /* Get an unknown value */
10225 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10226 /* Make it small and 4-byte aligned */
10227 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10228 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
10229 /* add it to fp. We now have either fp-4 or fp-8, but
10230 * we don't know which
10232 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
10233 /* dereference it */
10234 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
10237 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
10239 .prog_type = BPF_PROG_TYPE_LWT_IN,
10242 "indirect variable-offset stack access",
10244 /* Fill the top 8 bytes of the stack */
10245 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10246 /* Get an unknown value */
10247 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10248 /* Make it small and 4-byte aligned */
10249 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10250 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
10251 /* add it to fp. We now have either fp-4 or fp-8, but
10252 * we don't know which
10254 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
10255 /* dereference it indirectly */
10256 BPF_LD_MAP_FD(BPF_REG_1, 0),
10257 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10258 BPF_FUNC_map_lookup_elem),
10259 BPF_MOV64_IMM(BPF_REG_0, 0),
10262 .fixup_map_hash_8b = { 5 },
10263 .errstr = "variable stack read R2",
10265 .prog_type = BPF_PROG_TYPE_LWT_IN,
10268 "direct stack access with 32-bit wraparound. test1",
10270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
10272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
10273 BPF_MOV32_IMM(BPF_REG_0, 0),
10274 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10277 .errstr = "fp pointer and 2147483647",
10281 "direct stack access with 32-bit wraparound. test2",
10283 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
10285 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
10286 BPF_MOV32_IMM(BPF_REG_0, 0),
10287 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10290 .errstr = "fp pointer and 1073741823",
10294 "direct stack access with 32-bit wraparound. test3",
10296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
10298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
10299 BPF_MOV32_IMM(BPF_REG_0, 0),
10300 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10303 .errstr = "fp pointer offset 1073741822",
10304 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
10308 "liveness pruning and write screening",
10310 /* Get an unknown value */
10311 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10312 /* branch conditions teach us nothing about R2 */
10313 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
10314 BPF_MOV64_IMM(BPF_REG_0, 0),
10315 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
10316 BPF_MOV64_IMM(BPF_REG_0, 0),
10319 .errstr = "R0 !read_ok",
10321 .prog_type = BPF_PROG_TYPE_LWT_IN,
10324 "varlen_map_value_access pruning",
10326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10329 BPF_LD_MAP_FD(BPF_REG_1, 0),
10330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10331 BPF_FUNC_map_lookup_elem),
10332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
10333 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
10334 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
10335 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
10336 BPF_MOV32_IMM(BPF_REG_1, 0),
10337 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
10338 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
10339 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
10340 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
10341 offsetof(struct test_val, foo)),
10344 .fixup_map_hash_48b = { 3 },
10345 .errstr_unpriv = "R0 leaks addr",
10346 .errstr = "R0 unbounded memory access",
10347 .result_unpriv = REJECT,
10349 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10352 "invalid 64-bit BPF_END",
10354 BPF_MOV32_IMM(BPF_REG_0, 0),
10356 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
10357 .dst_reg = BPF_REG_0,
10364 .errstr = "unknown opcode d7",
10368 "XDP, using ifindex from netdev",
10370 BPF_MOV64_IMM(BPF_REG_0, 0),
10371 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10372 offsetof(struct xdp_md, ingress_ifindex)),
10373 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
10374 BPF_MOV64_IMM(BPF_REG_0, 1),
10378 .prog_type = BPF_PROG_TYPE_XDP,
10382 "meta access, test1",
10384 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10385 offsetof(struct xdp_md, data_meta)),
10386 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10387 offsetof(struct xdp_md, data)),
10388 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10390 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10391 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10392 BPF_MOV64_IMM(BPF_REG_0, 0),
10396 .prog_type = BPF_PROG_TYPE_XDP,
10399 "meta access, test2",
10401 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10402 offsetof(struct xdp_md, data_meta)),
10403 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10404 offsetof(struct xdp_md, data)),
10405 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10406 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
10407 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10409 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10410 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10411 BPF_MOV64_IMM(BPF_REG_0, 0),
10415 .errstr = "invalid access to packet, off=-8",
10416 .prog_type = BPF_PROG_TYPE_XDP,
10419 "meta access, test3",
10421 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10422 offsetof(struct xdp_md, data_meta)),
10423 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10424 offsetof(struct xdp_md, data_end)),
10425 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10427 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10428 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10429 BPF_MOV64_IMM(BPF_REG_0, 0),
10433 .errstr = "invalid access to packet",
10434 .prog_type = BPF_PROG_TYPE_XDP,
10437 "meta access, test4",
10439 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10440 offsetof(struct xdp_md, data_meta)),
10441 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10442 offsetof(struct xdp_md, data_end)),
10443 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10444 offsetof(struct xdp_md, data)),
10445 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
10446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10447 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10448 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10449 BPF_MOV64_IMM(BPF_REG_0, 0),
10453 .errstr = "invalid access to packet",
10454 .prog_type = BPF_PROG_TYPE_XDP,
10457 "meta access, test5",
10459 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10460 offsetof(struct xdp_md, data_meta)),
10461 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10462 offsetof(struct xdp_md, data)),
10463 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10465 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
10466 BPF_MOV64_IMM(BPF_REG_2, -8),
10467 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10468 BPF_FUNC_xdp_adjust_meta),
10469 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
10470 BPF_MOV64_IMM(BPF_REG_0, 0),
10474 .errstr = "R3 !read_ok",
10475 .prog_type = BPF_PROG_TYPE_XDP,
10478 "meta access, test6",
10480 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10481 offsetof(struct xdp_md, data_meta)),
10482 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10483 offsetof(struct xdp_md, data)),
10484 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10486 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10488 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
10489 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10490 BPF_MOV64_IMM(BPF_REG_0, 0),
10494 .errstr = "invalid access to packet",
10495 .prog_type = BPF_PROG_TYPE_XDP,
10498 "meta access, test7",
10500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10501 offsetof(struct xdp_md, data_meta)),
10502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10503 offsetof(struct xdp_md, data)),
10504 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10506 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10508 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10509 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10510 BPF_MOV64_IMM(BPF_REG_0, 0),
10514 .prog_type = BPF_PROG_TYPE_XDP,
10517 "meta access, test8",
10519 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10520 offsetof(struct xdp_md, data_meta)),
10521 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10522 offsetof(struct xdp_md, data)),
10523 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
10525 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10526 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10527 BPF_MOV64_IMM(BPF_REG_0, 0),
10531 .prog_type = BPF_PROG_TYPE_XDP,
10534 "meta access, test9",
10536 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10537 offsetof(struct xdp_md, data_meta)),
10538 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10539 offsetof(struct xdp_md, data)),
10540 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
10542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
10543 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10544 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10545 BPF_MOV64_IMM(BPF_REG_0, 0),
10549 .errstr = "invalid access to packet",
10550 .prog_type = BPF_PROG_TYPE_XDP,
10553 "meta access, test10",
10555 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10556 offsetof(struct xdp_md, data_meta)),
10557 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10558 offsetof(struct xdp_md, data)),
10559 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10560 offsetof(struct xdp_md, data_end)),
10561 BPF_MOV64_IMM(BPF_REG_5, 42),
10562 BPF_MOV64_IMM(BPF_REG_6, 24),
10563 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
10564 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
10565 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
10566 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
10567 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
10568 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
10569 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
10570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
10571 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
10572 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
10573 BPF_MOV64_IMM(BPF_REG_0, 0),
10577 .errstr = "invalid access to packet",
10578 .prog_type = BPF_PROG_TYPE_XDP,
10581 "meta access, test11",
10583 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10584 offsetof(struct xdp_md, data_meta)),
10585 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10586 offsetof(struct xdp_md, data)),
10587 BPF_MOV64_IMM(BPF_REG_5, 42),
10588 BPF_MOV64_IMM(BPF_REG_6, 24),
10589 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
10590 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
10591 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
10592 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
10593 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
10594 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
10595 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
10596 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
10597 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
10598 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
10599 BPF_MOV64_IMM(BPF_REG_0, 0),
10603 .prog_type = BPF_PROG_TYPE_XDP,
10606 "meta access, test12",
10608 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10609 offsetof(struct xdp_md, data_meta)),
10610 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10611 offsetof(struct xdp_md, data)),
10612 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10613 offsetof(struct xdp_md, data_end)),
10614 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
10615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
10616 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
10617 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
10618 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
10619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
10620 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
10621 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10622 BPF_MOV64_IMM(BPF_REG_0, 0),
10626 .prog_type = BPF_PROG_TYPE_XDP,
10629 "arithmetic ops make PTR_TO_CTX unusable",
10631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
10632 offsetof(struct __sk_buff, data) -
10633 offsetof(struct __sk_buff, mark)),
10634 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10635 offsetof(struct __sk_buff, mark)),
10638 .errstr = "dereference of modified ctx ptr",
10640 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10643 "pkt_end - pkt_start is allowed",
10645 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10646 offsetof(struct __sk_buff, data_end)),
10647 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10648 offsetof(struct __sk_buff, data)),
10649 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
10653 .retval = TEST_DATA_LEN,
10654 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10657 "XDP pkt read, pkt_end mangling, bad access 1",
10659 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10660 offsetof(struct xdp_md, data)),
10661 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10662 offsetof(struct xdp_md, data_end)),
10663 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
10666 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10667 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10668 BPF_MOV64_IMM(BPF_REG_0, 0),
10671 .errstr = "R3 pointer arithmetic on pkt_end",
10673 .prog_type = BPF_PROG_TYPE_XDP,
10676 "XDP pkt read, pkt_end mangling, bad access 2",
10678 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10679 offsetof(struct xdp_md, data)),
10680 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10681 offsetof(struct xdp_md, data_end)),
10682 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10684 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
10685 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10686 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10687 BPF_MOV64_IMM(BPF_REG_0, 0),
10690 .errstr = "R3 pointer arithmetic on pkt_end",
10692 .prog_type = BPF_PROG_TYPE_XDP,
10695 "XDP pkt read, pkt_data' > pkt_end, good access",
10697 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10698 offsetof(struct xdp_md, data)),
10699 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10700 offsetof(struct xdp_md, data_end)),
10701 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10703 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10704 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10705 BPF_MOV64_IMM(BPF_REG_0, 0),
10709 .prog_type = BPF_PROG_TYPE_XDP,
10710 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10713 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
10715 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10716 offsetof(struct xdp_md, data)),
10717 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10718 offsetof(struct xdp_md, data_end)),
10719 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10721 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10722 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10723 BPF_MOV64_IMM(BPF_REG_0, 0),
10726 .errstr = "R1 offset is outside of the packet",
10728 .prog_type = BPF_PROG_TYPE_XDP,
10729 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10732 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
10734 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10735 offsetof(struct xdp_md, data)),
10736 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10737 offsetof(struct xdp_md, data_end)),
10738 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10740 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
10741 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10742 BPF_MOV64_IMM(BPF_REG_0, 0),
10745 .errstr = "R1 offset is outside of the packet",
10747 .prog_type = BPF_PROG_TYPE_XDP,
10748 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10751 "XDP pkt read, pkt_end > pkt_data', good access",
10753 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10754 offsetof(struct xdp_md, data)),
10755 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10756 offsetof(struct xdp_md, data_end)),
10757 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10759 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10760 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10762 BPF_MOV64_IMM(BPF_REG_0, 0),
10766 .prog_type = BPF_PROG_TYPE_XDP,
10767 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10770 "XDP pkt read, pkt_end > pkt_data', bad access 1",
10772 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10773 offsetof(struct xdp_md, data)),
10774 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10775 offsetof(struct xdp_md, data_end)),
10776 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10778 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10779 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10780 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10781 BPF_MOV64_IMM(BPF_REG_0, 0),
10784 .errstr = "R1 offset is outside of the packet",
10786 .prog_type = BPF_PROG_TYPE_XDP,
10787 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10790 "XDP pkt read, pkt_end > pkt_data', bad access 2",
10792 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10793 offsetof(struct xdp_md, data)),
10794 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10795 offsetof(struct xdp_md, data_end)),
10796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10798 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10799 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10800 BPF_MOV64_IMM(BPF_REG_0, 0),
10803 .errstr = "R1 offset is outside of the packet",
10805 .prog_type = BPF_PROG_TYPE_XDP,
10806 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10809 "XDP pkt read, pkt_data' < pkt_end, good access",
10811 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10812 offsetof(struct xdp_md, data)),
10813 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10814 offsetof(struct xdp_md, data_end)),
10815 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10816 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10817 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10818 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10819 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10820 BPF_MOV64_IMM(BPF_REG_0, 0),
10824 .prog_type = BPF_PROG_TYPE_XDP,
10825 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10828 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
10830 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10831 offsetof(struct xdp_md, data)),
10832 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10833 offsetof(struct xdp_md, data_end)),
10834 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10836 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10837 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10838 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10839 BPF_MOV64_IMM(BPF_REG_0, 0),
10842 .errstr = "R1 offset is outside of the packet",
10844 .prog_type = BPF_PROG_TYPE_XDP,
10845 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10848 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
10850 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10851 offsetof(struct xdp_md, data)),
10852 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10853 offsetof(struct xdp_md, data_end)),
10854 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10856 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10857 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10858 BPF_MOV64_IMM(BPF_REG_0, 0),
10861 .errstr = "R1 offset is outside of the packet",
10863 .prog_type = BPF_PROG_TYPE_XDP,
10864 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10867 "XDP pkt read, pkt_end < pkt_data', good access",
10869 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10870 offsetof(struct xdp_md, data)),
10871 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10872 offsetof(struct xdp_md, data_end)),
10873 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10875 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10876 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10877 BPF_MOV64_IMM(BPF_REG_0, 0),
10881 .prog_type = BPF_PROG_TYPE_XDP,
10882 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10885 "XDP pkt read, pkt_end < pkt_data', bad access 1",
10887 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10888 offsetof(struct xdp_md, data)),
10889 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10890 offsetof(struct xdp_md, data_end)),
10891 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10893 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10894 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10895 BPF_MOV64_IMM(BPF_REG_0, 0),
10898 .errstr = "R1 offset is outside of the packet",
10900 .prog_type = BPF_PROG_TYPE_XDP,
10901 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10904 "XDP pkt read, pkt_end < pkt_data', bad access 2",
10906 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10907 offsetof(struct xdp_md, data)),
10908 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10909 offsetof(struct xdp_md, data_end)),
10910 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10912 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10913 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10914 BPF_MOV64_IMM(BPF_REG_0, 0),
10917 .errstr = "R1 offset is outside of the packet",
10919 .prog_type = BPF_PROG_TYPE_XDP,
10920 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10923 "XDP pkt read, pkt_data' >= pkt_end, good access",
10925 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10926 offsetof(struct xdp_md, data)),
10927 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10928 offsetof(struct xdp_md, data_end)),
10929 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10931 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10932 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10933 BPF_MOV64_IMM(BPF_REG_0, 0),
