2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
6 * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of version 2 of the GNU General Public
10 * License as published by the Free Software Foundation.
14 #include <asm/types.h>
15 #include <linux/types.h>
28 #include <sys/capability.h>
30 #include <linux/unistd.h>
31 #include <linux/filter.h>
32 #include <linux/bpf_perf_event.h>
33 #include <linux/bpf.h>
34 #include <linux/if_ether.h>
39 # include "autoconf.h"
41 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
42 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
45 #include "bpf_rlimit.h"
48 #include "../../../include/linux/filter.h"
50 #define MAX_INSNS BPF_MAXINSNS
52 #define MAX_NR_MAPS 13
53 #define MAX_TEST_RUNS 8
54 #define POINTER_VALUE 0xcafe4all
55 #define TEST_DATA_LEN 64
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
65 struct bpf_insn insns[MAX_INSNS];
66 int fixup_map_hash_8b[MAX_FIXUPS];
67 int fixup_map_hash_48b[MAX_FIXUPS];
68 int fixup_map_hash_16b[MAX_FIXUPS];
69 int fixup_map_array_48b[MAX_FIXUPS];
70 int fixup_map_sockmap[MAX_FIXUPS];
71 int fixup_map_sockhash[MAX_FIXUPS];
72 int fixup_map_xskmap[MAX_FIXUPS];
73 int fixup_map_stacktrace[MAX_FIXUPS];
74 int fixup_prog1[MAX_FIXUPS];
75 int fixup_prog2[MAX_FIXUPS];
76 int fixup_map_in_map[MAX_FIXUPS];
77 int fixup_cgroup_storage[MAX_FIXUPS];
78 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
80 const char *errstr_unpriv;
81 uint32_t retval, retval_unpriv, insn_processed;
86 } result, result_unpriv;
87 enum bpf_prog_type prog_type;
89 __u8 data[TEST_DATA_LEN];
90 void (*fill_helper)(struct bpf_test *self);
93 uint32_t retval, retval_unpriv;
95 __u8 data[TEST_DATA_LEN];
96 __u64 data64[TEST_DATA_LEN / 8];
98 } retvals[MAX_TEST_RUNS];
101 /* Note we want this to be 64 bit aligned so that the end of our array is
102 * actually the end of the structure.
104 #define MAX_ENTRIES 11
108 int foo[MAX_ENTRIES];
116 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
118 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
120 unsigned int len = BPF_MAXINSNS;
121 struct bpf_insn *insn = self->insns;
124 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
126 for (j = 0; j < PUSH_CNT; j++) {
127 insn[i++] = BPF_LD_ABS(BPF_B, 0);
128 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
130 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
131 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
132 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
133 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
134 BPF_FUNC_skb_vlan_push),
135 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
139 for (j = 0; j < PUSH_CNT; j++) {
140 insn[i++] = BPF_LD_ABS(BPF_B, 0);
141 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
143 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
144 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
145 BPF_FUNC_skb_vlan_pop),
146 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
152 for (; i < len - 1; i++)
153 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
154 insn[len - 1] = BPF_EXIT_INSN();
157 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
159 struct bpf_insn *insn = self->insns;
160 unsigned int len = BPF_MAXINSNS;
163 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
164 insn[i++] = BPF_LD_ABS(BPF_B, 0);
165 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
168 insn[i++] = BPF_LD_ABS(BPF_B, 1);
169 insn[i] = BPF_EXIT_INSN();
172 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
174 struct bpf_insn *insn = self->insns;
178 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
179 while (i < self->retval) {
180 uint64_t val = bpf_semi_rand_get();
181 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
186 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
188 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
189 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
190 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
191 insn[i] = BPF_EXIT_INSN();
193 self->retval = (uint32_t)res;
196 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
197 #define BPF_SK_LOOKUP \
198 /* struct bpf_sock_tuple tuple = {} */ \
199 BPF_MOV64_IMM(BPF_REG_2, 0), \
200 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), \
201 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16), \
202 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24), \
203 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32), \
204 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40), \
205 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48), \
206 /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */ \
207 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), \
208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48), \
209 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)), \
210 BPF_MOV64_IMM(BPF_REG_4, 0), \
211 BPF_MOV64_IMM(BPF_REG_5, 0), \
212 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
214 static struct bpf_test tests[] = {
218 BPF_MOV64_IMM(BPF_REG_1, 1),
219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
220 BPF_MOV64_IMM(BPF_REG_2, 3),
221 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
223 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
224 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
231 "DIV32 by 0, zero check 1",
233 BPF_MOV32_IMM(BPF_REG_0, 42),
234 BPF_MOV32_IMM(BPF_REG_1, 0),
235 BPF_MOV32_IMM(BPF_REG_2, 1),
236 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
243 "DIV32 by 0, zero check 2",
245 BPF_MOV32_IMM(BPF_REG_0, 42),
246 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
247 BPF_MOV32_IMM(BPF_REG_2, 1),
248 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
255 "DIV64 by 0, zero check",
257 BPF_MOV32_IMM(BPF_REG_0, 42),
258 BPF_MOV32_IMM(BPF_REG_1, 0),
259 BPF_MOV32_IMM(BPF_REG_2, 1),
260 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
267 "MOD32 by 0, zero check 1",
269 BPF_MOV32_IMM(BPF_REG_0, 42),
270 BPF_MOV32_IMM(BPF_REG_1, 0),
271 BPF_MOV32_IMM(BPF_REG_2, 1),
272 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
279 "MOD32 by 0, zero check 2",
281 BPF_MOV32_IMM(BPF_REG_0, 42),
282 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
283 BPF_MOV32_IMM(BPF_REG_2, 1),
284 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
291 "MOD64 by 0, zero check",
293 BPF_MOV32_IMM(BPF_REG_0, 42),
294 BPF_MOV32_IMM(BPF_REG_1, 0),
295 BPF_MOV32_IMM(BPF_REG_2, 1),
296 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
303 "DIV32 by 0, zero check ok, cls",
305 BPF_MOV32_IMM(BPF_REG_0, 42),
306 BPF_MOV32_IMM(BPF_REG_1, 2),
307 BPF_MOV32_IMM(BPF_REG_2, 16),
308 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
309 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
312 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
317 "DIV32 by 0, zero check 1, cls",
319 BPF_MOV32_IMM(BPF_REG_1, 0),
320 BPF_MOV32_IMM(BPF_REG_0, 1),
321 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
324 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
329 "DIV32 by 0, zero check 2, cls",
331 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
332 BPF_MOV32_IMM(BPF_REG_0, 1),
333 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
336 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
341 "DIV64 by 0, zero check, cls",
343 BPF_MOV32_IMM(BPF_REG_1, 0),
344 BPF_MOV32_IMM(BPF_REG_0, 1),
345 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
348 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
353 "MOD32 by 0, zero check ok, cls",
355 BPF_MOV32_IMM(BPF_REG_0, 42),
356 BPF_MOV32_IMM(BPF_REG_1, 3),
357 BPF_MOV32_IMM(BPF_REG_2, 5),
358 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
359 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
362 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
367 "MOD32 by 0, zero check 1, cls",
369 BPF_MOV32_IMM(BPF_REG_1, 0),
370 BPF_MOV32_IMM(BPF_REG_0, 1),
371 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
379 "MOD32 by 0, zero check 2, cls",
381 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
382 BPF_MOV32_IMM(BPF_REG_0, 1),
383 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
386 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
391 "MOD64 by 0, zero check 1, cls",
393 BPF_MOV32_IMM(BPF_REG_1, 0),
394 BPF_MOV32_IMM(BPF_REG_0, 2),
395 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
398 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
403 "MOD64 by 0, zero check 2, cls",
405 BPF_MOV32_IMM(BPF_REG_1, 0),
406 BPF_MOV32_IMM(BPF_REG_0, -1),
407 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
414 /* Just make sure that JITs used udiv/umod as otherwise we get
415 * an exception from INT_MIN/-1 overflow similarly as with div
419 "DIV32 overflow, check 1",
421 BPF_MOV32_IMM(BPF_REG_1, -1),
422 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
423 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
431 "DIV32 overflow, check 2",
433 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
434 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
437 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
442 "DIV64 overflow, check 1",
444 BPF_MOV64_IMM(BPF_REG_1, -1),
445 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
446 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
454 "DIV64 overflow, check 2",
456 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
457 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
460 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
465 "MOD32 overflow, check 1",
467 BPF_MOV32_IMM(BPF_REG_1, -1),
468 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
469 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
472 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
477 "MOD32 overflow, check 2",
479 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
480 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
483 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
488 "MOD64 overflow, check 1",
490 BPF_MOV64_IMM(BPF_REG_1, -1),
491 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
492 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
493 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
494 BPF_MOV32_IMM(BPF_REG_0, 0),
495 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
496 BPF_MOV32_IMM(BPF_REG_0, 1),
499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
504 "MOD64 overflow, check 2",
506 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
507 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
508 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
509 BPF_MOV32_IMM(BPF_REG_0, 0),
510 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
511 BPF_MOV32_IMM(BPF_REG_0, 1),
514 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
519 "xor32 zero extend check",
521 BPF_MOV32_IMM(BPF_REG_2, -1),
522 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
523 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
524 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
525 BPF_MOV32_IMM(BPF_REG_0, 2),
526 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
527 BPF_MOV32_IMM(BPF_REG_0, 1),
530 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
538 .errstr = "unknown opcode 00",
546 .errstr = "R0 !read_ok",
555 .errstr = "unreachable",
561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
562 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
565 .errstr = "unreachable",
571 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
574 .errstr = "jump out of range",
578 "out of range jump2",
580 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
583 .errstr = "jump out of range",
589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
590 BPF_LD_IMM64(BPF_REG_0, 0),
591 BPF_LD_IMM64(BPF_REG_0, 0),
592 BPF_LD_IMM64(BPF_REG_0, 1),
593 BPF_LD_IMM64(BPF_REG_0, 1),
594 BPF_MOV64_IMM(BPF_REG_0, 2),
597 .errstr = "invalid BPF_LD_IMM insn",
598 .errstr_unpriv = "R1 pointer comparison",
604 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
605 BPF_LD_IMM64(BPF_REG_0, 0),
606 BPF_LD_IMM64(BPF_REG_0, 0),
607 BPF_LD_IMM64(BPF_REG_0, 1),
608 BPF_LD_IMM64(BPF_REG_0, 1),
611 .errstr = "invalid BPF_LD_IMM insn",
612 .errstr_unpriv = "R1 pointer comparison",
618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
619 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
620 BPF_LD_IMM64(BPF_REG_0, 0),
621 BPF_LD_IMM64(BPF_REG_0, 0),
622 BPF_LD_IMM64(BPF_REG_0, 1),
623 BPF_LD_IMM64(BPF_REG_0, 1),
626 .errstr = "invalid bpf_ld_imm64 insn",
632 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
635 .errstr = "invalid bpf_ld_imm64 insn",
641 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
643 .errstr = "invalid bpf_ld_imm64 insn",
649 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
650 BPF_RAW_INSN(0, 0, 0, 0, 0),
658 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
659 BPF_RAW_INSN(0, 0, 0, 0, 1),
668 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
669 BPF_RAW_INSN(0, 0, 0, 0, 1),
672 .errstr = "uses reserved fields",
678 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 BPF_RAW_INSN(0, 0, 0, 1, 1),
682 .errstr = "invalid bpf_ld_imm64 insn",
688 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
692 .errstr = "invalid bpf_ld_imm64 insn",
698 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
699 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
702 .errstr = "invalid bpf_ld_imm64 insn",
708 BPF_MOV64_IMM(BPF_REG_1, 0),
709 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
710 BPF_RAW_INSN(0, 0, 0, 0, 1),
713 .errstr = "not pointing to valid bpf_map",
719 BPF_MOV64_IMM(BPF_REG_1, 0),
720 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
721 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
724 .errstr = "invalid bpf_ld_imm64 insn",
730 BPF_MOV64_IMM(BPF_REG_0, 1),
731 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
740 BPF_LD_IMM64(BPF_REG_0, 0x1122334485667788),
741 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 7),
750 BPF_MOV64_IMM(BPF_REG_0, 1),
751 BPF_MOV64_IMM(BPF_REG_1, 5),
752 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
761 BPF_LD_IMM64(BPF_REG_0, 0xffff55667788),
762 BPF_MOV64_IMM(BPF_REG_1, 15),
763 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
772 BPF_MOV64_IMM(BPF_REG_0, 1),
773 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
781 BPF_MOV64_IMM(BPF_REG_0, 1),
782 BPF_MOV64_IMM(BPF_REG_1, 5),
783 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
791 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
793 .errstr = "not an exit",
799 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
802 .errstr = "back-edge",
808 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
809 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
810 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
811 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
814 .errstr = "back-edge",
820 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
821 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
822 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
826 .errstr = "back-edge",
830 "read uninitialized register",
832 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
835 .errstr = "R2 !read_ok",
839 "read invalid register",
841 BPF_MOV64_REG(BPF_REG_0, -1),
844 .errstr = "R15 is invalid",
848 "program doesn't init R0 before exit",
850 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
853 .errstr = "R0 !read_ok",
857 "program doesn't init R0 before exit in all branches",
859 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
860 BPF_MOV64_IMM(BPF_REG_0, 1),
861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
864 .errstr = "R0 !read_ok",
865 .errstr_unpriv = "R1 pointer comparison",
869 "stack out of bounds",
871 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
874 .errstr = "invalid stack",
878 "invalid call insn1",
880 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
883 .errstr = "unknown opcode 8d",
887 "invalid call insn2",
889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
892 .errstr = "BPF_CALL uses reserved",
896 "invalid function call",
898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
901 .errstr = "invalid func unknown#1234567",
905 "uninitialized stack1",
907 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
908 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
909 BPF_LD_MAP_FD(BPF_REG_1, 0),
910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
911 BPF_FUNC_map_lookup_elem),
914 .fixup_map_hash_8b = { 2 },
915 .errstr = "invalid indirect read from stack",
919 "uninitialized stack2",
921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
922 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
925 .errstr = "invalid read from stack",
929 "invalid fp arithmetic",
930 /* If this gets ever changed, make sure JITs can deal with it. */
932 BPF_MOV64_IMM(BPF_REG_0, 0),
933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
934 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
935 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
938 .errstr = "R1 subtraction from stack pointer",
942 "non-invalid fp arithmetic",
944 BPF_MOV64_IMM(BPF_REG_0, 0),
945 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
951 "invalid argument register",
953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
954 BPF_FUNC_get_cgroup_classid),
955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
956 BPF_FUNC_get_cgroup_classid),
959 .errstr = "R1 !read_ok",
961 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
964 "non-invalid argument register",
966 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
968 BPF_FUNC_get_cgroup_classid),
969 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
971 BPF_FUNC_get_cgroup_classid),
975 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
978 "check valid spill/fill",
980 /* spill R1(ctx) into stack */
981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
982 /* fill it back into R2 */
983 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
984 /* should be able to access R0 = *(R2 + 8) */
985 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
986 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
989 .errstr_unpriv = "R0 leaks addr",
991 .result_unpriv = REJECT,
992 .retval = POINTER_VALUE,
995 "check valid spill/fill, skb mark",
997 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
998 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
999 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1000 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1001 offsetof(struct __sk_buff, mark)),
1005 .result_unpriv = ACCEPT,
1008 "check corrupted spill/fill",
1010 /* spill R1(ctx) into stack */
1011 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1012 /* mess up with R1 pointer on stack */
1013 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
1014 /* fill back into R0 is fine for priv.
1015 * R0 now becomes SCALAR_VALUE.
1017 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1018 /* Load from R0 should fail. */
1019 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
1022 .errstr_unpriv = "attempt to corrupt spilled",
1023 .errstr = "R0 invalid mem access 'inv",
1027 "check corrupted spill/fill, LSB",
1029 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1030 BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
1031 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1034 .errstr_unpriv = "attempt to corrupt spilled",
1035 .result_unpriv = REJECT,
1037 .retval = POINTER_VALUE,
1040 "check corrupted spill/fill, MSB",
1042 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1043 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
1044 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1047 .errstr_unpriv = "attempt to corrupt spilled",
1048 .result_unpriv = REJECT,
1050 .retval = POINTER_VALUE,
1053 "invalid src register in STX",
1055 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
1058 .errstr = "R15 is invalid",
1062 "invalid dst register in STX",
1064 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1067 .errstr = "R14 is invalid",
1071 "invalid dst register in ST",
1073 BPF_ST_MEM(BPF_B, 14, -1, -1),
1076 .errstr = "R14 is invalid",
1080 "invalid src register in LDX",
1082 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1085 .errstr = "R12 is invalid",
1089 "invalid dst register in LDX",
1091 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1094 .errstr = "R11 is invalid",
1100 BPF_RAW_INSN(0, 0, 0, 0, 0),
1103 .errstr = "unknown opcode 00",
1109 BPF_RAW_INSN(1, 0, 0, 0, 0),
1112 .errstr = "BPF_LDX uses reserved fields",
1118 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1121 .errstr = "unknown opcode ff",
1127 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1130 .errstr = "unknown opcode ff",
1136 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1139 .errstr = "BPF_ALU uses reserved fields",
1143 "misaligned read from stack",
1145 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1146 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1149 .errstr = "misaligned stack access",
1153 "invalid map_fd for function call",
1155 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1156 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1158 BPF_LD_MAP_FD(BPF_REG_1, 0),
1159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1160 BPF_FUNC_map_delete_elem),
1163 .errstr = "fd 0 is not pointing to valid bpf_map",
1167 "don't check return value before access",
1169 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1170 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1172 BPF_LD_MAP_FD(BPF_REG_1, 0),
1173 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1174 BPF_FUNC_map_lookup_elem),
1175 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1178 .fixup_map_hash_8b = { 3 },
1179 .errstr = "R0 invalid mem access 'map_value_or_null'",
1183 "access memory with incorrect alignment",
1185 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1186 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1188 BPF_LD_MAP_FD(BPF_REG_1, 0),
1189 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1190 BPF_FUNC_map_lookup_elem),
1191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1192 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1195 .fixup_map_hash_8b = { 3 },
1196 .errstr = "misaligned value access",
1198 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1201 "sometimes access memory with incorrect alignment",
1203 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1204 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1206 BPF_LD_MAP_FD(BPF_REG_1, 0),
1207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1208 BPF_FUNC_map_lookup_elem),
1209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1210 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1212 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1215 .fixup_map_hash_8b = { 3 },
1216 .errstr = "R0 invalid mem access",
1217 .errstr_unpriv = "R0 leaks addr",
1219 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1225 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1227 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1229 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1231 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1233 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1235 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1237 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1238 BPF_MOV64_IMM(BPF_REG_0, 0),
1241 .errstr_unpriv = "R1 pointer comparison",
1242 .result_unpriv = REJECT,
1248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1250 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1251 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1253 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1254 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1256 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1257 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1259 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1260 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1262 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1263 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1265 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1266 BPF_MOV64_IMM(BPF_REG_0, 0),
1269 .errstr_unpriv = "R1 pointer comparison",
1270 .result_unpriv = REJECT,
1276 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1277 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1278 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1280 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1282 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1284 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1286 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1288 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1289 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1290 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1292 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1294 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1296 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1298 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1300 BPF_LD_MAP_FD(BPF_REG_1, 0),
1301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1302 BPF_FUNC_map_delete_elem),
1305 .fixup_map_hash_8b = { 24 },
1306 .errstr_unpriv = "R1 pointer comparison",
1307 .result_unpriv = REJECT,
1314 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1316 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1317 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1318 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1319 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1320 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1321 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1322 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1323 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1324 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1325 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1326 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1327 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1329 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1330 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1331 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1333 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1334 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1335 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1336 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1338 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1340 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1343 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1344 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1346 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1347 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1348 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1349 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1350 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1351 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1353 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1354 BPF_MOV64_IMM(BPF_REG_0, 0),
1357 .errstr_unpriv = "R1 pointer comparison",
1358 .result_unpriv = REJECT,
1364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1365 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1366 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1367 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1368 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1369 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1370 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1371 BPF_MOV64_IMM(BPF_REG_0, 0),
1372 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1373 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1374 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1375 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1376 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1377 BPF_MOV64_IMM(BPF_REG_0, 0),
1378 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1379 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1380 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1381 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1382 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1383 BPF_MOV64_IMM(BPF_REG_0, 0),
1384 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1385 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1386 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1387 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1388 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1389 BPF_MOV64_IMM(BPF_REG_0, 0),
1390 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1391 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1392 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1393 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1394 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1395 BPF_MOV64_IMM(BPF_REG_0, 0),
1398 .errstr_unpriv = "R1 pointer comparison",
1399 .result_unpriv = REJECT,
1403 "access skb fields ok",
1405 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1406 offsetof(struct __sk_buff, len)),
1407 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1408 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1409 offsetof(struct __sk_buff, mark)),
1410 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1411 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1412 offsetof(struct __sk_buff, pkt_type)),
1413 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1414 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1415 offsetof(struct __sk_buff, queue_mapping)),
1416 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1417 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1418 offsetof(struct __sk_buff, protocol)),
1419 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1420 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1421 offsetof(struct __sk_buff, vlan_present)),
1422 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1423 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1424 offsetof(struct __sk_buff, vlan_tci)),
1425 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1426 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1427 offsetof(struct __sk_buff, napi_id)),
1428 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1434 "access skb fields bad1",
1436 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1439 .errstr = "invalid bpf_context access",
1443 "access skb fields bad2",
1445 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1446 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1449 BPF_LD_MAP_FD(BPF_REG_1, 0),
1450 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1451 BPF_FUNC_map_lookup_elem),
1452 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1454 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1455 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1456 offsetof(struct __sk_buff, pkt_type)),
1459 .fixup_map_hash_8b = { 4 },
1460 .errstr = "different pointers",
1461 .errstr_unpriv = "R1 pointer comparison",
1465 "access skb fields bad3",
1467 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1468 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1469 offsetof(struct __sk_buff, pkt_type)),
1471 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1474 BPF_LD_MAP_FD(BPF_REG_1, 0),
1475 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1476 BPF_FUNC_map_lookup_elem),
1477 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1480 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1482 .fixup_map_hash_8b = { 6 },
1483 .errstr = "different pointers",
1484 .errstr_unpriv = "R1 pointer comparison",
1488 "access skb fields bad4",
1490 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1491 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1492 offsetof(struct __sk_buff, len)),
1493 BPF_MOV64_IMM(BPF_REG_0, 0),
1495 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1498 BPF_LD_MAP_FD(BPF_REG_1, 0),
1499 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1500 BPF_FUNC_map_lookup_elem),
1501 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1503 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1504 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1506 .fixup_map_hash_8b = { 7 },
1507 .errstr = "different pointers",
1508 .errstr_unpriv = "R1 pointer comparison",
1512 "invalid access __sk_buff family",
1514 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1515 offsetof(struct __sk_buff, family)),
1518 .errstr = "invalid bpf_context access",
1522 "invalid access __sk_buff remote_ip4",
1524 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1525 offsetof(struct __sk_buff, remote_ip4)),
1528 .errstr = "invalid bpf_context access",
1532 "invalid access __sk_buff local_ip4",
1534 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1535 offsetof(struct __sk_buff, local_ip4)),
1538 .errstr = "invalid bpf_context access",
1542 "invalid access __sk_buff remote_ip6",
1544 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1545 offsetof(struct __sk_buff, remote_ip6)),
1548 .errstr = "invalid bpf_context access",
1552 "invalid access __sk_buff local_ip6",
1554 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1555 offsetof(struct __sk_buff, local_ip6)),
1558 .errstr = "invalid bpf_context access",
1562 "invalid access __sk_buff remote_port",
1564 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1565 offsetof(struct __sk_buff, remote_port)),
1568 .errstr = "invalid bpf_context access",
1572 "invalid access __sk_buff remote_port",
1574 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1575 offsetof(struct __sk_buff, local_port)),
1578 .errstr = "invalid bpf_context access",
1582 "valid access __sk_buff family",
1584 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1585 offsetof(struct __sk_buff, family)),
1589 .prog_type = BPF_PROG_TYPE_SK_SKB,
1592 "valid access __sk_buff remote_ip4",
1594 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595 offsetof(struct __sk_buff, remote_ip4)),
1599 .prog_type = BPF_PROG_TYPE_SK_SKB,
1602 "valid access __sk_buff local_ip4",
1604 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1605 offsetof(struct __sk_buff, local_ip4)),
1609 .prog_type = BPF_PROG_TYPE_SK_SKB,
1612 "valid access __sk_buff remote_ip6",
1614 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1615 offsetof(struct __sk_buff, remote_ip6[0])),
1616 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 offsetof(struct __sk_buff, remote_ip6[1])),
1618 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1619 offsetof(struct __sk_buff, remote_ip6[2])),
1620 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1621 offsetof(struct __sk_buff, remote_ip6[3])),
1625 .prog_type = BPF_PROG_TYPE_SK_SKB,
1628 "valid access __sk_buff local_ip6",
1630 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1631 offsetof(struct __sk_buff, local_ip6[0])),
1632 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1633 offsetof(struct __sk_buff, local_ip6[1])),
1634 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1635 offsetof(struct __sk_buff, local_ip6[2])),
1636 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1637 offsetof(struct __sk_buff, local_ip6[3])),
1641 .prog_type = BPF_PROG_TYPE_SK_SKB,
1644 "valid access __sk_buff remote_port",
1646 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1647 offsetof(struct __sk_buff, remote_port)),
1651 .prog_type = BPF_PROG_TYPE_SK_SKB,
1654 "valid access __sk_buff remote_port",
1656 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1657 offsetof(struct __sk_buff, local_port)),
1661 .prog_type = BPF_PROG_TYPE_SK_SKB,
1664 "invalid access of tc_classid for SK_SKB",
1666 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1667 offsetof(struct __sk_buff, tc_classid)),
1671 .prog_type = BPF_PROG_TYPE_SK_SKB,
1672 .errstr = "invalid bpf_context access",
1675 "invalid access of skb->mark for SK_SKB",
1677 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1678 offsetof(struct __sk_buff, mark)),
1682 .prog_type = BPF_PROG_TYPE_SK_SKB,
1683 .errstr = "invalid bpf_context access",
1686 "check skb->mark is not writeable by SK_SKB",
1688 BPF_MOV64_IMM(BPF_REG_0, 0),
1689 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1690 offsetof(struct __sk_buff, mark)),
1694 .prog_type = BPF_PROG_TYPE_SK_SKB,
1695 .errstr = "invalid bpf_context access",
1698 "check skb->tc_index is writeable by SK_SKB",
1700 BPF_MOV64_IMM(BPF_REG_0, 0),
1701 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1702 offsetof(struct __sk_buff, tc_index)),
1706 .prog_type = BPF_PROG_TYPE_SK_SKB,
1709 "check skb->priority is writeable by SK_SKB",
1711 BPF_MOV64_IMM(BPF_REG_0, 0),
1712 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1713 offsetof(struct __sk_buff, priority)),
1717 .prog_type = BPF_PROG_TYPE_SK_SKB,
1720 "direct packet read for SK_SKB",
1722 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1723 offsetof(struct __sk_buff, data)),
1724 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1725 offsetof(struct __sk_buff, data_end)),
1726 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1728 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1729 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1730 BPF_MOV64_IMM(BPF_REG_0, 0),
1734 .prog_type = BPF_PROG_TYPE_SK_SKB,
1737 "direct packet write for SK_SKB",
1739 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1740 offsetof(struct __sk_buff, data)),
1741 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1742 offsetof(struct __sk_buff, data_end)),
1743 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1745 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1746 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1747 BPF_MOV64_IMM(BPF_REG_0, 0),
1751 .prog_type = BPF_PROG_TYPE_SK_SKB,
1754 "overlapping checks for direct packet access SK_SKB",
1756 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1757 offsetof(struct __sk_buff, data)),
1758 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1759 offsetof(struct __sk_buff, data_end)),
1760 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1762 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1763 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1765 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1766 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1767 BPF_MOV64_IMM(BPF_REG_0, 0),
1771 .prog_type = BPF_PROG_TYPE_SK_SKB,
1774 "valid access family in SK_MSG",
1776 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1777 offsetof(struct sk_msg_md, family)),
1781 .prog_type = BPF_PROG_TYPE_SK_MSG,
1784 "valid access remote_ip4 in SK_MSG",
1786 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1787 offsetof(struct sk_msg_md, remote_ip4)),
1791 .prog_type = BPF_PROG_TYPE_SK_MSG,
1794 "valid access local_ip4 in SK_MSG",
1796 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1797 offsetof(struct sk_msg_md, local_ip4)),
1801 .prog_type = BPF_PROG_TYPE_SK_MSG,
1804 "valid access remote_port in SK_MSG",
1806 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1807 offsetof(struct sk_msg_md, remote_port)),
1811 .prog_type = BPF_PROG_TYPE_SK_MSG,
1814 "valid access local_port in SK_MSG",
1816 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1817 offsetof(struct sk_msg_md, local_port)),
1821 .prog_type = BPF_PROG_TYPE_SK_MSG,
1824 "valid access remote_ip6 in SK_MSG",
1826 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1827 offsetof(struct sk_msg_md, remote_ip6[0])),
1828 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1829 offsetof(struct sk_msg_md, remote_ip6[1])),
1830 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1831 offsetof(struct sk_msg_md, remote_ip6[2])),
1832 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1833 offsetof(struct sk_msg_md, remote_ip6[3])),
1837 .prog_type = BPF_PROG_TYPE_SK_SKB,
1840 "valid access local_ip6 in SK_MSG",
1842 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1843 offsetof(struct sk_msg_md, local_ip6[0])),
1844 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1845 offsetof(struct sk_msg_md, local_ip6[1])),
1846 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1847 offsetof(struct sk_msg_md, local_ip6[2])),
1848 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1849 offsetof(struct sk_msg_md, local_ip6[3])),
1853 .prog_type = BPF_PROG_TYPE_SK_SKB,
1856 "valid access size in SK_MSG",
1858 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1859 offsetof(struct sk_msg_md, size)),
1863 .prog_type = BPF_PROG_TYPE_SK_MSG,
1866 "invalid 64B read of size in SK_MSG",
1868 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1869 offsetof(struct sk_msg_md, size)),
1872 .errstr = "invalid bpf_context access",
1874 .prog_type = BPF_PROG_TYPE_SK_MSG,
1877 "invalid read past end of SK_MSG",
1879 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1880 offsetof(struct sk_msg_md, size) + 4),
1883 .errstr = "invalid bpf_context access",
1885 .prog_type = BPF_PROG_TYPE_SK_MSG,
1888 "invalid read offset in SK_MSG",
1890 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1891 offsetof(struct sk_msg_md, family) + 1),
1894 .errstr = "invalid bpf_context access",
1896 .prog_type = BPF_PROG_TYPE_SK_MSG,
1897 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1900 "direct packet read for SK_MSG",
1902 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1903 offsetof(struct sk_msg_md, data)),
1904 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1905 offsetof(struct sk_msg_md, data_end)),
1906 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1908 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1909 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1910 BPF_MOV64_IMM(BPF_REG_0, 0),
1914 .prog_type = BPF_PROG_TYPE_SK_MSG,
1917 "direct packet write for SK_MSG",
1919 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1920 offsetof(struct sk_msg_md, data)),
1921 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1922 offsetof(struct sk_msg_md, data_end)),
1923 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1925 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1926 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1927 BPF_MOV64_IMM(BPF_REG_0, 0),
1931 .prog_type = BPF_PROG_TYPE_SK_MSG,
1934 "overlapping checks for direct packet access SK_MSG",
1936 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1937 offsetof(struct sk_msg_md, data)),
1938 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1939 offsetof(struct sk_msg_md, data_end)),
1940 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1942 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1943 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1945 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1946 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1947 BPF_MOV64_IMM(BPF_REG_0, 0),
1951 .prog_type = BPF_PROG_TYPE_SK_MSG,
1954 "check skb->mark is not writeable by sockets",
1956 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1957 offsetof(struct __sk_buff, mark)),
1960 .errstr = "invalid bpf_context access",
1961 .errstr_unpriv = "R1 leaks addr",
1965 "check skb->tc_index is not writeable by sockets",
1967 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1968 offsetof(struct __sk_buff, tc_index)),
1971 .errstr = "invalid bpf_context access",
1972 .errstr_unpriv = "R1 leaks addr",
1976 "check cb access: byte",
1978 BPF_MOV64_IMM(BPF_REG_0, 0),
1979 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1980 offsetof(struct __sk_buff, cb[0])),
1981 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1982 offsetof(struct __sk_buff, cb[0]) + 1),
1983 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1984 offsetof(struct __sk_buff, cb[0]) + 2),
1985 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1986 offsetof(struct __sk_buff, cb[0]) + 3),
1987 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1988 offsetof(struct __sk_buff, cb[1])),
1989 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1990 offsetof(struct __sk_buff, cb[1]) + 1),
1991 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1992 offsetof(struct __sk_buff, cb[1]) + 2),
1993 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1994 offsetof(struct __sk_buff, cb[1]) + 3),
1995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996 offsetof(struct __sk_buff, cb[2])),
1997 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1998 offsetof(struct __sk_buff, cb[2]) + 1),
1999 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2000 offsetof(struct __sk_buff, cb[2]) + 2),
2001 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2002 offsetof(struct __sk_buff, cb[2]) + 3),
2003 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2004 offsetof(struct __sk_buff, cb[3])),
2005 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2006 offsetof(struct __sk_buff, cb[3]) + 1),
2007 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2008 offsetof(struct __sk_buff, cb[3]) + 2),
2009 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2010 offsetof(struct __sk_buff, cb[3]) + 3),
2011 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2012 offsetof(struct __sk_buff, cb[4])),
2013 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2014 offsetof(struct __sk_buff, cb[4]) + 1),
2015 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2016 offsetof(struct __sk_buff, cb[4]) + 2),
2017 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2018 offsetof(struct __sk_buff, cb[4]) + 3),
2019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020 offsetof(struct __sk_buff, cb[0])),
2021 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 offsetof(struct __sk_buff, cb[0]) + 1),
2023 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2024 offsetof(struct __sk_buff, cb[0]) + 2),
2025 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2026 offsetof(struct __sk_buff, cb[0]) + 3),
2027 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2028 offsetof(struct __sk_buff, cb[1])),
2029 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2030 offsetof(struct __sk_buff, cb[1]) + 1),
2031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032 offsetof(struct __sk_buff, cb[1]) + 2),
2033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2034 offsetof(struct __sk_buff, cb[1]) + 3),
2035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2036 offsetof(struct __sk_buff, cb[2])),
2037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2038 offsetof(struct __sk_buff, cb[2]) + 1),
2039 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2040 offsetof(struct __sk_buff, cb[2]) + 2),
2041 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2042 offsetof(struct __sk_buff, cb[2]) + 3),
2043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 offsetof(struct __sk_buff, cb[3])),
2045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2046 offsetof(struct __sk_buff, cb[3]) + 1),
2047 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2048 offsetof(struct __sk_buff, cb[3]) + 2),
2049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2050 offsetof(struct __sk_buff, cb[3]) + 3),
2051 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2052 offsetof(struct __sk_buff, cb[4])),
2053 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2054 offsetof(struct __sk_buff, cb[4]) + 1),
2055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 offsetof(struct __sk_buff, cb[4]) + 2),
2057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2058 offsetof(struct __sk_buff, cb[4]) + 3),
2064 "__sk_buff->hash, offset 0, byte store not permitted",
2066 BPF_MOV64_IMM(BPF_REG_0, 0),
2067 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2068 offsetof(struct __sk_buff, hash)),
2071 .errstr = "invalid bpf_context access",
2075 "__sk_buff->tc_index, offset 3, byte store not permitted",
2077 BPF_MOV64_IMM(BPF_REG_0, 0),
2078 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2079 offsetof(struct __sk_buff, tc_index) + 3),
2082 .errstr = "invalid bpf_context access",
2086 "check skb->hash byte load permitted",
2088 BPF_MOV64_IMM(BPF_REG_0, 0),
2089 #if __BYTE_ORDER == __LITTLE_ENDIAN
2090 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2091 offsetof(struct __sk_buff, hash)),
2093 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2094 offsetof(struct __sk_buff, hash) + 3),
2101 "check skb->hash byte load permitted 1",
2103 BPF_MOV64_IMM(BPF_REG_0, 0),
2104 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2105 offsetof(struct __sk_buff, hash) + 1),
2111 "check skb->hash byte load permitted 2",
2113 BPF_MOV64_IMM(BPF_REG_0, 0),
2114 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2115 offsetof(struct __sk_buff, hash) + 2),
2121 "check skb->hash byte load permitted 3",
2123 BPF_MOV64_IMM(BPF_REG_0, 0),
2124 #if __BYTE_ORDER == __LITTLE_ENDIAN
2125 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2126 offsetof(struct __sk_buff, hash) + 3),
2128 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2129 offsetof(struct __sk_buff, hash)),