10937 .prog_type = BPF_PROG_TYPE_XDP,
10938 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10941 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
10943 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10944 offsetof(struct xdp_md, data)),
10945 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10946 offsetof(struct xdp_md, data_end)),
10947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10949 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10950 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10951 BPF_MOV64_IMM(BPF_REG_0, 0),
10954 .errstr = "R1 offset is outside of the packet",
10956 .prog_type = BPF_PROG_TYPE_XDP,
10957 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10960 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
10962 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10963 offsetof(struct xdp_md, data)),
10964 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10965 offsetof(struct xdp_md, data_end)),
10966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10968 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10969 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10970 BPF_MOV64_IMM(BPF_REG_0, 0),
10973 .errstr = "R1 offset is outside of the packet",
10975 .prog_type = BPF_PROG_TYPE_XDP,
10976 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10979 "XDP pkt read, pkt_end >= pkt_data', good access",
10981 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10982 offsetof(struct xdp_md, data)),
10983 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10984 offsetof(struct xdp_md, data_end)),
10985 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10987 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10988 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10989 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10990 BPF_MOV64_IMM(BPF_REG_0, 0),
10994 .prog_type = BPF_PROG_TYPE_XDP,
10995 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10998 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
11000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11001 offsetof(struct xdp_md, data)),
11002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11003 offsetof(struct xdp_md, data_end)),
11004 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11006 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11007 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11008 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11009 BPF_MOV64_IMM(BPF_REG_0, 0),
11012 .errstr = "R1 offset is outside of the packet",
11014 .prog_type = BPF_PROG_TYPE_XDP,
11015 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11018 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
11020 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11021 offsetof(struct xdp_md, data)),
11022 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11023 offsetof(struct xdp_md, data_end)),
11024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11026 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11027 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11028 BPF_MOV64_IMM(BPF_REG_0, 0),
11031 .errstr = "R1 offset is outside of the packet",
11033 .prog_type = BPF_PROG_TYPE_XDP,
11034 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11037 "XDP pkt read, pkt_data' <= pkt_end, good access",
11039 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11040 offsetof(struct xdp_md, data)),
11041 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11042 offsetof(struct xdp_md, data_end)),
11043 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11045 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11046 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11047 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11048 BPF_MOV64_IMM(BPF_REG_0, 0),
11052 .prog_type = BPF_PROG_TYPE_XDP,
11053 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11056 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
11058 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11059 offsetof(struct xdp_md, data)),
11060 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11061 offsetof(struct xdp_md, data_end)),
11062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11064 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11065 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11067 BPF_MOV64_IMM(BPF_REG_0, 0),
11070 .errstr = "R1 offset is outside of the packet",
11072 .prog_type = BPF_PROG_TYPE_XDP,
11073 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11076 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
11078 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11079 offsetof(struct xdp_md, data)),
11080 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11081 offsetof(struct xdp_md, data_end)),
11082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11084 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11086 BPF_MOV64_IMM(BPF_REG_0, 0),
11089 .errstr = "R1 offset is outside of the packet",
11091 .prog_type = BPF_PROG_TYPE_XDP,
11092 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11095 "XDP pkt read, pkt_end <= pkt_data', good access",
11097 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11098 offsetof(struct xdp_md, data)),
11099 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11100 offsetof(struct xdp_md, data_end)),
11101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11103 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11104 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11105 BPF_MOV64_IMM(BPF_REG_0, 0),
11109 .prog_type = BPF_PROG_TYPE_XDP,
11110 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11113 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
11115 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11116 offsetof(struct xdp_md, data)),
11117 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11118 offsetof(struct xdp_md, data_end)),
11119 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11121 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11122 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11123 BPF_MOV64_IMM(BPF_REG_0, 0),
11126 .errstr = "R1 offset is outside of the packet",
11128 .prog_type = BPF_PROG_TYPE_XDP,
11129 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11132 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
11134 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11135 offsetof(struct xdp_md, data)),
11136 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11137 offsetof(struct xdp_md, data_end)),
11138 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11140 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
11141 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11142 BPF_MOV64_IMM(BPF_REG_0, 0),
11145 .errstr = "R1 offset is outside of the packet",
11147 .prog_type = BPF_PROG_TYPE_XDP,
11148 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11151 "XDP pkt read, pkt_meta' > pkt_data, good access",
11153 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11154 offsetof(struct xdp_md, data_meta)),
11155 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11156 offsetof(struct xdp_md, data)),
11157 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11159 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
11160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11161 BPF_MOV64_IMM(BPF_REG_0, 0),
11165 .prog_type = BPF_PROG_TYPE_XDP,
11166 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11169 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
11171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11172 offsetof(struct xdp_md, data_meta)),
11173 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11174 offsetof(struct xdp_md, data)),
11175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11177 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
11178 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11179 BPF_MOV64_IMM(BPF_REG_0, 0),
11182 .errstr = "R1 offset is outside of the packet",
11184 .prog_type = BPF_PROG_TYPE_XDP,
11185 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11188 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
11190 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11191 offsetof(struct xdp_md, data_meta)),
11192 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11193 offsetof(struct xdp_md, data)),
11194 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11196 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
11197 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11198 BPF_MOV64_IMM(BPF_REG_0, 0),
11201 .errstr = "R1 offset is outside of the packet",
11203 .prog_type = BPF_PROG_TYPE_XDP,
11204 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11207 "XDP pkt read, pkt_data > pkt_meta', good access",
11209 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11210 offsetof(struct xdp_md, data_meta)),
11211 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11212 offsetof(struct xdp_md, data)),
11213 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11215 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11216 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11217 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11218 BPF_MOV64_IMM(BPF_REG_0, 0),
11222 .prog_type = BPF_PROG_TYPE_XDP,
11223 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11226 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
11228 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11229 offsetof(struct xdp_md, data_meta)),
11230 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11231 offsetof(struct xdp_md, data)),
11232 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11234 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11235 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11236 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11237 BPF_MOV64_IMM(BPF_REG_0, 0),
11240 .errstr = "R1 offset is outside of the packet",
11242 .prog_type = BPF_PROG_TYPE_XDP,
11243 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11246 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
11248 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11249 offsetof(struct xdp_md, data_meta)),
11250 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11251 offsetof(struct xdp_md, data)),
11252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11254 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11255 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11256 BPF_MOV64_IMM(BPF_REG_0, 0),
11259 .errstr = "R1 offset is outside of the packet",
11261 .prog_type = BPF_PROG_TYPE_XDP,
11262 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11265 "XDP pkt read, pkt_meta' < pkt_data, good access",
11267 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11268 offsetof(struct xdp_md, data_meta)),
11269 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11270 offsetof(struct xdp_md, data)),
11271 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11273 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11274 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11275 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11276 BPF_MOV64_IMM(BPF_REG_0, 0),
11280 .prog_type = BPF_PROG_TYPE_XDP,
11281 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11284 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
11286 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11287 offsetof(struct xdp_md, data_meta)),
11288 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11289 offsetof(struct xdp_md, data)),
11290 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11292 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11293 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11294 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11295 BPF_MOV64_IMM(BPF_REG_0, 0),
11298 .errstr = "R1 offset is outside of the packet",
11300 .prog_type = BPF_PROG_TYPE_XDP,
11301 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11304 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
11306 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11307 offsetof(struct xdp_md, data_meta)),
11308 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11309 offsetof(struct xdp_md, data)),
11310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11312 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11314 BPF_MOV64_IMM(BPF_REG_0, 0),
11317 .errstr = "R1 offset is outside of the packet",
11319 .prog_type = BPF_PROG_TYPE_XDP,
11320 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11323 "XDP pkt read, pkt_data < pkt_meta', good access",
11325 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11326 offsetof(struct xdp_md, data_meta)),
11327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11328 offsetof(struct xdp_md, data)),
11329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11331 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
11332 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11333 BPF_MOV64_IMM(BPF_REG_0, 0),
11337 .prog_type = BPF_PROG_TYPE_XDP,
11338 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11341 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
11343 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11344 offsetof(struct xdp_md, data_meta)),
11345 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11346 offsetof(struct xdp_md, data)),
11347 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11349 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
11350 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11351 BPF_MOV64_IMM(BPF_REG_0, 0),
11354 .errstr = "R1 offset is outside of the packet",
11356 .prog_type = BPF_PROG_TYPE_XDP,
11357 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11360 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
11362 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11363 offsetof(struct xdp_md, data_meta)),
11364 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11365 offsetof(struct xdp_md, data)),
11366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11368 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
11369 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11370 BPF_MOV64_IMM(BPF_REG_0, 0),
11373 .errstr = "R1 offset is outside of the packet",
11375 .prog_type = BPF_PROG_TYPE_XDP,
11376 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11379 "XDP pkt read, pkt_meta' >= pkt_data, good access",
11381 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11382 offsetof(struct xdp_md, data_meta)),
11383 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11384 offsetof(struct xdp_md, data)),
11385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11387 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
11388 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11389 BPF_MOV64_IMM(BPF_REG_0, 0),
11393 .prog_type = BPF_PROG_TYPE_XDP,
11394 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11397 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
11399 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11400 offsetof(struct xdp_md, data_meta)),
11401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11402 offsetof(struct xdp_md, data)),
11403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11405 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
11406 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11407 BPF_MOV64_IMM(BPF_REG_0, 0),
11410 .errstr = "R1 offset is outside of the packet",
11412 .prog_type = BPF_PROG_TYPE_XDP,
11413 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11416 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
11418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11419 offsetof(struct xdp_md, data_meta)),
11420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11421 offsetof(struct xdp_md, data)),
11422 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11424 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
11425 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11426 BPF_MOV64_IMM(BPF_REG_0, 0),
11429 .errstr = "R1 offset is outside of the packet",
11431 .prog_type = BPF_PROG_TYPE_XDP,
11432 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11435 "XDP pkt read, pkt_data >= pkt_meta', good access",
11437 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11438 offsetof(struct xdp_md, data_meta)),
11439 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11440 offsetof(struct xdp_md, data)),
11441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11443 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11444 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11445 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11446 BPF_MOV64_IMM(BPF_REG_0, 0),
11450 .prog_type = BPF_PROG_TYPE_XDP,
11451 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11454 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
11456 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11457 offsetof(struct xdp_md, data_meta)),
11458 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11459 offsetof(struct xdp_md, data)),
11460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11462 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11463 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11464 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11465 BPF_MOV64_IMM(BPF_REG_0, 0),
11468 .errstr = "R1 offset is outside of the packet",
11470 .prog_type = BPF_PROG_TYPE_XDP,
11471 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11474 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
11476 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11477 offsetof(struct xdp_md, data_meta)),
11478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11479 offsetof(struct xdp_md, data)),
11480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11482 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11483 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11484 BPF_MOV64_IMM(BPF_REG_0, 0),
11487 .errstr = "R1 offset is outside of the packet",
11489 .prog_type = BPF_PROG_TYPE_XDP,
11490 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11493 "XDP pkt read, pkt_meta' <= pkt_data, good access",
11495 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11496 offsetof(struct xdp_md, data_meta)),
11497 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11498 offsetof(struct xdp_md, data)),
11499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11501 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11502 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11503 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11504 BPF_MOV64_IMM(BPF_REG_0, 0),
11508 .prog_type = BPF_PROG_TYPE_XDP,
11509 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11512 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
11514 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11515 offsetof(struct xdp_md, data_meta)),
11516 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11517 offsetof(struct xdp_md, data)),
11518 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11520 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11521 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11522 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11523 BPF_MOV64_IMM(BPF_REG_0, 0),
11526 .errstr = "R1 offset is outside of the packet",
11528 .prog_type = BPF_PROG_TYPE_XDP,
11529 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11532 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
11534 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11535 offsetof(struct xdp_md, data_meta)),
11536 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11537 offsetof(struct xdp_md, data)),
11538 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11540 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11541 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11542 BPF_MOV64_IMM(BPF_REG_0, 0),
11545 .errstr = "R1 offset is outside of the packet",
11547 .prog_type = BPF_PROG_TYPE_XDP,
11548 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11551 "XDP pkt read, pkt_data <= pkt_meta', good access",
11553 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11554 offsetof(struct xdp_md, data_meta)),
11555 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11556 offsetof(struct xdp_md, data)),
11557 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11559 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11560 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11561 BPF_MOV64_IMM(BPF_REG_0, 0),
11565 .prog_type = BPF_PROG_TYPE_XDP,
11566 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11569 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
11571 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11572 offsetof(struct xdp_md, data_meta)),
11573 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11574 offsetof(struct xdp_md, data)),
11575 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11576 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11577 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11578 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11579 BPF_MOV64_IMM(BPF_REG_0, 0),
11582 .errstr = "R1 offset is outside of the packet",
11584 .prog_type = BPF_PROG_TYPE_XDP,
11585 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11588 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
11590 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11591 offsetof(struct xdp_md, data_meta)),
11592 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11593 offsetof(struct xdp_md, data)),
11594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11596 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
11597 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11598 BPF_MOV64_IMM(BPF_REG_0, 0),
11601 .errstr = "R1 offset is outside of the packet",
11603 .prog_type = BPF_PROG_TYPE_XDP,
11604 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11607 "check deducing bounds from const, 1",
11609 BPF_MOV64_IMM(BPF_REG_0, 1),
11610 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
11611 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11615 .errstr = "R0 tried to subtract pointer from scalar",
11618 "check deducing bounds from const, 2",
11620 BPF_MOV64_IMM(BPF_REG_0, 1),
11621 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
11623 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