2136 "check cb access: byte, wrong type",
2138 BPF_MOV64_IMM(BPF_REG_0, 0),
2139 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2140 offsetof(struct __sk_buff, cb[0])),
2143 .errstr = "invalid bpf_context access",
2145 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2148 "check cb access: half",
2150 BPF_MOV64_IMM(BPF_REG_0, 0),
2151 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2152 offsetof(struct __sk_buff, cb[0])),
2153 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154 offsetof(struct __sk_buff, cb[0]) + 2),
2155 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2156 offsetof(struct __sk_buff, cb[1])),
2157 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2158 offsetof(struct __sk_buff, cb[1]) + 2),
2159 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2160 offsetof(struct __sk_buff, cb[2])),
2161 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2162 offsetof(struct __sk_buff, cb[2]) + 2),
2163 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2164 offsetof(struct __sk_buff, cb[3])),
2165 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2166 offsetof(struct __sk_buff, cb[3]) + 2),
2167 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2168 offsetof(struct __sk_buff, cb[4])),
2169 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2170 offsetof(struct __sk_buff, cb[4]) + 2),
2171 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2172 offsetof(struct __sk_buff, cb[0])),
2173 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2174 offsetof(struct __sk_buff, cb[0]) + 2),
2175 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2176 offsetof(struct __sk_buff, cb[1])),
2177 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2178 offsetof(struct __sk_buff, cb[1]) + 2),
2179 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2180 offsetof(struct __sk_buff, cb[2])),
2181 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2182 offsetof(struct __sk_buff, cb[2]) + 2),
2183 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 offsetof(struct __sk_buff, cb[3])),
2185 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2186 offsetof(struct __sk_buff, cb[3]) + 2),
2187 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2188 offsetof(struct __sk_buff, cb[4])),
2189 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2190 offsetof(struct __sk_buff, cb[4]) + 2),
2196 "check cb access: half, unaligned",
2198 BPF_MOV64_IMM(BPF_REG_0, 0),
2199 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2200 offsetof(struct __sk_buff, cb[0]) + 1),
2203 .errstr = "misaligned context access",
2205 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2208 "check __sk_buff->hash, offset 0, half store not permitted",
2210 BPF_MOV64_IMM(BPF_REG_0, 0),
2211 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, hash)),
2215 .errstr = "invalid bpf_context access",
2219 "check __sk_buff->tc_index, offset 2, half store not permitted",
2221 BPF_MOV64_IMM(BPF_REG_0, 0),
2222 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2223 offsetof(struct __sk_buff, tc_index) + 2),
2226 .errstr = "invalid bpf_context access",
2230 "check skb->hash half load permitted",
2232 BPF_MOV64_IMM(BPF_REG_0, 0),
2233 #if __BYTE_ORDER == __LITTLE_ENDIAN
2234 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2235 offsetof(struct __sk_buff, hash)),
2237 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2238 offsetof(struct __sk_buff, hash) + 2),
2245 "check skb->hash half load permitted 2",
2247 BPF_MOV64_IMM(BPF_REG_0, 0),
2248 #if __BYTE_ORDER == __LITTLE_ENDIAN
2249 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2250 offsetof(struct __sk_buff, hash) + 2),
2252 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2253 offsetof(struct __sk_buff, hash)),
2260 "check skb->hash half load not permitted, unaligned 1",
2262 BPF_MOV64_IMM(BPF_REG_0, 0),
2263 #if __BYTE_ORDER == __LITTLE_ENDIAN
2264 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2265 offsetof(struct __sk_buff, hash) + 1),
2267 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2268 offsetof(struct __sk_buff, hash) + 3),
2272 .errstr = "invalid bpf_context access",
2276 "check skb->hash half load not permitted, unaligned 3",
2278 BPF_MOV64_IMM(BPF_REG_0, 0),
2279 #if __BYTE_ORDER == __LITTLE_ENDIAN
2280 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2281 offsetof(struct __sk_buff, hash) + 3),
2283 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2284 offsetof(struct __sk_buff, hash) + 1),
2288 .errstr = "invalid bpf_context access",
2290 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2291 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2294 "check cb access: half, wrong type",
2296 BPF_MOV64_IMM(BPF_REG_0, 0),
2297 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2298 offsetof(struct __sk_buff, cb[0])),
2301 .errstr = "invalid bpf_context access",
2303 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2306 "check cb access: word",
2308 BPF_MOV64_IMM(BPF_REG_0, 0),
2309 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2310 offsetof(struct __sk_buff, cb[0])),
2311 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2312 offsetof(struct __sk_buff, cb[1])),
2313 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2314 offsetof(struct __sk_buff, cb[2])),
2315 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2316 offsetof(struct __sk_buff, cb[3])),
2317 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2318 offsetof(struct __sk_buff, cb[4])),
2319 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2320 offsetof(struct __sk_buff, cb[0])),
2321 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2322 offsetof(struct __sk_buff, cb[1])),
2323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2324 offsetof(struct __sk_buff, cb[2])),
2325 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2326 offsetof(struct __sk_buff, cb[3])),
2327 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2328 offsetof(struct __sk_buff, cb[4])),
2334 "check cb access: word, unaligned 1",
2336 BPF_MOV64_IMM(BPF_REG_0, 0),
2337 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2338 offsetof(struct __sk_buff, cb[0]) + 2),
2341 .errstr = "misaligned context access",
2343 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2346 "check cb access: word, unaligned 2",
2348 BPF_MOV64_IMM(BPF_REG_0, 0),
2349 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2350 offsetof(struct __sk_buff, cb[4]) + 1),
2353 .errstr = "misaligned context access",
2355 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2358 "check cb access: word, unaligned 3",
2360 BPF_MOV64_IMM(BPF_REG_0, 0),
2361 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2362 offsetof(struct __sk_buff, cb[4]) + 2),
2365 .errstr = "misaligned context access",
2367 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2370 "check cb access: word, unaligned 4",
2372 BPF_MOV64_IMM(BPF_REG_0, 0),
2373 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2374 offsetof(struct __sk_buff, cb[4]) + 3),
2377 .errstr = "misaligned context access",
2379 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2382 "check cb access: double",
2384 BPF_MOV64_IMM(BPF_REG_0, 0),
2385 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2386 offsetof(struct __sk_buff, cb[0])),
2387 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2388 offsetof(struct __sk_buff, cb[2])),
2389 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2390 offsetof(struct __sk_buff, cb[0])),
2391 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2392 offsetof(struct __sk_buff, cb[2])),
2398 "check cb access: double, unaligned 1",
2400 BPF_MOV64_IMM(BPF_REG_0, 0),
2401 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2402 offsetof(struct __sk_buff, cb[1])),
2405 .errstr = "misaligned context access",
2407 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2410 "check cb access: double, unaligned 2",
2412 BPF_MOV64_IMM(BPF_REG_0, 0),
2413 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2414 offsetof(struct __sk_buff, cb[3])),
2417 .errstr = "misaligned context access",
2419 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2422 "check cb access: double, oob 1",
2424 BPF_MOV64_IMM(BPF_REG_0, 0),
2425 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2426 offsetof(struct __sk_buff, cb[4])),
2429 .errstr = "invalid bpf_context access",
2433 "check cb access: double, oob 2",
2435 BPF_MOV64_IMM(BPF_REG_0, 0),
2436 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2437 offsetof(struct __sk_buff, cb[4])),
2440 .errstr = "invalid bpf_context access",
2444 "check __sk_buff->ifindex dw store not permitted",
2446 BPF_MOV64_IMM(BPF_REG_0, 0),
2447 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2448 offsetof(struct __sk_buff, ifindex)),
2451 .errstr = "invalid bpf_context access",
2455 "check __sk_buff->ifindex dw load not permitted",
2457 BPF_MOV64_IMM(BPF_REG_0, 0),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2459 offsetof(struct __sk_buff, ifindex)),
2462 .errstr = "invalid bpf_context access",
2466 "check cb access: double, wrong type",
2468 BPF_MOV64_IMM(BPF_REG_0, 0),
2469 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2470 offsetof(struct __sk_buff, cb[0])),
2473 .errstr = "invalid bpf_context access",
2475 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2478 "check out of range skb->cb access",
2480 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2481 offsetof(struct __sk_buff, cb[0]) + 256),
2484 .errstr = "invalid bpf_context access",
2485 .errstr_unpriv = "",
2487 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2490 "write skb fields from socket prog",
2492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2493 offsetof(struct __sk_buff, cb[4])),
2494 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2495 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2496 offsetof(struct __sk_buff, mark)),
2497 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2498 offsetof(struct __sk_buff, tc_index)),
2499 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2500 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2501 offsetof(struct __sk_buff, cb[0])),
2502 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2503 offsetof(struct __sk_buff, cb[2])),
2507 .errstr_unpriv = "R1 leaks addr",
2508 .result_unpriv = REJECT,
2511 "write skb fields from tc_cls_act prog",
2513 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2514 offsetof(struct __sk_buff, cb[0])),
2515 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2516 offsetof(struct __sk_buff, mark)),
2517 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2518 offsetof(struct __sk_buff, tc_index)),
2519 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2520 offsetof(struct __sk_buff, tc_index)),
2521 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2522 offsetof(struct __sk_buff, cb[3])),
2523 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2524 offsetof(struct __sk_buff, tstamp)),
2525 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2526 offsetof(struct __sk_buff, tstamp)),
2529 .errstr_unpriv = "",
2530 .result_unpriv = REJECT,
2532 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2535 "PTR_TO_STACK store/load",
2537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2539 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2540 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2544 .retval = 0xfaceb00c,
2547 "PTR_TO_STACK store/load - bad alignment on off",
2549 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2551 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2552 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2556 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2559 "PTR_TO_STACK store/load - bad alignment on reg",
2561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2563 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2564 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2568 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2571 "PTR_TO_STACK store/load - out of bounds low",
2573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2574 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2575 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2576 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2580 .errstr = "invalid stack off=-79992 size=8",
2581 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2584 "PTR_TO_STACK store/load - out of bounds high",
2586 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2588 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2589 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2593 .errstr = "invalid stack off=0 size=8",
2596 "unpriv: return pointer",
2598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2602 .result_unpriv = REJECT,
2603 .errstr_unpriv = "R0 leaks addr",
2604 .retval = POINTER_VALUE,
2607 "unpriv: add const to pointer",
2609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2610 BPF_MOV64_IMM(BPF_REG_0, 0),
2616 "unpriv: add pointer to pointer",
2618 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2619 BPF_MOV64_IMM(BPF_REG_0, 0),
2623 .errstr = "R1 pointer += pointer",
2626 "unpriv: neg pointer",
2628 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2629 BPF_MOV64_IMM(BPF_REG_0, 0),
2633 .result_unpriv = REJECT,
2634 .errstr_unpriv = "R1 pointer arithmetic",
2637 "unpriv: cmp pointer with const",
2639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2640 BPF_MOV64_IMM(BPF_REG_0, 0),
2644 .result_unpriv = REJECT,
2645 .errstr_unpriv = "R1 pointer comparison",
2648 "unpriv: cmp pointer with pointer",
2650 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2651 BPF_MOV64_IMM(BPF_REG_0, 0),
2655 .result_unpriv = REJECT,
2656 .errstr_unpriv = "R10 pointer comparison",
2659 "unpriv: check that printk is disallowed",
2661 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2662 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2664 BPF_MOV64_IMM(BPF_REG_2, 8),
2665 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2667 BPF_FUNC_trace_printk),
2668 BPF_MOV64_IMM(BPF_REG_0, 0),
2671 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2672 .result_unpriv = REJECT,
2676 "unpriv: pass pointer to helper function",
2678 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2681 BPF_LD_MAP_FD(BPF_REG_1, 0),
2682 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2683 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2684 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2685 BPF_FUNC_map_update_elem),
2686 BPF_MOV64_IMM(BPF_REG_0, 0),
2689 .fixup_map_hash_8b = { 3 },
2690 .errstr_unpriv = "R4 leaks addr",
2691 .result_unpriv = REJECT,
2695 "unpriv: indirectly pass pointer on stack to helper function",
2697 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2700 BPF_LD_MAP_FD(BPF_REG_1, 0),
2701 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2702 BPF_FUNC_map_lookup_elem),
2703 BPF_MOV64_IMM(BPF_REG_0, 0),
2706 .fixup_map_hash_8b = { 3 },
2707 .errstr = "invalid indirect read from stack off -8+0 size 8",
2711 "unpriv: mangle pointer on stack 1",
2713 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2714 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2715 BPF_MOV64_IMM(BPF_REG_0, 0),
2718 .errstr_unpriv = "attempt to corrupt spilled",
2719 .result_unpriv = REJECT,
2723 "unpriv: mangle pointer on stack 2",
2725 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2726 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2727 BPF_MOV64_IMM(BPF_REG_0, 0),
2730 .errstr_unpriv = "attempt to corrupt spilled",
2731 .result_unpriv = REJECT,
2735 "unpriv: read pointer from stack in small chunks",
2737 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2738 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2739 BPF_MOV64_IMM(BPF_REG_0, 0),
2742 .errstr = "invalid size",
2746 "unpriv: write pointer into ctx",
2748 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2749 BPF_MOV64_IMM(BPF_REG_0, 0),
2752 .errstr_unpriv = "R1 leaks addr",
2753 .result_unpriv = REJECT,
2754 .errstr = "invalid bpf_context access",
2758 "unpriv: spill/fill of ctx",
2760 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2762 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2763 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2764 BPF_MOV64_IMM(BPF_REG_0, 0),
2770 "unpriv: spill/fill of ctx 2",
2772 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2774 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2775 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2777 BPF_FUNC_get_hash_recalc),
2778 BPF_MOV64_IMM(BPF_REG_0, 0),
2782 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2785 "unpriv: spill/fill of ctx 3",
2787 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2789 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2790 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2791 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2792 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2793 BPF_FUNC_get_hash_recalc),
2797 .errstr = "R1 type=fp expected=ctx",
2798 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2801 "unpriv: spill/fill of ctx 4",
2803 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2805 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2806 BPF_MOV64_IMM(BPF_REG_0, 1),
2807 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2809 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2810 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2811 BPF_FUNC_get_hash_recalc),
2815 .errstr = "R1 type=inv expected=ctx",
2816 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2819 "unpriv: spill/fill of different pointers stx",
2821 BPF_MOV64_IMM(BPF_REG_3, 42),
2822 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2825 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2827 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2828 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2829 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2830 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2831 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2832 offsetof(struct __sk_buff, mark)),
2833 BPF_MOV64_IMM(BPF_REG_0, 0),
2837 .errstr = "same insn cannot be used with different pointers",
2838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2841 "unpriv: spill/fill of different pointers stx - ctx and sock",
2843 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2844 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2846 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2848 /* void *target = &foo; */
2849 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2851 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2852 /* if (skb == NULL) *target = sock; */
2853 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2854 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2855 /* else *target = skb; */
2856 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2857 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2858 /* struct __sk_buff *skb = *target; */
2859 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2860 /* skb->mark = 42; */
2861 BPF_MOV64_IMM(BPF_REG_3, 42),
2862 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2863 offsetof(struct __sk_buff, mark)),
2864 /* if (sk) bpf_sk_release(sk) */
2865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2866 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2867 BPF_MOV64_IMM(BPF_REG_0, 0),
2871 .errstr = "type=ctx expected=sock",
2872 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2875 "unpriv: spill/fill of different pointers stx - leak sock",
2877 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2878 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2880 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2882 /* void *target = &foo; */
2883 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2885 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2886 /* if (skb == NULL) *target = sock; */
2887 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2888 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2889 /* else *target = skb; */
2890 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2891 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2892 /* struct __sk_buff *skb = *target; */
2893 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2894 /* skb->mark = 42; */
2895 BPF_MOV64_IMM(BPF_REG_3, 42),
2896 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2897 offsetof(struct __sk_buff, mark)),
2901 //.errstr = "same insn cannot be used with different pointers",
2902 .errstr = "Unreleased reference",
2903 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2906 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2908 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2909 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2913 /* void *target = &foo; */
2914 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2916 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2917 /* if (skb) *target = skb */
2918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2919 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2920 /* else *target = sock */
2921 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2922 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2923 /* struct bpf_sock *sk = *target; */
2924 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2925 /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2927 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2928 offsetof(struct bpf_sock, mark)),
2929 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2930 BPF_MOV64_IMM(BPF_REG_0, 0),
2934 .errstr = "same insn cannot be used with different pointers",
2935 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2938 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2940 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2941 /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2945 /* void *target = &foo; */
2946 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2949 /* if (skb) *target = skb */
2950 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2951 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2952 /* else *target = sock */
2953 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2954 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2955 /* struct bpf_sock *sk = *target; */
2956 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2957 /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2959 BPF_MOV64_IMM(BPF_REG_3, 42),
2960 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2961 offsetof(struct bpf_sock, mark)),
2962 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2963 BPF_MOV64_IMM(BPF_REG_0, 0),
2967 //.errstr = "same insn cannot be used with different pointers",
2968 .errstr = "cannot write into socket",
2969 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2972 "unpriv: spill/fill of different pointers ldx",
2974 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2976 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2979 -(__s32)offsetof(struct bpf_perf_event_data,
2980 sample_period) - 8),
2981 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2982 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2983 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2984 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2985 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2986 offsetof(struct bpf_perf_event_data,
2988 BPF_MOV64_IMM(BPF_REG_0, 0),
2992 .errstr = "same insn cannot be used with different pointers",
2993 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2996 "unpriv: write pointer into map elem value",
2998 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3001 BPF_LD_MAP_FD(BPF_REG_1, 0),
3002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3003 BPF_FUNC_map_lookup_elem),
3004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3005 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
3008 .fixup_map_hash_8b = { 3 },
3009 .errstr_unpriv = "R0 leaks addr",
3010 .result_unpriv = REJECT,
3014 "alu32: mov u32 const",
3016 BPF_MOV32_IMM(BPF_REG_7, 0),
3017 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
3018 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
3019 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3020 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
3027 "unpriv: partial copy of pointer",
3029 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
3030 BPF_MOV64_IMM(BPF_REG_0, 0),
3033 .errstr_unpriv = "R10 partial copy",
3034 .result_unpriv = REJECT,
3038 "unpriv: pass pointer to tail_call",
3040 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
3041 BPF_LD_MAP_FD(BPF_REG_2, 0),
3042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3043 BPF_FUNC_tail_call),
3044 BPF_MOV64_IMM(BPF_REG_0, 0),
3047 .fixup_prog1 = { 1 },
3048 .errstr_unpriv = "R3 leaks addr into helper",
3049 .result_unpriv = REJECT,
3053 "unpriv: cmp map pointer with zero",
3055 BPF_MOV64_IMM(BPF_REG_1, 0),
3056 BPF_LD_MAP_FD(BPF_REG_1, 0),
3057 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
3058 BPF_MOV64_IMM(BPF_REG_0, 0),
3061 .fixup_map_hash_8b = { 1 },
3062 .errstr_unpriv = "R1 pointer comparison",
3063 .result_unpriv = REJECT,
3067 "unpriv: write into frame pointer",
3069 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
3070 BPF_MOV64_IMM(BPF_REG_0, 0),
3073 .errstr = "frame pointer is read only",
3077 "unpriv: spill/fill frame pointer",
3079 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3081 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
3082 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
3083 BPF_MOV64_IMM(BPF_REG_0, 0),
3086 .errstr = "frame pointer is read only",
3090 "unpriv: cmp of frame pointer",
3092 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
3093 BPF_MOV64_IMM(BPF_REG_0, 0),
3096 .errstr_unpriv = "R10 pointer comparison",
3097 .result_unpriv = REJECT,
3101 "unpriv: adding of fp",
3103 BPF_MOV64_IMM(BPF_REG_0, 0),
3104 BPF_MOV64_IMM(BPF_REG_1, 0),
3105 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
3106 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
3109 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3110 .result_unpriv = REJECT,
3114 "unpriv: cmp of stack pointer",
3116 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3118 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
3119 BPF_MOV64_IMM(BPF_REG_0, 0),
3122 .errstr_unpriv = "R2 pointer comparison",
3123 .result_unpriv = REJECT,
3127 "runtime/jit: tail_call within bounds, prog once",
3129 BPF_MOV64_IMM(BPF_REG_3, 0),
3130 BPF_LD_MAP_FD(BPF_REG_2, 0),
3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 BPF_FUNC_tail_call),
3133 BPF_MOV64_IMM(BPF_REG_0, 1),
3136 .fixup_prog1 = { 1 },
3141 "runtime/jit: tail_call within bounds, prog loop",
3143 BPF_MOV64_IMM(BPF_REG_3, 1),
3144 BPF_LD_MAP_FD(BPF_REG_2, 0),
3145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3146 BPF_FUNC_tail_call),
3147 BPF_MOV64_IMM(BPF_REG_0, 1),
3150 .fixup_prog1 = { 1 },
3155 "runtime/jit: tail_call within bounds, no prog",
3157 BPF_MOV64_IMM(BPF_REG_3, 2),
3158 BPF_LD_MAP_FD(BPF_REG_2, 0),
3159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3160 BPF_FUNC_tail_call),
3161 BPF_MOV64_IMM(BPF_REG_0, 1),
3164 .fixup_prog1 = { 1 },
3169 "runtime/jit: tail_call out of bounds",
3171 BPF_MOV64_IMM(BPF_REG_3, 256),
3172 BPF_LD_MAP_FD(BPF_REG_2, 0),
3173 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3174 BPF_FUNC_tail_call),
3175 BPF_MOV64_IMM(BPF_REG_0, 2),
3178 .fixup_prog1 = { 1 },
3183 "runtime/jit: pass negative index to tail_call",
3185 BPF_MOV64_IMM(BPF_REG_3, -1),
3186 BPF_LD_MAP_FD(BPF_REG_2, 0),
3187 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3188 BPF_FUNC_tail_call),
3189 BPF_MOV64_IMM(BPF_REG_0, 2),
3192 .fixup_prog1 = { 1 },
3197 "runtime/jit: pass > 32bit index to tail_call",
3199 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3200 BPF_LD_MAP_FD(BPF_REG_2, 0),
3201 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3202 BPF_FUNC_tail_call),
3203 BPF_MOV64_IMM(BPF_REG_0, 2),
3206 .fixup_prog1 = { 2 },
3209 /* Verifier rewrite for unpriv skips tail call here. */
3213 "PTR_TO_STACK check high 1",
3215 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
3217 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3218 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3225 "PTR_TO_STACK check high 2",
3227 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3228 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3229 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3236 "PTR_TO_STACK check high 3",
3238 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3240 BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3241 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3244 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3245 .result_unpriv = REJECT,
3250 "PTR_TO_STACK check high 4",
3252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3254 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3255 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3258 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3259 .errstr = "invalid stack off=0 size=1",
3263 "PTR_TO_STACK check high 5",
3265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3267 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3268 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3272 .errstr = "invalid stack off",
3275 "PTR_TO_STACK check high 6",
3277 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3279 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3280 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3284 .errstr = "invalid stack off",
3287 "PTR_TO_STACK check high 7",
3289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3292 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3293 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3297 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3298 .errstr = "fp pointer offset",
3301 "PTR_TO_STACK check low 1",
3303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
3305 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3306 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3313 "PTR_TO_STACK check low 2",
3315 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3317 BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
3318 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
3321 .result_unpriv = REJECT,
3322 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3327 "PTR_TO_STACK check low 3",
3329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3331 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3332 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3335 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3336 .errstr = "invalid stack off=-513 size=1",
3340 "PTR_TO_STACK check low 4",
3342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
3344 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3345 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3349 .errstr = "math between fp pointer",
3352 "PTR_TO_STACK check low 5",
3354 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3356 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3357 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3361 .errstr = "invalid stack off",
3364 "PTR_TO_STACK check low 6",
3366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3368 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3369 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3373 .errstr = "invalid stack off",
3376 "PTR_TO_STACK check low 7",
3378 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3381 BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3386 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3387 .errstr = "fp pointer offset",
3390 "PTR_TO_STACK mixed reg/k, 1",
3392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3394 BPF_MOV64_IMM(BPF_REG_2, -3),
3395 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3396 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3397 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3404 "PTR_TO_STACK mixed reg/k, 2",
3406 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3407 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
3408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3410 BPF_MOV64_IMM(BPF_REG_2, -3),
3411 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3412 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3413 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
3414 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
3421 "PTR_TO_STACK mixed reg/k, 3",
3423 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3425 BPF_MOV64_IMM(BPF_REG_2, -3),
3426 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3427 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3428 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3437 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3438 BPF_MOV64_IMM(BPF_REG_2, -3),
3439 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3440 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3441 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3444 .result_unpriv = REJECT,
3445 .errstr_unpriv = "invalid stack off=0 size=1",
3450 "stack pointer arithmetic",
3452 BPF_MOV64_IMM(BPF_REG_1, 4),
3453 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3454 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3458 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3459 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3460 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3462 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3463 BPF_MOV64_IMM(BPF_REG_0, 0),
3469 "raw_stack: no skb_load_bytes",
3471 BPF_MOV64_IMM(BPF_REG_2, 4),
3472 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3474 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3475 BPF_MOV64_IMM(BPF_REG_4, 8),
3476 /* Call to skb_load_bytes() omitted. */
3477 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3481 .errstr = "invalid read from stack off -8+0 size 8",
3482 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3485 "raw_stack: skb_load_bytes, negative len",
3487 BPF_MOV64_IMM(BPF_REG_2, 4),
3488 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3490 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3491 BPF_MOV64_IMM(BPF_REG_4, -8),
3492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3493 BPF_FUNC_skb_load_bytes),
3494 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3498 .errstr = "R4 min value is negative",
3499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3502 "raw_stack: skb_load_bytes, negative len 2",
3504 BPF_MOV64_IMM(BPF_REG_2, 4),
3505 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3507 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3508 BPF_MOV64_IMM(BPF_REG_4, ~0),
3509 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3510 BPF_FUNC_skb_load_bytes),
3511 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3515 .errstr = "R4 min value is negative",
3516 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3519 "raw_stack: skb_load_bytes, zero len",
3521 BPF_MOV64_IMM(BPF_REG_2, 4),
3522 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3524 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3525 BPF_MOV64_IMM(BPF_REG_4, 0),
3526 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3527 BPF_FUNC_skb_load_bytes),
3528 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3532 .errstr = "invalid stack type R3",
3533 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3536 "raw_stack: skb_load_bytes, no init",
3538 BPF_MOV64_IMM(BPF_REG_2, 4),
3539 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3541 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3542 BPF_MOV64_IMM(BPF_REG_4, 8),
3543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3544 BPF_FUNC_skb_load_bytes),
3545 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3549 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3552 "raw_stack: skb_load_bytes, init",
3554 BPF_MOV64_IMM(BPF_REG_2, 4),
3555 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3557 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3558 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3559 BPF_MOV64_IMM(BPF_REG_4, 8),
3560 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3561 BPF_FUNC_skb_load_bytes),
3562 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3566 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3569 "raw_stack: skb_load_bytes, spilled regs around bounds",
3571 BPF_MOV64_IMM(BPF_REG_2, 4),
3572 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3574 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3575 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3576 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3577 BPF_MOV64_IMM(BPF_REG_4, 8),
3578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3579 BPF_FUNC_skb_load_bytes),
3580 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3581 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3582 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3583 offsetof(struct __sk_buff, mark)),
3584 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3585 offsetof(struct __sk_buff, priority)),
3586 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3590 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3593 "raw_stack: skb_load_bytes, spilled regs corruption",
3595 BPF_MOV64_IMM(BPF_REG_2, 4),
3596 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3598 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3599 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3600 BPF_MOV64_IMM(BPF_REG_4, 8),
3601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3602 BPF_FUNC_skb_load_bytes),
3603 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3604 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3605 offsetof(struct __sk_buff, mark)),
3609 .errstr = "R0 invalid mem access 'inv'",
3610 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3614 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3616 BPF_MOV64_IMM(BPF_REG_2, 4),
3617 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3619 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3620 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3621 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3622 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3623 BPF_MOV64_IMM(BPF_REG_4, 8),
3624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3625 BPF_FUNC_skb_load_bytes),
3626 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3627 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3628 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3629 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3630 offsetof(struct __sk_buff, mark)),
3631 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3632 offsetof(struct __sk_buff, priority)),
3633 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3634 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3635 offsetof(struct __sk_buff, pkt_type)),
3636 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3640 .errstr = "R3 invalid mem access 'inv'",
3641 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3642 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3645 "raw_stack: skb_load_bytes, spilled regs + data",
3647 BPF_MOV64_IMM(BPF_REG_2, 4),
3648 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3650 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3651 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3652 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3653 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3654 BPF_MOV64_IMM(BPF_REG_4, 8),
3655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3656 BPF_FUNC_skb_load_bytes),
3657 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3658 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3659 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3660 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3661 offsetof(struct __sk_buff, mark)),
3662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3663 offsetof(struct __sk_buff, priority)),
3664 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3665 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3669 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3672 "raw_stack: skb_load_bytes, invalid access 1",
3674 BPF_MOV64_IMM(BPF_REG_2, 4),
3675 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3677 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3678 BPF_MOV64_IMM(BPF_REG_4, 8),
3679 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3680 BPF_FUNC_skb_load_bytes),
3681 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3685 .errstr = "invalid stack type R3 off=-513 access_size=8",
3686 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3689 "raw_stack: skb_load_bytes, invalid access 2",
3691 BPF_MOV64_IMM(BPF_REG_2, 4),
3692 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3694 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3695 BPF_MOV64_IMM(BPF_REG_4, 8),
3696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3697 BPF_FUNC_skb_load_bytes),
3698 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3702 .errstr = "invalid stack type R3 off=-1 access_size=8",
3703 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3706 "raw_stack: skb_load_bytes, invalid access 3",
3708 BPF_MOV64_IMM(BPF_REG_2, 4),
3709 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3711 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3712 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3713 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3714 BPF_FUNC_skb_load_bytes),
3715 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3719 .errstr = "R4 min value is negative",
3720 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3723 "raw_stack: skb_load_bytes, invalid access 4",
3725 BPF_MOV64_IMM(BPF_REG_2, 4),
3726 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3728 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3729 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3731 BPF_FUNC_skb_load_bytes),
3732 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3736 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3737 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3740 "raw_stack: skb_load_bytes, invalid access 5",
3742 BPF_MOV64_IMM(BPF_REG_2, 4),
3743 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3745 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3746 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3748 BPF_FUNC_skb_load_bytes),
3749 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3753 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3754 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3757 "raw_stack: skb_load_bytes, invalid access 6",
3759 BPF_MOV64_IMM(BPF_REG_2, 4),
3760 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3762 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3763 BPF_MOV64_IMM(BPF_REG_4, 0),
3764 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3765 BPF_FUNC_skb_load_bytes),
3766 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3770 .errstr = "invalid stack type R3 off=-512 access_size=0",
3771 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3774 "raw_stack: skb_load_bytes, large access",
3776 BPF_MOV64_IMM(BPF_REG_2, 4),
3777 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3779 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3780 BPF_MOV64_IMM(BPF_REG_4, 512),
3781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3782 BPF_FUNC_skb_load_bytes),
3783 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3787 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3790 "context stores via ST",
3792 BPF_MOV64_IMM(BPF_REG_0, 0),
3793 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3796 .errstr = "BPF_ST stores into R1 ctx is not allowed",
3798 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3801 "context stores via XADD",
3803 BPF_MOV64_IMM(BPF_REG_0, 0),
3804 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3805 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3808 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
3810 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3813 "direct packet access: test1",
3815 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3816 offsetof(struct __sk_buff, data)),
3817 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3818 offsetof(struct __sk_buff, data_end)),
3819 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3821 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3822 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3823 BPF_MOV64_IMM(BPF_REG_0, 0),
3827 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3830 "direct packet access: test2",
3832 BPF_MOV64_IMM(BPF_REG_0, 1),
3833 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3834 offsetof(struct __sk_buff, data_end)),
3835 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3836 offsetof(struct __sk_buff, data)),
3837 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3839 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3840 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3841 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3842 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3843 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3844 offsetof(struct __sk_buff, data)),
3845 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3846 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3847 offsetof(struct __sk_buff, len)),
3848 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3849 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3850 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3851 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3853 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3854 offsetof(struct __sk_buff, data_end)),
3855 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3856 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3857 BPF_MOV64_IMM(BPF_REG_0, 0),
3861 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3864 "direct packet access: test3",
3866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3867 offsetof(struct __sk_buff, data)),
3868 BPF_MOV64_IMM(BPF_REG_0, 0),
3871 .errstr = "invalid bpf_context access off=76",
3873 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3876 "direct packet access: test4 (write)",
3878 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3879 offsetof(struct __sk_buff, data)),
3880 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3881 offsetof(struct __sk_buff, data_end)),
3882 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3884 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3885 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3886 BPF_MOV64_IMM(BPF_REG_0, 0),
3890 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3893 "direct packet access: test5 (pkt_end >= reg, good access)",
3895 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3896 offsetof(struct __sk_buff, data)),
3897 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3898 offsetof(struct __sk_buff, data_end)),
3899 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3901 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3902 BPF_MOV64_IMM(BPF_REG_0, 1),
3904 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3905 BPF_MOV64_IMM(BPF_REG_0, 0),
3909 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3912 "direct packet access: test6 (pkt_end >= reg, bad access)",
3914 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3915 offsetof(struct __sk_buff, data)),
3916 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3917 offsetof(struct __sk_buff, data_end)),
3918 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3920 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3921 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3922 BPF_MOV64_IMM(BPF_REG_0, 1),
3924 BPF_MOV64_IMM(BPF_REG_0, 0),
3927 .errstr = "invalid access to packet",
3929 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3932 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3934 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3935 offsetof(struct __sk_buff, data)),
3936 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3937 offsetof(struct __sk_buff, data_end)),
3938 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3940 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3942 BPF_MOV64_IMM(BPF_REG_0, 1),
3944 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3945 BPF_MOV64_IMM(BPF_REG_0, 0),
3948 .errstr = "invalid access to packet",
3950 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3953 "direct packet access: test8 (double test, variant 1)",
3955 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3956 offsetof(struct __sk_buff, data)),
3957 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3958 offsetof(struct __sk_buff, data_end)),
3959 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3961 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3962 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3963 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3964 BPF_MOV64_IMM(BPF_REG_0, 1),