11625 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11632 "check deducing bounds from const, 3",
11634 BPF_MOV64_IMM(BPF_REG_0, 0),
11635 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
11636 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11640 .errstr = "R0 tried to subtract pointer from scalar",
11643 "check deducing bounds from const, 4",
11645 BPF_MOV64_IMM(BPF_REG_0, 0),
11646 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
11648 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11650 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11656 "check deducing bounds from const, 5",
11658 BPF_MOV64_IMM(BPF_REG_0, 0),
11659 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
11660 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11664 .errstr = "R0 tried to subtract pointer from scalar",
11667 "check deducing bounds from const, 6",
11669 BPF_MOV64_IMM(BPF_REG_0, 0),
11670 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11672 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11676 .errstr = "R0 tried to subtract pointer from scalar",
11679 "check deducing bounds from const, 7",
11681 BPF_MOV64_IMM(BPF_REG_0, ~0),
11682 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
11683 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11684 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11685 offsetof(struct __sk_buff, mark)),
11689 .errstr = "dereference of modified ctx ptr",
11690 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11693 "check deducing bounds from const, 8",
11695 BPF_MOV64_IMM(BPF_REG_0, ~0),
11696 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11697 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
11698 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11699 offsetof(struct __sk_buff, mark)),
11703 .errstr = "dereference of modified ctx ptr",
11704 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11707 "check deducing bounds from const, 9",
11709 BPF_MOV64_IMM(BPF_REG_0, 0),
11710 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
11711 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11715 .errstr = "R0 tried to subtract pointer from scalar",
11718 "check deducing bounds from const, 10",
11720 BPF_MOV64_IMM(BPF_REG_0, 0),
11721 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
11722 /* Marks reg as unknown. */
11723 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
11724 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11728 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
11731 "bpf_exit with invalid return code. test1",
11733 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11736 .errstr = "R0 has value (0x0; 0xffffffff)",
11738 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11741 "bpf_exit with invalid return code. test2",
11743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11744 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
11748 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11751 "bpf_exit with invalid return code. test3",
11753 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11754 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
11757 .errstr = "R0 has value (0x0; 0x3)",
11759 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11762 "bpf_exit with invalid return code. test4",
11764 BPF_MOV64_IMM(BPF_REG_0, 1),
11768 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11771 "bpf_exit with invalid return code. test5",
11773 BPF_MOV64_IMM(BPF_REG_0, 2),
11776 .errstr = "R0 has value (0x2; 0x0)",
11778 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11781 "bpf_exit with invalid return code. test6",
11783 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11786 .errstr = "R0 is not a known value (ctx)",
11788 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11791 "bpf_exit with invalid return code. test7",
11793 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11794 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
11795 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
11798 .errstr = "R0 has unknown scalar value",
11800 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11803 "calls: basic sanity",
11805 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11806 BPF_MOV64_IMM(BPF_REG_0, 1),
11808 BPF_MOV64_IMM(BPF_REG_0, 2),
11811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11815 "calls: not on unpriviledged",
11817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11818 BPF_MOV64_IMM(BPF_REG_0, 1),
11820 BPF_MOV64_IMM(BPF_REG_0, 2),
11823 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
11824 .result_unpriv = REJECT,
11829 "calls: div by 0 in subprog",
11831 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11833 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11834 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11835 offsetof(struct __sk_buff, data_end)),
11836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11838 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11839 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11840 BPF_MOV64_IMM(BPF_REG_0, 1),
11842 BPF_MOV32_IMM(BPF_REG_2, 0),
11843 BPF_MOV32_IMM(BPF_REG_3, 1),
11844 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
11845 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11846 offsetof(struct __sk_buff, data)),
11849 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11854 "calls: multiple ret types in subprog 1",
11856 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11857 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11858 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11859 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11860 offsetof(struct __sk_buff, data_end)),
11861 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11863 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11864 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11865 BPF_MOV64_IMM(BPF_REG_0, 1),
11867 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11868 offsetof(struct __sk_buff, data)),
11869 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11870 BPF_MOV32_IMM(BPF_REG_0, 42),
11873 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11875 .errstr = "R0 invalid mem access 'inv'",
11878 "calls: multiple ret types in subprog 2",
11880 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11883 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11884 offsetof(struct __sk_buff, data_end)),
11885 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11887 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11888 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11889 BPF_MOV64_IMM(BPF_REG_0, 1),
11891 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11892 offsetof(struct __sk_buff, data)),
11893 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11894 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
11895 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11896 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11898 BPF_LD_MAP_FD(BPF_REG_1, 0),
11899 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11900 BPF_FUNC_map_lookup_elem),
11901 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11902 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
11903 offsetof(struct __sk_buff, data)),
11904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
11907 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11908 .fixup_map_hash_8b = { 16 },
11910 .errstr = "R0 min value is outside of the array range",
11913 "calls: overlapping caller/callee",
11915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
11916 BPF_MOV64_IMM(BPF_REG_0, 1),
11919 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11920 .errstr = "last insn is not an exit or jmp",
11924 "calls: wrong recursive calls",
11926 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11927 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11928 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11931 BPF_MOV64_IMM(BPF_REG_0, 1),
11934 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11935 .errstr = "jump out of range",
11939 "calls: wrong src reg",
11941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
11942 BPF_MOV64_IMM(BPF_REG_0, 1),
11945 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11946 .errstr = "BPF_CALL uses reserved fields",
11950 "calls: wrong off value",
11952 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
11953 BPF_MOV64_IMM(BPF_REG_0, 1),
11955 BPF_MOV64_IMM(BPF_REG_0, 2),
11958 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11959 .errstr = "BPF_CALL uses reserved fields",
11963 "calls: jump back loop",
11965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
11966 BPF_MOV64_IMM(BPF_REG_0, 1),
11969 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11970 .errstr = "back-edge from insn 0 to 0",
11974 "calls: conditional call",
11976 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11977 offsetof(struct __sk_buff, mark)),
11978 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11979 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11980 BPF_MOV64_IMM(BPF_REG_0, 1),
11982 BPF_MOV64_IMM(BPF_REG_0, 2),
11985 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11986 .errstr = "jump out of range",
11990 "calls: conditional call 2",
11992 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11993 offsetof(struct __sk_buff, mark)),
11994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11996 BPF_MOV64_IMM(BPF_REG_0, 1),
11998 BPF_MOV64_IMM(BPF_REG_0, 2),
12000 BPF_MOV64_IMM(BPF_REG_0, 3),
12003 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12007 "calls: conditional call 3",
12009 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12010 offsetof(struct __sk_buff, mark)),
12011 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
12012 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
12013 BPF_MOV64_IMM(BPF_REG_0, 1),
12015 BPF_MOV64_IMM(BPF_REG_0, 1),
12016 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
12017 BPF_MOV64_IMM(BPF_REG_0, 3),
12018 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
12020 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12021 .errstr = "back-edge from insn",
12025 "calls: conditional call 4",
12027 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12028 offsetof(struct __sk_buff, mark)),
12029 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
12030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12031 BPF_MOV64_IMM(BPF_REG_0, 1),
12033 BPF_MOV64_IMM(BPF_REG_0, 1),
12034 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
12035 BPF_MOV64_IMM(BPF_REG_0, 3),
12038 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12042 "calls: conditional call 5",
12044 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12045 offsetof(struct __sk_buff, mark)),
12046 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
12047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12048 BPF_MOV64_IMM(BPF_REG_0, 1),
12050 BPF_MOV64_IMM(BPF_REG_0, 1),
12051 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
12052 BPF_MOV64_IMM(BPF_REG_0, 3),
12055 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12056 .errstr = "back-edge from insn",
12060 "calls: conditional call 6",
12062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
12065 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12066 offsetof(struct __sk_buff, mark)),
12069 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12070 .errstr = "back-edge from insn",
12074 "calls: using r0 returned by callee",
12076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12078 BPF_MOV64_IMM(BPF_REG_0, 2),
12081 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12085 "calls: using uninit r0 from callee",
12087 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12091 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12092 .errstr = "!read_ok",
12096 "calls: callee is using r1",
12098 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12100 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12101 offsetof(struct __sk_buff, len)),
12104 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
12106 .retval = TEST_DATA_LEN,
12109 "calls: callee using args1",
12111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12113 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
12116 .errstr_unpriv = "allowed for root only",
12117 .result_unpriv = REJECT,
12119 .retval = POINTER_VALUE,
12122 "calls: callee using wrong args2",
12124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12126 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12129 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12130 .errstr = "R2 !read_ok",
12134 "calls: callee using two args",
12136 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12137 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
12138 offsetof(struct __sk_buff, len)),
12139 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
12140 offsetof(struct __sk_buff, len)),
12141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12143 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
12144 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
12147 .errstr_unpriv = "allowed for root only",
12148 .result_unpriv = REJECT,
12150 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
12153 "calls: callee changing pkt pointers",
12155 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12156 offsetof(struct xdp_md, data)),
12157 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
12158 offsetof(struct xdp_md, data_end)),
12159 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
12160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
12161 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
12162 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12163 /* clear_all_pkt_pointers() has to walk all frames
12164 * to make sure that pkt pointers in the caller
12165 * are cleared when callee is calling a helper that
12166 * adjusts packet size
12168 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12169 BPF_MOV32_IMM(BPF_REG_0, 0),
12171 BPF_MOV64_IMM(BPF_REG_2, 0),
12172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12173 BPF_FUNC_xdp_adjust_head),
12177 .errstr = "R6 invalid mem access 'inv'",
12178 .prog_type = BPF_PROG_TYPE_XDP,
12179 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12182 "calls: two calls with args",
12184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12186 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12187 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12188 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12189 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12190 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12191 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12192 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12194 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12195 offsetof(struct __sk_buff, len)),
12198 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12200 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
12203 "calls: calls with stack arith",
12205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12210 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12213 BPF_MOV64_IMM(BPF_REG_0, 42),
12214 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
12217 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12222 "calls: calls with misaligned stack access",
12224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
12226 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
12229 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
12232 BPF_MOV64_IMM(BPF_REG_0, 42),
12233 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
12236 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12237 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
12238 .errstr = "misaligned stack access",
12242 "calls: calls control flow, jump test",
12244 BPF_MOV64_IMM(BPF_REG_0, 42),
12245 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12246 BPF_MOV64_IMM(BPF_REG_0, 43),
12247 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12248 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
12251 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12256 "calls: calls control flow, jump test 2",
12258 BPF_MOV64_IMM(BPF_REG_0, 42),
12259 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12260 BPF_MOV64_IMM(BPF_REG_0, 43),
12261 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
12265 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12266 .errstr = "jump out of range from insn 1 to 4",
12270 "calls: two calls with bad jump",
12272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12274 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12276 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12277 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12279 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12280 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12282 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12283 offsetof(struct __sk_buff, len)),
12284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
12287 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12288 .errstr = "jump out of range from insn 11 to 9",
12292 "calls: recursive call. test1",
12294 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12296 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
12299 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12300 .errstr = "back-edge",
12304 "calls: recursive call. test2",
12306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
12311 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12312 .errstr = "back-edge",
12316 "calls: unreachable code",
12318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12322 BPF_MOV64_IMM(BPF_REG_0, 0),
12324 BPF_MOV64_IMM(BPF_REG_0, 0),
12327 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12328 .errstr = "unreachable insn 6",
12332 "calls: invalid call",
12334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12336 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
12339 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12340 .errstr = "invalid destination",
12344 "calls: invalid call 2",
12346 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12348 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
12351 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12352 .errstr = "invalid destination",
12356 "calls: jumping across function bodies. test1",
12358 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12359 BPF_MOV64_IMM(BPF_REG_0, 0),
12361 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
12364 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12365 .errstr = "jump out of range",
12369 "calls: jumping across function bodies. test2",
12371 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
12372 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12373 BPF_MOV64_IMM(BPF_REG_0, 0),
12377 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12378 .errstr = "jump out of range",
12382 "calls: call without exit",
12384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12388 BPF_MOV64_IMM(BPF_REG_0, 0),
12389 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
12391 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12392 .errstr = "not an exit",
12396 "calls: call into middle of ld_imm64",
12398 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12399 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12400 BPF_MOV64_IMM(BPF_REG_0, 0),
12402 BPF_LD_IMM64(BPF_REG_0, 0),
12405 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12406 .errstr = "last insn",
12410 "calls: call into middle of other call",
12412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12413 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12414 BPF_MOV64_IMM(BPF_REG_0, 0),
12416 BPF_MOV64_IMM(BPF_REG_0, 0),
12417 BPF_MOV64_IMM(BPF_REG_0, 0),
12420 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12421 .errstr = "last insn",
12425 "calls: ld_abs with changing ctx data in callee",
12427 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12428 BPF_LD_ABS(BPF_B, 0),
12429 BPF_LD_ABS(BPF_H, 0),
12430 BPF_LD_ABS(BPF_W, 0),
12431 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12433 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12434 BPF_LD_ABS(BPF_B, 0),
12435 BPF_LD_ABS(BPF_H, 0),
12436 BPF_LD_ABS(BPF_W, 0),
12438 BPF_MOV64_IMM(BPF_REG_2, 1),
12439 BPF_MOV64_IMM(BPF_REG_3, 2),
12440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12441 BPF_FUNC_skb_vlan_push),
12444 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12445 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
12449 "calls: two calls with bad fallthrough",
12451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12453 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12455 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12456 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12458 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12459 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12460 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
12461 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12462 offsetof(struct __sk_buff, len)),
12465 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12466 .errstr = "not an exit",
12470 "calls: two calls with stack read",
12472 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12473 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12475 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12477 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12479 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12481 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12482 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12483 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12485 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
12488 .prog_type = BPF_PROG_TYPE_XDP,
12492 "calls: two calls with stack write",
12495 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12496 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12498 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12500 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12501 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12505 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12506 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