3966 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3967 BPF_MOV64_IMM(BPF_REG_0, 0),
3971 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3974 "direct packet access: test9 (double test, variant 2)",
3976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3977 offsetof(struct __sk_buff, data)),
3978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3979 offsetof(struct __sk_buff, data_end)),
3980 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3982 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3983 BPF_MOV64_IMM(BPF_REG_0, 1),
3985 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3986 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3987 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3988 BPF_MOV64_IMM(BPF_REG_0, 0),
3992 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3995 "direct packet access: test10 (write invalid)",
3997 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3998 offsetof(struct __sk_buff, data)),
3999 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4000 offsetof(struct __sk_buff, data_end)),
4001 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4003 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4004 BPF_MOV64_IMM(BPF_REG_0, 0),
4006 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4007 BPF_MOV64_IMM(BPF_REG_0, 0),
4010 .errstr = "invalid access to packet",
4012 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4015 "direct packet access: test11 (shift, good access)",
4017 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4018 offsetof(struct __sk_buff, data)),
4019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4020 offsetof(struct __sk_buff, data_end)),
4021 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4023 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4024 BPF_MOV64_IMM(BPF_REG_3, 144),
4025 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4027 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
4028 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4029 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4030 BPF_MOV64_IMM(BPF_REG_0, 1),
4032 BPF_MOV64_IMM(BPF_REG_0, 0),
4036 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4040 "direct packet access: test12 (and, good access)",
4042 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4043 offsetof(struct __sk_buff, data)),
4044 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4045 offsetof(struct __sk_buff, data_end)),
4046 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4048 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4049 BPF_MOV64_IMM(BPF_REG_3, 144),
4050 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4051 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4052 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4053 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4054 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4055 BPF_MOV64_IMM(BPF_REG_0, 1),
4057 BPF_MOV64_IMM(BPF_REG_0, 0),
4061 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4065 "direct packet access: test13 (branches, good access)",
4067 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4068 offsetof(struct __sk_buff, data)),
4069 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4070 offsetof(struct __sk_buff, data_end)),
4071 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4073 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
4074 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4075 offsetof(struct __sk_buff, mark)),
4076 BPF_MOV64_IMM(BPF_REG_4, 1),
4077 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
4078 BPF_MOV64_IMM(BPF_REG_3, 14),
4079 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
4080 BPF_MOV64_IMM(BPF_REG_3, 24),
4081 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4083 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4084 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4085 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4086 BPF_MOV64_IMM(BPF_REG_0, 1),
4088 BPF_MOV64_IMM(BPF_REG_0, 0),
4092 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4096 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
4098 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4099 offsetof(struct __sk_buff, data)),
4100 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4101 offsetof(struct __sk_buff, data_end)),
4102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4104 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
4105 BPF_MOV64_IMM(BPF_REG_5, 12),
4106 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
4107 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4108 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4109 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
4110 BPF_MOV64_IMM(BPF_REG_0, 1),
4112 BPF_MOV64_IMM(BPF_REG_0, 0),
4116 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4120 "direct packet access: test15 (spill with xadd)",
4122 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4123 offsetof(struct __sk_buff, data)),
4124 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4125 offsetof(struct __sk_buff, data_end)),
4126 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4128 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4129 BPF_MOV64_IMM(BPF_REG_5, 4096),
4130 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
4131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
4132 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
4133 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
4134 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
4135 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
4136 BPF_MOV64_IMM(BPF_REG_0, 0),
4139 .errstr = "R2 invalid mem access 'inv'",
4141 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4142 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4145 "direct packet access: test16 (arith on data_end)",
4147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4148 offsetof(struct __sk_buff, data)),
4149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4150 offsetof(struct __sk_buff, data_end)),
4151 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
4154 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4155 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4156 BPF_MOV64_IMM(BPF_REG_0, 0),
4159 .errstr = "R3 pointer arithmetic on pkt_end",
4161 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4164 "direct packet access: test17 (pruning, alignment)",
4166 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4167 offsetof(struct __sk_buff, data)),
4168 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4169 offsetof(struct __sk_buff, data_end)),
4170 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4171 offsetof(struct __sk_buff, mark)),
4172 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
4174 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
4175 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4176 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
4177 BPF_MOV64_IMM(BPF_REG_0, 0),
4179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
4182 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
4184 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4185 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
4188 "direct packet access: test18 (imm += pkt_ptr, 1)",
4190 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4191 offsetof(struct __sk_buff, data)),
4192 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4193 offsetof(struct __sk_buff, data_end)),
4194 BPF_MOV64_IMM(BPF_REG_0, 8),
4195 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4196 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4197 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4198 BPF_MOV64_IMM(BPF_REG_0, 0),
4202 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4205 "direct packet access: test19 (imm += pkt_ptr, 2)",
4207 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4208 offsetof(struct __sk_buff, data)),
4209 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4210 offsetof(struct __sk_buff, data_end)),
4211 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4213 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
4214 BPF_MOV64_IMM(BPF_REG_4, 4),
4215 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4216 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
4217 BPF_MOV64_IMM(BPF_REG_0, 0),
4221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4224 "direct packet access: test20 (x += pkt_ptr, 1)",
4226 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4227 offsetof(struct __sk_buff, data)),
4228 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4229 offsetof(struct __sk_buff, data_end)),
4230 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4231 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4233 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
4234 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4235 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4236 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4238 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4239 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4240 BPF_MOV64_IMM(BPF_REG_0, 0),
4243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4245 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4248 "direct packet access: test21 (x += pkt_ptr, 2)",
4250 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4251 offsetof(struct __sk_buff, data)),
4252 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4253 offsetof(struct __sk_buff, data_end)),
4254 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4256 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
4257 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4258 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4259 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4260 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
4261 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4262 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4264 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4265 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4266 BPF_MOV64_IMM(BPF_REG_0, 0),
4269 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4271 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4274 "direct packet access: test22 (x += pkt_ptr, 3)",
4276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4277 offsetof(struct __sk_buff, data)),
4278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4279 offsetof(struct __sk_buff, data_end)),
4280 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4282 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
4283 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
4284 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
4285 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
4286 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
4287 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4288 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4289 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4290 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
4291 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4292 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
4293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
4294 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4295 BPF_MOV64_IMM(BPF_REG_2, 1),
4296 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
4297 BPF_MOV64_IMM(BPF_REG_0, 0),
4300 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4302 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4305 "direct packet access: test23 (x += pkt_ptr, 4)",
4307 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4308 offsetof(struct __sk_buff, data)),
4309 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4310 offsetof(struct __sk_buff, data_end)),
4311 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4312 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4314 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
4315 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4316 BPF_MOV64_IMM(BPF_REG_0, 31),
4317 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4318 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4319 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
4321 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4322 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4323 BPF_MOV64_IMM(BPF_REG_0, 0),
4326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4328 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
4329 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4332 "direct packet access: test24 (x += pkt_ptr, 5)",
4334 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4335 offsetof(struct __sk_buff, data)),
4336 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4337 offsetof(struct __sk_buff, data_end)),
4338 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4339 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4340 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4341 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
4342 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4343 BPF_MOV64_IMM(BPF_REG_0, 64),
4344 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4345 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4346 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
4348 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4349 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4350 BPF_MOV64_IMM(BPF_REG_0, 0),
4353 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4355 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4358 "direct packet access: test25 (marking on <, good access)",
4360 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4361 offsetof(struct __sk_buff, data)),
4362 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4363 offsetof(struct __sk_buff, data_end)),
4364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4366 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
4367 BPF_MOV64_IMM(BPF_REG_0, 0),
4369 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4370 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4376 "direct packet access: test26 (marking on <, bad access)",
4378 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4379 offsetof(struct __sk_buff, data)),
4380 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4381 offsetof(struct __sk_buff, data_end)),
4382 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4384 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4385 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4386 BPF_MOV64_IMM(BPF_REG_0, 0),
4388 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4391 .errstr = "invalid access to packet",
4392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4395 "direct packet access: test27 (marking on <=, good access)",
4397 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4398 offsetof(struct __sk_buff, data)),
4399 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4400 offsetof(struct __sk_buff, data_end)),
4401 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4403 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4405 BPF_MOV64_IMM(BPF_REG_0, 1),
4409 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4413 "direct packet access: test28 (marking on <=, bad access)",
4415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4416 offsetof(struct __sk_buff, data)),
4417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4418 offsetof(struct __sk_buff, data_end)),
4419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4421 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4422 BPF_MOV64_IMM(BPF_REG_0, 1),
4424 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4425 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4428 .errstr = "invalid access to packet",
4429 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4432 "helper access to packet: test1, valid packet_ptr range",
4434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4435 offsetof(struct xdp_md, data)),
4436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4437 offsetof(struct xdp_md, data_end)),
4438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4440 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4441 BPF_LD_MAP_FD(BPF_REG_1, 0),
4442 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4443 BPF_MOV64_IMM(BPF_REG_4, 0),
4444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4445 BPF_FUNC_map_update_elem),
4446 BPF_MOV64_IMM(BPF_REG_0, 0),
4449 .fixup_map_hash_8b = { 5 },
4450 .result_unpriv = ACCEPT,
4452 .prog_type = BPF_PROG_TYPE_XDP,
4455 "helper access to packet: test2, unchecked packet_ptr",
4457 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4458 offsetof(struct xdp_md, data)),
4459 BPF_LD_MAP_FD(BPF_REG_1, 0),
4460 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4461 BPF_FUNC_map_lookup_elem),
4462 BPF_MOV64_IMM(BPF_REG_0, 0),
4465 .fixup_map_hash_8b = { 1 },
4467 .errstr = "invalid access to packet",
4468 .prog_type = BPF_PROG_TYPE_XDP,
4471 "helper access to packet: test3, variable add",
4473 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4474 offsetof(struct xdp_md, data)),
4475 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4476 offsetof(struct xdp_md, data_end)),
4477 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4479 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4480 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4481 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4482 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4483 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4485 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4486 BPF_LD_MAP_FD(BPF_REG_1, 0),
4487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4488 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4489 BPF_FUNC_map_lookup_elem),
4490 BPF_MOV64_IMM(BPF_REG_0, 0),
4493 .fixup_map_hash_8b = { 11 },
4495 .prog_type = BPF_PROG_TYPE_XDP,
4498 "helper access to packet: test4, packet_ptr with bad range",
4500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4501 offsetof(struct xdp_md, data)),
4502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4503 offsetof(struct xdp_md, data_end)),
4504 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4506 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4507 BPF_MOV64_IMM(BPF_REG_0, 0),
4509 BPF_LD_MAP_FD(BPF_REG_1, 0),
4510 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4511 BPF_FUNC_map_lookup_elem),
4512 BPF_MOV64_IMM(BPF_REG_0, 0),
4515 .fixup_map_hash_8b = { 7 },
4517 .errstr = "invalid access to packet",
4518 .prog_type = BPF_PROG_TYPE_XDP,
4521 "helper access to packet: test5, packet_ptr with too short range",
4523 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4524 offsetof(struct xdp_md, data)),
4525 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4526 offsetof(struct xdp_md, data_end)),
4527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4528 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4530 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4531 BPF_LD_MAP_FD(BPF_REG_1, 0),
4532 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4533 BPF_FUNC_map_lookup_elem),
4534 BPF_MOV64_IMM(BPF_REG_0, 0),
4537 .fixup_map_hash_8b = { 6 },
4539 .errstr = "invalid access to packet",
4540 .prog_type = BPF_PROG_TYPE_XDP,
4543 "helper access to packet: test6, cls valid packet_ptr range",
4545 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4546 offsetof(struct __sk_buff, data)),
4547 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4548 offsetof(struct __sk_buff, data_end)),
4549 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4551 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4552 BPF_LD_MAP_FD(BPF_REG_1, 0),
4553 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4554 BPF_MOV64_IMM(BPF_REG_4, 0),
4555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4556 BPF_FUNC_map_update_elem),
4557 BPF_MOV64_IMM(BPF_REG_0, 0),
4560 .fixup_map_hash_8b = { 5 },
4562 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4565 "helper access to packet: test7, cls unchecked packet_ptr",
4567 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4568 offsetof(struct __sk_buff, data)),
4569 BPF_LD_MAP_FD(BPF_REG_1, 0),
4570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4571 BPF_FUNC_map_lookup_elem),
4572 BPF_MOV64_IMM(BPF_REG_0, 0),
4575 .fixup_map_hash_8b = { 1 },
4577 .errstr = "invalid access to packet",
4578 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4581 "helper access to packet: test8, cls variable add",
4583 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4584 offsetof(struct __sk_buff, data)),
4585 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4586 offsetof(struct __sk_buff, data_end)),
4587 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4589 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4590 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4591 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4592 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4593 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4595 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4596 BPF_LD_MAP_FD(BPF_REG_1, 0),
4597 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4598 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4599 BPF_FUNC_map_lookup_elem),
4600 BPF_MOV64_IMM(BPF_REG_0, 0),
4603 .fixup_map_hash_8b = { 11 },
4605 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4608 "helper access to packet: test9, cls packet_ptr with bad range",
4610 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4611 offsetof(struct __sk_buff, data)),
4612 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4613 offsetof(struct __sk_buff, data_end)),
4614 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4616 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4617 BPF_MOV64_IMM(BPF_REG_0, 0),
4619 BPF_LD_MAP_FD(BPF_REG_1, 0),
4620 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4621 BPF_FUNC_map_lookup_elem),
4622 BPF_MOV64_IMM(BPF_REG_0, 0),
4625 .fixup_map_hash_8b = { 7 },
4627 .errstr = "invalid access to packet",
4628 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4631 "helper access to packet: test10, cls packet_ptr with too short range",
4633 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4634 offsetof(struct __sk_buff, data)),
4635 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4636 offsetof(struct __sk_buff, data_end)),
4637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4638 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4640 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4641 BPF_LD_MAP_FD(BPF_REG_1, 0),
4642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4643 BPF_FUNC_map_lookup_elem),
4644 BPF_MOV64_IMM(BPF_REG_0, 0),
4647 .fixup_map_hash_8b = { 6 },
4649 .errstr = "invalid access to packet",
4650 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4653 "helper access to packet: test11, cls unsuitable helper 1",
4655 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4656 offsetof(struct __sk_buff, data)),
4657 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4658 offsetof(struct __sk_buff, data_end)),
4659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4660 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4662 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4663 BPF_MOV64_IMM(BPF_REG_2, 0),
4664 BPF_MOV64_IMM(BPF_REG_4, 42),
4665 BPF_MOV64_IMM(BPF_REG_5, 0),
4666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4667 BPF_FUNC_skb_store_bytes),
4668 BPF_MOV64_IMM(BPF_REG_0, 0),
4672 .errstr = "helper access to the packet",
4673 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4676 "helper access to packet: test12, cls unsuitable helper 2",
4678 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4679 offsetof(struct __sk_buff, data)),
4680 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4681 offsetof(struct __sk_buff, data_end)),
4682 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4684 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4685 BPF_MOV64_IMM(BPF_REG_2, 0),
4686 BPF_MOV64_IMM(BPF_REG_4, 4),
4687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4688 BPF_FUNC_skb_load_bytes),
4689 BPF_MOV64_IMM(BPF_REG_0, 0),
4693 .errstr = "helper access to the packet",
4694 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4697 "helper access to packet: test13, cls helper ok",
4699 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4700 offsetof(struct __sk_buff, data)),
4701 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4702 offsetof(struct __sk_buff, data_end)),
4703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4706 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4707 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4708 BPF_MOV64_IMM(BPF_REG_2, 4),
4709 BPF_MOV64_IMM(BPF_REG_3, 0),
4710 BPF_MOV64_IMM(BPF_REG_4, 0),
4711 BPF_MOV64_IMM(BPF_REG_5, 0),
4712 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4713 BPF_FUNC_csum_diff),
4714 BPF_MOV64_IMM(BPF_REG_0, 0),
4718 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4721 "helper access to packet: test14, cls helper ok sub",
4723 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4724 offsetof(struct __sk_buff, data)),
4725 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4726 offsetof(struct __sk_buff, data_end)),
4727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4730 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4731 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4732 BPF_MOV64_IMM(BPF_REG_2, 4),
4733 BPF_MOV64_IMM(BPF_REG_3, 0),
4734 BPF_MOV64_IMM(BPF_REG_4, 0),
4735 BPF_MOV64_IMM(BPF_REG_5, 0),
4736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4737 BPF_FUNC_csum_diff),
4738 BPF_MOV64_IMM(BPF_REG_0, 0),
4742 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4745 "helper access to packet: test15, cls helper fail sub",
4747 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4748 offsetof(struct __sk_buff, data)),
4749 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4750 offsetof(struct __sk_buff, data_end)),
4751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4754 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4755 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4756 BPF_MOV64_IMM(BPF_REG_2, 4),
4757 BPF_MOV64_IMM(BPF_REG_3, 0),
4758 BPF_MOV64_IMM(BPF_REG_4, 0),
4759 BPF_MOV64_IMM(BPF_REG_5, 0),
4760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4761 BPF_FUNC_csum_diff),
4762 BPF_MOV64_IMM(BPF_REG_0, 0),
4766 .errstr = "invalid access to packet",
4767 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4770 "helper access to packet: test16, cls helper fail range 1",
4772 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4773 offsetof(struct __sk_buff, data)),
4774 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4775 offsetof(struct __sk_buff, data_end)),
4776 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4777 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4778 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4779 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4780 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4781 BPF_MOV64_IMM(BPF_REG_2, 8),
4782 BPF_MOV64_IMM(BPF_REG_3, 0),
4783 BPF_MOV64_IMM(BPF_REG_4, 0),
4784 BPF_MOV64_IMM(BPF_REG_5, 0),
4785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4786 BPF_FUNC_csum_diff),
4787 BPF_MOV64_IMM(BPF_REG_0, 0),
4791 .errstr = "invalid access to packet",
4792 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4795 "helper access to packet: test17, cls helper fail range 2",
4797 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4798 offsetof(struct __sk_buff, data)),
4799 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4800 offsetof(struct __sk_buff, data_end)),
4801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4802 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4803 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4804 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4806 BPF_MOV64_IMM(BPF_REG_2, -9),
4807 BPF_MOV64_IMM(BPF_REG_3, 0),
4808 BPF_MOV64_IMM(BPF_REG_4, 0),
4809 BPF_MOV64_IMM(BPF_REG_5, 0),
4810 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4811 BPF_FUNC_csum_diff),
4812 BPF_MOV64_IMM(BPF_REG_0, 0),
4816 .errstr = "R2 min value is negative",
4817 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4820 "helper access to packet: test18, cls helper fail range 3",
4822 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4823 offsetof(struct __sk_buff, data)),
4824 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4825 offsetof(struct __sk_buff, data_end)),
4826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4827 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4829 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4831 BPF_MOV64_IMM(BPF_REG_2, ~0),
4832 BPF_MOV64_IMM(BPF_REG_3, 0),
4833 BPF_MOV64_IMM(BPF_REG_4, 0),
4834 BPF_MOV64_IMM(BPF_REG_5, 0),
4835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4836 BPF_FUNC_csum_diff),
4837 BPF_MOV64_IMM(BPF_REG_0, 0),
4841 .errstr = "R2 min value is negative",
4842 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4845 "helper access to packet: test19, cls helper range zero",
4847 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4848 offsetof(struct __sk_buff, data)),
4849 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4850 offsetof(struct __sk_buff, data_end)),
4851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4852 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4854 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4855 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4856 BPF_MOV64_IMM(BPF_REG_2, 0),
4857 BPF_MOV64_IMM(BPF_REG_3, 0),
4858 BPF_MOV64_IMM(BPF_REG_4, 0),
4859 BPF_MOV64_IMM(BPF_REG_5, 0),
4860 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4861 BPF_FUNC_csum_diff),
4862 BPF_MOV64_IMM(BPF_REG_0, 0),
4866 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4869 "helper access to packet: test20, pkt end as input",
4871 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4872 offsetof(struct __sk_buff, data)),
4873 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4874 offsetof(struct __sk_buff, data_end)),
4875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4878 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4880 BPF_MOV64_IMM(BPF_REG_2, 4),
4881 BPF_MOV64_IMM(BPF_REG_3, 0),
4882 BPF_MOV64_IMM(BPF_REG_4, 0),
4883 BPF_MOV64_IMM(BPF_REG_5, 0),
4884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4885 BPF_FUNC_csum_diff),
4886 BPF_MOV64_IMM(BPF_REG_0, 0),
4890 .errstr = "R1 type=pkt_end expected=fp",
4891 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4894 "helper access to packet: test21, wrong reg",
4896 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4897 offsetof(struct __sk_buff, data)),
4898 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4899 offsetof(struct __sk_buff, data_end)),
4900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4903 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4904 BPF_MOV64_IMM(BPF_REG_2, 4),
4905 BPF_MOV64_IMM(BPF_REG_3, 0),
4906 BPF_MOV64_IMM(BPF_REG_4, 0),
4907 BPF_MOV64_IMM(BPF_REG_5, 0),
4908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4909 BPF_FUNC_csum_diff),
4910 BPF_MOV64_IMM(BPF_REG_0, 0),
4914 .errstr = "invalid access to packet",
4915 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4918 "prevent map lookup in sockmap",
4920 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4923 BPF_LD_MAP_FD(BPF_REG_1, 0),
4924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4925 BPF_FUNC_map_lookup_elem),
4928 .fixup_map_sockmap = { 3 },
4930 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4931 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4934 "prevent map lookup in sockhash",
4936 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4937 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4939 BPF_LD_MAP_FD(BPF_REG_1, 0),
4940 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4941 BPF_FUNC_map_lookup_elem),
4944 .fixup_map_sockhash = { 3 },
4946 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4947 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4950 "prevent map lookup in xskmap",
4952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4955 BPF_LD_MAP_FD(BPF_REG_1, 0),
4956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4957 BPF_FUNC_map_lookup_elem),
4960 .fixup_map_xskmap = { 3 },
4962 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4963 .prog_type = BPF_PROG_TYPE_XDP,
4966 "prevent map lookup in stack trace",
4968 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4971 BPF_LD_MAP_FD(BPF_REG_1, 0),
4972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4973 BPF_FUNC_map_lookup_elem),
4976 .fixup_map_stacktrace = { 3 },
4978 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4979 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4982 "prevent map lookup in prog array",
4984 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4987 BPF_LD_MAP_FD(BPF_REG_1, 0),
4988 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4989 BPF_FUNC_map_lookup_elem),
4992 .fixup_prog2 = { 3 },
4994 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4997 "valid map access into an array with a constant",
4999 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5000 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5002 BPF_LD_MAP_FD(BPF_REG_1, 0),
5003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5004 BPF_FUNC_map_lookup_elem),
5005 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5006 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5007 offsetof(struct test_val, foo)),
5010 .fixup_map_hash_48b = { 3 },
5011 .errstr_unpriv = "R0 leaks addr",
5012 .result_unpriv = REJECT,
5016 "valid map access into an array with a register",
5018 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5021 BPF_LD_MAP_FD(BPF_REG_1, 0),
5022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5023 BPF_FUNC_map_lookup_elem),
5024 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5025 BPF_MOV64_IMM(BPF_REG_1, 4),
5026 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5027 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5028 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5029 offsetof(struct test_val, foo)),
5032 .fixup_map_hash_48b = { 3 },
5033 .errstr_unpriv = "R0 leaks addr",
5034 .result_unpriv = REJECT,
5036 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5039 "valid map access into an array with a variable",
5041 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5042 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5044 BPF_LD_MAP_FD(BPF_REG_1, 0),
5045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5046 BPF_FUNC_map_lookup_elem),
5047 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5048 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5049 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
5050 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5051 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5052 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5053 offsetof(struct test_val, foo)),
5056 .fixup_map_hash_48b = { 3 },
5057 .errstr_unpriv = "R0 leaks addr",
5058 .result_unpriv = REJECT,
5060 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5063 "valid map access into an array with a signed variable",
5065 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5066 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5068 BPF_LD_MAP_FD(BPF_REG_1, 0),
5069 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5070 BPF_FUNC_map_lookup_elem),
5071 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5072 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5073 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
5074 BPF_MOV32_IMM(BPF_REG_1, 0),
5075 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5076 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5077 BPF_MOV32_IMM(BPF_REG_1, 0),
5078 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5079 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5080 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5081 offsetof(struct test_val, foo)),
5084 .fixup_map_hash_48b = { 3 },
5085 .errstr_unpriv = "R0 leaks addr",
5086 .result_unpriv = REJECT,
5088 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5091 "invalid map access into an array with a constant",
5093 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5094 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5096 BPF_LD_MAP_FD(BPF_REG_1, 0),
5097 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5098 BPF_FUNC_map_lookup_elem),
5099 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5100 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
5101 offsetof(struct test_val, foo)),
5104 .fixup_map_hash_48b = { 3 },
5105 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
5109 "invalid map access into an array with a register",
5111 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5112 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5114 BPF_LD_MAP_FD(BPF_REG_1, 0),
5115 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5116 BPF_FUNC_map_lookup_elem),
5117 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5118 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
5119 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5120 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5121 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5122 offsetof(struct test_val, foo)),
5125 .fixup_map_hash_48b = { 3 },
5126 .errstr = "R0 min value is outside of the array range",
5128 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5131 "invalid map access into an array with a variable",
5133 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5134 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5136 BPF_LD_MAP_FD(BPF_REG_1, 0),
5137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5138 BPF_FUNC_map_lookup_elem),
5139 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5140 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5141 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5142 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5143 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5144 offsetof(struct test_val, foo)),
5147 .fixup_map_hash_48b = { 3 },
5148 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
5150 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5153 "invalid map access into an array with no floor check",
5155 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5156 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5158 BPF_LD_MAP_FD(BPF_REG_1, 0),
5159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5160 BPF_FUNC_map_lookup_elem),
5161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5162 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5163 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5164 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5165 BPF_MOV32_IMM(BPF_REG_1, 0),
5166 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5167 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5168 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5169 offsetof(struct test_val, foo)),
5172 .fixup_map_hash_48b = { 3 },
5173 .errstr_unpriv = "R0 leaks addr",
5174 .errstr = "R0 unbounded memory access",
5175 .result_unpriv = REJECT,
5177 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5180 "invalid map access into an array with a invalid max check",
5182 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5183 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5185 BPF_LD_MAP_FD(BPF_REG_1, 0),
5186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5187 BPF_FUNC_map_lookup_elem),
5188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5189 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5190 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
5191 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
5192 BPF_MOV32_IMM(BPF_REG_1, 0),
5193 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5194 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5195 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5196 offsetof(struct test_val, foo)),
5199 .fixup_map_hash_48b = { 3 },
5200 .errstr_unpriv = "R0 leaks addr",
5201 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
5202 .result_unpriv = REJECT,
5204 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5207 "invalid map access into an array with a invalid max check",
5209 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5210 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5212 BPF_LD_MAP_FD(BPF_REG_1, 0),
5213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5214 BPF_FUNC_map_lookup_elem),
5215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5216 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5217 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5218 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5220 BPF_LD_MAP_FD(BPF_REG_1, 0),
5221 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5222 BPF_FUNC_map_lookup_elem),
5223 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5224 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
5226 offsetof(struct test_val, foo)),
5229 .fixup_map_hash_48b = { 3, 11 },
5230 .errstr = "R0 pointer += pointer",
5232 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5235 "direct packet read test#1 for CGROUP_SKB",
5237 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5238 offsetof(struct __sk_buff, data)),
5239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5240 offsetof(struct __sk_buff, data_end)),
5241 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5242 offsetof(struct __sk_buff, len)),
5243 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5244 offsetof(struct __sk_buff, pkt_type)),
5245 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5246 offsetof(struct __sk_buff, mark)),
5247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5248 offsetof(struct __sk_buff, mark)),
5249 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5250 offsetof(struct __sk_buff, queue_mapping)),
5251 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5252 offsetof(struct __sk_buff, protocol)),
5253 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5254 offsetof(struct __sk_buff, vlan_present)),
5255 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5257 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5258 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5259 BPF_MOV64_IMM(BPF_REG_0, 0),
5263 .result_unpriv = REJECT,
5264 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
5265 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5268 "direct packet read test#2 for CGROUP_SKB",
5270 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5271 offsetof(struct __sk_buff, vlan_tci)),
5272 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5273 offsetof(struct __sk_buff, vlan_proto)),
5274 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5275 offsetof(struct __sk_buff, priority)),
5276 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5277 offsetof(struct __sk_buff, priority)),
5278 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5279 offsetof(struct __sk_buff,
5281 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5282 offsetof(struct __sk_buff, tc_index)),
5283 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5284 offsetof(struct __sk_buff, hash)),
5285 BPF_MOV64_IMM(BPF_REG_0, 0),
5289 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5292 "direct packet read test#3 for CGROUP_SKB",
5294 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5295 offsetof(struct __sk_buff, cb[0])),
5296 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5297 offsetof(struct __sk_buff, cb[1])),
5298 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5299 offsetof(struct __sk_buff, cb[2])),
5300 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5301 offsetof(struct __sk_buff, cb[3])),
5302 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5303 offsetof(struct __sk_buff, cb[4])),
5304 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5305 offsetof(struct __sk_buff, napi_id)),
5306 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
5307 offsetof(struct __sk_buff, cb[0])),
5308 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
5309 offsetof(struct __sk_buff, cb[1])),
5310 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5311 offsetof(struct __sk_buff, cb[2])),
5312 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
5313 offsetof(struct __sk_buff, cb[3])),
5314 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
5315 offsetof(struct __sk_buff, cb[4])),
5316 BPF_MOV64_IMM(BPF_REG_0, 0),
5320 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5323 "direct packet read test#4 for CGROUP_SKB",
5325 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5326 offsetof(struct __sk_buff, family)),
5327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5328 offsetof(struct __sk_buff, remote_ip4)),
5329 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5330 offsetof(struct __sk_buff, local_ip4)),
5331 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5332 offsetof(struct __sk_buff, remote_ip6[0])),
5333 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5334 offsetof(struct __sk_buff, remote_ip6[1])),
5335 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5336 offsetof(struct __sk_buff, remote_ip6[2])),
5337 BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5338 offsetof(struct __sk_buff, remote_ip6[3])),
5339 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5340 offsetof(struct __sk_buff, local_ip6[0])),
5341 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5342 offsetof(struct __sk_buff, local_ip6[1])),
5343 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5344 offsetof(struct __sk_buff, local_ip6[2])),
5345 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5346 offsetof(struct __sk_buff, local_ip6[3])),
5347 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5348 offsetof(struct __sk_buff, remote_port)),
5349 BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5350 offsetof(struct __sk_buff, local_port)),
5351 BPF_MOV64_IMM(BPF_REG_0, 0),
5355 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5358 "invalid access of tc_classid for CGROUP_SKB",
5360 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5361 offsetof(struct __sk_buff, tc_classid)),
5362 BPF_MOV64_IMM(BPF_REG_0, 0),
5366 .errstr = "invalid bpf_context access",
5367 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5370 "invalid access of data_meta for CGROUP_SKB",
5372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5373 offsetof(struct __sk_buff, data_meta)),
5374 BPF_MOV64_IMM(BPF_REG_0, 0),
5378 .errstr = "invalid bpf_context access",
5379 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5382 "invalid access of flow_keys for CGROUP_SKB",
5384 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5385 offsetof(struct __sk_buff, flow_keys)),
5386 BPF_MOV64_IMM(BPF_REG_0, 0),
5390 .errstr = "invalid bpf_context access",
5391 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5394 "invalid write access to napi_id for CGROUP_SKB",
5396 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5397 offsetof(struct __sk_buff, napi_id)),
5398 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5399 offsetof(struct __sk_buff, napi_id)),
5400 BPF_MOV64_IMM(BPF_REG_0, 0),
5404 .errstr = "invalid bpf_context access",
5405 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5408 "valid cgroup storage access",
5410 BPF_MOV64_IMM(BPF_REG_2, 0),
5411 BPF_LD_MAP_FD(BPF_REG_1, 0),
5412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5413 BPF_FUNC_get_local_storage),
5414 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5415 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5416 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5419 .fixup_cgroup_storage = { 1 },
5421 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5424 "invalid cgroup storage access 1",
5426 BPF_MOV64_IMM(BPF_REG_2, 0),
5427 BPF_LD_MAP_FD(BPF_REG_1, 0),
5428 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5429 BPF_FUNC_get_local_storage),
5430 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5431 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5432 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5435 .fixup_map_hash_8b = { 1 },
5437 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5438 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5441 "invalid cgroup storage access 2",
5443 BPF_MOV64_IMM(BPF_REG_2, 0),
5444 BPF_LD_MAP_FD(BPF_REG_1, 1),
5445 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5446 BPF_FUNC_get_local_storage),
5447 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5451 .errstr = "fd 1 is not pointing to valid bpf_map",
5452 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5455 "invalid cgroup storage access 3",
5457 BPF_MOV64_IMM(BPF_REG_2, 0),
5458 BPF_LD_MAP_FD(BPF_REG_1, 0),
5459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5460 BPF_FUNC_get_local_storage),
5461 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5463 BPF_MOV64_IMM(BPF_REG_0, 0),
5466 .fixup_cgroup_storage = { 1 },
5468 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5469 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5472 "invalid cgroup storage access 4",
5474 BPF_MOV64_IMM(BPF_REG_2, 0),
5475 BPF_LD_MAP_FD(BPF_REG_1, 0),
5476 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5477 BPF_FUNC_get_local_storage),
5478 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5479 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5483 .fixup_cgroup_storage = { 1 },
5485 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5486 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5487 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5490 "invalid cgroup storage access 5",
5492 BPF_MOV64_IMM(BPF_REG_2, 7),
5493 BPF_LD_MAP_FD(BPF_REG_1, 0),
5494 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5495 BPF_FUNC_get_local_storage),
5496 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5497 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5498 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5501 .fixup_cgroup_storage = { 1 },
5503 .errstr = "get_local_storage() doesn't support non-zero flags",
5504 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5507 "invalid cgroup storage access 6",
5509 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5510 BPF_LD_MAP_FD(BPF_REG_1, 0),
5511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5512 BPF_FUNC_get_local_storage),
5513 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5514 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5515 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5518 .fixup_cgroup_storage = { 1 },
5520 .errstr = "get_local_storage() doesn't support non-zero flags",
5521 .errstr_unpriv = "R2 leaks addr into helper function",
5522 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5525 "valid per-cpu cgroup storage access",
5527 BPF_MOV64_IMM(BPF_REG_2, 0),
5528 BPF_LD_MAP_FD(BPF_REG_1, 0),
5529 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5530 BPF_FUNC_get_local_storage),
5531 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5532 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5533 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5536 .fixup_percpu_cgroup_storage = { 1 },
5538 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5541 "invalid per-cpu cgroup storage access 1",
5543 BPF_MOV64_IMM(BPF_REG_2, 0),
5544 BPF_LD_MAP_FD(BPF_REG_1, 0),
5545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5546 BPF_FUNC_get_local_storage),
5547 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5548 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5549 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5552 .fixup_map_hash_8b = { 1 },
5554 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5555 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5558 "invalid per-cpu cgroup storage access 2",
5560 BPF_MOV64_IMM(BPF_REG_2, 0),
5561 BPF_LD_MAP_FD(BPF_REG_1, 1),
5562 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5563 BPF_FUNC_get_local_storage),
5564 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5568 .errstr = "fd 1 is not pointing to valid bpf_map",
5569 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5572 "invalid per-cpu cgroup storage access 3",
5574 BPF_MOV64_IMM(BPF_REG_2, 0),
5575 BPF_LD_MAP_FD(BPF_REG_1, 0),
5576 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5577 BPF_FUNC_get_local_storage),
5578 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5580 BPF_MOV64_IMM(BPF_REG_0, 0),
5583 .fixup_percpu_cgroup_storage = { 1 },
5585 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5586 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5589 "invalid per-cpu cgroup storage access 4",
5591 BPF_MOV64_IMM(BPF_REG_2, 0),
5592 BPF_LD_MAP_FD(BPF_REG_1, 0),
5593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5594 BPF_FUNC_get_local_storage),
5595 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5596 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5600 .fixup_cgroup_storage = { 1 },
5602 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5603 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5604 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5607 "invalid per-cpu cgroup storage access 5",
5609 BPF_MOV64_IMM(BPF_REG_2, 7),
5610 BPF_LD_MAP_FD(BPF_REG_1, 0),
5611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5612 BPF_FUNC_get_local_storage),
5613 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5614 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5615 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5618 .fixup_percpu_cgroup_storage = { 1 },
5620 .errstr = "get_local_storage() doesn't support non-zero flags",
5621 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5624 "invalid per-cpu cgroup storage access 6",
5626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5627 BPF_LD_MAP_FD(BPF_REG_1, 0),
5628 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5629 BPF_FUNC_get_local_storage),
5630 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5631 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5632 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5635 .fixup_percpu_cgroup_storage = { 1 },
5637 .errstr = "get_local_storage() doesn't support non-zero flags",
5638 .errstr_unpriv = "R2 leaks addr into helper function",
5639 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5642 "write tstamp from CGROUP_SKB",
5644 BPF_MOV64_IMM(BPF_REG_0, 0),
5645 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5646 offsetof(struct __sk_buff, tstamp)),
5647 BPF_MOV64_IMM(BPF_REG_0, 0),
5651 .result_unpriv = REJECT,
5652 .errstr_unpriv = "invalid bpf_context access off=152 size=8",
5653 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5656 "read tstamp from CGROUP_SKB",
5658 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5659 offsetof(struct __sk_buff, tstamp)),
5660 BPF_MOV64_IMM(BPF_REG_0, 0),
5664 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5667 "multiple registers share map_lookup_elem result",
5669 BPF_MOV64_IMM(BPF_REG_1, 10),
5670 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5671 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5672 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5673 BPF_LD_MAP_FD(BPF_REG_1, 0),
5674 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5675 BPF_FUNC_map_lookup_elem),
5676 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5678 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5681 .fixup_map_hash_8b = { 4 },
5683 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5686 "alu ops on ptr_to_map_value_or_null, 1",
5688 BPF_MOV64_IMM(BPF_REG_1, 10),
5689 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5690 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5692 BPF_LD_MAP_FD(BPF_REG_1, 0),
5693 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5694 BPF_FUNC_map_lookup_elem),
5695 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5699 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5702 .fixup_map_hash_8b = { 4 },
5703 .errstr = "R4 pointer arithmetic on map_value_or_null",
5705 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5708 "alu ops on ptr_to_map_value_or_null, 2",
5710 BPF_MOV64_IMM(BPF_REG_1, 10),
5711 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5712 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5714 BPF_LD_MAP_FD(BPF_REG_1, 0),
5715 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5716 BPF_FUNC_map_lookup_elem),
5717 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5718 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5720 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5723 .fixup_map_hash_8b = { 4 },
5724 .errstr = "R4 pointer arithmetic on map_value_or_null",
5726 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5729 "alu ops on ptr_to_map_value_or_null, 3",
5731 BPF_MOV64_IMM(BPF_REG_1, 10),
5732 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5737 BPF_FUNC_map_lookup_elem),
5738 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5739 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5741 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5744 .fixup_map_hash_8b = { 4 },
5745 .errstr = "R4 pointer arithmetic on map_value_or_null",
5747 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5750 "invalid memory access with multiple map_lookup_elem calls",
5752 BPF_MOV64_IMM(BPF_REG_1, 10),
5753 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5756 BPF_LD_MAP_FD(BPF_REG_1, 0),
5757 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5758 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5760 BPF_FUNC_map_lookup_elem),
5761 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5764 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5765 BPF_FUNC_map_lookup_elem),
5766 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5767 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5770 .fixup_map_hash_8b = { 4 },
5772 .errstr = "R4 !read_ok",
5773 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5776 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5778 BPF_MOV64_IMM(BPF_REG_1, 10),
5779 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5780 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5781 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5782 BPF_LD_MAP_FD(BPF_REG_1, 0),
5783 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5784 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5786 BPF_FUNC_map_lookup_elem),
5787 BPF_MOV64_IMM(BPF_REG_2, 10),
5788 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5791 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5792 BPF_FUNC_map_lookup_elem),
5793 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5795 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5798 .fixup_map_hash_8b = { 4 },
5800 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5803 "invalid map access from else condition",
5805 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5806 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5808 BPF_LD_MAP_FD(BPF_REG_1, 0),
5809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5811 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5812 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5814 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5815 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5816 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5819 .fixup_map_hash_48b = { 3 },
5820 .errstr = "R0 unbounded memory access",
5822 .errstr_unpriv = "R0 leaks addr",
5823 .result_unpriv = REJECT,
5824 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5827 "constant register |= constant should keep constant type",
5829 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5831 BPF_MOV64_IMM(BPF_REG_2, 34),
5832 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5833 BPF_MOV64_IMM(BPF_REG_3, 0),
5834 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5838 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5841 "constant register |= constant should not bypass stack boundary checks",
5843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5845 BPF_MOV64_IMM(BPF_REG_2, 34),
5846 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5847 BPF_MOV64_IMM(BPF_REG_3, 0),
5848 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5851 .errstr = "invalid stack type R1 off=-48 access_size=58",
5853 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5856 "constant register |= constant register should keep constant type",
5858 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5860 BPF_MOV64_IMM(BPF_REG_2, 34),
5861 BPF_MOV64_IMM(BPF_REG_4, 13),
5862 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5863 BPF_MOV64_IMM(BPF_REG_3, 0),
5864 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5868 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5871 "constant register |= constant register should not bypass stack boundary checks",
5873 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5875 BPF_MOV64_IMM(BPF_REG_2, 34),
5876 BPF_MOV64_IMM(BPF_REG_4, 24),
5877 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5878 BPF_MOV64_IMM(BPF_REG_3, 0),
5879 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5882 .errstr = "invalid stack type R1 off=-48 access_size=58",
5884 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5887 "invalid direct packet write for LWT_IN",
5889 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5890 offsetof(struct __sk_buff, data)),
5891 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5892 offsetof(struct __sk_buff, data_end)),
5893 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5895 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5896 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5897 BPF_MOV64_IMM(BPF_REG_0, 0),
5900 .errstr = "cannot write into packet",
5902 .prog_type = BPF_PROG_TYPE_LWT_IN,
5905 "invalid direct packet write for LWT_OUT",
5907 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5908 offsetof(struct __sk_buff, data)),
5909 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5910 offsetof(struct __sk_buff, data_end)),
5911 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5913 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5914 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5915 BPF_MOV64_IMM(BPF_REG_0, 0),
5918 .errstr = "cannot write into packet",
5920 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5923 "direct packet write for LWT_XMIT",
5925 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5926 offsetof(struct __sk_buff, data)),
5927 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5928 offsetof(struct __sk_buff, data_end)),
5929 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5931 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5932 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5933 BPF_MOV64_IMM(BPF_REG_0, 0),
5937 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5940 "direct packet read for LWT_IN",
5942 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5943 offsetof(struct __sk_buff, data)),
5944 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5945 offsetof(struct __sk_buff, data_end)),
5946 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5948 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5950 BPF_MOV64_IMM(BPF_REG_0, 0),
5954 .prog_type = BPF_PROG_TYPE_LWT_IN,
5957 "direct packet read for LWT_OUT",
5959 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5960 offsetof(struct __sk_buff, data)),
5961 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5962 offsetof(struct __sk_buff, data_end)),
5963 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5965 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5966 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5967 BPF_MOV64_IMM(BPF_REG_0, 0),
5971 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5974 "direct packet read for LWT_XMIT",
5976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5977 offsetof(struct __sk_buff, data)),
5978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5979 offsetof(struct __sk_buff, data_end)),
5980 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5982 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5983 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5984 BPF_MOV64_IMM(BPF_REG_0, 0),
5988 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5991 "overlapping checks for direct packet access",
5993 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5994 offsetof(struct __sk_buff, data)),
5995 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5996 offsetof(struct __sk_buff, data_end)),
5997 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5999 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
6000 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
6001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
6002 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
6003 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
6004 BPF_MOV64_IMM(BPF_REG_0, 0),
6008 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
6011 "make headroom for LWT_XMIT",
6013 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6014 BPF_MOV64_IMM(BPF_REG_2, 34),
6015 BPF_MOV64_IMM(BPF_REG_3, 0),
6016 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6017 /* split for s390 to succeed */
6018 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6019 BPF_MOV64_IMM(BPF_REG_2, 42),
6020 BPF_MOV64_IMM(BPF_REG_3, 0),
6021 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6022 BPF_MOV64_IMM(BPF_REG_0, 0),
6026 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
6029 "invalid access of tc_classid for LWT_IN",
6031 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6032 offsetof(struct __sk_buff, tc_classid)),
6036 .errstr = "invalid bpf_context access",
6039 "invalid access of tc_classid for LWT_OUT",
6041 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6042 offsetof(struct __sk_buff, tc_classid)),
6046 .errstr = "invalid bpf_context access",
6049 "invalid access of tc_classid for LWT_XMIT",
6051 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6052 offsetof(struct __sk_buff, tc_classid)),
6056 .errstr = "invalid bpf_context access",
6059 "leak pointer into ctx 1",
6061 BPF_MOV64_IMM(BPF_REG_0, 0),
6062 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6063 offsetof(struct __sk_buff, cb[0])),
6064 BPF_LD_MAP_FD(BPF_REG_2, 0),
6065 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
6066 offsetof(struct __sk_buff, cb[0])),
6069 .fixup_map_hash_8b = { 2 },
6070 .errstr_unpriv = "R2 leaks addr into mem",
6071 .result_unpriv = REJECT,
6073 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6076 "leak pointer into ctx 2",
6078 BPF_MOV64_IMM(BPF_REG_0, 0),
6079 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6080 offsetof(struct __sk_buff, cb[0])),
6081 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
6082 offsetof(struct __sk_buff, cb[0])),
6085 .errstr_unpriv = "R10 leaks addr into mem",
6086 .result_unpriv = REJECT,
6088 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6091 "leak pointer into ctx 3",
6093 BPF_MOV64_IMM(BPF_REG_0, 0),
6094 BPF_LD_MAP_FD(BPF_REG_2, 0),
6095 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
6096 offsetof(struct __sk_buff, cb[0])),
6099 .fixup_map_hash_8b = { 1 },
6100 .errstr_unpriv = "R2 leaks addr into ctx",
6101 .result_unpriv = REJECT,
6105 "leak pointer into map val",
6107 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6111 BPF_LD_MAP_FD(BPF_REG_1, 0),
6112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6113 BPF_FUNC_map_lookup_elem),
6114 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6115 BPF_MOV64_IMM(BPF_REG_3, 0),
6116 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
6117 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
6118 BPF_MOV64_IMM(BPF_REG_0, 0),
6121 .fixup_map_hash_8b = { 4 },
6122 .errstr_unpriv = "R6 leaks addr into mem",
6123 .result_unpriv = REJECT,
6127 "helper access to map: full range",
6129 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6131 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6132 BPF_LD_MAP_FD(BPF_REG_1, 0),
6133 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6134 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6135 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6136 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6137 BPF_MOV64_IMM(BPF_REG_3, 0),
6138 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6141 .fixup_map_hash_48b = { 3 },
6143 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6146 "helper access to map: partial range",
6148 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6150 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6151 BPF_LD_MAP_FD(BPF_REG_1, 0),
6152 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6154 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6155 BPF_MOV64_IMM(BPF_REG_2, 8),
6156 BPF_MOV64_IMM(BPF_REG_3, 0),
6157 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6160 .fixup_map_hash_48b = { 3 },
6162 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6165 "helper access to map: empty range",
6167 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6169 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6170 BPF_LD_MAP_FD(BPF_REG_1, 0),
6171 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6174 BPF_MOV64_IMM(BPF_REG_2, 0),
6175 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6178 .fixup_map_hash_48b = { 3 },
6179 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
6181 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6184 "helper access to map: out-of-bound range",
6186 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6188 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6189 BPF_LD_MAP_FD(BPF_REG_1, 0),
6190 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6193 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
6194 BPF_MOV64_IMM(BPF_REG_3, 0),
6195 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6198 .fixup_map_hash_48b = { 3 },
6199 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
6201 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6204 "helper access to map: negative range",
6206 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6208 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6209 BPF_LD_MAP_FD(BPF_REG_1, 0),
6210 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6211 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6212 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6213 BPF_MOV64_IMM(BPF_REG_2, -8),
6214 BPF_MOV64_IMM(BPF_REG_3, 0),
6215 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6218 .fixup_map_hash_48b = { 3 },
6219 .errstr = "R2 min value is negative",
6221 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6224 "helper access to adjusted map (via const imm): full range",
6226 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6228 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6229 BPF_LD_MAP_FD(BPF_REG_1, 0),
6230 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6232 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6234 offsetof(struct test_val, foo)),
6235 BPF_MOV64_IMM(BPF_REG_2,
6236 sizeof(struct test_val) -
6237 offsetof(struct test_val, foo)),
6238 BPF_MOV64_IMM(BPF_REG_3, 0),
6239 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6242 .fixup_map_hash_48b = { 3 },
6244 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6247 "helper access to adjusted map (via const imm): partial range",
6249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6251 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6252 BPF_LD_MAP_FD(BPF_REG_1, 0),
6253 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6255 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6257 offsetof(struct test_val, foo)),
6258 BPF_MOV64_IMM(BPF_REG_2, 8),
6259 BPF_MOV64_IMM(BPF_REG_3, 0),
6260 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6263 .fixup_map_hash_48b = { 3 },
6265 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6268 "helper access to adjusted map (via const imm): empty range",
6270 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6272 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6273 BPF_LD_MAP_FD(BPF_REG_1, 0),
6274 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6276 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6278 offsetof(struct test_val, foo)),
6279 BPF_MOV64_IMM(BPF_REG_2, 0),
6280 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6283 .fixup_map_hash_48b = { 3 },
6284 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
6286 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6289 "helper access to adjusted map (via const imm): out-of-bound range",
6291 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6293 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6294 BPF_LD_MAP_FD(BPF_REG_1, 0),
6295 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6296 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6297 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6298 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6299 offsetof(struct test_val, foo)),
6300 BPF_MOV64_IMM(BPF_REG_2,
6301 sizeof(struct test_val) -
6302 offsetof(struct test_val, foo) + 8),
6303 BPF_MOV64_IMM(BPF_REG_3, 0),
6304 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6307 .fixup_map_hash_48b = { 3 },
6308 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6310 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6313 "helper access to adjusted map (via const imm): negative range (> adjustment)",
6315 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6317 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6318 BPF_LD_MAP_FD(BPF_REG_1, 0),
6319 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6320 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6323 offsetof(struct test_val, foo)),
6324 BPF_MOV64_IMM(BPF_REG_2, -8),
6325 BPF_MOV64_IMM(BPF_REG_3, 0),
6326 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6329 .fixup_map_hash_48b = { 3 },
6330 .errstr = "R2 min value is negative",
6332 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6335 "helper access to adjusted map (via const imm): negative range (< adjustment)",
6337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6339 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6340 BPF_LD_MAP_FD(BPF_REG_1, 0),
6341 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6345 offsetof(struct test_val, foo)),
6346 BPF_MOV64_IMM(BPF_REG_2, -1),
6347 BPF_MOV64_IMM(BPF_REG_3, 0),
6348 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6351 .fixup_map_hash_48b = { 3 },
6352 .errstr = "R2 min value is negative",
6354 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6357 "helper access to adjusted map (via const reg): full range",
6359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6361 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6362 BPF_LD_MAP_FD(BPF_REG_1, 0),
6363 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6364 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6366 BPF_MOV64_IMM(BPF_REG_3,
6367 offsetof(struct test_val, foo)),
6368 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6369 BPF_MOV64_IMM(BPF_REG_2,
6370 sizeof(struct test_val) -
6371 offsetof(struct test_val, foo)),
6372 BPF_MOV64_IMM(BPF_REG_3, 0),
6373 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6376 .fixup_map_hash_48b = { 3 },
6378 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6381 "helper access to adjusted map (via const reg): partial range",
6383 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6385 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6386 BPF_LD_MAP_FD(BPF_REG_1, 0),
6387 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6388 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6390 BPF_MOV64_IMM(BPF_REG_3,
6391 offsetof(struct test_val, foo)),
6392 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6393 BPF_MOV64_IMM(BPF_REG_2, 8),
6394 BPF_MOV64_IMM(BPF_REG_3, 0),
6395 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6398 .fixup_map_hash_48b = { 3 },
6400 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6403 "helper access to adjusted map (via const reg): empty range",
6405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6407 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6408 BPF_LD_MAP_FD(BPF_REG_1, 0),
6409 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6410 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6412 BPF_MOV64_IMM(BPF_REG_3, 0),
6413 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6414 BPF_MOV64_IMM(BPF_REG_2, 0),
6415 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6418 .fixup_map_hash_48b = { 3 },
6419 .errstr = "R1 min value is outside of the array range",
6421 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6424 "helper access to adjusted map (via const reg): out-of-bound range",
6426 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6428 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6429 BPF_LD_MAP_FD(BPF_REG_1, 0),
6430 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6431 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6433 BPF_MOV64_IMM(BPF_REG_3,
6434 offsetof(struct test_val, foo)),
6435 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6436 BPF_MOV64_IMM(BPF_REG_2,
6437 sizeof(struct test_val) -
6438 offsetof(struct test_val, foo) + 8),
6439 BPF_MOV64_IMM(BPF_REG_3, 0),
6440 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6443 .fixup_map_hash_48b = { 3 },
6444 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
6446 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6449 "helper access to adjusted map (via const reg): negative range (> adjustment)",
6451 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6453 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6454 BPF_LD_MAP_FD(BPF_REG_1, 0),
6455 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6456 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6457 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6458 BPF_MOV64_IMM(BPF_REG_3,
6459 offsetof(struct test_val, foo)),
6460 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6461 BPF_MOV64_IMM(BPF_REG_2, -8),
6462 BPF_MOV64_IMM(BPF_REG_3, 0),
6463 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6466 .fixup_map_hash_48b = { 3 },
6467 .errstr = "R2 min value is negative",
6469 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6472 "helper access to adjusted map (via const reg): negative range (< adjustment)",
6474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6476 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6477 BPF_LD_MAP_FD(BPF_REG_1, 0),
6478 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6481 BPF_MOV64_IMM(BPF_REG_3,
6482 offsetof(struct test_val, foo)),
6483 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6484 BPF_MOV64_IMM(BPF_REG_2, -1),
6485 BPF_MOV64_IMM(BPF_REG_3, 0),
6486 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6489 .fixup_map_hash_48b = { 3 },
6490 .errstr = "R2 min value is negative",
6492 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6495 "helper access to adjusted map (via variable): full range",
6497 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6499 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6500 BPF_LD_MAP_FD(BPF_REG_1, 0),
6501 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6502 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6503 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6505 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6506 offsetof(struct test_val, foo), 4),
6507 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6508 BPF_MOV64_IMM(BPF_REG_2,
6509 sizeof(struct test_val) -
6510 offsetof(struct test_val, foo)),
6511 BPF_MOV64_IMM(BPF_REG_3, 0),
6512 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6515 .fixup_map_hash_48b = { 3 },
6517 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6520 "helper access to adjusted map (via variable): partial range",
6522 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6524 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6525 BPF_LD_MAP_FD(BPF_REG_1, 0),
6526 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6527 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6528 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6530 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6531 offsetof(struct test_val, foo), 4),
6532 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6533 BPF_MOV64_IMM(BPF_REG_2, 8),
6534 BPF_MOV64_IMM(BPF_REG_3, 0),
6535 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6538 .fixup_map_hash_48b = { 3 },
6540 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6543 "helper access to adjusted map (via variable): empty range",
6545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6547 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6548 BPF_LD_MAP_FD(BPF_REG_1, 0),
6549 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6552 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6553 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6554 offsetof(struct test_val, foo), 3),
6555 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6556 BPF_MOV64_IMM(BPF_REG_2, 0),
6557 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6560 .fixup_map_hash_48b = { 3 },
6561 .errstr = "R1 min value is outside of the array range",
6563 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6566 "helper access to adjusted map (via variable): no max check",
6568 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6570 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6571 BPF_LD_MAP_FD(BPF_REG_1, 0),
6572 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6573 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6574 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6575 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6577 BPF_MOV64_IMM(BPF_REG_2, 1),
6578 BPF_MOV64_IMM(BPF_REG_3, 0),
6579 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6582 .fixup_map_hash_48b = { 3 },
6583 .errstr = "R1 unbounded memory access",
6585 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6588 "helper access to adjusted map (via variable): wrong max check",
6590 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6592 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6593 BPF_LD_MAP_FD(BPF_REG_1, 0),
6594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6595 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6596 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6598 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6599 offsetof(struct test_val, foo), 4),
6600 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6601 BPF_MOV64_IMM(BPF_REG_2,
6602 sizeof(struct test_val) -
6603 offsetof(struct test_val, foo) + 1),
6604 BPF_MOV64_IMM(BPF_REG_3, 0),
6605 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6608 .fixup_map_hash_48b = { 3 },
6609 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
6611 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6614 "helper access to map: bounds check using <, good access",
6616 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6617 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6618 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6619 BPF_LD_MAP_FD(BPF_REG_1, 0),
6620 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6621 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6624 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6625 BPF_MOV64_IMM(BPF_REG_0, 0),
6627 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6628 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6629 BPF_MOV64_IMM(BPF_REG_0, 0),
6632 .fixup_map_hash_48b = { 3 },
6634 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6637 "helper access to map: bounds check using <, bad access",
6639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6641 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6642 BPF_LD_MAP_FD(BPF_REG_1, 0),
6643 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6645 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6646 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6647 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6648 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6649 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6650 BPF_MOV64_IMM(BPF_REG_0, 0),
6652 BPF_MOV64_IMM(BPF_REG_0, 0),
6655 .fixup_map_hash_48b = { 3 },
6657 .errstr = "R1 unbounded memory access",
6658 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6661 "helper access to map: bounds check using <=, good access",
6663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6665 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6666 BPF_LD_MAP_FD(BPF_REG_1, 0),
6667 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6669 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6671 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6672 BPF_MOV64_IMM(BPF_REG_0, 0),
6674 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6675 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6676 BPF_MOV64_IMM(BPF_REG_0, 0),
6679 .fixup_map_hash_48b = { 3 },
6681 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6684 "helper access to map: bounds check using <=, bad access",
6686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6688 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6689 BPF_LD_MAP_FD(BPF_REG_1, 0),
6690 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6693 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6694 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6695 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6696 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6697 BPF_MOV64_IMM(BPF_REG_0, 0),
6699 BPF_MOV64_IMM(BPF_REG_0, 0),
6702 .fixup_map_hash_48b = { 3 },
6704 .errstr = "R1 unbounded memory access",
6705 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6708 "helper access to map: bounds check using s<, good access",
6710 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6712 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6713 BPF_LD_MAP_FD(BPF_REG_1, 0),
6714 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6717 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6718 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6719 BPF_MOV64_IMM(BPF_REG_0, 0),
6721 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6722 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6723 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6724 BPF_MOV64_IMM(BPF_REG_0, 0),
6727 .fixup_map_hash_48b = { 3 },
6729 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6732 "helper access to map: bounds check using s<, good access 2",
6734 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6736 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6737 BPF_LD_MAP_FD(BPF_REG_1, 0),
6738 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6740 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6741 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6742 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6743 BPF_MOV64_IMM(BPF_REG_0, 0),
6745 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6746 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6747 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6748 BPF_MOV64_IMM(BPF_REG_0, 0),
6751 .fixup_map_hash_48b = { 3 },
6753 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6756 "helper access to map: bounds check using s<, bad access",
6758 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6760 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6761 BPF_LD_MAP_FD(BPF_REG_1, 0),
6762 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6763 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6764 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6765 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6766 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6767 BPF_MOV64_IMM(BPF_REG_0, 0),
6769 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6770 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6771 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6772 BPF_MOV64_IMM(BPF_REG_0, 0),
6775 .fixup_map_hash_48b = { 3 },
6777 .errstr = "R1 min value is negative",
6778 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6781 "helper access to map: bounds check using s<=, good access",
6783 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6785 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6786 BPF_LD_MAP_FD(BPF_REG_1, 0),
6787 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6790 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6791 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6792 BPF_MOV64_IMM(BPF_REG_0, 0),
6794 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6795 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6796 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6797 BPF_MOV64_IMM(BPF_REG_0, 0),
6800 .fixup_map_hash_48b = { 3 },
6802 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6805 "helper access to map: bounds check using s<=, good access 2",
6807 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6809 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6810 BPF_LD_MAP_FD(BPF_REG_1, 0),
6811 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6812 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6814 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6815 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6816 BPF_MOV64_IMM(BPF_REG_0, 0),
6818 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6819 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6820 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6821 BPF_MOV64_IMM(BPF_REG_0, 0),
6824 .fixup_map_hash_48b = { 3 },
6826 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6829 "helper access to map: bounds check using s<=, bad access",
6831 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6833 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6834 BPF_LD_MAP_FD(BPF_REG_1, 0),
6835 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6837 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6838 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6839 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6840 BPF_MOV64_IMM(BPF_REG_0, 0),
6842 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6843 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6844 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6845 BPF_MOV64_IMM(BPF_REG_0, 0),
6848 .fixup_map_hash_48b = { 3 },
6850 .errstr = "R1 min value is negative",
6851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6854 "map access: known scalar += value_ptr from different maps",
6856 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6857 offsetof(struct __sk_buff, len)),
6858 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6859 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6862 BPF_LD_MAP_FD(BPF_REG_1, 0),
6863 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6864 BPF_LD_MAP_FD(BPF_REG_1, 0),
6865 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6866 BPF_FUNC_map_lookup_elem),
6867 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6868 BPF_MOV64_IMM(BPF_REG_1, 4),
6869 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6870 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6871 BPF_MOV64_IMM(BPF_REG_0, 1),
6874 .fixup_map_hash_16b = { 5 },
6875 .fixup_map_array_48b = { 8 },
6877 .result_unpriv = REJECT,
6878 .errstr_unpriv = "R1 tried to add from different maps",
6882 "map access: value_ptr -= known scalar from different maps",
6884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6885 offsetof(struct __sk_buff, len)),
6886 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6887 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6889 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6890 BPF_LD_MAP_FD(BPF_REG_1, 0),
6891 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6892 BPF_LD_MAP_FD(BPF_REG_1, 0),
6893 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6894 BPF_FUNC_map_lookup_elem),
6895 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6896 BPF_MOV64_IMM(BPF_REG_1, 4),
6897 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6898 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6899 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6900 BPF_MOV64_IMM(BPF_REG_0, 1),
6903 .fixup_map_hash_16b = { 5 },
6904 .fixup_map_array_48b = { 8 },
6906 .result_unpriv = REJECT,
6907 .errstr_unpriv = "R0 min value is outside of the array range",
6911 "map access: known scalar += value_ptr from different maps, but same value properties",
6913 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6914 offsetof(struct __sk_buff, len)),
6915 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6916 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6919 BPF_LD_MAP_FD(BPF_REG_1, 0),
6920 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6921 BPF_LD_MAP_FD(BPF_REG_1, 0),
6922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6923 BPF_FUNC_map_lookup_elem),
6924 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6925 BPF_MOV64_IMM(BPF_REG_1, 4),
6926 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6927 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6928 BPF_MOV64_IMM(BPF_REG_0, 1),
6931 .fixup_map_hash_48b = { 5 },
6932 .fixup_map_array_48b = { 8 },
6937 "map access: value_ptr += known scalar, upper oob arith, test 1",
6939 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6942 BPF_LD_MAP_FD(BPF_REG_1, 0),
6943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6944 BPF_FUNC_map_lookup_elem),
6945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6946 BPF_MOV64_IMM(BPF_REG_1, 48),
6947 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6948 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6950 BPF_MOV64_IMM(BPF_REG_0, 1),
6953 .fixup_map_array_48b = { 3 },
6955 .result_unpriv = REJECT,
6956 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
6960 "map access: value_ptr += known scalar, upper oob arith, test 2",
6962 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6965 BPF_LD_MAP_FD(BPF_REG_1, 0),
6966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6967 BPF_FUNC_map_lookup_elem),
6968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6969 BPF_MOV64_IMM(BPF_REG_1, 49),
6970 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6971 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6972 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6973 BPF_MOV64_IMM(BPF_REG_0, 1),
6976 .fixup_map_array_48b = { 3 },
6978 .result_unpriv = REJECT,
6979 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
6983 "map access: value_ptr += known scalar, upper oob arith, test 3",
6985 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6988 BPF_LD_MAP_FD(BPF_REG_1, 0),
6989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6990 BPF_FUNC_map_lookup_elem),
6991 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6992 BPF_MOV64_IMM(BPF_REG_1, 47),
6993 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6994 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6995 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6996 BPF_MOV64_IMM(BPF_REG_0, 1),
6999 .fixup_map_array_48b = { 3 },
7001 .result_unpriv = REJECT,
7002 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7006 "map access: value_ptr -= known scalar, lower oob arith, test 1",
7008 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7009 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7011 BPF_LD_MAP_FD(BPF_REG_1, 0),
7012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7013 BPF_FUNC_map_lookup_elem),
7014 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7015 BPF_MOV64_IMM(BPF_REG_1, 47),
7016 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7017 BPF_MOV64_IMM(BPF_REG_1, 48),
7018 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7020 BPF_MOV64_IMM(BPF_REG_0, 1),
7023 .fixup_map_array_48b = { 3 },
7025 .errstr = "R0 min value is outside of the array range",
7026 .result_unpriv = REJECT,
7027 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7030 "map access: value_ptr -= known scalar, lower oob arith, test 2",
7032 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7033 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7035 BPF_LD_MAP_FD(BPF_REG_1, 0),
7036 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7037 BPF_FUNC_map_lookup_elem),
7038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7039 BPF_MOV64_IMM(BPF_REG_1, 47),
7040 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7041 BPF_MOV64_IMM(BPF_REG_1, 48),
7042 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7043 BPF_MOV64_IMM(BPF_REG_1, 1),
7044 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7046 BPF_MOV64_IMM(BPF_REG_0, 1),
7049 .fixup_map_array_48b = { 3 },
7051 .result_unpriv = REJECT,
7052 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7056 "map access: value_ptr -= known scalar, lower oob arith, test 3",
7058 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7061 BPF_LD_MAP_FD(BPF_REG_1, 0),
7062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7063 BPF_FUNC_map_lookup_elem),
7064 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7065 BPF_MOV64_IMM(BPF_REG_1, 47),
7066 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7067 BPF_MOV64_IMM(BPF_REG_1, 47),
7068 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7069 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7070 BPF_MOV64_IMM(BPF_REG_0, 1),
7073 .fixup_map_array_48b = { 3 },
7075 .result_unpriv = REJECT,