12508 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12510 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12511 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12512 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
12513 /* write into stack frame of main prog */
12514 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12518 /* read from stack frame of main prog */
12519 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
12522 .prog_type = BPF_PROG_TYPE_XDP,
12526 "calls: stack overflow using two frames (pre-call access)",
12529 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12530 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
12534 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12535 BPF_MOV64_IMM(BPF_REG_0, 0),
12538 .prog_type = BPF_PROG_TYPE_XDP,
12539 .errstr = "combined stack size",
12543 "calls: stack overflow using two frames (post-call access)",
12546 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
12547 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12551 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12552 BPF_MOV64_IMM(BPF_REG_0, 0),
12555 .prog_type = BPF_PROG_TYPE_XDP,
12556 .errstr = "combined stack size",
12560 "calls: stack depth check using three frames. test1",
12563 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12564 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
12565 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
12566 BPF_MOV64_IMM(BPF_REG_0, 0),
12569 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12572 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
12573 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12576 .prog_type = BPF_PROG_TYPE_XDP,
12577 /* stack_main=32, stack_A=256, stack_B=64
12578 * and max(main+A, main+A+B) < 512
12583 "calls: stack depth check using three frames. test2",
12586 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12587 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
12588 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
12589 BPF_MOV64_IMM(BPF_REG_0, 0),
12592 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12595 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
12596 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12599 .prog_type = BPF_PROG_TYPE_XDP,
12600 /* stack_main=32, stack_A=64, stack_B=256
12601 * and max(main+A, main+A+B) < 512
12606 "calls: stack depth check using three frames. test3",
12609 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12610 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
12611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12612 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
12613 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
12614 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12615 BPF_MOV64_IMM(BPF_REG_0, 0),
12618 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
12620 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
12621 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
12623 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
12624 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
12625 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12628 .prog_type = BPF_PROG_TYPE_XDP,
12629 /* stack_main=64, stack_A=224, stack_B=256
12630 * and max(main+A, main+A+B) > 512
12632 .errstr = "combined stack",
12636 "calls: stack depth check using three frames. test4",
12637 /* void main(void) {
12642 * void func1(int alloc_or_recurse) {
12643 * if (alloc_or_recurse) {
12644 * frame_pointer[-300] = 1;
12646 * func2(alloc_or_recurse);
12649 * void func2(int alloc_or_recurse) {
12650 * if (alloc_or_recurse) {
12651 * frame_pointer[-300] = 1;
12657 BPF_MOV64_IMM(BPF_REG_1, 0),
12658 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
12659 BPF_MOV64_IMM(BPF_REG_1, 1),
12660 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12661 BPF_MOV64_IMM(BPF_REG_1, 1),
12662 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
12663 BPF_MOV64_IMM(BPF_REG_0, 0),
12666 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
12667 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12669 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
12672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
12673 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12676 .prog_type = BPF_PROG_TYPE_XDP,
12678 .errstr = "combined stack",
12681 "calls: stack depth check using three frames. test5",
12684 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
12687 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
12690 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
12693 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
12696 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
12699 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
12702 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
12705 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
12708 BPF_MOV64_IMM(BPF_REG_0, 0),
12711 .prog_type = BPF_PROG_TYPE_XDP,
12712 .errstr = "call stack",
12716 "calls: spill into caller stack frame",
12718 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12719 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12721 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12723 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
12724 BPF_MOV64_IMM(BPF_REG_0, 0),
12727 .prog_type = BPF_PROG_TYPE_XDP,
12728 .errstr = "cannot spill",
12732 "calls: write into caller stack frame",
12734 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12736 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12738 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12740 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
12741 BPF_MOV64_IMM(BPF_REG_0, 0),
12744 .prog_type = BPF_PROG_TYPE_XDP,
12749 "calls: write into callee stack frame",
12751 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12752 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
12754 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
12755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
12758 .prog_type = BPF_PROG_TYPE_XDP,
12759 .errstr = "cannot return stack pointer",
12763 "calls: two calls with stack write and void return",
12766 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12771 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12772 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12776 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12777 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12778 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12784 /* write into stack frame of main prog */
12785 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
12786 BPF_EXIT_INSN(), /* void return */
12788 .prog_type = BPF_PROG_TYPE_XDP,
12792 "calls: ambiguous return value",
12794 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12797 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12798 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12799 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
12802 BPF_MOV64_IMM(BPF_REG_0, 0),
12805 .errstr_unpriv = "allowed for root only",
12806 .result_unpriv = REJECT,
12807 .errstr = "R0 !read_ok",
12811 "calls: two calls that return map_value",
12814 /* pass fp-16, fp-8 into a function */
12815 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12816 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12819 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
12821 /* fetch map_value_ptr from the stack of this function */
12822 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12824 /* write into map value */
12825 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12826 /* fetch secound map_value_ptr from the stack */
12827 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12829 /* write into map value */
12830 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12831 BPF_MOV64_IMM(BPF_REG_0, 0),
12835 /* call 3rd function twice */
12836 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12837 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12838 /* first time with fp-8 */
12839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12841 /* second time with fp-16 */
12842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12846 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12847 /* lookup from map */
12848 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12849 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12851 BPF_LD_MAP_FD(BPF_REG_1, 0),
12852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12853 BPF_FUNC_map_lookup_elem),
12854 /* write map_value_ptr into stack frame of main prog */
12855 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12856 BPF_MOV64_IMM(BPF_REG_0, 0),
12857 BPF_EXIT_INSN(), /* return 0 */
12859 .prog_type = BPF_PROG_TYPE_XDP,
12860 .fixup_map_hash_8b = { 23 },
12864 "calls: two calls that return map_value with bool condition",
12867 /* pass fp-16, fp-8 into a function */
12868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12872 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12873 BPF_MOV64_IMM(BPF_REG_0, 0),
12877 /* call 3rd function twice */
12878 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12879 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12880 /* first time with fp-8 */
12881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
12882 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12883 /* fetch map_value_ptr from the stack of this function */
12884 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12885 /* write into map value */
12886 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12887 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12888 /* second time with fp-16 */
12889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12890 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12891 /* fetch secound map_value_ptr from the stack */
12892 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
12893 /* write into map value */
12894 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12898 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12899 /* lookup from map */
12900 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12903 BPF_LD_MAP_FD(BPF_REG_1, 0),
12904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12905 BPF_FUNC_map_lookup_elem),
12906 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12907 BPF_MOV64_IMM(BPF_REG_0, 0),
12908 BPF_EXIT_INSN(), /* return 0 */
12909 /* write map_value_ptr into stack frame of main prog */
12910 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12911 BPF_MOV64_IMM(BPF_REG_0, 1),
12912 BPF_EXIT_INSN(), /* return 1 */
12914 .prog_type = BPF_PROG_TYPE_XDP,
12915 .fixup_map_hash_8b = { 23 },
12919 "calls: two calls that return map_value with incorrect bool check",
12922 /* pass fp-16, fp-8 into a function */
12923 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12925 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12927 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12928 BPF_MOV64_IMM(BPF_REG_0, 0),
12932 /* call 3rd function twice */
12933 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12934 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12935 /* first time with fp-8 */
12936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
12937 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12938 /* fetch map_value_ptr from the stack of this function */
12939 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12940 /* write into map value */
12941 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12943 /* second time with fp-16 */
12944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12945 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12946 /* fetch secound map_value_ptr from the stack */
12947 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
12948 /* write into map value */
12949 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12953 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12954 /* lookup from map */
12955 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12956 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12958 BPF_LD_MAP_FD(BPF_REG_1, 0),
12959 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12960 BPF_FUNC_map_lookup_elem),
12961 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12962 BPF_MOV64_IMM(BPF_REG_0, 0),
12963 BPF_EXIT_INSN(), /* return 0 */
12964 /* write map_value_ptr into stack frame of main prog */
12965 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12966 BPF_MOV64_IMM(BPF_REG_0, 1),
12967 BPF_EXIT_INSN(), /* return 1 */
12969 .prog_type = BPF_PROG_TYPE_XDP,
12970 .fixup_map_hash_8b = { 23 },
12972 .errstr = "invalid read from stack off -16+0 size 8",
12975 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
12978 /* pass fp-16, fp-8 into a function */
12979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12981 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12983 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12984 BPF_MOV64_IMM(BPF_REG_0, 0),
12988 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12989 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12990 /* 1st lookup from map */
12991 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12994 BPF_LD_MAP_FD(BPF_REG_1, 0),
12995 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12996 BPF_FUNC_map_lookup_elem),
12997 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12998 BPF_MOV64_IMM(BPF_REG_8, 0),
12999 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13000 /* write map_value_ptr into stack frame of main prog at fp-8 */
13001 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13002 BPF_MOV64_IMM(BPF_REG_8, 1),
13004 /* 2nd lookup from map */
13005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
13006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13007 BPF_LD_MAP_FD(BPF_REG_1, 0),
13008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
13009 BPF_FUNC_map_lookup_elem),
13010 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13011 BPF_MOV64_IMM(BPF_REG_9, 0),
13012 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13013 /* write map_value_ptr into stack frame of main prog at fp-16 */
13014 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13015 BPF_MOV64_IMM(BPF_REG_9, 1),
13017 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13018 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
13019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13020 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13021 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
13026 /* if arg2 == 1 do *arg1 = 0 */
13027 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13028 /* fetch map_value_ptr from the stack of this function */
13029 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13030 /* write into map value */
13031 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13033 /* if arg4 == 1 do *arg3 = 0 */
13034 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13035 /* fetch map_value_ptr from the stack of this function */
13036 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13037 /* write into map value */
13038 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
13041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13042 .fixup_map_hash_8b = { 12, 22 },
13044 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
13045 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13048 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
13051 /* pass fp-16, fp-8 into a function */
13052 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13054 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13056 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13057 BPF_MOV64_IMM(BPF_REG_0, 0),
13061 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13062 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13063 /* 1st lookup from map */
13064 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13065 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13067 BPF_LD_MAP_FD(BPF_REG_1, 0),
13068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13069 BPF_FUNC_map_lookup_elem),
13070 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13071 BPF_MOV64_IMM(BPF_REG_8, 0),
13072 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13073 /* write map_value_ptr into stack frame of main prog at fp-8 */
13074 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13075 BPF_MOV64_IMM(BPF_REG_8, 1),
13077 /* 2nd lookup from map */
13078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
13079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13080 BPF_LD_MAP_FD(BPF_REG_1, 0),
13081 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
13082 BPF_FUNC_map_lookup_elem),
13083 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13084 BPF_MOV64_IMM(BPF_REG_9, 0),
13085 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13086 /* write map_value_ptr into stack frame of main prog at fp-16 */
13087 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13088 BPF_MOV64_IMM(BPF_REG_9, 1),
13090 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
13092 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13093 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13094 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13095 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
13099 /* if arg2 == 1 do *arg1 = 0 */
13100 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13101 /* fetch map_value_ptr from the stack of this function */
13102 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13103 /* write into map value */
13104 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13106 /* if arg4 == 1 do *arg3 = 0 */
13107 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13108 /* fetch map_value_ptr from the stack of this function */
13109 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13110 /* write into map value */
13111 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13114 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13115 .fixup_map_hash_8b = { 12, 22 },
13119 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
13122 /* pass fp-16, fp-8 into a function */
13123 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13127 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
13128 BPF_MOV64_IMM(BPF_REG_0, 0),
13132 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13133 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13134 /* 1st lookup from map */
13135 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
13136 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
13138 BPF_LD_MAP_FD(BPF_REG_1, 0),
13139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13140 BPF_FUNC_map_lookup_elem),
13141 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13142 BPF_MOV64_IMM(BPF_REG_8, 0),
13143 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13144 /* write map_value_ptr into stack frame of main prog at fp-8 */
13145 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13146 BPF_MOV64_IMM(BPF_REG_8, 1),
13148 /* 2nd lookup from map */
13149 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13150 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
13151 BPF_LD_MAP_FD(BPF_REG_1, 0),
13152 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13153 BPF_FUNC_map_lookup_elem),
13154 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13155 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
13156 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13157 /* write map_value_ptr into stack frame of main prog at fp-16 */
13158 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13159 BPF_MOV64_IMM(BPF_REG_9, 1),
13161 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13162 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
13163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13164 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13165 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13166 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
13167 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
13170 /* if arg2 == 1 do *arg1 = 0 */
13171 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13172 /* fetch map_value_ptr from the stack of this function */
13173 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13174 /* write into map value */
13175 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13177 /* if arg4 == 1 do *arg3 = 0 */
13178 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13179 /* fetch map_value_ptr from the stack of this function */
13180 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13181 /* write into map value */
13182 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
13183 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
13185 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13186 .fixup_map_hash_8b = { 12, 22 },
13188 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
13189 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13192 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
13195 /* pass fp-16, fp-8 into a function */
13196 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13198 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13200 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13201 BPF_MOV64_IMM(BPF_REG_0, 0),
13205 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13206 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13207 /* 1st lookup from map */
13208 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13209 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13211 BPF_LD_MAP_FD(BPF_REG_1, 0),
13212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13213 BPF_FUNC_map_lookup_elem),
13214 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13215 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13216 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13217 BPF_MOV64_IMM(BPF_REG_8, 0),
13218 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13219 BPF_MOV64_IMM(BPF_REG_8, 1),
13221 /* 2nd lookup from map */
13222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13224 BPF_LD_MAP_FD(BPF_REG_1, 0),
13225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13226 BPF_FUNC_map_lookup_elem),
13227 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
13228 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13229 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13230 BPF_MOV64_IMM(BPF_REG_9, 0),
13231 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13232 BPF_MOV64_IMM(BPF_REG_9, 1),