7076 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7080 "map access: known scalar += value_ptr",
7082 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7083 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7085 BPF_LD_MAP_FD(BPF_REG_1, 0),
7086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7087 BPF_FUNC_map_lookup_elem),
7088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7089 BPF_MOV64_IMM(BPF_REG_1, 4),
7090 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7091 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7092 BPF_MOV64_IMM(BPF_REG_0, 1),
7095 .fixup_map_array_48b = { 3 },
7100 "map access: value_ptr += known scalar, 1",
7102 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7105 BPF_LD_MAP_FD(BPF_REG_1, 0),
7106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7107 BPF_FUNC_map_lookup_elem),
7108 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7109 BPF_MOV64_IMM(BPF_REG_1, 4),
7110 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7111 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7112 BPF_MOV64_IMM(BPF_REG_0, 1),
7115 .fixup_map_array_48b = { 3 },
7120 "map access: value_ptr += known scalar, 2",
7122 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7123 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7125 BPF_LD_MAP_FD(BPF_REG_1, 0),
7126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7127 BPF_FUNC_map_lookup_elem),
7128 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7129 BPF_MOV64_IMM(BPF_REG_1, 49),
7130 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7131 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7132 BPF_MOV64_IMM(BPF_REG_0, 1),
7135 .fixup_map_array_48b = { 3 },
7137 .errstr = "invalid access to map value",
7140 "map access: value_ptr += known scalar, 3",
7142 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7145 BPF_LD_MAP_FD(BPF_REG_1, 0),
7146 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7147 BPF_FUNC_map_lookup_elem),
7148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7149 BPF_MOV64_IMM(BPF_REG_1, -1),
7150 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7151 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7152 BPF_MOV64_IMM(BPF_REG_0, 1),
7155 .fixup_map_array_48b = { 3 },
7157 .errstr = "invalid access to map value",
7160 "map access: value_ptr += known scalar, 4",
7162 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7165 BPF_LD_MAP_FD(BPF_REG_1, 0),
7166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7167 BPF_FUNC_map_lookup_elem),
7168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7169 BPF_MOV64_IMM(BPF_REG_1, 5),
7170 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7171 BPF_MOV64_IMM(BPF_REG_1, -2),
7172 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7173 BPF_MOV64_IMM(BPF_REG_1, -1),
7174 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7175 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7176 BPF_MOV64_IMM(BPF_REG_0, 1),
7179 .fixup_map_array_48b = { 3 },
7181 .result_unpriv = REJECT,
7182 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7186 "map access: value_ptr += known scalar, 5",
7188 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7189 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7191 BPF_LD_MAP_FD(BPF_REG_1, 0),
7192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7193 BPF_FUNC_map_lookup_elem),
7194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7195 BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
7196 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7197 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7200 .fixup_map_array_48b = { 3 },
7202 .retval = 0xabcdef12,
7205 "map access: value_ptr += known scalar, 6",
7207 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7208 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7210 BPF_LD_MAP_FD(BPF_REG_1, 0),
7211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7212 BPF_FUNC_map_lookup_elem),
7213 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7214 BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
7215 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7216 BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
7217 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7218 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
7221 .fixup_map_array_48b = { 3 },
7223 .retval = 0xabcdef12,
7226 "map access: unknown scalar += value_ptr, 1",
7228 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7229 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7231 BPF_LD_MAP_FD(BPF_REG_1, 0),
7232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7233 BPF_FUNC_map_lookup_elem),
7234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7235 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7236 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7237 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7238 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7239 BPF_MOV64_IMM(BPF_REG_0, 1),
7242 .fixup_map_array_48b = { 3 },
7247 "map access: unknown scalar += value_ptr, 2",
7249 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7251 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7252 BPF_LD_MAP_FD(BPF_REG_1, 0),
7253 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7254 BPF_FUNC_map_lookup_elem),
7255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7256 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7257 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7258 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7259 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7262 .fixup_map_array_48b = { 3 },
7264 .retval = 0xabcdef12,
7267 "map access: unknown scalar += value_ptr, 3",
7269 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7270 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7272 BPF_LD_MAP_FD(BPF_REG_1, 0),
7273 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7274 BPF_FUNC_map_lookup_elem),
7275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7276 BPF_MOV64_IMM(BPF_REG_1, -1),
7277 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7278 BPF_MOV64_IMM(BPF_REG_1, 1),
7279 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7280 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7281 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7282 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7283 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7286 .fixup_map_array_48b = { 3 },
7288 .result_unpriv = REJECT,
7289 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7290 .retval = 0xabcdef12,
7293 "map access: unknown scalar += value_ptr, 4",
7295 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7298 BPF_LD_MAP_FD(BPF_REG_1, 0),
7299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7300 BPF_FUNC_map_lookup_elem),
7301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7302 BPF_MOV64_IMM(BPF_REG_1, 19),
7303 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7304 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7305 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7306 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7307 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7310 .fixup_map_array_48b = { 3 },
7312 .errstr = "R1 max value is outside of the array range",
7313 .errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
7316 "map access: value_ptr += unknown scalar, 1",
7318 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7321 BPF_LD_MAP_FD(BPF_REG_1, 0),
7322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7323 BPF_FUNC_map_lookup_elem),
7324 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7325 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7326 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7327 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7328 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7329 BPF_MOV64_IMM(BPF_REG_0, 1),
7332 .fixup_map_array_48b = { 3 },
7337 "map access: value_ptr += unknown scalar, 2",
7339 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7342 BPF_LD_MAP_FD(BPF_REG_1, 0),
7343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7344 BPF_FUNC_map_lookup_elem),
7345 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7346 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7347 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7348 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7349 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
7352 .fixup_map_array_48b = { 3 },
7354 .retval = 0xabcdef12,
7357 "map access: value_ptr += unknown scalar, 3",
7359 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7360 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7362 BPF_LD_MAP_FD(BPF_REG_1, 0),
7363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7364 BPF_FUNC_map_lookup_elem),
7365 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7366 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7367 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
7368 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
7369 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7370 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
7371 BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
7372 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
7373 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7374 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7375 BPF_MOV64_IMM(BPF_REG_0, 1),
7377 BPF_MOV64_IMM(BPF_REG_0, 2),
7378 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
7380 .fixup_map_array_48b = { 3 },
7385 "map access: value_ptr += value_ptr",
7387 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7388 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7390 BPF_LD_MAP_FD(BPF_REG_1, 0),
7391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7392 BPF_FUNC_map_lookup_elem),
7393 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7394 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
7395 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7396 BPF_MOV64_IMM(BPF_REG_0, 1),
7399 .fixup_map_array_48b = { 3 },
7401 .errstr = "R0 pointer += pointer prohibited",
7404 "map access: known scalar -= value_ptr",
7406 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7409 BPF_LD_MAP_FD(BPF_REG_1, 0),
7410 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7411 BPF_FUNC_map_lookup_elem),
7412 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7413 BPF_MOV64_IMM(BPF_REG_1, 4),
7414 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7415 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7416 BPF_MOV64_IMM(BPF_REG_0, 1),
7419 .fixup_map_array_48b = { 3 },
7421 .errstr = "R1 tried to subtract pointer from scalar",
7424 "map access: value_ptr -= known scalar",
7426 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7427 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7429 BPF_LD_MAP_FD(BPF_REG_1, 0),
7430 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7431 BPF_FUNC_map_lookup_elem),
7432 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7433 BPF_MOV64_IMM(BPF_REG_1, 4),
7434 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7435 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7436 BPF_MOV64_IMM(BPF_REG_0, 1),
7439 .fixup_map_array_48b = { 3 },
7441 .errstr = "R0 min value is outside of the array range",
7444 "map access: value_ptr -= known scalar, 2",
7446 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7449 BPF_LD_MAP_FD(BPF_REG_1, 0),
7450 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7451 BPF_FUNC_map_lookup_elem),
7452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7453 BPF_MOV64_IMM(BPF_REG_1, 6),
7454 BPF_MOV64_IMM(BPF_REG_2, 4),
7455 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7456 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
7457 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7458 BPF_MOV64_IMM(BPF_REG_0, 1),
7461 .fixup_map_array_48b = { 3 },
7463 .result_unpriv = REJECT,
7464 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7468 "map access: unknown scalar -= value_ptr",
7470 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7471 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7473 BPF_LD_MAP_FD(BPF_REG_1, 0),
7474 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7475 BPF_FUNC_map_lookup_elem),
7476 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7477 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7478 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7479 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7480 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7481 BPF_MOV64_IMM(BPF_REG_0, 1),
7484 .fixup_map_array_48b = { 3 },
7486 .errstr = "R1 tried to subtract pointer from scalar",
7489 "map access: value_ptr -= unknown scalar",
7491 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7492 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7494 BPF_LD_MAP_FD(BPF_REG_1, 0),
7495 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7496 BPF_FUNC_map_lookup_elem),
7497 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7498 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7499 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7500 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7501 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7502 BPF_MOV64_IMM(BPF_REG_0, 1),
7505 .fixup_map_array_48b = { 3 },
7507 .errstr = "R0 min value is negative",
7510 "map access: value_ptr -= unknown scalar, 2",
7512 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7513 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7515 BPF_LD_MAP_FD(BPF_REG_1, 0),
7516 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7517 BPF_FUNC_map_lookup_elem),
7518 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7519 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7520 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7521 BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
7522 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7523 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7524 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
7525 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7526 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7527 BPF_MOV64_IMM(BPF_REG_0, 1),
7530 .fixup_map_array_48b = { 3 },
7532 .result_unpriv = REJECT,
7533 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7537 "map access: value_ptr -= value_ptr",
7539 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7540 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7542 BPF_LD_MAP_FD(BPF_REG_1, 0),
7543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7544 BPF_FUNC_map_lookup_elem),
7545 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7546 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
7547 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7548 BPF_MOV64_IMM(BPF_REG_0, 1),
7551 .fixup_map_array_48b = { 3 },
7553 .errstr = "R0 invalid mem access 'inv'",
7554 .errstr_unpriv = "R0 pointer -= pointer prohibited",
7557 "map lookup helper access to map",
7559 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7561 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7562 BPF_LD_MAP_FD(BPF_REG_1, 0),
7563 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7564 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7565 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7566 BPF_LD_MAP_FD(BPF_REG_1, 0),
7567 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7570 .fixup_map_hash_16b = { 3, 8 },
7572 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7575 "map update helper access to map",
7577 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7579 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7580 BPF_LD_MAP_FD(BPF_REG_1, 0),
7581 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7582 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7583 BPF_MOV64_IMM(BPF_REG_4, 0),
7584 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
7585 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7586 BPF_LD_MAP_FD(BPF_REG_1, 0),
7587 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
7590 .fixup_map_hash_16b = { 3, 10 },
7592 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7595 "map update helper access to map: wrong size",
7597 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7598 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7599 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7600 BPF_LD_MAP_FD(BPF_REG_1, 0),
7601 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7602 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7603 BPF_MOV64_IMM(BPF_REG_4, 0),
7604 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
7605 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7606 BPF_LD_MAP_FD(BPF_REG_1, 0),
7607 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
7610 .fixup_map_hash_8b = { 3 },
7611 .fixup_map_hash_16b = { 10 },
7613 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
7614 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7617 "map helper access to adjusted map (via const imm)",
7619 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7621 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7622 BPF_LD_MAP_FD(BPF_REG_1, 0),
7623 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7624 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7625 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
7627 offsetof(struct other_val, bar)),
7628 BPF_LD_MAP_FD(BPF_REG_1, 0),
7629 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7632 .fixup_map_hash_16b = { 3, 9 },
7634 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7637 "map helper access to adjusted map (via const imm): out-of-bound 1",
7639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7641 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7642 BPF_LD_MAP_FD(BPF_REG_1, 0),
7643 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
7647 sizeof(struct other_val) - 4),
7648 BPF_LD_MAP_FD(BPF_REG_1, 0),
7649 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7652 .fixup_map_hash_16b = { 3, 9 },
7654 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
7655 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7658 "map helper access to adjusted map (via const imm): out-of-bound 2",
7660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7662 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7663 BPF_LD_MAP_FD(BPF_REG_1, 0),
7664 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7666 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7668 BPF_LD_MAP_FD(BPF_REG_1, 0),
7669 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7672 .fixup_map_hash_16b = { 3, 9 },
7674 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
7675 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7678 "map helper access to adjusted map (via const reg)",
7680 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7682 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7683 BPF_LD_MAP_FD(BPF_REG_1, 0),
7684 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7687 BPF_MOV64_IMM(BPF_REG_3,
7688 offsetof(struct other_val, bar)),
7689 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7690 BPF_LD_MAP_FD(BPF_REG_1, 0),
7691 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7694 .fixup_map_hash_16b = { 3, 10 },
7696 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7699 "map helper access to adjusted map (via const reg): out-of-bound 1",
7701 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7703 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7704 BPF_LD_MAP_FD(BPF_REG_1, 0),
7705 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7706 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7708 BPF_MOV64_IMM(BPF_REG_3,
7709 sizeof(struct other_val) - 4),
7710 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7711 BPF_LD_MAP_FD(BPF_REG_1, 0),
7712 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7715 .fixup_map_hash_16b = { 3, 10 },
7717 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
7718 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7721 "map helper access to adjusted map (via const reg): out-of-bound 2",
7723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7725 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7726 BPF_LD_MAP_FD(BPF_REG_1, 0),
7727 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7729 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7730 BPF_MOV64_IMM(BPF_REG_3, -4),
7731 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7732 BPF_LD_MAP_FD(BPF_REG_1, 0),
7733 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7736 .fixup_map_hash_16b = { 3, 10 },
7738 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
7739 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7742 "map helper access to adjusted map (via variable)",
7744 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7746 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7747 BPF_LD_MAP_FD(BPF_REG_1, 0),
7748 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7750 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7751 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7752 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7753 offsetof(struct other_val, bar), 4),
7754 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7755 BPF_LD_MAP_FD(BPF_REG_1, 0),
7756 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7759 .fixup_map_hash_16b = { 3, 11 },
7761 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7764 "map helper access to adjusted map (via variable): no max check",
7766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7768 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7769 BPF_LD_MAP_FD(BPF_REG_1, 0),
7770 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7773 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7774 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7775 BPF_LD_MAP_FD(BPF_REG_1, 0),
7776 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7779 .fixup_map_hash_16b = { 3, 10 },
7781 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
7782 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7785 "map helper access to adjusted map (via variable): wrong max check",
7787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7789 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7790 BPF_LD_MAP_FD(BPF_REG_1, 0),
7791 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7793 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7794 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7795 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7796 offsetof(struct other_val, bar) + 1, 4),
7797 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7798 BPF_LD_MAP_FD(BPF_REG_1, 0),
7799 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7802 .fixup_map_hash_16b = { 3, 11 },
7804 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
7805 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7808 "map element value is preserved across register spilling",
7810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7812 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7813 BPF_LD_MAP_FD(BPF_REG_1, 0),
7814 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7816 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7817 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7819 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7820 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7821 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7824 .fixup_map_hash_48b = { 3 },
7825 .errstr_unpriv = "R0 leaks addr",
7827 .result_unpriv = REJECT,
7830 "map element value or null is marked on register spilling",
7832 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7834 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7835 BPF_LD_MAP_FD(BPF_REG_1, 0),
7836 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7837 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
7839 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7841 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7842 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7845 .fixup_map_hash_48b = { 3 },
7846 .errstr_unpriv = "R0 leaks addr",
7848 .result_unpriv = REJECT,
7851 "map element value store of cleared call register",
7853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7855 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7856 BPF_LD_MAP_FD(BPF_REG_1, 0),
7857 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
7859 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
7862 .fixup_map_hash_48b = { 3 },
7863 .errstr_unpriv = "R1 !read_ok",
7864 .errstr = "R1 !read_ok",
7866 .result_unpriv = REJECT,
7869 "map element value with unaligned store",
7871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7873 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7874 BPF_LD_MAP_FD(BPF_REG_1, 0),
7875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
7877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7878 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7879 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
7880 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
7881 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7882 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
7883 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
7884 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
7885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
7886 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
7887 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
7888 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
7889 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
7890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
7891 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
7892 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
7893 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
7896 .fixup_map_hash_48b = { 3 },
7897 .errstr_unpriv = "R0 leaks addr",
7899 .result_unpriv = REJECT,
7900 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7903 "map element value with unaligned load",
7905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7907 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7908 BPF_LD_MAP_FD(BPF_REG_1, 0),
7909 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7910 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7911 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7912 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
7913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7914 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7915 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
7916 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7917 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
7918 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
7919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
7920 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7921 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
7924 .fixup_map_hash_48b = { 3 },
7925 .errstr_unpriv = "R0 leaks addr",
7927 .result_unpriv = REJECT,
7928 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7931 "map element value illegal alu op, 1",
7933 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7935 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7936 BPF_LD_MAP_FD(BPF_REG_1, 0),
7937 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7938 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7939 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
7940 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7943 .fixup_map_hash_48b = { 3 },
7944 .errstr = "R0 bitwise operator &= on pointer",
7948 "map element value illegal alu op, 2",
7950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7952 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7953 BPF_LD_MAP_FD(BPF_REG_1, 0),
7954 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7955 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7956 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
7957 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7960 .fixup_map_hash_48b = { 3 },
7961 .errstr = "R0 32-bit pointer arithmetic prohibited",
7965 "map element value illegal alu op, 3",
7967 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7969 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7970 BPF_LD_MAP_FD(BPF_REG_1, 0),
7971 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7972 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7973 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
7974 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7977 .fixup_map_hash_48b = { 3 },
7978 .errstr = "R0 pointer arithmetic with /= operator",
7982 "map element value illegal alu op, 4",
7984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7986 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7987 BPF_LD_MAP_FD(BPF_REG_1, 0),
7988 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7989 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7990 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
7991 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7994 .fixup_map_hash_48b = { 3 },
7995 .errstr_unpriv = "R0 pointer arithmetic prohibited",
7996 .errstr = "invalid mem access 'inv'",
7998 .result_unpriv = REJECT,
7999 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8002 "map element value illegal alu op, 5",
8004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8006 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8007 BPF_LD_MAP_FD(BPF_REG_1, 0),
8008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8010 BPF_MOV64_IMM(BPF_REG_3, 4096),
8011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8013 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8014 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
8015 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
8016 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
8019 .fixup_map_hash_48b = { 3 },
8020 .errstr = "R0 invalid mem access 'inv'",
8022 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8025 "map element value is preserved across register spilling",
8027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8029 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8030 BPF_LD_MAP_FD(BPF_REG_1, 0),
8031 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8032 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
8034 offsetof(struct test_val, foo)),
8035 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
8036 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
8038 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8039 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
8040 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
8043 .fixup_map_hash_48b = { 3 },
8044 .errstr_unpriv = "R0 leaks addr",
8046 .result_unpriv = REJECT,
8047 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8050 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
8052 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8054 BPF_MOV64_IMM(BPF_REG_0, 0),
8055 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8056 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8057 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8058 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8059 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8060 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8061 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8062 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8063 BPF_MOV64_IMM(BPF_REG_2, 16),
8064 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8065 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8066 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8067 BPF_MOV64_IMM(BPF_REG_4, 0),
8068 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8069 BPF_MOV64_IMM(BPF_REG_3, 0),
8070 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8071 BPF_MOV64_IMM(BPF_REG_0, 0),
8075 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8078 "helper access to variable memory: stack, bitwise AND, zero included",
8080 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8082 BPF_MOV64_IMM(BPF_REG_2, 16),
8083 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8084 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8085 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8086 BPF_MOV64_IMM(BPF_REG_3, 0),
8087 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8090 .errstr = "invalid indirect read from stack off -64+0 size 64",
8092 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8095 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
8097 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8099 BPF_MOV64_IMM(BPF_REG_2, 16),
8100 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8101 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8102 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
8103 BPF_MOV64_IMM(BPF_REG_4, 0),
8104 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8105 BPF_MOV64_IMM(BPF_REG_3, 0),
8106 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8107 BPF_MOV64_IMM(BPF_REG_0, 0),
8110 .errstr = "invalid stack type R1 off=-64 access_size=65",
8112 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8115 "helper access to variable memory: stack, JMP, correct bounds",
8117 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8119 BPF_MOV64_IMM(BPF_REG_0, 0),
8120 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8121 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8122 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8123 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8124 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8125 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8126 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8127 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8128 BPF_MOV64_IMM(BPF_REG_2, 16),
8129 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8130 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8131 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
8132 BPF_MOV64_IMM(BPF_REG_4, 0),
8133 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8134 BPF_MOV64_IMM(BPF_REG_3, 0),
8135 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8136 BPF_MOV64_IMM(BPF_REG_0, 0),
8140 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8143 "helper access to variable memory: stack, JMP (signed), correct bounds",
8145 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8147 BPF_MOV64_IMM(BPF_REG_0, 0),
8148 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8149 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8150 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8151 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8152 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8153 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8154 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8155 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8156 BPF_MOV64_IMM(BPF_REG_2, 16),
8157 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8158 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8159 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
8160 BPF_MOV64_IMM(BPF_REG_4, 0),
8161 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8162 BPF_MOV64_IMM(BPF_REG_3, 0),
8163 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8164 BPF_MOV64_IMM(BPF_REG_0, 0),
8168 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8171 "helper access to variable memory: stack, JMP, bounds + offset",
8173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8175 BPF_MOV64_IMM(BPF_REG_2, 16),
8176 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8177 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8178 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
8179 BPF_MOV64_IMM(BPF_REG_4, 0),
8180 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
8181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
8182 BPF_MOV64_IMM(BPF_REG_3, 0),
8183 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8184 BPF_MOV64_IMM(BPF_REG_0, 0),
8187 .errstr = "invalid stack type R1 off=-64 access_size=65",
8189 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8192 "helper access to variable memory: stack, JMP, wrong max",
8194 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8196 BPF_MOV64_IMM(BPF_REG_2, 16),
8197 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8198 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8199 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
8200 BPF_MOV64_IMM(BPF_REG_4, 0),
8201 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8202 BPF_MOV64_IMM(BPF_REG_3, 0),
8203 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8204 BPF_MOV64_IMM(BPF_REG_0, 0),
8207 .errstr = "invalid stack type R1 off=-64 access_size=65",
8209 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8212 "helper access to variable memory: stack, JMP, no max check",
8214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8216 BPF_MOV64_IMM(BPF_REG_2, 16),
8217 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8218 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8219 BPF_MOV64_IMM(BPF_REG_4, 0),
8220 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8221 BPF_MOV64_IMM(BPF_REG_3, 0),
8222 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8223 BPF_MOV64_IMM(BPF_REG_0, 0),
8226 /* because max wasn't checked, signed min is negative */
8227 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
8229 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8232 "helper access to variable memory: stack, JMP, no min check",
8234 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8236 BPF_MOV64_IMM(BPF_REG_2, 16),
8237 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8238 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8239 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
8240 BPF_MOV64_IMM(BPF_REG_3, 0),
8241 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8242 BPF_MOV64_IMM(BPF_REG_0, 0),
8245 .errstr = "invalid indirect read from stack off -64+0 size 64",
8247 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8250 "helper access to variable memory: stack, JMP (signed), no min check",
8252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8254 BPF_MOV64_IMM(BPF_REG_2, 16),
8255 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8256 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8257 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
8258 BPF_MOV64_IMM(BPF_REG_3, 0),
8259 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8260 BPF_MOV64_IMM(BPF_REG_0, 0),
8263 .errstr = "R2 min value is negative",
8265 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8268 "helper access to variable memory: map, JMP, correct bounds",
8270 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8272 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8273 BPF_LD_MAP_FD(BPF_REG_1, 0),
8274 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8276 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8277 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8278 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8279 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8280 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8281 sizeof(struct test_val), 4),
8282 BPF_MOV64_IMM(BPF_REG_4, 0),
8283 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8284 BPF_MOV64_IMM(BPF_REG_3, 0),
8285 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8286 BPF_MOV64_IMM(BPF_REG_0, 0),
8289 .fixup_map_hash_48b = { 3 },
8291 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8294 "helper access to variable memory: map, JMP, wrong max",
8296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8298 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8299 BPF_LD_MAP_FD(BPF_REG_1, 0),
8300 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8301 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8303 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8304 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8305 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8306 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8307 sizeof(struct test_val) + 1, 4),
8308 BPF_MOV64_IMM(BPF_REG_4, 0),
8309 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8310 BPF_MOV64_IMM(BPF_REG_3, 0),
8311 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8312 BPF_MOV64_IMM(BPF_REG_0, 0),
8315 .fixup_map_hash_48b = { 3 },
8316 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
8318 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8321 "helper access to variable memory: map adjusted, JMP, correct bounds",
8323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8325 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8326 BPF_LD_MAP_FD(BPF_REG_1, 0),
8327 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
8329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
8331 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8332 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8333 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8334 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8335 sizeof(struct test_val) - 20, 4),
8336 BPF_MOV64_IMM(BPF_REG_4, 0),
8337 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8338 BPF_MOV64_IMM(BPF_REG_3, 0),
8339 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8340 BPF_MOV64_IMM(BPF_REG_0, 0),
8343 .fixup_map_hash_48b = { 3 },
8345 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8348 "helper access to variable memory: map adjusted, JMP, wrong max",
8350 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8352 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8353 BPF_LD_MAP_FD(BPF_REG_1, 0),
8354 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8355 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
8356 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
8358 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8359 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8360 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8361 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8362 sizeof(struct test_val) - 19, 4),
8363 BPF_MOV64_IMM(BPF_REG_4, 0),
8364 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8365 BPF_MOV64_IMM(BPF_REG_3, 0),
8366 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8367 BPF_MOV64_IMM(BPF_REG_0, 0),
8370 .fixup_map_hash_48b = { 3 },
8371 .errstr = "R1 min value is outside of the array range",
8373 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8376 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
8378 BPF_MOV64_IMM(BPF_REG_1, 0),
8379 BPF_MOV64_IMM(BPF_REG_2, 0),
8380 BPF_MOV64_IMM(BPF_REG_3, 0),
8381 BPF_MOV64_IMM(BPF_REG_4, 0),
8382 BPF_MOV64_IMM(BPF_REG_5, 0),
8383 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8387 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8390 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
8392 BPF_MOV64_IMM(BPF_REG_1, 0),
8393 BPF_MOV64_IMM(BPF_REG_2, 1),
8394 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8395 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8396 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8397 BPF_MOV64_IMM(BPF_REG_3, 0),
8398 BPF_MOV64_IMM(BPF_REG_4, 0),
8399 BPF_MOV64_IMM(BPF_REG_5, 0),
8400 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8403 .errstr = "R1 type=inv expected=fp",
8405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8408 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
8410 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8411 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8412 BPF_MOV64_IMM(BPF_REG_2, 0),
8413 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
8414 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
8415 BPF_MOV64_IMM(BPF_REG_3, 0),
8416 BPF_MOV64_IMM(BPF_REG_4, 0),
8417 BPF_MOV64_IMM(BPF_REG_5, 0),
8418 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8422 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8425 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
8427 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8428 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8430 BPF_LD_MAP_FD(BPF_REG_1, 0),
8431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8432 BPF_FUNC_map_lookup_elem),
8433 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8434 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8435 BPF_MOV64_IMM(BPF_REG_2, 0),
8436 BPF_MOV64_IMM(BPF_REG_3, 0),
8437 BPF_MOV64_IMM(BPF_REG_4, 0),
8438 BPF_MOV64_IMM(BPF_REG_5, 0),
8439 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8442 .fixup_map_hash_8b = { 3 },
8444 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8447 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
8449 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8452 BPF_LD_MAP_FD(BPF_REG_1, 0),
8453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8454 BPF_FUNC_map_lookup_elem),
8455 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8456 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8457 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
8458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8460 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
8461 BPF_MOV64_IMM(BPF_REG_3, 0),
8462 BPF_MOV64_IMM(BPF_REG_4, 0),
8463 BPF_MOV64_IMM(BPF_REG_5, 0),
8464 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8467 .fixup_map_hash_8b = { 3 },
8469 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8472 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
8474 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8475 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8477 BPF_LD_MAP_FD(BPF_REG_1, 0),
8478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8479 BPF_FUNC_map_lookup_elem),
8480 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8481 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8482 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8483 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8484 BPF_MOV64_IMM(BPF_REG_3, 0),
8485 BPF_MOV64_IMM(BPF_REG_4, 0),
8486 BPF_MOV64_IMM(BPF_REG_5, 0),
8487 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8490 .fixup_map_hash_8b = { 3 },
8492 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8495 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
8497 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8498 offsetof(struct __sk_buff, data)),
8499 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8500 offsetof(struct __sk_buff, data_end)),
8501 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
8502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8503 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
8504 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
8505 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
8506 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8507 BPF_MOV64_IMM(BPF_REG_3, 0),
8508 BPF_MOV64_IMM(BPF_REG_4, 0),
8509 BPF_MOV64_IMM(BPF_REG_5, 0),
8510 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8514 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8515 .retval = 0 /* csum_diff of 64-byte packet */,
8516 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8519 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
8521 BPF_MOV64_IMM(BPF_REG_1, 0),
8522 BPF_MOV64_IMM(BPF_REG_2, 0),
8523 BPF_MOV64_IMM(BPF_REG_3, 0),
8524 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8527 .errstr = "R1 type=inv expected=fp",
8529 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8532 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
8534 BPF_MOV64_IMM(BPF_REG_1, 0),
8535 BPF_MOV64_IMM(BPF_REG_2, 1),
8536 BPF_MOV64_IMM(BPF_REG_3, 0),
8537 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8540 .errstr = "R1 type=inv expected=fp",
8542 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8545 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8547 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8549 BPF_MOV64_IMM(BPF_REG_2, 0),
8550 BPF_MOV64_IMM(BPF_REG_3, 0),
8551 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8555 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8558 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8560 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8561 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8563 BPF_LD_MAP_FD(BPF_REG_1, 0),
8564 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8565 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8566 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8567 BPF_MOV64_IMM(BPF_REG_2, 0),
8568 BPF_MOV64_IMM(BPF_REG_3, 0),
8569 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8572 .fixup_map_hash_8b = { 3 },
8574 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8577 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8579 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8580 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8582 BPF_LD_MAP_FD(BPF_REG_1, 0),
8583 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8585 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8586 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8589 BPF_MOV64_IMM(BPF_REG_3, 0),
8590 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8593 .fixup_map_hash_8b = { 3 },
8595 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8598 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8600 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8603 BPF_LD_MAP_FD(BPF_REG_1, 0),
8604 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8605 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8606 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8607 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8608 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
8609 BPF_MOV64_IMM(BPF_REG_3, 0),
8610 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8613 .fixup_map_hash_8b = { 3 },
8615 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8618 "helper access to variable memory: 8 bytes leak",
8620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8622 BPF_MOV64_IMM(BPF_REG_0, 0),
8623 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8624 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8625 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8626 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8627 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8628 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8629 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8630 BPF_MOV64_IMM(BPF_REG_2, 1),
8631 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8632 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8633 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
8634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
8635 BPF_MOV64_IMM(BPF_REG_3, 0),
8636 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8637 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8640 .errstr = "invalid indirect read from stack off -64+32 size 64",
8642 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8645 "helper access to variable memory: 8 bytes no leak (init memory)",
8647 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8648 BPF_MOV64_IMM(BPF_REG_0, 0),
8649 BPF_MOV64_IMM(BPF_REG_0, 0),
8650 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8651 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8652 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8653 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8654 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8655 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8656 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8657 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8659 BPF_MOV64_IMM(BPF_REG_2, 0),
8660 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
8661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
8662 BPF_MOV64_IMM(BPF_REG_3, 0),
8663 BPF_EMIT_CALL(BPF_FUNC_probe_read),
8664 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8668 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
8671 "invalid and of negative number",
8673 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8676 BPF_LD_MAP_FD(BPF_REG_1, 0),
8677 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8678 BPF_FUNC_map_lookup_elem),
8679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8680 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8681 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
8682 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
8683 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8684 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8685 offsetof(struct test_val, foo)),
8688 .fixup_map_hash_48b = { 3 },
8689 .errstr = "R0 max value is outside of the array range",
8691 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8694 "invalid range check",
8696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8699 BPF_LD_MAP_FD(BPF_REG_1, 0),
8700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8701 BPF_FUNC_map_lookup_elem),
8702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
8703 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
8704 BPF_MOV64_IMM(BPF_REG_9, 1),
8705 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
8706 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
8707 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
8708 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
8709 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
8710 BPF_MOV32_IMM(BPF_REG_3, 1),
8711 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
8712 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
8713 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
8714 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
8715 BPF_MOV64_REG(BPF_REG_0, 0),
8718 .fixup_map_hash_48b = { 3 },
8719 .errstr = "R0 max value is outside of the array range",
8721 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8724 "map in map access",
8726 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8727 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8729 BPF_LD_MAP_FD(BPF_REG_1, 0),
8730 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8731 BPF_FUNC_map_lookup_elem),
8732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8733 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8734 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8737 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8738 BPF_FUNC_map_lookup_elem),
8739 BPF_MOV64_IMM(BPF_REG_0, 0),
8742 .fixup_map_in_map = { 3 },
8746 "invalid inner map pointer",
8748 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8749 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8751 BPF_LD_MAP_FD(BPF_REG_1, 0),
8752 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8753 BPF_FUNC_map_lookup_elem),
8754 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8755 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8756 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8758 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8761 BPF_FUNC_map_lookup_elem),
8762 BPF_MOV64_IMM(BPF_REG_0, 0),
8765 .fixup_map_in_map = { 3 },
8766 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
8770 "forgot null checking on the inner map pointer",
8772 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8773 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8775 BPF_LD_MAP_FD(BPF_REG_1, 0),
8776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8777 BPF_FUNC_map_lookup_elem),
8778 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8779 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8780 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8781 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8782 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8783 BPF_FUNC_map_lookup_elem),
8784 BPF_MOV64_IMM(BPF_REG_0, 0),
8787 .fixup_map_in_map = { 3 },
8788 .errstr = "R1 type=map_value_or_null expected=map_ptr",
8792 "ld_abs: check calling conv, r1",
8794 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8795 BPF_MOV64_IMM(BPF_REG_1, 0),
8796 BPF_LD_ABS(BPF_W, -0x200000),
8797 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8800 .errstr = "R1 !read_ok",
8804 "ld_abs: check calling conv, r2",
8806 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8807 BPF_MOV64_IMM(BPF_REG_2, 0),
8808 BPF_LD_ABS(BPF_W, -0x200000),
8809 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8812 .errstr = "R2 !read_ok",
8816 "ld_abs: check calling conv, r3",
8818 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8819 BPF_MOV64_IMM(BPF_REG_3, 0),
8820 BPF_LD_ABS(BPF_W, -0x200000),
8821 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8824 .errstr = "R3 !read_ok",
8828 "ld_abs: check calling conv, r4",
8830 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8831 BPF_MOV64_IMM(BPF_REG_4, 0),
8832 BPF_LD_ABS(BPF_W, -0x200000),
8833 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8836 .errstr = "R4 !read_ok",
8840 "ld_abs: check calling conv, r5",
8842 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8843 BPF_MOV64_IMM(BPF_REG_5, 0),
8844 BPF_LD_ABS(BPF_W, -0x200000),
8845 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8848 .errstr = "R5 !read_ok",
8852 "ld_abs: check calling conv, r7",
8854 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8855 BPF_MOV64_IMM(BPF_REG_7, 0),
8856 BPF_LD_ABS(BPF_W, -0x200000),
8857 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8863 "ld_abs: tests on r6 and skb data reload helper",
8865 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8866 BPF_LD_ABS(BPF_B, 0),
8867 BPF_LD_ABS(BPF_H, 0),
8868 BPF_LD_ABS(BPF_W, 0),
8869 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
8870 BPF_MOV64_IMM(BPF_REG_6, 0),
8871 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
8872 BPF_MOV64_IMM(BPF_REG_2, 1),
8873 BPF_MOV64_IMM(BPF_REG_3, 2),
8874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8875 BPF_FUNC_skb_vlan_push),
8876 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
8877 BPF_LD_ABS(BPF_B, 0),
8878 BPF_LD_ABS(BPF_H, 0),
8879 BPF_LD_ABS(BPF_W, 0),
8880 BPF_MOV64_IMM(BPF_REG_0, 42),
8883 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8885 .retval = 42 /* ultimate return value */,
8888 "ld_ind: check calling conv, r1",
8890 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8891 BPF_MOV64_IMM(BPF_REG_1, 1),
8892 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
8893 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8896 .errstr = "R1 !read_ok",
8900 "ld_ind: check calling conv, r2",
8902 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8903 BPF_MOV64_IMM(BPF_REG_2, 1),
8904 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
8905 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8908 .errstr = "R2 !read_ok",
8912 "ld_ind: check calling conv, r3",
8914 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8915 BPF_MOV64_IMM(BPF_REG_3, 1),
8916 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
8917 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8920 .errstr = "R3 !read_ok",
8924 "ld_ind: check calling conv, r4",
8926 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8927 BPF_MOV64_IMM(BPF_REG_4, 1),
8928 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
8929 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8932 .errstr = "R4 !read_ok",
8936 "ld_ind: check calling conv, r5",
8938 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8939 BPF_MOV64_IMM(BPF_REG_5, 1),
8940 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
8941 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8944 .errstr = "R5 !read_ok",
8948 "ld_ind: check calling conv, r7",
8950 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8951 BPF_MOV64_IMM(BPF_REG_7, 1),
8952 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
8953 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8960 "check bpf_perf_event_data->sample_period byte load permitted",
8962 BPF_MOV64_IMM(BPF_REG_0, 0),
8963 #if __BYTE_ORDER == __LITTLE_ENDIAN
8964 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8965 offsetof(struct bpf_perf_event_data, sample_period)),
8967 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8968 offsetof(struct bpf_perf_event_data, sample_period) + 7),
8973 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8976 "check bpf_perf_event_data->sample_period half load permitted",
8978 BPF_MOV64_IMM(BPF_REG_0, 0),
8979 #if __BYTE_ORDER == __LITTLE_ENDIAN
8980 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8981 offsetof(struct bpf_perf_event_data, sample_period)),
8983 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8984 offsetof(struct bpf_perf_event_data, sample_period) + 6),
8989 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
8992 "check bpf_perf_event_data->sample_period word load permitted",
8994 BPF_MOV64_IMM(BPF_REG_0, 0),
8995 #if __BYTE_ORDER == __LITTLE_ENDIAN
8996 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8997 offsetof(struct bpf_perf_event_data, sample_period)),
8999 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9000 offsetof(struct bpf_perf_event_data, sample_period) + 4),
9005 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
9008 "check bpf_perf_event_data->sample_period dword load permitted",
9010 BPF_MOV64_IMM(BPF_REG_0, 0),
9011 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
9012 offsetof(struct bpf_perf_event_data, sample_period)),
9016 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
9019 "check skb->data half load not permitted",
9021 BPF_MOV64_IMM(BPF_REG_0, 0),
9022 #if __BYTE_ORDER == __LITTLE_ENDIAN
9023 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9024 offsetof(struct __sk_buff, data)),
9026 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9027 offsetof(struct __sk_buff, data) + 2),
9032 .errstr = "invalid bpf_context access",
9035 "check skb->tc_classid half load not permitted for lwt prog",
9037 BPF_MOV64_IMM(BPF_REG_0, 0),
9038 #if __BYTE_ORDER == __LITTLE_ENDIAN
9039 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9040 offsetof(struct __sk_buff, tc_classid)),
9042 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9043 offsetof(struct __sk_buff, tc_classid) + 2),
9048 .errstr = "invalid bpf_context access",
9049 .prog_type = BPF_PROG_TYPE_LWT_IN,
9052 "bounds checks mixing signed and unsigned, positive bounds",
9054 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9055 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9057 BPF_LD_MAP_FD(BPF_REG_1, 0),
9058 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9059 BPF_FUNC_map_lookup_elem),
9060 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9061 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9062 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9063 BPF_MOV64_IMM(BPF_REG_2, 2),
9064 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
9065 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
9066 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9067 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9068 BPF_MOV64_IMM(BPF_REG_0, 0),
9071 .fixup_map_hash_8b = { 3 },
9072 .errstr = "unbounded min value",
9073 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9077 "bounds checks mixing signed and unsigned",
9079 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9080 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9082 BPF_LD_MAP_FD(BPF_REG_1, 0),
9083 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9084 BPF_FUNC_map_lookup_elem),
9085 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9086 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9087 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9088 BPF_MOV64_IMM(BPF_REG_2, -1),
9089 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
9090 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9091 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9092 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9093 BPF_MOV64_IMM(BPF_REG_0, 0),
9096 .fixup_map_hash_8b = { 3 },
9097 .errstr = "unbounded min value",
9098 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9102 "bounds checks mixing signed and unsigned, variant 2",
9104 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9107 BPF_LD_MAP_FD(BPF_REG_1, 0),
9108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9109 BPF_FUNC_map_lookup_elem),
9110 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9111 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9112 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9113 BPF_MOV64_IMM(BPF_REG_2, -1),
9114 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
9115 BPF_MOV64_IMM(BPF_REG_8, 0),
9116 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
9117 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
9118 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
9119 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
9120 BPF_MOV64_IMM(BPF_REG_0, 0),
9123 .fixup_map_hash_8b = { 3 },
9124 .errstr = "unbounded min value",
9125 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
9129 "bounds checks mixing signed and unsigned, variant 3",
9131 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9132 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9134 BPF_LD_MAP_FD(BPF_REG_1, 0),
9135 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9136 BPF_FUNC_map_lookup_elem),
9137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9138 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9139 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9140 BPF_MOV64_IMM(BPF_REG_2, -1),
9141 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
9142 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
9143 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
9144 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
9145 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
9146 BPF_MOV64_IMM(BPF_REG_0, 0),
9149 .fixup_map_hash_8b = { 3 },
9150 .errstr = "unbounded min value",
9151 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
9155 "bounds checks mixing signed and unsigned, variant 4",
9157 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9160 BPF_LD_MAP_FD(BPF_REG_1, 0),
9161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9162 BPF_FUNC_map_lookup_elem),
9163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9164 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9165 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9166 BPF_MOV64_IMM(BPF_REG_2, 1),
9167 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9168 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9169 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9170 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9171 BPF_MOV64_IMM(BPF_REG_0, 0),
9174 .fixup_map_hash_8b = { 3 },
9178 "bounds checks mixing signed and unsigned, variant 5",
9180 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9181 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9183 BPF_LD_MAP_FD(BPF_REG_1, 0),
9184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9185 BPF_FUNC_map_lookup_elem),
9186 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9187 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9188 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9189 BPF_MOV64_IMM(BPF_REG_2, -1),
9190 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
9191 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
9192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
9193 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9194 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9195 BPF_MOV64_IMM(BPF_REG_0, 0),
9198 .fixup_map_hash_8b = { 3 },
9199 .errstr = "unbounded min value",
9200 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9204 "bounds checks mixing signed and unsigned, variant 6",
9206 BPF_MOV64_IMM(BPF_REG_2, 0),
9207 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
9208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
9209 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9210 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
9211 BPF_MOV64_IMM(BPF_REG_6, -1),
9212 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
9213 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
9214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9215 BPF_MOV64_IMM(BPF_REG_5, 0),
9216 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
9217 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9218 BPF_FUNC_skb_load_bytes),
9219 BPF_MOV64_IMM(BPF_REG_0, 0),
9222 .errstr = "R4 min value is negative, either use unsigned",
9226 "bounds checks mixing signed and unsigned, variant 7",
9228 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9229 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9231 BPF_LD_MAP_FD(BPF_REG_1, 0),
9232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9233 BPF_FUNC_map_lookup_elem),
9234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9235 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9236 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9237 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
9238 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
9239 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9240 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9241 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9242 BPF_MOV64_IMM(BPF_REG_0, 0),
9245 .fixup_map_hash_8b = { 3 },
9249 "bounds checks mixing signed and unsigned, variant 8",
9251 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9252 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9254 BPF_LD_MAP_FD(BPF_REG_1, 0),
9255 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9256 BPF_FUNC_map_lookup_elem),
9257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9258 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9259 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9260 BPF_MOV64_IMM(BPF_REG_2, -1),
9261 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9262 BPF_MOV64_IMM(BPF_REG_0, 0),
9264 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9265 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9266 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9267 BPF_MOV64_IMM(BPF_REG_0, 0),
9270 .fixup_map_hash_8b = { 3 },
9271 .errstr = "unbounded min value",
9272 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9276 "bounds checks mixing signed and unsigned, variant 9",
9278 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9281 BPF_LD_MAP_FD(BPF_REG_1, 0),
9282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9283 BPF_FUNC_map_lookup_elem),
9284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
9285 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9286 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9287 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
9288 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9289 BPF_MOV64_IMM(BPF_REG_0, 0),
9291 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9292 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9293 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9294 BPF_MOV64_IMM(BPF_REG_0, 0),
9297 .fixup_map_hash_8b = { 3 },
9301 "bounds checks mixing signed and unsigned, variant 10",
9303 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9304 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9306 BPF_LD_MAP_FD(BPF_REG_1, 0),
9307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9308 BPF_FUNC_map_lookup_elem),
9309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9310 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9311 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9312 BPF_MOV64_IMM(BPF_REG_2, 0),
9313 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9314 BPF_MOV64_IMM(BPF_REG_0, 0),
9316 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9317 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9318 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9319 BPF_MOV64_IMM(BPF_REG_0, 0),
9322 .fixup_map_hash_8b = { 3 },
9323 .errstr = "unbounded min value",
9324 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9328 "bounds checks mixing signed and unsigned, variant 11",
9330 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9331 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9333 BPF_LD_MAP_FD(BPF_REG_1, 0),
9334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9335 BPF_FUNC_map_lookup_elem),
9336 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9337 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9338 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9339 BPF_MOV64_IMM(BPF_REG_2, -1),
9340 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9342 BPF_MOV64_IMM(BPF_REG_0, 0),
9344 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9345 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9346 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9347 BPF_MOV64_IMM(BPF_REG_0, 0),
9350 .fixup_map_hash_8b = { 3 },
9351 .errstr = "unbounded min value",
9352 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9356 "bounds checks mixing signed and unsigned, variant 12",
9358 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9361 BPF_LD_MAP_FD(BPF_REG_1, 0),
9362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9363 BPF_FUNC_map_lookup_elem),
9364 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9365 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9366 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9367 BPF_MOV64_IMM(BPF_REG_2, -6),
9368 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9369 BPF_MOV64_IMM(BPF_REG_0, 0),
9371 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9372 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9373 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9374 BPF_MOV64_IMM(BPF_REG_0, 0),
9377 .fixup_map_hash_8b = { 3 },
9378 .errstr = "unbounded min value",
9379 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9383 "bounds checks mixing signed and unsigned, variant 13",
9385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9388 BPF_LD_MAP_FD(BPF_REG_1, 0),
9389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9390 BPF_FUNC_map_lookup_elem),
9391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9392 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9393 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9394 BPF_MOV64_IMM(BPF_REG_2, 2),
9395 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9396 BPF_MOV64_IMM(BPF_REG_7, 1),
9397 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
9398 BPF_MOV64_IMM(BPF_REG_0, 0),
9400 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
9401 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
9402 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
9403 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9404 BPF_MOV64_IMM(BPF_REG_0, 0),
9407 .fixup_map_hash_8b = { 3 },
9408 .errstr = "unbounded min value",
9409 .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
9413 "bounds checks mixing signed and unsigned, variant 14",
9415 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
9416 offsetof(struct __sk_buff, mark)),
9417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9420 BPF_LD_MAP_FD(BPF_REG_1, 0),
9421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9422 BPF_FUNC_map_lookup_elem),
9423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9424 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9425 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9426 BPF_MOV64_IMM(BPF_REG_2, -1),
9427 BPF_MOV64_IMM(BPF_REG_8, 2),
9428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
9429 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
9430 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9431 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9432 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9433 BPF_MOV64_IMM(BPF_REG_0, 0),
9435 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
9436 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
9438 .fixup_map_hash_8b = { 4 },
9439 .errstr = "unbounded min value",
9440 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9444 "bounds checks mixing signed and unsigned, variant 15",
9446 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9449 BPF_LD_MAP_FD(BPF_REG_1, 0),
9450 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9451 BPF_FUNC_map_lookup_elem),
9452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9453 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9454 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9455 BPF_MOV64_IMM(BPF_REG_2, -6),
9456 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9457 BPF_MOV64_IMM(BPF_REG_0, 0),
9459 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9460 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
9461 BPF_MOV64_IMM(BPF_REG_0, 0),
9463 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9464 BPF_MOV64_IMM(BPF_REG_0, 0),
9467 .fixup_map_hash_8b = { 3 },
9468 .errstr = "unbounded min value",
9469 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9471 .result_unpriv = REJECT,
9474 "subtraction bounds (map value) variant 1",
9476 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9477 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9479 BPF_LD_MAP_FD(BPF_REG_1, 0),
9480 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9481 BPF_FUNC_map_lookup_elem),
9482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9483 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9484 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
9485 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
9486 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
9487 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
9488 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
9489 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9490 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9492 BPF_MOV64_IMM(BPF_REG_0, 0),
9495 .fixup_map_hash_8b = { 3 },
9496 .errstr = "R0 max value is outside of the array range",
9500 "subtraction bounds (map value) variant 2",
9502 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9505 BPF_LD_MAP_FD(BPF_REG_1, 0),
9506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9507 BPF_FUNC_map_lookup_elem),
9508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9509 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9510 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
9511 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
9512 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
9513 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
9514 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9515 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9517 BPF_MOV64_IMM(BPF_REG_0, 0),
9520 .fixup_map_hash_8b = { 3 },
9521 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
9522 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9526 "check subtraction on pointers for unpriv",
9528 BPF_MOV64_IMM(BPF_REG_0, 0),
9529 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
9530 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
9531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
9532 BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9),
9533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9534 BPF_FUNC_map_lookup_elem),
9535 BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP),
9536 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0),
9537 BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
9538 BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
9539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
9540 BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0),
9541 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9542 BPF_FUNC_map_lookup_elem),
9543 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9545 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
9546 BPF_MOV64_IMM(BPF_REG_0, 0),
9549 .fixup_map_hash_8b = { 1, 9 },
9551 .result_unpriv = REJECT,
9552 .errstr_unpriv = "R9 pointer -= pointer prohibited",
9555 "bounds check based on zero-extended MOV",
9557 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9558 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9560 BPF_LD_MAP_FD(BPF_REG_1, 0),
9561 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9562 BPF_FUNC_map_lookup_elem),
9563 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9564 /* r2 = 0x0000'0000'ffff'ffff */
9565 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
9567 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
9569 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9570 /* access at offset 0 */
9571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9573 BPF_MOV64_IMM(BPF_REG_0, 0),
9576 .fixup_map_hash_8b = { 3 },
9580 "bounds check based on sign-extended MOV. test1",
9582 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9583 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9584 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9585 BPF_LD_MAP_FD(BPF_REG_1, 0),
9586 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9587 BPF_FUNC_map_lookup_elem),
9588 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9589 /* r2 = 0xffff'ffff'ffff'ffff */
9590 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
9591 /* r2 = 0xffff'ffff */
9592 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
9593 /* r0 = <oob pointer> */
9594 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9595 /* access to OOB pointer */
9596 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9598 BPF_MOV64_IMM(BPF_REG_0, 0),
9601 .fixup_map_hash_8b = { 3 },
9602 .errstr = "map_value pointer and 4294967295",
9606 "bounds check based on sign-extended MOV. test2",
9608 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9609 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9611 BPF_LD_MAP_FD(BPF_REG_1, 0),
9612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9613 BPF_FUNC_map_lookup_elem),
9614 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9615 /* r2 = 0xffff'ffff'ffff'ffff */
9616 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
9617 /* r2 = 0xfff'ffff */
9618 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
9619 /* r0 = <oob pointer> */
9620 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9621 /* access to OOB pointer */
9622 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9624 BPF_MOV64_IMM(BPF_REG_0, 0),
9627 .fixup_map_hash_8b = { 3 },
9628 .errstr = "R0 min value is outside of the array range",
9632 "bounds check based on reg_off + var_off + insn_off. test1",
9634 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9635 offsetof(struct __sk_buff, mark)),
9636 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9637 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9639 BPF_LD_MAP_FD(BPF_REG_1, 0),
9640 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9641 BPF_FUNC_map_lookup_elem),
9642 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9643 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
9644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
9645 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
9646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
9647 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
9648 BPF_MOV64_IMM(BPF_REG_0, 0),
9651 .fixup_map_hash_8b = { 4 },
9652 .errstr = "value_size=8 off=1073741825",
9654 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9657 "bounds check based on reg_off + var_off + insn_off. test2",
9659 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9660 offsetof(struct __sk_buff, mark)),
9661 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9662 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9664 BPF_LD_MAP_FD(BPF_REG_1, 0),
9665 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9666 BPF_FUNC_map_lookup_elem),
9667 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9668 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
9669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
9670 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
9671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
9672 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
9673 BPF_MOV64_IMM(BPF_REG_0, 0),
9676 .fixup_map_hash_8b = { 4 },
9677 .errstr = "value 1073741823",
9679 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9682 "bounds check after truncation of non-boundary-crossing range",
9684 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9685 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9687 BPF_LD_MAP_FD(BPF_REG_1, 0),
9688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9689 BPF_FUNC_map_lookup_elem),
9690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9691 /* r1 = [0x00, 0xff] */
9692 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9693 BPF_MOV64_IMM(BPF_REG_2, 1),
9694 /* r2 = 0x10'0000'0000 */
9695 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
9696 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
9697 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
9698 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
9699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9700 /* r1 = [0x00, 0xff] */
9701 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
9703 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9705 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9706 /* access at offset 0 */
9707 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9709 BPF_MOV64_IMM(BPF_REG_0, 0),
9712 .fixup_map_hash_8b = { 3 },
9716 "bounds check after truncation of boundary-crossing range (1)",
9718 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9719 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9721 BPF_LD_MAP_FD(BPF_REG_1, 0),
9722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9723 BPF_FUNC_map_lookup_elem),
9724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9725 /* r1 = [0x00, 0xff] */
9726 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9728 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
9729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9730 /* r1 = [0xffff'ff80, 0xffff'ffff] or
9731 * [0x0000'0000, 0x0000'007f]
9733 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
9734 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9735 /* r1 = [0x00, 0xff] or
9736 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
9738 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9740 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
9742 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9743 /* no-op or OOB pointer computation */
9744 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9745 /* potentially OOB access */
9746 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9748 BPF_MOV64_IMM(BPF_REG_0, 0),
9751 .fixup_map_hash_8b = { 3 },
9752 /* not actually fully unbounded, but the bound is very high */
9753 .errstr = "R0 unbounded memory access",
9757 "bounds check after truncation of boundary-crossing range (2)",
9759 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9760 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9762 BPF_LD_MAP_FD(BPF_REG_1, 0),
9763 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9764 BPF_FUNC_map_lookup_elem),
9765 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9766 /* r1 = [0x00, 0xff] */
9767 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9769 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
9770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9771 /* r1 = [0xffff'ff80, 0xffff'ffff] or
9772 * [0x0000'0000, 0x0000'007f]
9773 * difference to previous test: truncation via MOV32
9776 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
9777 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9778 /* r1 = [0x00, 0xff] or
9779 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
9781 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9783 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
9785 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9786 /* no-op or OOB pointer computation */
9787 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9788 /* potentially OOB access */
9789 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9791 BPF_MOV64_IMM(BPF_REG_0, 0),
9794 .fixup_map_hash_8b = { 3 },
9795 /* not actually fully unbounded, but the bound is very high */
9796 .errstr = "R0 unbounded memory access",
9800 "bounds check after wrapping 32-bit addition",
9802 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9803 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9805 BPF_LD_MAP_FD(BPF_REG_1, 0),
9806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9807 BPF_FUNC_map_lookup_elem),
9808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
9809 /* r1 = 0x7fff'ffff */
9810 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
9811 /* r1 = 0xffff'fffe */
9812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9814 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
9816 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9817 /* access at offset 0 */
9818 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9820 BPF_MOV64_IMM(BPF_REG_0, 0),
9823 .fixup_map_hash_8b = { 3 },
9827 "bounds check after shift with oversized count operand",
9829 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9830 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9832 BPF_LD_MAP_FD(BPF_REG_1, 0),
9833 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9834 BPF_FUNC_map_lookup_elem),
9835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9836 BPF_MOV64_IMM(BPF_REG_2, 32),
9837 BPF_MOV64_IMM(BPF_REG_1, 1),
9838 /* r1 = (u32)1 << (u32)32 = ? */
9839 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
9840 /* r1 = [0x0000, 0xffff] */
9841 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
9842 /* computes unknown pointer, potentially OOB */
9843 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9844 /* potentially OOB access */
9845 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9847 BPF_MOV64_IMM(BPF_REG_0, 0),
9850 .fixup_map_hash_8b = { 3 },
9851 .errstr = "R0 max value is outside of the array range",
9855 "bounds check after right shift of maybe-negative number",
9857 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9858 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9860 BPF_LD_MAP_FD(BPF_REG_1, 0),
9861 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9862 BPF_FUNC_map_lookup_elem),
9863 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9864 /* r1 = [0x00, 0xff] */
9865 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9866 /* r1 = [-0x01, 0xfe] */
9867 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
9868 /* r1 = 0 or 0xff'ffff'ffff'ffff */
9869 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9870 /* r1 = 0 or 0xffff'ffff'ffff */
9871 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9872 /* computes unknown pointer, potentially OOB */
9873 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9874 /* potentially OOB access */
9875 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9877 BPF_MOV64_IMM(BPF_REG_0, 0),
9880 .fixup_map_hash_8b = { 3 },
9881 .errstr = "R0 unbounded memory access",
9885 "bounds check after 32-bit right shift with 64-bit input",
9887 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9888 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9889 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9890 BPF_LD_MAP_FD(BPF_REG_1, 0),
9891 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9892 BPF_FUNC_map_lookup_elem),
9893 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9895 BPF_MOV64_IMM(BPF_REG_1, 2),
9897 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31),
9898 /* r1 = 0 (NOT 2!) */
9899 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
9900 /* r1 = 0xffff'fffe (NOT 0!) */
9901 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
9902 /* computes OOB pointer */
9903 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9905 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9907 BPF_MOV64_IMM(BPF_REG_0, 0),
9910 .fixup_map_hash_8b = { 3 },
9911 .errstr = "R0 invalid mem access",
9915 "bounds check map access with off+size signed 32bit overflow. test1",
9917 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9920 BPF_LD_MAP_FD(BPF_REG_1, 0),
9921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9922 BPF_FUNC_map_lookup_elem),
9923 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
9926 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9930 .fixup_map_hash_8b = { 3 },
9931 .errstr = "map_value pointer and 2147483646",
9935 "bounds check map access with off+size signed 32bit overflow. test2",
9937 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9938 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9940 BPF_LD_MAP_FD(BPF_REG_1, 0),
9941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9942 BPF_FUNC_map_lookup_elem),
9943 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9946 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9948 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9952 .fixup_map_hash_8b = { 3 },
9953 .errstr = "pointer offset 1073741822",
9954 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
9958 "bounds check map access with off+size signed 32bit overflow. test3",
9960 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9963 BPF_LD_MAP_FD(BPF_REG_1, 0),
9964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9965 BPF_FUNC_map_lookup_elem),
9966 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9968 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9969 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9970 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9974 .fixup_map_hash_8b = { 3 },
9975 .errstr = "pointer offset -1073741822",
9976 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
9980 "bounds check map access with off+size signed 32bit overflow. test4",
9982 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9985 BPF_LD_MAP_FD(BPF_REG_1, 0),
9986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9987 BPF_FUNC_map_lookup_elem),
9988 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9990 BPF_MOV64_IMM(BPF_REG_1, 1000000),
9991 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
9992 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9993 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9997 .fixup_map_hash_8b = { 3 },
9998 .errstr = "map_value pointer and 1000000000000",
10002 "pointer/scalar confusion in state equality check (way 1)",
10004 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10007 BPF_LD_MAP_FD(BPF_REG_1, 0),
10008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10009 BPF_FUNC_map_lookup_elem),
10010 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10011 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10013 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10017 .fixup_map_hash_8b = { 3 },
10019 .retval = POINTER_VALUE,
10020 .result_unpriv = REJECT,
10021 .errstr_unpriv = "R0 leaks addr as return value"
10024 "pointer/scalar confusion in state equality check (way 2)",
10026 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10029 BPF_LD_MAP_FD(BPF_REG_1, 0),
10030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10031 BPF_FUNC_map_lookup_elem),
10032 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10035 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10038 .fixup_map_hash_8b = { 3 },
10040 .retval = POINTER_VALUE,
10041 .result_unpriv = REJECT,
10042 .errstr_unpriv = "R0 leaks addr as return value"
10045 "variable-offset ctx access",
10047 /* Get an unknown value */
10048 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10049 /* Make it small and 4-byte aligned */
10050 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10051 /* add it to skb. We now have either &skb->len or
10052 * &skb->pkt_type, but we don't know which
10054 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
10055 /* dereference it */
10056 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10059 .errstr = "variable ctx access var_off=(0x0; 0x4)",
10061 .prog_type = BPF_PROG_TYPE_LWT_IN,
10064 "variable-offset stack access",
10066 /* Fill the top 8 bytes of the stack */
10067 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10068 /* Get an unknown value */
10069 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10070 /* Make it small and 4-byte aligned */
10071 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10072 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
10073 /* add it to fp. We now have either fp-4 or fp-8, but
10074 * we don't know which
10076 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
10077 /* dereference it */
10078 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
10081 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
10083 .prog_type = BPF_PROG_TYPE_LWT_IN,
10086 "indirect variable-offset stack access",
10088 /* Fill the top 8 bytes of the stack */
10089 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10090 /* Get an unknown value */
10091 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10092 /* Make it small and 4-byte aligned */
10093 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10094 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
10095 /* add it to fp. We now have either fp-4 or fp-8, but
10096 * we don't know which
10098 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
10099 /* dereference it indirectly */
10100 BPF_LD_MAP_FD(BPF_REG_1, 0),
10101 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10102 BPF_FUNC_map_lookup_elem),
10103 BPF_MOV64_IMM(BPF_REG_0, 0),
10106 .fixup_map_hash_8b = { 5 },
10107 .errstr = "variable stack read R2",
10109 .prog_type = BPF_PROG_TYPE_LWT_IN,
10112 "direct stack access with 32-bit wraparound. test1",
10114 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
10116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
10117 BPF_MOV32_IMM(BPF_REG_0, 0),
10118 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10121 .errstr = "fp pointer and 2147483647",
10125 "direct stack access with 32-bit wraparound. test2",
10127 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