13234 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13235 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13237 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13238 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13243 /* if arg2 == 1 do *arg1 = 0 */
13244 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13245 /* fetch map_value_ptr from the stack of this function */
13246 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13247 /* write into map value */
13248 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13250 /* if arg4 == 1 do *arg3 = 0 */
13251 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13252 /* fetch map_value_ptr from the stack of this function */
13253 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13254 /* write into map value */
13255 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13258 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13259 .fixup_map_hash_8b = { 12, 22 },
13263 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
13266 /* pass fp-16, fp-8 into a function */
13267 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13271 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13272 BPF_MOV64_IMM(BPF_REG_0, 0),
13276 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13277 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13278 /* 1st lookup from map */
13279 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13280 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13282 BPF_LD_MAP_FD(BPF_REG_1, 0),
13283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13284 BPF_FUNC_map_lookup_elem),
13285 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13286 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13287 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13288 BPF_MOV64_IMM(BPF_REG_8, 0),
13289 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13290 BPF_MOV64_IMM(BPF_REG_8, 1),
13292 /* 2nd lookup from map */
13293 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13295 BPF_LD_MAP_FD(BPF_REG_1, 0),
13296 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13297 BPF_FUNC_map_lookup_elem),
13298 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
13299 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13300 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13301 BPF_MOV64_IMM(BPF_REG_9, 0),
13302 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13303 BPF_MOV64_IMM(BPF_REG_9, 1),
13305 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13308 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13309 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13310 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13314 /* if arg2 == 1 do *arg1 = 0 */
13315 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13316 /* fetch map_value_ptr from the stack of this function */
13317 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13318 /* write into map value */
13319 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13321 /* if arg4 == 0 do *arg3 = 0 */
13322 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
13323 /* fetch map_value_ptr from the stack of this function */
13324 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13325 /* write into map value */
13326 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13329 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13330 .fixup_map_hash_8b = { 12, 22 },
13332 .errstr = "R0 invalid mem access 'inv'",
13335 "calls: pkt_ptr spill into caller stack",
13337 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13343 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13344 offsetof(struct __sk_buff, data)),
13345 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13346 offsetof(struct __sk_buff, data_end)),
13347 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13349 /* spill unchecked pkt_ptr into stack of caller */
13350 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13351 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13352 /* now the pkt range is verified, read pkt_ptr from stack */
13353 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13354 /* write 4 bytes into packet */
13355 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13359 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13360 .retval = POINTER_VALUE,
13361 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13364 "calls: pkt_ptr spill into caller stack 2",
13366 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13368 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13369 /* Marking is still kept, but not in all cases safe. */
13370 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13371 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13375 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13376 offsetof(struct __sk_buff, data)),
13377 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13378 offsetof(struct __sk_buff, data_end)),
13379 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13381 /* spill unchecked pkt_ptr into stack of caller */
13382 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13383 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13384 /* now the pkt range is verified, read pkt_ptr from stack */
13385 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13386 /* write 4 bytes into packet */
13387 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13390 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13391 .errstr = "invalid access to packet",
13393 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13396 "calls: pkt_ptr spill into caller stack 3",
13398 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13401 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13402 /* Marking is still kept and safe here. */
13403 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13404 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13408 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13409 offsetof(struct __sk_buff, data)),
13410 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13411 offsetof(struct __sk_buff, data_end)),
13412 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13413 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13414 /* spill unchecked pkt_ptr into stack of caller */
13415 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13416 BPF_MOV64_IMM(BPF_REG_5, 0),
13417 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13418 BPF_MOV64_IMM(BPF_REG_5, 1),
13419 /* now the pkt range is verified, read pkt_ptr from stack */
13420 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13421 /* write 4 bytes into packet */
13422 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13423 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13429 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13432 "calls: pkt_ptr spill into caller stack 4",
13434 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13436 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13437 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13438 /* Check marking propagated. */
13439 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13440 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13444 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13445 offsetof(struct __sk_buff, data)),
13446 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13447 offsetof(struct __sk_buff, data_end)),
13448 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13450 /* spill unchecked pkt_ptr into stack of caller */
13451 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13452 BPF_MOV64_IMM(BPF_REG_5, 0),
13453 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13454 BPF_MOV64_IMM(BPF_REG_5, 1),
13455 /* don't read back pkt_ptr from stack here */
13456 /* write 4 bytes into packet */
13457 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13458 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13464 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13467 "calls: pkt_ptr spill into caller stack 5",
13469 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13470 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13471 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
13472 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13473 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13474 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13478 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13479 offsetof(struct __sk_buff, data)),
13480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13481 offsetof(struct __sk_buff, data_end)),
13482 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13483 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13484 BPF_MOV64_IMM(BPF_REG_5, 0),
13485 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13486 /* spill checked pkt_ptr into stack of caller */
13487 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13488 BPF_MOV64_IMM(BPF_REG_5, 1),
13489 /* don't read back pkt_ptr from stack here */
13490 /* write 4 bytes into packet */
13491 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13492 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13495 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13496 .errstr = "same insn cannot be used with different",
13498 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13501 "calls: pkt_ptr spill into caller stack 6",
13503 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13504 offsetof(struct __sk_buff, data_end)),
13505 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13507 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13508 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13509 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13510 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13514 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13515 offsetof(struct __sk_buff, data)),
13516 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13517 offsetof(struct __sk_buff, data_end)),
13518 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13520 BPF_MOV64_IMM(BPF_REG_5, 0),
13521 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13522 /* spill checked pkt_ptr into stack of caller */
13523 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13524 BPF_MOV64_IMM(BPF_REG_5, 1),
13525 /* don't read back pkt_ptr from stack here */
13526 /* write 4 bytes into packet */
13527 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13528 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13531 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13532 .errstr = "R4 invalid mem access",
13534 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13537 "calls: pkt_ptr spill into caller stack 7",
13539 BPF_MOV64_IMM(BPF_REG_2, 0),
13540 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13542 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13544 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13549 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13550 offsetof(struct __sk_buff, data)),
13551 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13552 offsetof(struct __sk_buff, data_end)),
13553 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13555 BPF_MOV64_IMM(BPF_REG_5, 0),
13556 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13557 /* spill checked pkt_ptr into stack of caller */
13558 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13559 BPF_MOV64_IMM(BPF_REG_5, 1),
13560 /* don't read back pkt_ptr from stack here */
13561 /* write 4 bytes into packet */
13562 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13563 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13566 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13567 .errstr = "R4 invalid mem access",
13569 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13572 "calls: pkt_ptr spill into caller stack 8",
13574 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13575 offsetof(struct __sk_buff, data)),
13576 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13577 offsetof(struct __sk_buff, data_end)),
13578 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13580 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13582 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13584 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13586 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13587 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13591 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13592 offsetof(struct __sk_buff, data)),
13593 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13594 offsetof(struct __sk_buff, data_end)),
13595 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13596 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13597 BPF_MOV64_IMM(BPF_REG_5, 0),
13598 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13599 /* spill checked pkt_ptr into stack of caller */
13600 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13601 BPF_MOV64_IMM(BPF_REG_5, 1),
13602 /* don't read back pkt_ptr from stack here */
13603 /* write 4 bytes into packet */
13604 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13605 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13608 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13610 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13613 "calls: pkt_ptr spill into caller stack 9",
13615 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13616 offsetof(struct __sk_buff, data)),
13617 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13618 offsetof(struct __sk_buff, data_end)),
13619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13621 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13623 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13625 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13626 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13627 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13628 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13632 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13633 offsetof(struct __sk_buff, data)),
13634 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13635 offsetof(struct __sk_buff, data_end)),
13636 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13638 BPF_MOV64_IMM(BPF_REG_5, 0),
13639 /* spill unchecked pkt_ptr into stack of caller */
13640 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13641 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13642 BPF_MOV64_IMM(BPF_REG_5, 1),
13643 /* don't read back pkt_ptr from stack here */
13644 /* write 4 bytes into packet */
13645 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13646 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13649 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13650 .errstr = "invalid access to packet",
13652 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13655 "calls: caller stack init to zero or map_value_or_null",
13657 BPF_MOV64_IMM(BPF_REG_0, 0),
13658 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13662 /* fetch map_value_or_null or const_zero from stack */
13663 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13665 /* store into map_value */
13666 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
13670 /* if (ctx == 0) return; */
13671 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
13672 /* else bpf_map_lookup() and *(fp - 8) = r0 */
13673 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
13674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13676 BPF_LD_MAP_FD(BPF_REG_1, 0),
13677 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13678 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13679 BPF_FUNC_map_lookup_elem),
13680 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13681 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13684 .fixup_map_hash_8b = { 13 },
13686 .prog_type = BPF_PROG_TYPE_XDP,
13689 "calls: stack init to zero and pruning",
13691 /* first make allocated_stack 16 byte */
13692 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
13693 /* now fork the execution such that the false branch
13694 * of JGT insn will be verified second and it skisp zero
13695 * init of fp-8 stack slot. If stack liveness marking
13696 * is missing live_read marks from call map_lookup
13697 * processing then pruning will incorrectly assume
13698 * that fp-8 stack slot was unused in the fall-through
13699 * branch and will accept the program incorrectly
13701 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
13702 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13703 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
13704 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13706 BPF_LD_MAP_FD(BPF_REG_1, 0),
13707 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13708 BPF_FUNC_map_lookup_elem),
13711 .fixup_map_hash_48b = { 6 },
13712 .errstr = "invalid indirect read from stack off -8+0 size 8",
13714 .prog_type = BPF_PROG_TYPE_XDP,
13717 "calls: two calls returning different map pointers for lookup (hash, array)",
13720 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
13722 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13724 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13725 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13726 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13729 BPF_FUNC_map_lookup_elem),
13730 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13731 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
13732 offsetof(struct test_val, foo)),
13733 BPF_MOV64_IMM(BPF_REG_0, 1),
13736 BPF_LD_MAP_FD(BPF_REG_0, 0),
13739 BPF_LD_MAP_FD(BPF_REG_0, 0),
13742 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13743 .fixup_map_hash_48b = { 13 },
13744 .fixup_map_array_48b = { 16 },
13749 "calls: two calls returning different map pointers for lookup (hash, map in map)",
13752 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
13754 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13756 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13757 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13761 BPF_FUNC_map_lookup_elem),
13762 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13763 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
13764 offsetof(struct test_val, foo)),
13765 BPF_MOV64_IMM(BPF_REG_0, 1),
13768 BPF_LD_MAP_FD(BPF_REG_0, 0),
13771 BPF_LD_MAP_FD(BPF_REG_0, 0),
13774 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13775 .fixup_map_in_map = { 16 },
13776 .fixup_map_array_48b = { 13 },
13778 .errstr = "R0 invalid mem access 'map_ptr'",
13781 "cond: two branches returning different map pointers for lookup (tail, tail)",
13783 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
13784 offsetof(struct __sk_buff, mark)),
13785 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
13786 BPF_LD_MAP_FD(BPF_REG_2, 0),
13787 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13788 BPF_LD_MAP_FD(BPF_REG_2, 0),
13789 BPF_MOV64_IMM(BPF_REG_3, 7),
13790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13791 BPF_FUNC_tail_call),
13792 BPF_MOV64_IMM(BPF_REG_0, 1),
13795 .fixup_prog1 = { 5 },
13796 .fixup_prog2 = { 2 },
13797 .result_unpriv = REJECT,
13798 .errstr_unpriv = "tail_call abusing map_ptr",
13803 "cond: two branches returning same map pointers for lookup (tail, tail)",
13805 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
13806 offsetof(struct __sk_buff, mark)),
13807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
13808 BPF_LD_MAP_FD(BPF_REG_2, 0),
13809 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13810 BPF_LD_MAP_FD(BPF_REG_2, 0),
13811 BPF_MOV64_IMM(BPF_REG_3, 7),
13812 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13813 BPF_FUNC_tail_call),
13814 BPF_MOV64_IMM(BPF_REG_0, 1),
13817 .fixup_prog2 = { 2, 5 },
13818 .result_unpriv = ACCEPT,
13823 "search pruning: all branches should be verified (nop operation)",
13825 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13827 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
13828 BPF_LD_MAP_FD(BPF_REG_1, 0),
13829 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
13830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
13831 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
13832 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
13833 BPF_MOV64_IMM(BPF_REG_4, 0),
13835 BPF_MOV64_IMM(BPF_REG_4, 1),
13836 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
13837 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
13838 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
13839 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
13840 BPF_MOV64_IMM(BPF_REG_6, 0),
13841 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
13844 .fixup_map_hash_8b = { 3 },
13845 .errstr = "R6 invalid mem access 'inv'",
13847 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
13850 "search pruning: all branches should be verified (invalid stack access)",
13852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13854 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
13855 BPF_LD_MAP_FD(BPF_REG_1, 0),
13856 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
13857 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
13858 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
13859 BPF_MOV64_IMM(BPF_REG_4, 0),
13860 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
13861 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
13863 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
13864 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
13865 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
13868 .fixup_map_hash_8b = { 3 },
13869 .errstr = "invalid read from stack off -16+0 size 8",
13871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
13874 "jit: lsh, rsh, arsh by 1",
13876 BPF_MOV64_IMM(BPF_REG_0, 1),
13877 BPF_MOV64_IMM(BPF_REG_1, 0xff),
13878 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
13879 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
13880 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
13882 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
13883 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
13884 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
13886 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
13887 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
13889 BPF_MOV64_IMM(BPF_REG_0, 2),
13896 "jit: mov32 for ldimm64, 1",
13898 BPF_MOV64_IMM(BPF_REG_0, 2),