10129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
10130 BPF_MOV32_IMM(BPF_REG_0, 0),
10131 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10134 .errstr = "fp pointer and 1073741823",
10138 "direct stack access with 32-bit wraparound. test3",
10140 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
10142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
10143 BPF_MOV32_IMM(BPF_REG_0, 0),
10144 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10147 .errstr = "fp pointer offset 1073741822",
10148 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
10152 "liveness pruning and write screening",
10154 /* Get an unknown value */
10155 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10156 /* branch conditions teach us nothing about R2 */
10157 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
10158 BPF_MOV64_IMM(BPF_REG_0, 0),
10159 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
10160 BPF_MOV64_IMM(BPF_REG_0, 0),
10163 .errstr = "R0 !read_ok",
10165 .prog_type = BPF_PROG_TYPE_LWT_IN,
10168 "varlen_map_value_access pruning",
10170 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10171 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10173 BPF_LD_MAP_FD(BPF_REG_1, 0),
10174 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10175 BPF_FUNC_map_lookup_elem),
10176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
10177 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
10178 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
10179 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
10180 BPF_MOV32_IMM(BPF_REG_1, 0),
10181 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
10182 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
10183 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
10184 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
10185 offsetof(struct test_val, foo)),
10188 .fixup_map_hash_48b = { 3 },
10189 .errstr_unpriv = "R0 leaks addr",
10190 .errstr = "R0 unbounded memory access",
10191 .result_unpriv = REJECT,
10193 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10196 "invalid 64-bit BPF_END",
10198 BPF_MOV32_IMM(BPF_REG_0, 0),
10200 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
10201 .dst_reg = BPF_REG_0,
10208 .errstr = "unknown opcode d7",
10212 "XDP, using ifindex from netdev",
10214 BPF_MOV64_IMM(BPF_REG_0, 0),
10215 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10216 offsetof(struct xdp_md, ingress_ifindex)),
10217 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
10218 BPF_MOV64_IMM(BPF_REG_0, 1),
10222 .prog_type = BPF_PROG_TYPE_XDP,
10226 "meta access, test1",
10228 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10229 offsetof(struct xdp_md, data_meta)),
10230 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10231 offsetof(struct xdp_md, data)),
10232 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10234 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10235 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10236 BPF_MOV64_IMM(BPF_REG_0, 0),
10240 .prog_type = BPF_PROG_TYPE_XDP,
10243 "meta access, test2",
10245 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10246 offsetof(struct xdp_md, data_meta)),
10247 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10248 offsetof(struct xdp_md, data)),
10249 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10250 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
10251 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10253 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10254 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10255 BPF_MOV64_IMM(BPF_REG_0, 0),
10259 .errstr = "invalid access to packet, off=-8",
10260 .prog_type = BPF_PROG_TYPE_XDP,
10263 "meta access, test3",
10265 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10266 offsetof(struct xdp_md, data_meta)),
10267 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10268 offsetof(struct xdp_md, data_end)),
10269 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10271 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10272 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10273 BPF_MOV64_IMM(BPF_REG_0, 0),
10277 .errstr = "invalid access to packet",
10278 .prog_type = BPF_PROG_TYPE_XDP,
10281 "meta access, test4",
10283 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10284 offsetof(struct xdp_md, data_meta)),
10285 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10286 offsetof(struct xdp_md, data_end)),
10287 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10288 offsetof(struct xdp_md, data)),
10289 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
10290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10291 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10292 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10293 BPF_MOV64_IMM(BPF_REG_0, 0),
10297 .errstr = "invalid access to packet",
10298 .prog_type = BPF_PROG_TYPE_XDP,
10301 "meta access, test5",
10303 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10304 offsetof(struct xdp_md, data_meta)),
10305 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10306 offsetof(struct xdp_md, data)),
10307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10309 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
10310 BPF_MOV64_IMM(BPF_REG_2, -8),
10311 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10312 BPF_FUNC_xdp_adjust_meta),
10313 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
10314 BPF_MOV64_IMM(BPF_REG_0, 0),
10318 .errstr = "R3 !read_ok",
10319 .prog_type = BPF_PROG_TYPE_XDP,
10322 "meta access, test6",
10324 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10325 offsetof(struct xdp_md, data_meta)),
10326 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10327 offsetof(struct xdp_md, data)),
10328 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10330 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10332 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
10333 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10334 BPF_MOV64_IMM(BPF_REG_0, 0),
10338 .errstr = "invalid access to packet",
10339 .prog_type = BPF_PROG_TYPE_XDP,
10342 "meta access, test7",
10344 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10345 offsetof(struct xdp_md, data_meta)),
10346 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10347 offsetof(struct xdp_md, data)),
10348 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10349 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10350 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10352 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10353 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10354 BPF_MOV64_IMM(BPF_REG_0, 0),
10358 .prog_type = BPF_PROG_TYPE_XDP,
10361 "meta access, test8",
10363 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10364 offsetof(struct xdp_md, data_meta)),
10365 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10366 offsetof(struct xdp_md, data)),
10367 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10368 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
10369 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10370 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10371 BPF_MOV64_IMM(BPF_REG_0, 0),
10375 .prog_type = BPF_PROG_TYPE_XDP,
10378 "meta access, test9",
10380 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10381 offsetof(struct xdp_md, data_meta)),
10382 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10383 offsetof(struct xdp_md, data)),
10384 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
10386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
10387 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10388 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10389 BPF_MOV64_IMM(BPF_REG_0, 0),
10393 .errstr = "invalid access to packet",
10394 .prog_type = BPF_PROG_TYPE_XDP,
10397 "meta access, test10",
10399 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10400 offsetof(struct xdp_md, data_meta)),
10401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10402 offsetof(struct xdp_md, data)),
10403 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10404 offsetof(struct xdp_md, data_end)),
10405 BPF_MOV64_IMM(BPF_REG_5, 42),
10406 BPF_MOV64_IMM(BPF_REG_6, 24),
10407 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
10408 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
10409 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
10410 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
10411 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
10412 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
10413 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
10414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
10415 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
10416 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
10417 BPF_MOV64_IMM(BPF_REG_0, 0),
10421 .errstr = "invalid access to packet",
10422 .prog_type = BPF_PROG_TYPE_XDP,
10425 "meta access, test11",
10427 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10428 offsetof(struct xdp_md, data_meta)),
10429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10430 offsetof(struct xdp_md, data)),
10431 BPF_MOV64_IMM(BPF_REG_5, 42),
10432 BPF_MOV64_IMM(BPF_REG_6, 24),
10433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
10434 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
10435 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
10436 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
10437 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
10438 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
10439 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
10440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
10441 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
10442 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
10443 BPF_MOV64_IMM(BPF_REG_0, 0),
10447 .prog_type = BPF_PROG_TYPE_XDP,
10450 "meta access, test12",
10452 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10453 offsetof(struct xdp_md, data_meta)),
10454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10455 offsetof(struct xdp_md, data)),
10456 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10457 offsetof(struct xdp_md, data_end)),
10458 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
10459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
10460 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
10461 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
10462 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
10463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
10464 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
10465 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10466 BPF_MOV64_IMM(BPF_REG_0, 0),
10470 .prog_type = BPF_PROG_TYPE_XDP,
10473 "arithmetic ops make PTR_TO_CTX unusable",
10475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
10476 offsetof(struct __sk_buff, data) -
10477 offsetof(struct __sk_buff, mark)),
10478 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10479 offsetof(struct __sk_buff, mark)),
10482 .errstr = "dereference of modified ctx ptr",
10484 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10487 "pkt_end - pkt_start is allowed",
10489 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10490 offsetof(struct __sk_buff, data_end)),
10491 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10492 offsetof(struct __sk_buff, data)),
10493 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
10497 .retval = TEST_DATA_LEN,
10498 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10501 "XDP pkt read, pkt_end mangling, bad access 1",
10503 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10504 offsetof(struct xdp_md, data)),
10505 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10506 offsetof(struct xdp_md, data_end)),
10507 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
10510 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10511 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10512 BPF_MOV64_IMM(BPF_REG_0, 0),
10515 .errstr = "R3 pointer arithmetic on pkt_end",
10517 .prog_type = BPF_PROG_TYPE_XDP,
10520 "XDP pkt read, pkt_end mangling, bad access 2",
10522 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10523 offsetof(struct xdp_md, data)),
10524 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10525 offsetof(struct xdp_md, data_end)),
10526 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10527 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10528 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
10529 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10530 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10531 BPF_MOV64_IMM(BPF_REG_0, 0),
10534 .errstr = "R3 pointer arithmetic on pkt_end",
10536 .prog_type = BPF_PROG_TYPE_XDP,
10539 "XDP pkt read, pkt_data' > pkt_end, good access",
10541 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10542 offsetof(struct xdp_md, data)),
10543 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10544 offsetof(struct xdp_md, data_end)),
10545 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10547 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10548 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10549 BPF_MOV64_IMM(BPF_REG_0, 0),
10553 .prog_type = BPF_PROG_TYPE_XDP,
10554 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10557 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
10559 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10560 offsetof(struct xdp_md, data)),
10561 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10562 offsetof(struct xdp_md, data_end)),
10563 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10565 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10566 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10567 BPF_MOV64_IMM(BPF_REG_0, 0),
10570 .errstr = "R1 offset is outside of the packet",
10572 .prog_type = BPF_PROG_TYPE_XDP,
10573 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10576 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
10578 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10579 offsetof(struct xdp_md, data)),
10580 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10581 offsetof(struct xdp_md, data_end)),
10582 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10584 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
10585 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10586 BPF_MOV64_IMM(BPF_REG_0, 0),
10589 .errstr = "R1 offset is outside of the packet",
10591 .prog_type = BPF_PROG_TYPE_XDP,
10592 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10595 "XDP pkt read, pkt_end > pkt_data', good access",
10597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10598 offsetof(struct xdp_md, data)),
10599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10600 offsetof(struct xdp_md, data_end)),
10601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10603 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10604 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10605 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10606 BPF_MOV64_IMM(BPF_REG_0, 0),
10610 .prog_type = BPF_PROG_TYPE_XDP,
10611 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10614 "XDP pkt read, pkt_end > pkt_data', bad access 1",
10616 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10617 offsetof(struct xdp_md, data)),
10618 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10619 offsetof(struct xdp_md, data_end)),
10620 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10622 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10623 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10624 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10625 BPF_MOV64_IMM(BPF_REG_0, 0),
10628 .errstr = "R1 offset is outside of the packet",
10630 .prog_type = BPF_PROG_TYPE_XDP,
10631 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10634 "XDP pkt read, pkt_end > pkt_data', bad access 2",
10636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10637 offsetof(struct xdp_md, data)),
10638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10639 offsetof(struct xdp_md, data_end)),
10640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10642 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10643 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10644 BPF_MOV64_IMM(BPF_REG_0, 0),
10647 .errstr = "R1 offset is outside of the packet",
10649 .prog_type = BPF_PROG_TYPE_XDP,
10650 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10653 "XDP pkt read, pkt_data' < pkt_end, good access",
10655 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10656 offsetof(struct xdp_md, data)),
10657 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10658 offsetof(struct xdp_md, data_end)),
10659 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10661 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10662 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10663 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10664 BPF_MOV64_IMM(BPF_REG_0, 0),
10668 .prog_type = BPF_PROG_TYPE_XDP,
10669 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10672 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
10674 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10675 offsetof(struct xdp_md, data)),
10676 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10677 offsetof(struct xdp_md, data_end)),
10678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10680 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10681 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10682 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10683 BPF_MOV64_IMM(BPF_REG_0, 0),
10686 .errstr = "R1 offset is outside of the packet",
10688 .prog_type = BPF_PROG_TYPE_XDP,
10689 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10692 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
10694 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10695 offsetof(struct xdp_md, data)),
10696 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10697 offsetof(struct xdp_md, data_end)),
10698 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10700 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10701 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10702 BPF_MOV64_IMM(BPF_REG_0, 0),
10705 .errstr = "R1 offset is outside of the packet",
10707 .prog_type = BPF_PROG_TYPE_XDP,
10708 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10711 "XDP pkt read, pkt_end < pkt_data', good access",
10713 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10714 offsetof(struct xdp_md, data)),
10715 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10716 offsetof(struct xdp_md, data_end)),
10717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10719 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10720 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10721 BPF_MOV64_IMM(BPF_REG_0, 0),
10725 .prog_type = BPF_PROG_TYPE_XDP,
10726 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10729 "XDP pkt read, pkt_end < pkt_data', bad access 1",
10731 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10732 offsetof(struct xdp_md, data)),
10733 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10734 offsetof(struct xdp_md, data_end)),
10735 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10737 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10738 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10739 BPF_MOV64_IMM(BPF_REG_0, 0),
10742 .errstr = "R1 offset is outside of the packet",
10744 .prog_type = BPF_PROG_TYPE_XDP,
10745 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10748 "XDP pkt read, pkt_end < pkt_data', bad access 2",
10750 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10751 offsetof(struct xdp_md, data)),
10752 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10753 offsetof(struct xdp_md, data_end)),
10754 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10756 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10757 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10758 BPF_MOV64_IMM(BPF_REG_0, 0),
10761 .errstr = "R1 offset is outside of the packet",
10763 .prog_type = BPF_PROG_TYPE_XDP,
10764 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10767 "XDP pkt read, pkt_data' >= pkt_end, good access",
10769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10770 offsetof(struct xdp_md, data)),
10771 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10772 offsetof(struct xdp_md, data_end)),
10773 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10775 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10776 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10777 BPF_MOV64_IMM(BPF_REG_0, 0),
10781 .prog_type = BPF_PROG_TYPE_XDP,
10782 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10785 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
10787 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10788 offsetof(struct xdp_md, data)),
10789 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10790 offsetof(struct xdp_md, data_end)),
10791 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10793 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10794 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10795 BPF_MOV64_IMM(BPF_REG_0, 0),
10798 .errstr = "R1 offset is outside of the packet",
10800 .prog_type = BPF_PROG_TYPE_XDP,
10801 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10804 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
10806 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10807 offsetof(struct xdp_md, data)),
10808 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10809 offsetof(struct xdp_md, data_end)),
10810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10812 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10813 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10814 BPF_MOV64_IMM(BPF_REG_0, 0),
10817 .errstr = "R1 offset is outside of the packet",
10819 .prog_type = BPF_PROG_TYPE_XDP,
10820 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10823 "XDP pkt read, pkt_end >= pkt_data', good access",
10825 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10826 offsetof(struct xdp_md, data)),
10827 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10828 offsetof(struct xdp_md, data_end)),
10829 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10831 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10832 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10833 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10834 BPF_MOV64_IMM(BPF_REG_0, 0),
10838 .prog_type = BPF_PROG_TYPE_XDP,
10839 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10842 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
10844 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10845 offsetof(struct xdp_md, data)),
10846 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10847 offsetof(struct xdp_md, data_end)),
10848 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10849 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10850 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10851 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10852 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10853 BPF_MOV64_IMM(BPF_REG_0, 0),
10856 .errstr = "R1 offset is outside of the packet",
10858 .prog_type = BPF_PROG_TYPE_XDP,
10859 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10862 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
10864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10865 offsetof(struct xdp_md, data)),
10866 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10867 offsetof(struct xdp_md, data_end)),
10868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10870 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10871 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10872 BPF_MOV64_IMM(BPF_REG_0, 0),
10875 .errstr = "R1 offset is outside of the packet",
10877 .prog_type = BPF_PROG_TYPE_XDP,
10878 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10881 "XDP pkt read, pkt_data' <= pkt_end, good access",
10883 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10884 offsetof(struct xdp_md, data)),
10885 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10886 offsetof(struct xdp_md, data_end)),
10887 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10889 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10890 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10891 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10892 BPF_MOV64_IMM(BPF_REG_0, 0),
10896 .prog_type = BPF_PROG_TYPE_XDP,
10897 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10900 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
10902 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10903 offsetof(struct xdp_md, data)),
10904 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10905 offsetof(struct xdp_md, data_end)),
10906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10908 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10909 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10910 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10911 BPF_MOV64_IMM(BPF_REG_0, 0),
10914 .errstr = "R1 offset is outside of the packet",
10916 .prog_type = BPF_PROG_TYPE_XDP,
10917 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10920 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
10922 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10923 offsetof(struct xdp_md, data)),
10924 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10925 offsetof(struct xdp_md, data_end)),
10926 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10928 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10929 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10930 BPF_MOV64_IMM(BPF_REG_0, 0),
10933 .errstr = "R1 offset is outside of the packet",
10935 .prog_type = BPF_PROG_TYPE_XDP,
10936 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10939 "XDP pkt read, pkt_end <= pkt_data', good access",
10941 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10942 offsetof(struct xdp_md, data)),
10943 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10944 offsetof(struct xdp_md, data_end)),
10945 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10946 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10947 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10948 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10949 BPF_MOV64_IMM(BPF_REG_0, 0),
10953 .prog_type = BPF_PROG_TYPE_XDP,
10954 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10957 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
10959 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10960 offsetof(struct xdp_md, data)),
10961 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10962 offsetof(struct xdp_md, data_end)),
10963 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10965 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10966 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10967 BPF_MOV64_IMM(BPF_REG_0, 0),
10970 .errstr = "R1 offset is outside of the packet",
10972 .prog_type = BPF_PROG_TYPE_XDP,
10973 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10976 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
10978 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10979 offsetof(struct xdp_md, data)),
10980 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10981 offsetof(struct xdp_md, data_end)),
10982 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10984 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10985 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10986 BPF_MOV64_IMM(BPF_REG_0, 0),
10989 .errstr = "R1 offset is outside of the packet",
10991 .prog_type = BPF_PROG_TYPE_XDP,
10992 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10995 "XDP pkt read, pkt_meta' > pkt_data, good access",
10997 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10998 offsetof(struct xdp_md, data_meta)),
10999 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11000 offsetof(struct xdp_md, data)),
11001 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11003 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
11004 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11005 BPF_MOV64_IMM(BPF_REG_0, 0),
11009 .prog_type = BPF_PROG_TYPE_XDP,
11010 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11013 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
11015 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11016 offsetof(struct xdp_md, data_meta)),
11017 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11018 offsetof(struct xdp_md, data)),
11019 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11021 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
11022 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11023 BPF_MOV64_IMM(BPF_REG_0, 0),
11026 .errstr = "R1 offset is outside of the packet",
11028 .prog_type = BPF_PROG_TYPE_XDP,
11029 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11032 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
11034 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11035 offsetof(struct xdp_md, data_meta)),
11036 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11037 offsetof(struct xdp_md, data)),
11038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11039 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11040 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
11041 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11042 BPF_MOV64_IMM(BPF_REG_0, 0),
11045 .errstr = "R1 offset is outside of the packet",
11047 .prog_type = BPF_PROG_TYPE_XDP,
11048 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11051 "XDP pkt read, pkt_data > pkt_meta', good access",
11053 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11054 offsetof(struct xdp_md, data_meta)),
11055 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11056 offsetof(struct xdp_md, data)),
11057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11059 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11060 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11061 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11062 BPF_MOV64_IMM(BPF_REG_0, 0),
11066 .prog_type = BPF_PROG_TYPE_XDP,
11067 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11070 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
11072 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11073 offsetof(struct xdp_md, data_meta)),
11074 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11075 offsetof(struct xdp_md, data)),
11076 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11078 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11079 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11080 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11081 BPF_MOV64_IMM(BPF_REG_0, 0),
11084 .errstr = "R1 offset is outside of the packet",
11086 .prog_type = BPF_PROG_TYPE_XDP,
11087 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11090 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
11092 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11093 offsetof(struct xdp_md, data_meta)),
11094 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11095 offsetof(struct xdp_md, data)),
11096 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11098 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11099 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11100 BPF_MOV64_IMM(BPF_REG_0, 0),
11103 .errstr = "R1 offset is outside of the packet",
11105 .prog_type = BPF_PROG_TYPE_XDP,
11106 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11109 "XDP pkt read, pkt_meta' < pkt_data, good access",
11111 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11112 offsetof(struct xdp_md, data_meta)),
11113 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11114 offsetof(struct xdp_md, data)),
11115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11117 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11118 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11119 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11120 BPF_MOV64_IMM(BPF_REG_0, 0),
11124 .prog_type = BPF_PROG_TYPE_XDP,
11125 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11128 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
11130 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11131 offsetof(struct xdp_md, data_meta)),
11132 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11133 offsetof(struct xdp_md, data)),
11134 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11136 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11137 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11138 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11139 BPF_MOV64_IMM(BPF_REG_0, 0),
11142 .errstr = "R1 offset is outside of the packet",
11144 .prog_type = BPF_PROG_TYPE_XDP,
11145 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11148 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
11150 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11151 offsetof(struct xdp_md, data_meta)),
11152 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11153 offsetof(struct xdp_md, data)),
11154 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11155 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11156 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11157 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11158 BPF_MOV64_IMM(BPF_REG_0, 0),
11161 .errstr = "R1 offset is outside of the packet",
11163 .prog_type = BPF_PROG_TYPE_XDP,
11164 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11167 "XDP pkt read, pkt_data < pkt_meta', good access",
11169 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11170 offsetof(struct xdp_md, data_meta)),
11171 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11172 offsetof(struct xdp_md, data)),
11173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11175 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
11176 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11177 BPF_MOV64_IMM(BPF_REG_0, 0),
11181 .prog_type = BPF_PROG_TYPE_XDP,
11182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11185 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
11187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11188 offsetof(struct xdp_md, data_meta)),
11189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11190 offsetof(struct xdp_md, data)),
11191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11193 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
11194 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11195 BPF_MOV64_IMM(BPF_REG_0, 0),
11198 .errstr = "R1 offset is outside of the packet",
11200 .prog_type = BPF_PROG_TYPE_XDP,
11201 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11204 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
11206 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11207 offsetof(struct xdp_md, data_meta)),
11208 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11209 offsetof(struct xdp_md, data)),
11210 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11212 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
11213 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11214 BPF_MOV64_IMM(BPF_REG_0, 0),
11217 .errstr = "R1 offset is outside of the packet",
11219 .prog_type = BPF_PROG_TYPE_XDP,
11220 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11223 "XDP pkt read, pkt_meta' >= pkt_data, good access",
11225 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11226 offsetof(struct xdp_md, data_meta)),
11227 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11228 offsetof(struct xdp_md, data)),
11229 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11231 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
11232 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11233 BPF_MOV64_IMM(BPF_REG_0, 0),
11237 .prog_type = BPF_PROG_TYPE_XDP,
11238 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11241 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
11243 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11244 offsetof(struct xdp_md, data_meta)),
11245 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11246 offsetof(struct xdp_md, data)),
11247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11249 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
11250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11251 BPF_MOV64_IMM(BPF_REG_0, 0),
11254 .errstr = "R1 offset is outside of the packet",
11256 .prog_type = BPF_PROG_TYPE_XDP,
11257 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11260 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
11262 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11263 offsetof(struct xdp_md, data_meta)),
11264 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11265 offsetof(struct xdp_md, data)),
11266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11268 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
11269 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11270 BPF_MOV64_IMM(BPF_REG_0, 0),
11273 .errstr = "R1 offset is outside of the packet",
11275 .prog_type = BPF_PROG_TYPE_XDP,
11276 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11279 "XDP pkt read, pkt_data >= pkt_meta', good access",
11281 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11282 offsetof(struct xdp_md, data_meta)),
11283 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11284 offsetof(struct xdp_md, data)),
11285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11287 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11288 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11290 BPF_MOV64_IMM(BPF_REG_0, 0),
11294 .prog_type = BPF_PROG_TYPE_XDP,
11295 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11298 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
11300 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11301 offsetof(struct xdp_md, data_meta)),
11302 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11303 offsetof(struct xdp_md, data)),
11304 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11306 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11307 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11308 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11309 BPF_MOV64_IMM(BPF_REG_0, 0),
11312 .errstr = "R1 offset is outside of the packet",
11314 .prog_type = BPF_PROG_TYPE_XDP,
11315 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11318 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
11320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11321 offsetof(struct xdp_md, data_meta)),
11322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11323 offsetof(struct xdp_md, data)),
11324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11326 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11327 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11328 BPF_MOV64_IMM(BPF_REG_0, 0),
11331 .errstr = "R1 offset is outside of the packet",
11333 .prog_type = BPF_PROG_TYPE_XDP,
11334 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11337 "XDP pkt read, pkt_meta' <= pkt_data, good access",
11339 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11340 offsetof(struct xdp_md, data_meta)),
11341 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11342 offsetof(struct xdp_md, data)),
11343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11345 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11346 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11347 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11348 BPF_MOV64_IMM(BPF_REG_0, 0),
11352 .prog_type = BPF_PROG_TYPE_XDP,
11353 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11356 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
11358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11359 offsetof(struct xdp_md, data_meta)),
11360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11361 offsetof(struct xdp_md, data)),
11362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11364 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11365 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11367 BPF_MOV64_IMM(BPF_REG_0, 0),
11370 .errstr = "R1 offset is outside of the packet",
11372 .prog_type = BPF_PROG_TYPE_XDP,
11373 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11376 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
11378 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11379 offsetof(struct xdp_md, data_meta)),
11380 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11381 offsetof(struct xdp_md, data)),
11382 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11384 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11385 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11386 BPF_MOV64_IMM(BPF_REG_0, 0),
11389 .errstr = "R1 offset is outside of the packet",
11391 .prog_type = BPF_PROG_TYPE_XDP,
11392 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11395 "XDP pkt read, pkt_data <= pkt_meta', good access",
11397 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11398 offsetof(struct xdp_md, data_meta)),
11399 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11400 offsetof(struct xdp_md, data)),
11401 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11403 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11404 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11405 BPF_MOV64_IMM(BPF_REG_0, 0),
11409 .prog_type = BPF_PROG_TYPE_XDP,
11410 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11413 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
11415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11416 offsetof(struct xdp_md, data_meta)),
11417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11418 offsetof(struct xdp_md, data)),
11419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11421 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11423 BPF_MOV64_IMM(BPF_REG_0, 0),
11426 .errstr = "R1 offset is outside of the packet",
11428 .prog_type = BPF_PROG_TYPE_XDP,
11429 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11432 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
11434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11435 offsetof(struct xdp_md, data_meta)),
11436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11437 offsetof(struct xdp_md, data)),
11438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11440 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
11441 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11442 BPF_MOV64_IMM(BPF_REG_0, 0),
11445 .errstr = "R1 offset is outside of the packet",
11447 .prog_type = BPF_PROG_TYPE_XDP,
11448 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11451 "check deducing bounds from const, 1",
11453 BPF_MOV64_IMM(BPF_REG_0, 1),
11454 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
11455 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11459 .errstr = "R0 tried to subtract pointer from scalar",
11462 "check deducing bounds from const, 2",
11464 BPF_MOV64_IMM(BPF_REG_0, 1),
11465 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
11467 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
11469 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11476 "check deducing bounds from const, 3",
11478 BPF_MOV64_IMM(BPF_REG_0, 0),
11479 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
11480 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11484 .errstr = "R0 tried to subtract pointer from scalar",
11487 "check deducing bounds from const, 4",
11489 BPF_MOV64_IMM(BPF_REG_0, 0),
11490 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
11492 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11494 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11500 "check deducing bounds from const, 5",
11502 BPF_MOV64_IMM(BPF_REG_0, 0),
11503 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
11504 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11508 .errstr = "R0 tried to subtract pointer from scalar",
11511 "check deducing bounds from const, 6",
11513 BPF_MOV64_IMM(BPF_REG_0, 0),
11514 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11516 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11520 .errstr = "R0 tried to subtract pointer from scalar",
11523 "check deducing bounds from const, 7",
11525 BPF_MOV64_IMM(BPF_REG_0, ~0),
11526 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
11527 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11528 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11529 offsetof(struct __sk_buff, mark)),
11533 .errstr = "dereference of modified ctx ptr",
11534 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11537 "check deducing bounds from const, 8",
11539 BPF_MOV64_IMM(BPF_REG_0, ~0),
11540 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11541 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
11542 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11543 offsetof(struct __sk_buff, mark)),
11547 .errstr = "dereference of modified ctx ptr",
11548 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11551 "check deducing bounds from const, 9",
11553 BPF_MOV64_IMM(BPF_REG_0, 0),
11554 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
11555 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11559 .errstr = "R0 tried to subtract pointer from scalar",
11562 "check deducing bounds from const, 10",
11564 BPF_MOV64_IMM(BPF_REG_0, 0),
11565 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
11566 /* Marks reg as unknown. */
11567 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
11568 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11572 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
11575 "bpf_exit with invalid return code. test1",
11577 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11580 .errstr = "R0 has value (0x0; 0xffffffff)",
11582 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11585 "bpf_exit with invalid return code. test2",
11587 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11588 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
11592 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11595 "bpf_exit with invalid return code. test3",
11597 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11598 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
11601 .errstr = "R0 has value (0x0; 0x3)",
11603 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11606 "bpf_exit with invalid return code. test4",
11608 BPF_MOV64_IMM(BPF_REG_0, 1),
11612 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11615 "bpf_exit with invalid return code. test5",
11617 BPF_MOV64_IMM(BPF_REG_0, 2),
11620 .errstr = "R0 has value (0x2; 0x0)",
11622 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11625 "bpf_exit with invalid return code. test6",
11627 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11630 .errstr = "R0 is not a known value (ctx)",
11632 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11635 "bpf_exit with invalid return code. test7",
11637 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11638 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
11639 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
11642 .errstr = "R0 has unknown scalar value",
11644 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11647 "calls: basic sanity",
11649 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11650 BPF_MOV64_IMM(BPF_REG_0, 1),
11652 BPF_MOV64_IMM(BPF_REG_0, 2),
11655 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11659 "calls: not on unpriviledged",
11661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11662 BPF_MOV64_IMM(BPF_REG_0, 1),
11664 BPF_MOV64_IMM(BPF_REG_0, 2),
11667 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
11668 .result_unpriv = REJECT,
11673 "calls: div by 0 in subprog",
11675 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11676 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11677 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11678 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11679 offsetof(struct __sk_buff, data_end)),
11680 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11682 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11683 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11684 BPF_MOV64_IMM(BPF_REG_0, 1),
11686 BPF_MOV32_IMM(BPF_REG_2, 0),
11687 BPF_MOV32_IMM(BPF_REG_3, 1),
11688 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
11689 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11690 offsetof(struct __sk_buff, data)),
11693 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11698 "calls: multiple ret types in subprog 1",
11700 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11701 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11703 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11704 offsetof(struct __sk_buff, data_end)),
11705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11707 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11708 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11709 BPF_MOV64_IMM(BPF_REG_0, 1),