13899 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
13900 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
13901 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
13902 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
13903 BPF_MOV64_IMM(BPF_REG_0, 1),
13910 "jit: mov32 for ldimm64, 2",
13912 BPF_MOV64_IMM(BPF_REG_0, 1),
13913 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
13914 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
13915 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
13916 BPF_MOV64_IMM(BPF_REG_0, 2),
13923 "jit: various mul tests",
13925 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
13926 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
13927 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
13928 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
13929 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
13930 BPF_MOV64_IMM(BPF_REG_0, 1),
13932 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
13933 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
13934 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
13935 BPF_MOV64_IMM(BPF_REG_0, 1),
13937 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
13938 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
13939 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
13940 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
13941 BPF_MOV64_IMM(BPF_REG_0, 1),
13943 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
13944 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
13945 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
13946 BPF_MOV64_IMM(BPF_REG_0, 1),
13948 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
13949 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
13950 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
13951 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
13952 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
13953 BPF_MOV64_IMM(BPF_REG_0, 1),
13955 BPF_MOV64_IMM(BPF_REG_0, 2),
13962 "xadd/w check unaligned stack",
13964 BPF_MOV64_IMM(BPF_REG_0, 1),
13965 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13966 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
13967 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13971 .errstr = "misaligned stack access off",
13972 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13975 "xadd/w check unaligned map",
13977 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13978 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13980 BPF_LD_MAP_FD(BPF_REG_1, 0),
13981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13982 BPF_FUNC_map_lookup_elem),
13983 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13985 BPF_MOV64_IMM(BPF_REG_1, 1),
13986 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
13987 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
13990 .fixup_map_hash_8b = { 3 },
13992 .errstr = "misaligned value access off",
13993 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13996 "xadd/w check unaligned pkt",
13998 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13999 offsetof(struct xdp_md, data)),
14000 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14001 offsetof(struct xdp_md, data_end)),
14002 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
14003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
14004 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
14005 BPF_MOV64_IMM(BPF_REG_0, 99),
14006 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
14007 BPF_MOV64_IMM(BPF_REG_0, 1),
14008 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
14009 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
14010 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
14011 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
14012 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
14016 .errstr = "BPF_XADD stores into R2 pkt is not allowed",
14017 .prog_type = BPF_PROG_TYPE_XDP,
14018 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
14021 "xadd/w check whether src/dst got mangled, 1",
14023 BPF_MOV64_IMM(BPF_REG_0, 1),
14024 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14025 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
14026 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
14027 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
14028 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
14029 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
14030 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
14031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
14033 BPF_MOV64_IMM(BPF_REG_0, 42),
14037 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14041 "xadd/w check whether src/dst got mangled, 2",
14043 BPF_MOV64_IMM(BPF_REG_0, 1),
14044 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14045 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
14046 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
14047 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
14048 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
14049 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
14050 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
14051 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
14053 BPF_MOV64_IMM(BPF_REG_0, 42),
14057 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14061 "bpf_get_stack return R0 within range",
14063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14064 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
14065 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
14066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
14067 BPF_LD_MAP_FD(BPF_REG_1, 0),
14068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14069 BPF_FUNC_map_lookup_elem),
14070 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
14071 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
14072 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
14073 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14074 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
14075 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
14076 BPF_MOV64_IMM(BPF_REG_4, 256),
14077 BPF_EMIT_CALL(BPF_FUNC_get_stack),
14078 BPF_MOV64_IMM(BPF_REG_1, 0),
14079 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
14080 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
14081 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
14082 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
14083 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
14084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
14085 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
14086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
14087 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
14088 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
14089 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
14090 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
14091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
14092 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
14093 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
14094 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
14095 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14096 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
14097 BPF_MOV64_IMM(BPF_REG_4, 0),
14098 BPF_EMIT_CALL(BPF_FUNC_get_stack),
14101 .fixup_map_hash_48b = { 4 },
14103 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
14106 "ld_abs: invalid op 1",
14108 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14109 BPF_LD_ABS(BPF_DW, 0),
14112 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14114 .errstr = "unknown opcode",
14117 "ld_abs: invalid op 2",
14119 BPF_MOV32_IMM(BPF_REG_0, 256),
14120 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14121 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
14124 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14126 .errstr = "unknown opcode",
14129 "ld_abs: nmap reduced",
14131 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14132 BPF_LD_ABS(BPF_H, 12),
14133 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
14134 BPF_LD_ABS(BPF_H, 12),
14135 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
14136 BPF_MOV32_IMM(BPF_REG_0, 18),
14137 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
14138 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
14139 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
14140 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
14141 BPF_MOV32_IMM(BPF_REG_0, 280971478),
14142 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
14143 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
14144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
14145 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
14146 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
14147 BPF_LD_ABS(BPF_H, 12),
14148 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
14149 BPF_MOV32_IMM(BPF_REG_0, 22),
14150 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
14151 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
14152 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
14153 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
14154 BPF_MOV32_IMM(BPF_REG_0, 17366),
14155 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
14156 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
14157 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
14158 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
14159 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
14160 BPF_MOV32_IMM(BPF_REG_0, 256),
14162 BPF_MOV32_IMM(BPF_REG_0, 0),
14166 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
14167 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
14168 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
14170 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14175 "ld_abs: div + abs, test 1",
14177 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14178 BPF_LD_ABS(BPF_B, 3),
14179 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
14180 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
14181 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
14182 BPF_LD_ABS(BPF_B, 4),
14183 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
14184 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
14188 10, 20, 30, 40, 50,
14190 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14195 "ld_abs: div + abs, test 2",
14197 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14198 BPF_LD_ABS(BPF_B, 3),
14199 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
14200 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
14201 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
14202 BPF_LD_ABS(BPF_B, 128),
14203 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
14204 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
14208 10, 20, 30, 40, 50,
14210 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14215 "ld_abs: div + abs, test 3",
14217 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14218 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
14219 BPF_LD_ABS(BPF_B, 3),
14220 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
14224 10, 20, 30, 40, 50,
14226 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14231 "ld_abs: div + abs, test 4",
14233 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14234 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
14235 BPF_LD_ABS(BPF_B, 256),
14236 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
14240 10, 20, 30, 40, 50,
14242 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14247 "ld_abs: vlan + abs, test 1",
14252 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
14253 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14258 "ld_abs: vlan + abs, test 2",
14260 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14261 BPF_LD_ABS(BPF_B, 0),
14262 BPF_LD_ABS(BPF_H, 0),
14263 BPF_LD_ABS(BPF_W, 0),
14264 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
14265 BPF_MOV64_IMM(BPF_REG_6, 0),
14266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
14267 BPF_MOV64_IMM(BPF_REG_2, 1),
14268 BPF_MOV64_IMM(BPF_REG_3, 2),
14269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14270 BPF_FUNC_skb_vlan_push),
14271 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
14272 BPF_LD_ABS(BPF_B, 0),
14273 BPF_LD_ABS(BPF_H, 0),
14274 BPF_LD_ABS(BPF_W, 0),
14275 BPF_MOV64_IMM(BPF_REG_0, 42),
14281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14286 "ld_abs: jump around ld_abs",
14291 .fill_helper = bpf_fill_jump_around_ld_abs,
14292 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14297 "ld_dw: xor semi-random 64 bit imms, test 1",
14300 .fill_helper = bpf_fill_rand_ld_dw,
14301 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14306 "ld_dw: xor semi-random 64 bit imms, test 2",
14309 .fill_helper = bpf_fill_rand_ld_dw,
14310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14315 "ld_dw: xor semi-random 64 bit imms, test 3",
14318 .fill_helper = bpf_fill_rand_ld_dw,
14319 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14324 "ld_dw: xor semi-random 64 bit imms, test 4",
14327 .fill_helper = bpf_fill_rand_ld_dw,
14328 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14333 "pass unmodified ctx pointer to helper",
14335 BPF_MOV64_IMM(BPF_REG_2, 0),
14336 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14337 BPF_FUNC_csum_update),
14338 BPF_MOV64_IMM(BPF_REG_0, 0),
14341 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14345 "reference tracking: leak potential reference",
14348 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
14351 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14352 .errstr = "Unreleased reference",
14356 "reference tracking: leak potential reference on stack",
14359 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14361 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14362 BPF_MOV64_IMM(BPF_REG_0, 0),
14365 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14366 .errstr = "Unreleased reference",
14370 "reference tracking: leak potential reference on stack 2",
14373 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14375 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14376 BPF_MOV64_IMM(BPF_REG_0, 0),
14377 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
14380 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14381 .errstr = "Unreleased reference",
14385 "reference tracking: zero potential reference",
14388 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
14391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14392 .errstr = "Unreleased reference",
14396 "reference tracking: copy and zero potential references",
14399 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
14400 BPF_MOV64_IMM(BPF_REG_0, 0),
14401 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
14404 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14405 .errstr = "Unreleased reference",
14409 "reference tracking: release reference without check",
14412 /* reference in r0 may be NULL */
14413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14414 BPF_MOV64_IMM(BPF_REG_2, 0),
14415 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14418 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14419 .errstr = "type=sock_or_null expected=sock",
14423 "reference tracking: release reference",
14426 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14428 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14431 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14435 "reference tracking: release reference 2",
14438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14439 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
14441 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14444 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14448 "reference tracking: release reference twice",
14451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14452 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14453 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14454 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14456 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14459 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14460 .errstr = "type=inv expected=sock",
14464 "reference tracking: release reference twice inside branch",
14467 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14468 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14469 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
14470 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14471 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14472 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14476 .errstr = "type=inv expected=sock",
14480 "reference tracking: alloc, check, free in one subbranch",
14482 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
14483 offsetof(struct __sk_buff, data)),
14484 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14485 offsetof(struct __sk_buff, data_end)),
14486 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
14487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
14488 /* if (offsetof(skb, mark) > data_len) exit; */
14489 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
14491 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
14492 offsetof(struct __sk_buff, mark)),
14494 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
14495 /* Leak reference in R0 */
14497 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14498 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14499 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14502 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14503 .errstr = "Unreleased reference",
14505 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
14508 "reference tracking: alloc, check, free in both subbranches",
14510 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
14511 offsetof(struct __sk_buff, data)),
14512 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14513 offsetof(struct __sk_buff, data_end)),
14514 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
14515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
14516 /* if (offsetof(skb, mark) > data_len) exit; */
14517 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
14519 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
14520 offsetof(struct __sk_buff, mark)),
14522 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
14523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14525 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14527 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14528 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14529 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14532 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14534 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
14537 "reference tracking in call: free reference in subprog",
14540 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
14541 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14542 BPF_MOV64_IMM(BPF_REG_0, 0),
14546 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
14547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
14548 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14551 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14555 "pass modified ctx pointer to helper, 1",
14557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
14558 BPF_MOV64_IMM(BPF_REG_2, 0),
14559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14560 BPF_FUNC_csum_update),
14561 BPF_MOV64_IMM(BPF_REG_0, 0),
14564 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14566 .errstr = "dereference of modified ctx ptr",
14569 "pass modified ctx pointer to helper, 2",
14571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
14572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14573 BPF_FUNC_get_socket_cookie),
14574 BPF_MOV64_IMM(BPF_REG_0, 0),
14577 .result_unpriv = REJECT,
14579 .errstr_unpriv = "dereference of modified ctx ptr",
14580 .errstr = "dereference of modified ctx ptr",
14583 "pass modified ctx pointer to helper, 3",
14585 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
14586 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
14587 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
14588 BPF_MOV64_IMM(BPF_REG_2, 0),
14589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14590 BPF_FUNC_csum_update),
14591 BPF_MOV64_IMM(BPF_REG_0, 0),
14594 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14596 .errstr = "variable ctx access var_off=(0x0; 0x4)",
14599 "mov64 src == dst",
14601 BPF_MOV64_IMM(BPF_REG_2, 0),
14602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
14603 // Check bounds are OK
14604 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
14605 BPF_MOV64_IMM(BPF_REG_0, 0),
14608 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14612 "mov64 src != dst",
14614 BPF_MOV64_IMM(BPF_REG_3, 0),
14615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
14616 // Check bounds are OK
14617 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
14618 BPF_MOV64_IMM(BPF_REG_0, 0),
14621 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14627 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14628 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
14629 BPF_ALU64_REG(BPF_MOV, BPF_REG_7, BPF_REG_0),
14630 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
14631 BPF_MOV64_IMM(BPF_REG_0, 0),
14632 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
14633 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, -8),
14634 BPF_STX_MEM(BPF_B, BPF_REG_10, BPF_REG_7, -9),
14635 BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_10, -9),
14636 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14637 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14638 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14639 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14643 .result_unpriv = ACCEPT,
14644 .insn_processed = 15,
14647 "masking, test out of bounds 1",
14649 BPF_MOV32_IMM(BPF_REG_1, 5),
14650 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14651 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14652 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14653 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14654 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14655 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14656 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14663 "masking, test out of bounds 2",
14665 BPF_MOV32_IMM(BPF_REG_1, 1),
14666 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14667 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14668 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14669 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14670 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14671 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14672 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14679 "masking, test out of bounds 3",
14681 BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
14682 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14683 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14684 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14685 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14686 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14687 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14688 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14695 "masking, test out of bounds 4",
14697 BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
14698 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14699 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14700 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14701 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14702 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14703 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14704 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14711 "masking, test out of bounds 5",
14713 BPF_MOV32_IMM(BPF_REG_1, -1),
14714 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14715 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14716 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14717 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14718 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14719 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14720 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14727 "masking, test out of bounds 6",
14729 BPF_MOV32_IMM(BPF_REG_1, -1),
14730 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14731 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14732 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14733 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14734 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14735 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14736 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14743 "masking, test out of bounds 7",
14745 BPF_MOV64_IMM(BPF_REG_1, 5),
14746 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14747 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14748 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14749 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14750 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14751 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14752 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14759 "masking, test out of bounds 8",
14761 BPF_MOV64_IMM(BPF_REG_1, 1),
14762 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14763 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14764 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14765 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14766 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14767 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14768 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14775 "masking, test out of bounds 9",
14777 BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
14778 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14779 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14780 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14781 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14782 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14783 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14784 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14791 "masking, test out of bounds 10",
14793 BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
14794 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14795 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14796 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14797 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14798 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14799 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14800 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14807 "masking, test out of bounds 11",
14809 BPF_MOV64_IMM(BPF_REG_1, -1),
14810 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14811 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14812 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14813 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14814 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14815 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14816 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14823 "masking, test out of bounds 12",
14825 BPF_MOV64_IMM(BPF_REG_1, -1),
14826 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14827 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14828 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14829 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14830 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14831 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14832 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14839 "masking, test in bounds 1",
14841 BPF_MOV32_IMM(BPF_REG_1, 4),
14842 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14843 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14844 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14845 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14846 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14847 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14848 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14855 "masking, test in bounds 2",
14857 BPF_MOV32_IMM(BPF_REG_1, 0),
14858 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14859 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14860 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14861 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14862 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14863 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14864 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14871 "masking, test in bounds 3",
14873 BPF_MOV32_IMM(BPF_REG_1, 0xfffffffe),
14874 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14875 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14876 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14877 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14878 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14879 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14880 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14884 .retval = 0xfffffffe,
14887 "masking, test in bounds 4",
14889 BPF_MOV32_IMM(BPF_REG_1, 0xabcde),
14890 BPF_MOV32_IMM(BPF_REG_2, 0xabcdef - 1),
14891 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14892 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14893 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14894 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14895 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14896 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14903 "masking, test in bounds 5",
14905 BPF_MOV32_IMM(BPF_REG_1, 0),
14906 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14907 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14908 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14909 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14910 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14911 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14912 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14919 "masking, test in bounds 6",
14921 BPF_MOV32_IMM(BPF_REG_1, 46),
14922 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14923 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14924 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14925 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14926 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14927 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14928 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14935 "masking, test in bounds 7",
14937 BPF_MOV64_IMM(BPF_REG_3, -46),
14938 BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
14939 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14940 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
14941 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
14942 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14943 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14944 BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
14945 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
14952 "masking, test in bounds 8",
14954 BPF_MOV64_IMM(BPF_REG_3, -47),
14955 BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
14956 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14957 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
14958 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
14959 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14960 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14961 BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
14962 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
14969 "reference tracking in call: free reference in subprog and outside",
14972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
14973 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14974 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
14975 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14976 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14980 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
14981 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
14982 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14985 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14986 .errstr = "type=inv expected=sock",
14990 "reference tracking in call: alloc & leak reference in subprog",
14992 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
14995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14996 BPF_MOV64_IMM(BPF_REG_0, 0),
15000 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
15002 /* spill unchecked sk_ptr into stack of caller */
15003 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
15004 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15007 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15008 .errstr = "Unreleased reference",
15012 "reference tracking in call: alloc in subprog, release outside",
15014 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
15015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
15016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
15018 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15023 BPF_EXIT_INSN(), /* return sk */
15025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15026 .retval = POINTER_VALUE,
15030 "reference tracking in call: sk_ptr leak into caller stack",
15032 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
15033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
15034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
15035 BPF_MOV64_IMM(BPF_REG_0, 0),
15039 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
15040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
15041 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
15042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
15043 /* spill unchecked sk_ptr into stack of caller */
15044 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
15045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
15046 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
15047 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
15054 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15055 .errstr = "Unreleased reference",
15059 "reference tracking in call: sk_ptr spill into caller stack",
15061 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
15062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
15063 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
15064 BPF_MOV64_IMM(BPF_REG_0, 0),
15068 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
15069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
15070 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
15071 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
15072 /* spill unchecked sk_ptr into stack of caller */
15073 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
15074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
15075 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
15076 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
15077 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
15078 /* now the sk_ptr is verified, free the reference */
15079 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
15080 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15087 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15091 "reference tracking: allow LD_ABS",
15093 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
15095 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15096 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
15097 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15098 BPF_LD_ABS(BPF_B, 0),
15099 BPF_LD_ABS(BPF_H, 0),
15100 BPF_LD_ABS(BPF_W, 0),
15103 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15107 "reference tracking: forbid LD_ABS while holding reference",
15109 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
15111 BPF_LD_ABS(BPF_B, 0),
15112 BPF_LD_ABS(BPF_H, 0),
15113 BPF_LD_ABS(BPF_W, 0),
15114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
15116 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15119 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15120 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
15124 "reference tracking: allow LD_IND",
15126 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
15128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15129 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
15130 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15131 BPF_MOV64_IMM(BPF_REG_7, 1),
15132 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
15133 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
15136 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15141 "reference tracking: forbid LD_IND while holding reference",
15143 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
15145 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
15146 BPF_MOV64_IMM(BPF_REG_7, 1),
15147 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
15148 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
15149 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
15150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
15151 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15154 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15155 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
15159 "reference tracking: check reference or tail call",
15161 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15163 /* if (sk) bpf_sk_release() */
15164 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15165 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
15166 /* bpf_tail_call() */
15167 BPF_MOV64_IMM(BPF_REG_3, 2),
15168 BPF_LD_MAP_FD(BPF_REG_2, 0),
15169 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15170 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15171 BPF_FUNC_tail_call),
15172 BPF_MOV64_IMM(BPF_REG_0, 0),
15174 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15177 .fixup_prog1 = { 17 },
15178 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15182 "reference tracking: release reference then tail call",
15184 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15186 /* if (sk) bpf_sk_release() */
15187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
15189 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15190 /* bpf_tail_call() */
15191 BPF_MOV64_IMM(BPF_REG_3, 2),
15192 BPF_LD_MAP_FD(BPF_REG_2, 0),
15193 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15195 BPF_FUNC_tail_call),
15196 BPF_MOV64_IMM(BPF_REG_0, 0),
15199 .fixup_prog1 = { 18 },
15200 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15204 "reference tracking: leak possible reference over tail call",
15206 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15207 /* Look up socket and store in REG_6 */
15209 /* bpf_tail_call() */
15210 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15211 BPF_MOV64_IMM(BPF_REG_3, 2),
15212 BPF_LD_MAP_FD(BPF_REG_2, 0),
15213 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15214 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15215 BPF_FUNC_tail_call),
15216 BPF_MOV64_IMM(BPF_REG_0, 0),
15217 /* if (sk) bpf_sk_release() */
15218 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15219 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
15220 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15223 .fixup_prog1 = { 16 },
15224 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15225 .errstr = "tail_call would lead to reference leak",
15229 "reference tracking: leak checked reference over tail call",
15231 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15232 /* Look up socket and store in REG_6 */
15234 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15235 /* if (!sk) goto end */
15236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
15237 /* bpf_tail_call() */
15238 BPF_MOV64_IMM(BPF_REG_3, 0),
15239 BPF_LD_MAP_FD(BPF_REG_2, 0),
15240 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15241 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15242 BPF_FUNC_tail_call),
15243 BPF_MOV64_IMM(BPF_REG_0, 0),
15244 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15245 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15248 .fixup_prog1 = { 17 },
15249 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15250 .errstr = "tail_call would lead to reference leak",
15254 "reference tracking: mangle and release sock_or_null",
15257 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
15259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
15260 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15263 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15264 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
15268 "reference tracking: mangle and release sock",
15271 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15272 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
15273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
15274 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15277 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15278 .errstr = "R1 pointer arithmetic on sock prohibited",
15282 "reference tracking: access member",
15285 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15287 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
15288 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15289 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15292 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15296 "reference tracking: write to member",
15299 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15300 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
15301 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15302 BPF_LD_IMM64(BPF_REG_2, 42),
15303 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
15304 offsetof(struct bpf_sock, mark)),
15305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15306 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15307 BPF_LD_IMM64(BPF_REG_0, 0),
15310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15311 .errstr = "cannot write into socket",
15315 "reference tracking: invalid 64-bit access of member",
15318 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15320 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
15321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15322 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15326 .errstr = "invalid bpf_sock access off=0 size=8",
15330 "reference tracking: access after release",
15333 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15334 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
15335 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15336 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
15339 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15340 .errstr = "!read_ok",
15344 "reference tracking: direct access for lookup",
15346 /* Check that the packet is at least 64B long */
15347 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15348 offsetof(struct __sk_buff, data)),
15349 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15350 offsetof(struct __sk_buff, data_end)),
15351 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
15352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
15353 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
15354 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
15355 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
15356 BPF_MOV64_IMM(BPF_REG_4, 0),
15357 BPF_MOV64_IMM(BPF_REG_5, 0),
15358 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
15359 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15360 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15361 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
15362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15363 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15366 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15370 "calls: ctx read at start of subprog",
15372 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
15373 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
15374 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
15375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
15377 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15379 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
15380 BPF_MOV64_IMM(BPF_REG_0, 0),
15383 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15384 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15385 .result_unpriv = REJECT,
15389 "check wire_len is not readable by sockets",
15391 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
15392 offsetof(struct __sk_buff, wire_len)),
15395 .errstr = "invalid bpf_context access",
15399 "check wire_len is readable by tc classifier",
15401 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
15402 offsetof(struct __sk_buff, wire_len)),
15405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15409 "check wire_len is not writable by tc classifier",
15411 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
15412 offsetof(struct __sk_buff, wire_len)),
15415 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15416 .errstr = "invalid bpf_context access",
15417 .errstr_unpriv = "R1 leaks addr",
15421 "calls: cross frame pruning",
15423 /* r8 = !!random();
15426 * do something bad;
15428 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15429 BPF_FUNC_get_prandom_u32),
15430 BPF_MOV64_IMM(BPF_REG_8, 0),
15431 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
15432 BPF_MOV64_IMM(BPF_REG_8, 1),
15433 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
15434 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
15435 BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
15436 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
15437 BPF_MOV64_IMM(BPF_REG_0, 0),
15439 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
15442 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15443 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15444 .errstr = "!read_ok",
15448 "jset: functional",
15451 BPF_MOV64_IMM(BPF_REG_0, 0),
15452 /* prep for direct packet access via r2 */
15453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15454 offsetof(struct __sk_buff, data)),
15455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15456 offsetof(struct __sk_buff, data_end)),
15457 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
15458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
15459 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1),
15462 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_2, 0),
15464 /* reg, bit 63 or bit 0 set, taken */
15465 BPF_LD_IMM64(BPF_REG_8, 0x8000000000000001),
15466 BPF_JMP_REG(BPF_JSET, BPF_REG_7, BPF_REG_8, 1),
15469 /* reg, bit 62, not taken */
15470 BPF_LD_IMM64(BPF_REG_8, 0x4000000000000000),
15471 BPF_JMP_REG(BPF_JSET, BPF_REG_7, BPF_REG_8, 1),
15472 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
15475 /* imm, any bit set, taken */
15476 BPF_JMP_IMM(BPF_JSET, BPF_REG_7, -1, 1),
15479 /* imm, bit 31 set, taken */
15480 BPF_JMP_IMM(BPF_JSET, BPF_REG_7, 0x80000000, 1),
15483 /* all good - return r0 == 2 */
15484 BPF_MOV64_IMM(BPF_REG_0, 2),
15487 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15492 .data64 = { (1ULL << 63) | (1U << 31) | (1U << 0), }
15495 .data64 = { (1ULL << 63) | (1U << 31), }
15498 .data64 = { (1ULL << 31) | (1U << 0), }
15501 .data64 = { (__u32)-1, }
15504 .data64 = { ~0x4000000000000000ULL, }
15510 .data64 = { ~0ULL, }
15515 "jset: sign-extend",
15518 BPF_MOV64_IMM(BPF_REG_0, 0),
15519 /* prep for direct packet access via r2 */
15520 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15521 offsetof(struct __sk_buff, data)),
15522 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15523 offsetof(struct __sk_buff, data_end)),
15524 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
15525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
15526 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1),
15529 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_2, 0),
15531 BPF_JMP_IMM(BPF_JSET, BPF_REG_7, 0x80000000, 1),
15534 BPF_MOV64_IMM(BPF_REG_0, 2),
15537 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15540 .data = { 1, 0, 0, 0, 0, 0, 0, 1, },
15543 "jset: known const compare",
15545 BPF_MOV64_IMM(BPF_REG_0, 1),
15546 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15547 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15550 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15551 .retval_unpriv = 1,
15552 .result_unpriv = ACCEPT,
15557 "jset: known const compare bad",
15559 BPF_MOV64_IMM(BPF_REG_0, 0),
15560 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15561 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15564 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15565 .errstr_unpriv = "!read_ok",
15566 .result_unpriv = REJECT,
15567 .errstr = "!read_ok",
15571 "jset: unknown const compare taken",
15573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15574 BPF_FUNC_get_prandom_u32),
15575 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15576 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
15577 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15580 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15581 .errstr_unpriv = "!read_ok",
15582 .result_unpriv = REJECT,
15583 .errstr = "!read_ok",
15587 "jset: unknown const compare not taken",
15589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15590 BPF_FUNC_get_prandom_u32),
15591 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15592 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15595 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15596 .errstr_unpriv = "!read_ok",
15597 .result_unpriv = REJECT,
15598 .errstr = "!read_ok",
15602 "jset: half-known const compare",
15604 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15605 BPF_FUNC_get_prandom_u32),
15606 BPF_ALU64_IMM(BPF_OR, BPF_REG_0, 2),
15607 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 3, 1),
15608 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15609 BPF_MOV64_IMM(BPF_REG_0, 0),
15612 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15613 .result_unpriv = ACCEPT,
15619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15620 BPF_FUNC_get_prandom_u32),
15621 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15622 BPF_MOV64_IMM(BPF_REG_0, 0),
15623 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xff),
15624 BPF_JMP_IMM(BPF_JSET, BPF_REG_1, 0xf0, 3),
15625 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 0x10, 1),
15626 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15628 BPF_JMP_IMM(BPF_JSET, BPF_REG_1, 0x10, 1),
15630 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0x10, 1),
15631 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15634 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15635 .result_unpriv = ACCEPT,
15639 "dead code: start",
15641 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
15642 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15643 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
15644 BPF_MOV64_IMM(BPF_REG_0, 7),
15645 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, -4),
15652 "dead code: mid 1",
15654 BPF_MOV64_IMM(BPF_REG_0, 7),
15655 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
15656 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, 0),
15663 "dead code: mid 2",
15665 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15666 BPF_FUNC_get_prandom_u32),
15667 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 4),
15668 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15669 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
15670 BPF_MOV64_IMM(BPF_REG_0, 7),
15672 BPF_MOV64_IMM(BPF_REG_0, 1),
15679 "dead code: end 1",
15681 BPF_MOV64_IMM(BPF_REG_0, 7),
15682 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, 1),
15690 "dead code: end 2",
15692 BPF_MOV64_IMM(BPF_REG_0, 7),
15693 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, 1),
15695 BPF_MOV64_IMM(BPF_REG_0, 12),
15702 "dead code: end 3",
15704 BPF_MOV64_IMM(BPF_REG_0, 7),
15705 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 8, 1),
15707 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 10, 1),
15708 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
15709 BPF_MOV64_IMM(BPF_REG_0, 12),
15710 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
15716 "dead code: tail of main + func",
15718 BPF_MOV64_IMM(BPF_REG_0, 7),
15719 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 8, 1),
15721 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
15723 BPF_MOV64_IMM(BPF_REG_0, 12),
15726 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15727 .result_unpriv = REJECT,
15732 "dead code: tail of main + two functions",
15734 BPF_MOV64_IMM(BPF_REG_0, 7),
15735 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 8, 1),
15737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
15739 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
15741 BPF_MOV64_IMM(BPF_REG_0, 12),
15744 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15745 .result_unpriv = REJECT,
15750 "dead code: function in the middle and mid of another func",
15752 BPF_MOV64_IMM(BPF_REG_1, 7),
15753 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
15755 BPF_MOV64_IMM(BPF_REG_0, 12),
15757 BPF_MOV64_IMM(BPF_REG_0, 7),
15758 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 7, 1),
15759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -5),
15762 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15763 .result_unpriv = REJECT,
15768 "dead code: middle of main before call",
15770 BPF_MOV64_IMM(BPF_REG_1, 2),
15771 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 2, 1),
15772 BPF_MOV64_IMM(BPF_REG_1, 5),
15773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
15775 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
15778 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15779 .result_unpriv = REJECT,
15784 "dead code: start of a function",
15786 BPF_MOV64_IMM(BPF_REG_1, 2),
15787 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
15789 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
15790 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
15793 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15794 .result_unpriv = REJECT,
15800 static int probe_filter_length(const struct bpf_insn *fp)
15804 for (len = MAX_INSNS - 1; len > 0; --len)
15805 if (fp[len].code != 0 || fp[len].imm != 0)
15810 static int create_map(uint32_t type, uint32_t size_key,
15811 uint32_t size_value, uint32_t max_elem)
15815 fd = bpf_create_map(type, size_key, size_value, max_elem,
15816 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
15818 printf("Failed to create hash map '%s'!\n", strerror(errno));
15823 static void update_map(int fd, int index)
15825 struct test_val value = {
15826 .index = (6 + 1) * sizeof(int),
15827 .foo[6] = 0xabcdef12,
15830 assert(!bpf_map_update_elem(fd, &index, &value, 0));
15833 static int create_prog_dummy1(enum bpf_prog_type prog_type)
15835 struct bpf_insn prog[] = {
15836 BPF_MOV64_IMM(BPF_REG_0, 42),
15840 return bpf_load_program(prog_type, prog,
15841 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
15844 static int create_prog_dummy2(enum bpf_prog_type prog_type, int mfd, int idx)
15846 struct bpf_insn prog[] = {
15847 BPF_MOV64_IMM(BPF_REG_3, idx),
15848 BPF_LD_MAP_FD(BPF_REG_2, mfd),
15849 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15850 BPF_FUNC_tail_call),
15851 BPF_MOV64_IMM(BPF_REG_0, 41),
15855 return bpf_load_program(prog_type, prog,
15856 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
15859 static int create_prog_array(enum bpf_prog_type prog_type, uint32_t max_elem,
15863 int mfd, p1fd, p2fd;
15865 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
15866 sizeof(int), max_elem, 0);
15868 printf("Failed to create prog array '%s'!\n", strerror(errno));
15872 p1fd = create_prog_dummy1(prog_type);
15873 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
15874 if (p1fd < 0 || p2fd < 0)
15876 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
15878 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
15891 static int create_map_in_map(void)
15893 int inner_map_fd, outer_map_fd;
15895 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
15896 sizeof(int), 1, 0);
15897 if (inner_map_fd < 0) {
15898 printf("Failed to create array '%s'!\n", strerror(errno));
15899 return inner_map_fd;
15902 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
15903 sizeof(int), inner_map_fd, 1, 0);
15904 if (outer_map_fd < 0)
15905 printf("Failed to create array of maps '%s'!\n",
15908 close(inner_map_fd);
15910 return outer_map_fd;
15913 static int create_cgroup_storage(bool percpu)
15915 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
15916 BPF_MAP_TYPE_CGROUP_STORAGE;
15919 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
15920 TEST_DATA_LEN, 0, 0);
15922 printf("Failed to create cgroup storage '%s'!\n",
15928 static char bpf_vlog[UINT_MAX >> 8];
15930 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
15931 struct bpf_insn *prog, int *map_fds)
15933 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
15934 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
15935 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
15936 int *fixup_map_array_48b = test->fixup_map_array_48b;
15937 int *fixup_map_sockmap = test->fixup_map_sockmap;
15938 int *fixup_map_sockhash = test->fixup_map_sockhash;
15939 int *fixup_map_xskmap = test->fixup_map_xskmap;
15940 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
15941 int *fixup_prog1 = test->fixup_prog1;
15942 int *fixup_prog2 = test->fixup_prog2;
15943 int *fixup_map_in_map = test->fixup_map_in_map;
15944 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
15945 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
15947 if (test->fill_helper)
15948 test->fill_helper(test);
15950 /* Allocating HTs with 1 elem is fine here, since we only test
15951 * for verifier and not do a runtime lookup, so the only thing
15952 * that really matters is value size in this case.
15954 if (*fixup_map_hash_8b) {
15955 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15956 sizeof(long long), 1);
15958 prog[*fixup_map_hash_8b].imm = map_fds[0];
15959 fixup_map_hash_8b++;
15960 } while (*fixup_map_hash_8b);
15963 if (*fixup_map_hash_48b) {
15964 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15965 sizeof(struct test_val), 1);
15967 prog[*fixup_map_hash_48b].imm = map_fds[1];
15968 fixup_map_hash_48b++;
15969 } while (*fixup_map_hash_48b);
15972 if (*fixup_map_hash_16b) {
15973 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15974 sizeof(struct other_val), 1);
15976 prog[*fixup_map_hash_16b].imm = map_fds[2];
15977 fixup_map_hash_16b++;
15978 } while (*fixup_map_hash_16b);
15981 if (*fixup_map_array_48b) {
15982 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
15983 sizeof(struct test_val), 1);
15984 update_map(map_fds[3], 0);
15986 prog[*fixup_map_array_48b].imm = map_fds[3];
15987 fixup_map_array_48b++;
15988 } while (*fixup_map_array_48b);
15991 if (*fixup_prog1) {
15992 map_fds[4] = create_prog_array(prog_type, 4, 0);
15994 prog[*fixup_prog1].imm = map_fds[4];
15996 } while (*fixup_prog1);
15999 if (*fixup_prog2) {
16000 map_fds[5] = create_prog_array(prog_type, 8, 7);
16002 prog[*fixup_prog2].imm = map_fds[5];
16004 } while (*fixup_prog2);
16007 if (*fixup_map_in_map) {
16008 map_fds[6] = create_map_in_map();
16010 prog[*fixup_map_in_map].imm = map_fds[6];
16011 fixup_map_in_map++;
16012 } while (*fixup_map_in_map);
16015 if (*fixup_cgroup_storage) {
16016 map_fds[7] = create_cgroup_storage(false);
16018 prog[*fixup_cgroup_storage].imm = map_fds[7];
16019 fixup_cgroup_storage++;
16020 } while (*fixup_cgroup_storage);
16023 if (*fixup_percpu_cgroup_storage) {
16024 map_fds[8] = create_cgroup_storage(true);
16026 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
16027 fixup_percpu_cgroup_storage++;
16028 } while (*fixup_percpu_cgroup_storage);
16030 if (*fixup_map_sockmap) {
16031 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
16034 prog[*fixup_map_sockmap].imm = map_fds[9];
16035 fixup_map_sockmap++;
16036 } while (*fixup_map_sockmap);
16038 if (*fixup_map_sockhash) {
16039 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
16042 prog[*fixup_map_sockhash].imm = map_fds[10];
16043 fixup_map_sockhash++;
16044 } while (*fixup_map_sockhash);
16046 if (*fixup_map_xskmap) {
16047 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
16050 prog[*fixup_map_xskmap].imm = map_fds[11];
16051 fixup_map_xskmap++;
16052 } while (*fixup_map_xskmap);
16054 if (*fixup_map_stacktrace) {
16055 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
16058 prog[*fixup_map_stacktrace].imm = map_fds[12];
16059 fixup_map_stacktrace++;
16060 } while (*fixup_map_stacktrace);
16064 static int set_admin(bool admin)
16067 const cap_value_t cap_val = CAP_SYS_ADMIN;
16070 caps = cap_get_proc();
16072 perror("cap_get_proc");
16075 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
16076 admin ? CAP_SET : CAP_CLEAR)) {
16077 perror("cap_set_flag");
16080 if (cap_set_proc(caps)) {
16081 perror("cap_set_proc");
16086 if (cap_free(caps))
16087 perror("cap_free");
16091 static int do_prog_test_run(int fd_prog, bool unpriv, uint32_t expected_val,
16092 void *data, size_t size_data)
16094 __u8 tmp[TEST_DATA_LEN << 2];
16095 __u32 size_tmp = sizeof(tmp);
16101 err = bpf_prog_test_run(fd_prog, 1, data, size_data,
16102 tmp, &size_tmp, &retval, NULL);
16105 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
16106 printf("Unexpected bpf_prog_test_run error ");
16109 if (!err && retval != expected_val &&
16110 expected_val != POINTER_VALUE) {
16111 printf("FAIL retval %d != %d ", retval, expected_val);
16118 static void do_test_single(struct bpf_test *test, bool unpriv,
16119 int *passes, int *errors)
16121 int fd_prog, expected_ret, alignment_prevented_execution;
16122 int prog_len, prog_type = test->prog_type;
16123 struct bpf_insn *prog = test->insns;
16124 int run_errs, run_successes;
16125 int map_fds[MAX_NR_MAPS];
16126 const char *expected_err;
16130 for (i = 0; i < MAX_NR_MAPS; i++)
16134 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
16135 do_test_fixup(test, prog_type, prog, map_fds);
16136 prog_len = probe_filter_length(prog);
16139 if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT)
16140 pflags |= BPF_F_STRICT_ALIGNMENT;
16141 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)
16142 pflags |= BPF_F_ANY_ALIGNMENT;
16143 fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags,
16144 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
16146 expected_ret = unpriv && test->result_unpriv != UNDEF ?
16147 test->result_unpriv : test->result;
16148 expected_err = unpriv && test->errstr_unpriv ?
16149 test->errstr_unpriv : test->errstr;
16151 alignment_prevented_execution = 0;
16153 if (expected_ret == ACCEPT) {
16155 printf("FAIL\nFailed to load prog '%s'!\n",
16159 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
16160 if (fd_prog >= 0 &&
16161 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS))
16162 alignment_prevented_execution = 1;
16165 if (fd_prog >= 0) {
16166 printf("FAIL\nUnexpected success to load!\n");
16169 if (!strstr(bpf_vlog, expected_err)) {
16170 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
16171 expected_err, bpf_vlog);
16176 if (test->insn_processed) {
16177 uint32_t insn_processed;
16180 proc = strstr(bpf_vlog, "processed ");
16181 insn_processed = atoi(proc + 10);
16182 if (test->insn_processed != insn_processed) {
16183 printf("FAIL\nUnexpected insn_processed %u vs %u\n",
16184 insn_processed, test->insn_processed);
16191 if (!alignment_prevented_execution && fd_prog >= 0) {
16192 uint32_t expected_val;
16196 expected_val = unpriv && test->retval_unpriv ?
16197 test->retval_unpriv : test->retval;
16199 err = do_prog_test_run(fd_prog, unpriv, expected_val,
16200 test->data, sizeof(test->data));
16207 for (i = 0; i < test->runs; i++) {
16208 if (unpriv && test->retvals[i].retval_unpriv)
16209 expected_val = test->retvals[i].retval_unpriv;
16211 expected_val = test->retvals[i].retval;
16213 err = do_prog_test_run(fd_prog, unpriv, expected_val,
16214 test->retvals[i].data,
16215 sizeof(test->retvals[i].data));
16217 printf("(run %d/%d) ", i + 1, test->runs);
16227 if (run_successes > 1)
16228 printf("%d cases ", run_successes);
16230 if (alignment_prevented_execution)
16231 printf(" (NOTE: not executed due to unknown alignment)");
16239 for (i = 0; i < MAX_NR_MAPS; i++)
16245 printf("%s", bpf_vlog);
16249 static bool is_admin(void)
16252 cap_flag_value_t sysadmin = CAP_CLEAR;
16253 const cap_value_t cap_val = CAP_SYS_ADMIN;
16255 #ifdef CAP_IS_SUPPORTED
16256 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
16257 perror("cap_get_flag");
16261 caps = cap_get_proc();
16263 perror("cap_get_proc");
16266 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
16267 perror("cap_get_flag");
16268 if (cap_free(caps))
16269 perror("cap_free");
16270 return (sysadmin == CAP_SET);
16273 static void get_unpriv_disabled()
16278 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
16280 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
16281 unpriv_disabled = true;
16284 if (fgets(buf, 2, fd) == buf && atoi(buf))
16285 unpriv_disabled = true;
16289 static bool test_as_unpriv(struct bpf_test *test)
16291 return !test->prog_type ||
16292 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
16293 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
16296 static int do_test(bool unpriv, unsigned int from, unsigned int to)
16298 int i, passes = 0, errors = 0, skips = 0;
16300 for (i = from; i < to; i++) {
16301 struct bpf_test *test = &tests[i];
16303 /* Program types that are not supported by non-root we
16306 if (test_as_unpriv(test) && unpriv_disabled) {
16307 printf("#%d/u %s SKIP\n", i, test->descr);
16309 } else if (test_as_unpriv(test)) {
16312 printf("#%d/u %s ", i, test->descr);
16313 do_test_single(test, true, &passes, &errors);
16319 printf("#%d/p %s SKIP\n", i, test->descr);
16322 printf("#%d/p %s ", i, test->descr);
16323 do_test_single(test, false, &passes, &errors);
16327 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
16329 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
16332 int main(int argc, char **argv)
16334 unsigned int from = 0, to = ARRAY_SIZE(tests);
16335 bool unpriv = !is_admin();
16338 unsigned int l = atoi(argv[argc - 2]);
16339 unsigned int u = atoi(argv[argc - 1]);
16341 if (l < to && u < to) {
16345 } else if (argc == 2) {
16346 unsigned int t = atoi(argv[argc - 1]);
16354 get_unpriv_disabled();
16355 if (unpriv && unpriv_disabled) {
16356 printf("Cannot run as unprivileged user with sysctl %s.\n",
16358 return EXIT_FAILURE;
16361 bpf_semi_rand_init();
16362 return do_test(unpriv, from, to);