11711 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11712 offsetof(struct __sk_buff, data)),
11713 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11714 BPF_MOV32_IMM(BPF_REG_0, 42),
11717 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11719 .errstr = "R0 invalid mem access 'inv'",
11722 "calls: multiple ret types in subprog 2",
11724 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11725 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11727 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11728 offsetof(struct __sk_buff, data_end)),
11729 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11731 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11732 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11733 BPF_MOV64_IMM(BPF_REG_0, 1),
11735 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11736 offsetof(struct __sk_buff, data)),
11737 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11738 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
11739 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11740 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11741 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11742 BPF_LD_MAP_FD(BPF_REG_1, 0),
11743 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11744 BPF_FUNC_map_lookup_elem),
11745 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11746 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
11747 offsetof(struct __sk_buff, data)),
11748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
11751 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11752 .fixup_map_hash_8b = { 16 },
11754 .errstr = "R0 min value is outside of the array range",
11757 "calls: overlapping caller/callee",
11759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
11760 BPF_MOV64_IMM(BPF_REG_0, 1),
11763 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11764 .errstr = "last insn is not an exit or jmp",
11768 "calls: wrong recursive calls",
11770 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11771 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11772 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11774 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11775 BPF_MOV64_IMM(BPF_REG_0, 1),
11778 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11779 .errstr = "jump out of range",
11783 "calls: wrong src reg",
11785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
11786 BPF_MOV64_IMM(BPF_REG_0, 1),
11789 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11790 .errstr = "BPF_CALL uses reserved fields",
11794 "calls: wrong off value",
11796 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
11797 BPF_MOV64_IMM(BPF_REG_0, 1),
11799 BPF_MOV64_IMM(BPF_REG_0, 2),
11802 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11803 .errstr = "BPF_CALL uses reserved fields",
11807 "calls: jump back loop",
11809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
11810 BPF_MOV64_IMM(BPF_REG_0, 1),
11813 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11814 .errstr = "back-edge from insn 0 to 0",
11818 "calls: conditional call",
11820 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11821 offsetof(struct __sk_buff, mark)),
11822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11824 BPF_MOV64_IMM(BPF_REG_0, 1),
11826 BPF_MOV64_IMM(BPF_REG_0, 2),
11829 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11830 .errstr = "jump out of range",
11834 "calls: conditional call 2",
11836 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11837 offsetof(struct __sk_buff, mark)),
11838 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11840 BPF_MOV64_IMM(BPF_REG_0, 1),
11842 BPF_MOV64_IMM(BPF_REG_0, 2),
11844 BPF_MOV64_IMM(BPF_REG_0, 3),
11847 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11851 "calls: conditional call 3",
11853 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11854 offsetof(struct __sk_buff, mark)),
11855 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11856 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11857 BPF_MOV64_IMM(BPF_REG_0, 1),
11859 BPF_MOV64_IMM(BPF_REG_0, 1),
11860 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11861 BPF_MOV64_IMM(BPF_REG_0, 3),
11862 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11864 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11865 .errstr = "back-edge from insn",
11869 "calls: conditional call 4",
11871 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11872 offsetof(struct __sk_buff, mark)),
11873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11875 BPF_MOV64_IMM(BPF_REG_0, 1),
11877 BPF_MOV64_IMM(BPF_REG_0, 1),
11878 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
11879 BPF_MOV64_IMM(BPF_REG_0, 3),
11882 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11886 "calls: conditional call 5",
11888 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11889 offsetof(struct __sk_buff, mark)),
11890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11891 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11892 BPF_MOV64_IMM(BPF_REG_0, 1),
11894 BPF_MOV64_IMM(BPF_REG_0, 1),
11895 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11896 BPF_MOV64_IMM(BPF_REG_0, 3),
11899 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11900 .errstr = "back-edge from insn",
11904 "calls: conditional call 6",
11906 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11907 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
11909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11910 offsetof(struct __sk_buff, mark)),
11913 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11914 .errstr = "back-edge from insn",
11918 "calls: using r0 returned by callee",
11920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11922 BPF_MOV64_IMM(BPF_REG_0, 2),
11925 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11929 "calls: using uninit r0 from callee",
11931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11935 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11936 .errstr = "!read_ok",
11940 "calls: callee is using r1",
11942 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11944 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11945 offsetof(struct __sk_buff, len)),
11948 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
11950 .retval = TEST_DATA_LEN,
11953 "calls: callee using args1",
11955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11957 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11960 .errstr_unpriv = "allowed for root only",
11961 .result_unpriv = REJECT,
11963 .retval = POINTER_VALUE,
11966 "calls: callee using wrong args2",
11968 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11970 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11973 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11974 .errstr = "R2 !read_ok",
11978 "calls: callee using two args",
11980 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11981 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
11982 offsetof(struct __sk_buff, len)),
11983 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
11984 offsetof(struct __sk_buff, len)),
11985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11987 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11988 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
11991 .errstr_unpriv = "allowed for root only",
11992 .result_unpriv = REJECT,
11994 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
11997 "calls: callee changing pkt pointers",
11999 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12000 offsetof(struct xdp_md, data)),
12001 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
12002 offsetof(struct xdp_md, data_end)),
12003 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
12004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
12005 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
12006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12007 /* clear_all_pkt_pointers() has to walk all frames
12008 * to make sure that pkt pointers in the caller
12009 * are cleared when callee is calling a helper that
12010 * adjusts packet size
12012 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12013 BPF_MOV32_IMM(BPF_REG_0, 0),
12015 BPF_MOV64_IMM(BPF_REG_2, 0),
12016 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12017 BPF_FUNC_xdp_adjust_head),
12021 .errstr = "R6 invalid mem access 'inv'",
12022 .prog_type = BPF_PROG_TYPE_XDP,
12023 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12026 "calls: two calls with args",
12028 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12030 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12031 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12032 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12033 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12035 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12036 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12038 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12039 offsetof(struct __sk_buff, len)),
12042 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12044 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
12047 "calls: calls with stack arith",
12049 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12050 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12057 BPF_MOV64_IMM(BPF_REG_0, 42),
12058 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
12061 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12066 "calls: calls with misaligned stack access",
12068 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
12070 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
12073 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12075 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
12076 BPF_MOV64_IMM(BPF_REG_0, 42),
12077 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
12080 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12081 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
12082 .errstr = "misaligned stack access",
12086 "calls: calls control flow, jump test",
12088 BPF_MOV64_IMM(BPF_REG_0, 42),
12089 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12090 BPF_MOV64_IMM(BPF_REG_0, 43),
12091 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12092 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
12095 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12100 "calls: calls control flow, jump test 2",
12102 BPF_MOV64_IMM(BPF_REG_0, 42),
12103 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12104 BPF_MOV64_IMM(BPF_REG_0, 43),
12105 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
12109 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12110 .errstr = "jump out of range from insn 1 to 4",
12114 "calls: two calls with bad jump",
12116 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12118 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12120 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12123 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12124 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12126 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12127 offsetof(struct __sk_buff, len)),
12128 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
12131 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12132 .errstr = "jump out of range from insn 11 to 9",
12136 "calls: recursive call. test1",
12138 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12140 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
12143 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12144 .errstr = "back-edge",
12148 "calls: recursive call. test2",
12150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12152 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
12155 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12156 .errstr = "back-edge",
12160 "calls: unreachable code",
12162 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12166 BPF_MOV64_IMM(BPF_REG_0, 0),
12168 BPF_MOV64_IMM(BPF_REG_0, 0),
12171 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12172 .errstr = "unreachable insn 6",
12176 "calls: invalid call",
12178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
12183 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12184 .errstr = "invalid destination",
12188 "calls: invalid call 2",
12190 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
12195 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12196 .errstr = "invalid destination",
12200 "calls: jumping across function bodies. test1",
12202 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12203 BPF_MOV64_IMM(BPF_REG_0, 0),
12205 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
12208 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12209 .errstr = "jump out of range",
12213 "calls: jumping across function bodies. test2",
12215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
12216 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12217 BPF_MOV64_IMM(BPF_REG_0, 0),
12221 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12222 .errstr = "jump out of range",
12226 "calls: call without exit",
12228 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12232 BPF_MOV64_IMM(BPF_REG_0, 0),
12233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
12235 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12236 .errstr = "not an exit",
12240 "calls: call into middle of ld_imm64",
12242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12243 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12244 BPF_MOV64_IMM(BPF_REG_0, 0),
12246 BPF_LD_IMM64(BPF_REG_0, 0),
12249 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12250 .errstr = "last insn",
12254 "calls: call into middle of other call",
12256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12257 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12258 BPF_MOV64_IMM(BPF_REG_0, 0),
12260 BPF_MOV64_IMM(BPF_REG_0, 0),
12261 BPF_MOV64_IMM(BPF_REG_0, 0),
12264 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12265 .errstr = "last insn",
12269 "calls: ld_abs with changing ctx data in callee",
12271 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12272 BPF_LD_ABS(BPF_B, 0),
12273 BPF_LD_ABS(BPF_H, 0),
12274 BPF_LD_ABS(BPF_W, 0),
12275 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12277 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12278 BPF_LD_ABS(BPF_B, 0),
12279 BPF_LD_ABS(BPF_H, 0),
12280 BPF_LD_ABS(BPF_W, 0),
12282 BPF_MOV64_IMM(BPF_REG_2, 1),
12283 BPF_MOV64_IMM(BPF_REG_3, 2),
12284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12285 BPF_FUNC_skb_vlan_push),
12288 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12289 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
12293 "calls: two calls with bad fallthrough",
12295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12297 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12298 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12299 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12300 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12302 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12303 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12304 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
12305 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12306 offsetof(struct __sk_buff, len)),
12309 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12310 .errstr = "not an exit",
12314 "calls: two calls with stack read",
12316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12317 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12321 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12323 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12326 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12327 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
12332 .prog_type = BPF_PROG_TYPE_XDP,
12336 "calls: two calls with stack write",
12339 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12340 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12342 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12344 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12345 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12349 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12350 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12351 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
12352 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12354 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12355 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12356 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
12357 /* write into stack frame of main prog */
12358 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12362 /* read from stack frame of main prog */
12363 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
12366 .prog_type = BPF_PROG_TYPE_XDP,
12370 "calls: stack overflow using two frames (pre-call access)",
12373 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12374 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
12378 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12379 BPF_MOV64_IMM(BPF_REG_0, 0),
12382 .prog_type = BPF_PROG_TYPE_XDP,
12383 .errstr = "combined stack size",
12387 "calls: stack overflow using two frames (post-call access)",
12390 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
12391 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12395 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12396 BPF_MOV64_IMM(BPF_REG_0, 0),
12399 .prog_type = BPF_PROG_TYPE_XDP,
12400 .errstr = "combined stack size",
12404 "calls: stack depth check using three frames. test1",
12407 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12408 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
12409 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
12410 BPF_MOV64_IMM(BPF_REG_0, 0),
12413 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12416 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
12417 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12420 .prog_type = BPF_PROG_TYPE_XDP,
12421 /* stack_main=32, stack_A=256, stack_B=64
12422 * and max(main+A, main+A+B) < 512
12427 "calls: stack depth check using three frames. test2",
12430 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12431 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
12432 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
12433 BPF_MOV64_IMM(BPF_REG_0, 0),
12436 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12439 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
12440 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12443 .prog_type = BPF_PROG_TYPE_XDP,
12444 /* stack_main=32, stack_A=64, stack_B=256
12445 * and max(main+A, main+A+B) < 512
12450 "calls: stack depth check using three frames. test3",
12453 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12454 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
12455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12456 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
12457 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
12458 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12459 BPF_MOV64_IMM(BPF_REG_0, 0),
12462 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
12464 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
12465 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
12467 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
12468 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
12469 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12472 .prog_type = BPF_PROG_TYPE_XDP,
12473 /* stack_main=64, stack_A=224, stack_B=256
12474 * and max(main+A, main+A+B) > 512
12476 .errstr = "combined stack",
12480 "calls: stack depth check using three frames. test4",
12481 /* void main(void) {
12486 * void func1(int alloc_or_recurse) {
12487 * if (alloc_or_recurse) {
12488 * frame_pointer[-300] = 1;
12490 * func2(alloc_or_recurse);
12493 * void func2(int alloc_or_recurse) {
12494 * if (alloc_or_recurse) {
12495 * frame_pointer[-300] = 1;
12501 BPF_MOV64_IMM(BPF_REG_1, 0),
12502 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
12503 BPF_MOV64_IMM(BPF_REG_1, 1),
12504 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12505 BPF_MOV64_IMM(BPF_REG_1, 1),
12506 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
12507 BPF_MOV64_IMM(BPF_REG_0, 0),
12510 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
12511 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12513 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
12516 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
12517 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12520 .prog_type = BPF_PROG_TYPE_XDP,
12522 .errstr = "combined stack",
12525 "calls: stack depth check using three frames. test5",
12528 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
12531 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
12534 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
12537 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
12540 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
12543 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
12546 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
12549 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
12552 BPF_MOV64_IMM(BPF_REG_0, 0),
12555 .prog_type = BPF_PROG_TYPE_XDP,
12556 .errstr = "call stack",
12560 "calls: spill into caller stack frame",
12562 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12563 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12567 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
12568 BPF_MOV64_IMM(BPF_REG_0, 0),
12571 .prog_type = BPF_PROG_TYPE_XDP,
12572 .errstr = "cannot spill",
12576 "calls: write into caller stack frame",
12578 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12580 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12581 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12582 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12584 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
12585 BPF_MOV64_IMM(BPF_REG_0, 0),
12588 .prog_type = BPF_PROG_TYPE_XDP,
12593 "calls: write into callee stack frame",
12595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12596 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
12598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
12599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
12602 .prog_type = BPF_PROG_TYPE_XDP,
12603 .errstr = "cannot return stack pointer",
12607 "calls: two calls with stack write and void return",
12610 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12611 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12616 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12620 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12621 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12622 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12623 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12628 /* write into stack frame of main prog */
12629 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
12630 BPF_EXIT_INSN(), /* void return */
12632 .prog_type = BPF_PROG_TYPE_XDP,
12636 "calls: ambiguous return value",
12638 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12639 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12641 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12643 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12645 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
12646 BPF_MOV64_IMM(BPF_REG_0, 0),
12649 .errstr_unpriv = "allowed for root only",
12650 .result_unpriv = REJECT,
12651 .errstr = "R0 !read_ok",
12655 "calls: two calls that return map_value",
12658 /* pass fp-16, fp-8 into a function */
12659 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12661 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
12665 /* fetch map_value_ptr from the stack of this function */
12666 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12667 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12668 /* write into map value */
12669 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12670 /* fetch secound map_value_ptr from the stack */
12671 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12673 /* write into map value */
12674 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12675 BPF_MOV64_IMM(BPF_REG_0, 0),
12679 /* call 3rd function twice */
12680 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12681 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12682 /* first time with fp-8 */
12683 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12684 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12685 /* second time with fp-16 */
12686 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12690 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12691 /* lookup from map */
12692 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12695 BPF_LD_MAP_FD(BPF_REG_1, 0),
12696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12697 BPF_FUNC_map_lookup_elem),
12698 /* write map_value_ptr into stack frame of main prog */
12699 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12700 BPF_MOV64_IMM(BPF_REG_0, 0),
12701 BPF_EXIT_INSN(), /* return 0 */
12703 .prog_type = BPF_PROG_TYPE_XDP,
12704 .fixup_map_hash_8b = { 23 },
12708 "calls: two calls that return map_value with bool condition",
12711 /* pass fp-16, fp-8 into a function */
12712 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12714 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12716 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12717 BPF_MOV64_IMM(BPF_REG_0, 0),
12721 /* call 3rd function twice */
12722 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12723 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12724 /* first time with fp-8 */
12725 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
12726 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12727 /* fetch map_value_ptr from the stack of this function */
12728 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12729 /* write into map value */
12730 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12731 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12732 /* second time with fp-16 */
12733 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12734 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12735 /* fetch secound map_value_ptr from the stack */
12736 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
12737 /* write into map value */
12738 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12742 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12743 /* lookup from map */
12744 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12747 BPF_LD_MAP_FD(BPF_REG_1, 0),
12748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12749 BPF_FUNC_map_lookup_elem),
12750 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12751 BPF_MOV64_IMM(BPF_REG_0, 0),
12752 BPF_EXIT_INSN(), /* return 0 */
12753 /* write map_value_ptr into stack frame of main prog */
12754 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12755 BPF_MOV64_IMM(BPF_REG_0, 1),
12756 BPF_EXIT_INSN(), /* return 1 */
12758 .prog_type = BPF_PROG_TYPE_XDP,
12759 .fixup_map_hash_8b = { 23 },
12763 "calls: two calls that return map_value with incorrect bool check",
12766 /* pass fp-16, fp-8 into a function */
12767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12769 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12771 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12772 BPF_MOV64_IMM(BPF_REG_0, 0),
12776 /* call 3rd function twice */
12777 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12778 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12779 /* first time with fp-8 */
12780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
12781 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12782 /* fetch map_value_ptr from the stack of this function */
12783 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12784 /* write into map value */
12785 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12786 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12787 /* second time with fp-16 */
12788 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12789 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12790 /* fetch secound map_value_ptr from the stack */
12791 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
12792 /* write into map value */
12793 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12797 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12798 /* lookup from map */
12799 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12800 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12802 BPF_LD_MAP_FD(BPF_REG_1, 0),
12803 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12804 BPF_FUNC_map_lookup_elem),
12805 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12806 BPF_MOV64_IMM(BPF_REG_0, 0),
12807 BPF_EXIT_INSN(), /* return 0 */
12808 /* write map_value_ptr into stack frame of main prog */
12809 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12810 BPF_MOV64_IMM(BPF_REG_0, 1),
12811 BPF_EXIT_INSN(), /* return 1 */
12813 .prog_type = BPF_PROG_TYPE_XDP,
12814 .fixup_map_hash_8b = { 23 },
12816 .errstr = "invalid read from stack off -16+0 size 8",
12819 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
12822 /* pass fp-16, fp-8 into a function */
12823 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12825 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12828 BPF_MOV64_IMM(BPF_REG_0, 0),
12832 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12833 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12834 /* 1st lookup from map */
12835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12838 BPF_LD_MAP_FD(BPF_REG_1, 0),
12839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12840 BPF_FUNC_map_lookup_elem),
12841 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12842 BPF_MOV64_IMM(BPF_REG_8, 0),
12843 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12844 /* write map_value_ptr into stack frame of main prog at fp-8 */
12845 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12846 BPF_MOV64_IMM(BPF_REG_8, 1),
12848 /* 2nd lookup from map */
12849 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
12850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12851 BPF_LD_MAP_FD(BPF_REG_1, 0),
12852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
12853 BPF_FUNC_map_lookup_elem),
12854 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12855 BPF_MOV64_IMM(BPF_REG_9, 0),
12856 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12857 /* write map_value_ptr into stack frame of main prog at fp-16 */
12858 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12859 BPF_MOV64_IMM(BPF_REG_9, 1),
12861 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
12863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12864 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12865 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
12870 /* if arg2 == 1 do *arg1 = 0 */
12871 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12872 /* fetch map_value_ptr from the stack of this function */
12873 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12874 /* write into map value */
12875 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12877 /* if arg4 == 1 do *arg3 = 0 */
12878 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12879 /* fetch map_value_ptr from the stack of this function */
12880 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12881 /* write into map value */
12882 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
12885 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12886 .fixup_map_hash_8b = { 12, 22 },
12888 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
12889 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12892 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
12895 /* pass fp-16, fp-8 into a function */
12896 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12898 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12901 BPF_MOV64_IMM(BPF_REG_0, 0),
12905 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12906 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12907 /* 1st lookup from map */
12908 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12909 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12911 BPF_LD_MAP_FD(BPF_REG_1, 0),
12912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12913 BPF_FUNC_map_lookup_elem),
12914 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12915 BPF_MOV64_IMM(BPF_REG_8, 0),
12916 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12917 /* write map_value_ptr into stack frame of main prog at fp-8 */
12918 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12919 BPF_MOV64_IMM(BPF_REG_8, 1),
12921 /* 2nd lookup from map */
12922 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
12923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12924 BPF_LD_MAP_FD(BPF_REG_1, 0),
12925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
12926 BPF_FUNC_map_lookup_elem),
12927 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12928 BPF_MOV64_IMM(BPF_REG_9, 0),
12929 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12930 /* write map_value_ptr into stack frame of main prog at fp-16 */
12931 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12932 BPF_MOV64_IMM(BPF_REG_9, 1),
12934 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12935 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
12936 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12937 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12938 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
12943 /* if arg2 == 1 do *arg1 = 0 */
12944 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12945 /* fetch map_value_ptr from the stack of this function */
12946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12947 /* write into map value */
12948 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12950 /* if arg4 == 1 do *arg3 = 0 */
12951 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12952 /* fetch map_value_ptr from the stack of this function */
12953 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12954 /* write into map value */
12955 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12958 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12959 .fixup_map_hash_8b = { 12, 22 },
12963 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
12966 /* pass fp-16, fp-8 into a function */
12967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12971 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12972 BPF_MOV64_IMM(BPF_REG_0, 0),
12976 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12977 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12978 /* 1st lookup from map */
12979 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
12980 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12982 BPF_LD_MAP_FD(BPF_REG_1, 0),
12983 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12984 BPF_FUNC_map_lookup_elem),
12985 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12986 BPF_MOV64_IMM(BPF_REG_8, 0),
12987 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12988 /* write map_value_ptr into stack frame of main prog at fp-8 */
12989 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12990 BPF_MOV64_IMM(BPF_REG_8, 1),
12992 /* 2nd lookup from map */
12993 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12995 BPF_LD_MAP_FD(BPF_REG_1, 0),
12996 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12997 BPF_FUNC_map_lookup_elem),
12998 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12999 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
13000 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13001 /* write map_value_ptr into stack frame of main prog at fp-16 */
13002 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13003 BPF_MOV64_IMM(BPF_REG_9, 1),
13005 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13006 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
13007 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13008 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13009 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13010 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
13011 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
13014 /* if arg2 == 1 do *arg1 = 0 */
13015 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13016 /* fetch map_value_ptr from the stack of this function */
13017 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13018 /* write into map value */
13019 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13021 /* if arg4 == 1 do *arg3 = 0 */
13022 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13023 /* fetch map_value_ptr from the stack of this function */
13024 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13025 /* write into map value */
13026 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
13027 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
13029 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13030 .fixup_map_hash_8b = { 12, 22 },
13032 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
13033 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13036 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
13039 /* pass fp-16, fp-8 into a function */
13040 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13042 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13044 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13045 BPF_MOV64_IMM(BPF_REG_0, 0),
13049 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13050 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13051 /* 1st lookup from map */
13052 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13053 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13055 BPF_LD_MAP_FD(BPF_REG_1, 0),
13056 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13057 BPF_FUNC_map_lookup_elem),
13058 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13059 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13060 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13061 BPF_MOV64_IMM(BPF_REG_8, 0),
13062 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13063 BPF_MOV64_IMM(BPF_REG_8, 1),
13065 /* 2nd lookup from map */
13066 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13068 BPF_LD_MAP_FD(BPF_REG_1, 0),
13069 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13070 BPF_FUNC_map_lookup_elem),
13071 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
13072 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13073 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13074 BPF_MOV64_IMM(BPF_REG_9, 0),
13075 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13076 BPF_MOV64_IMM(BPF_REG_9, 1),
13078 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13079 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13080 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13081 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13082 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13083 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13087 /* if arg2 == 1 do *arg1 = 0 */
13088 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13089 /* fetch map_value_ptr from the stack of this function */
13090 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13091 /* write into map value */
13092 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13094 /* if arg4 == 1 do *arg3 = 0 */
13095 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13096 /* fetch map_value_ptr from the stack of this function */
13097 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13098 /* write into map value */
13099 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13102 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13103 .fixup_map_hash_8b = { 12, 22 },
13107 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
13110 /* pass fp-16, fp-8 into a function */
13111 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13113 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13115 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13116 BPF_MOV64_IMM(BPF_REG_0, 0),
13120 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13121 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13122 /* 1st lookup from map */
13123 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13124 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13126 BPF_LD_MAP_FD(BPF_REG_1, 0),
13127 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13128 BPF_FUNC_map_lookup_elem),
13129 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13130 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13131 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13132 BPF_MOV64_IMM(BPF_REG_8, 0),
13133 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13134 BPF_MOV64_IMM(BPF_REG_8, 1),
13136 /* 2nd lookup from map */
13137 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13139 BPF_LD_MAP_FD(BPF_REG_1, 0),
13140 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13141 BPF_FUNC_map_lookup_elem),
13142 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
13143 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13144 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13145 BPF_MOV64_IMM(BPF_REG_9, 0),
13146 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13147 BPF_MOV64_IMM(BPF_REG_9, 1),
13149 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13150 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13151 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13152 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13153 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13154 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13158 /* if arg2 == 1 do *arg1 = 0 */
13159 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13160 /* fetch map_value_ptr from the stack of this function */
13161 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13162 /* write into map value */
13163 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13165 /* if arg4 == 0 do *arg3 = 0 */
13166 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
13167 /* fetch map_value_ptr from the stack of this function */
13168 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13169 /* write into map value */
13170 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13173 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13174 .fixup_map_hash_8b = { 12, 22 },
13176 .errstr = "R0 invalid mem access 'inv'",
13179 "calls: pkt_ptr spill into caller stack",
13181 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13183 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13188 offsetof(struct __sk_buff, data)),
13189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13190 offsetof(struct __sk_buff, data_end)),
13191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13193 /* spill unchecked pkt_ptr into stack of caller */
13194 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13195 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13196 /* now the pkt range is verified, read pkt_ptr from stack */
13197 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13198 /* write 4 bytes into packet */
13199 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13203 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13204 .retval = POINTER_VALUE,
13205 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13208 "calls: pkt_ptr spill into caller stack 2",
13210 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13213 /* Marking is still kept, but not in all cases safe. */
13214 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13215 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13219 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13220 offsetof(struct __sk_buff, data)),
13221 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13222 offsetof(struct __sk_buff, data_end)),
13223 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13225 /* spill unchecked pkt_ptr into stack of caller */
13226 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13227 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13228 /* now the pkt range is verified, read pkt_ptr from stack */
13229 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13230 /* write 4 bytes into packet */
13231 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13234 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13235 .errstr = "invalid access to packet",
13237 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13240 "calls: pkt_ptr spill into caller stack 3",
13242 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13243 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13244 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13246 /* Marking is still kept and safe here. */
13247 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13248 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13252 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13253 offsetof(struct __sk_buff, data)),
13254 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13255 offsetof(struct __sk_buff, data_end)),
13256 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13258 /* spill unchecked pkt_ptr into stack of caller */
13259 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13260 BPF_MOV64_IMM(BPF_REG_5, 0),
13261 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13262 BPF_MOV64_IMM(BPF_REG_5, 1),
13263 /* now the pkt range is verified, read pkt_ptr from stack */
13264 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13265 /* write 4 bytes into packet */
13266 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13267 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13270 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13273 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13276 "calls: pkt_ptr spill into caller stack 4",
13278 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13281 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13282 /* Check marking propagated. */
13283 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13284 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13288 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13289 offsetof(struct __sk_buff, data)),
13290 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13291 offsetof(struct __sk_buff, data_end)),
13292 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13294 /* spill unchecked pkt_ptr into stack of caller */
13295 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13296 BPF_MOV64_IMM(BPF_REG_5, 0),
13297 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13298 BPF_MOV64_IMM(BPF_REG_5, 1),
13299 /* don't read back pkt_ptr from stack here */
13300 /* write 4 bytes into packet */
13301 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13302 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13305 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13308 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13311 "calls: pkt_ptr spill into caller stack 5",
13313 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13315 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
13316 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13317 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13318 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13322 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13323 offsetof(struct __sk_buff, data)),
13324 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13325 offsetof(struct __sk_buff, data_end)),
13326 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13328 BPF_MOV64_IMM(BPF_REG_5, 0),
13329 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13330 /* spill checked pkt_ptr into stack of caller */
13331 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13332 BPF_MOV64_IMM(BPF_REG_5, 1),
13333 /* don't read back pkt_ptr from stack here */
13334 /* write 4 bytes into packet */
13335 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13336 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13339 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13340 .errstr = "same insn cannot be used with different",
13342 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13345 "calls: pkt_ptr spill into caller stack 6",
13347 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13348 offsetof(struct __sk_buff, data_end)),
13349 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13351 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13353 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13354 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13359 offsetof(struct __sk_buff, data)),
13360 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13361 offsetof(struct __sk_buff, data_end)),
13362 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13364 BPF_MOV64_IMM(BPF_REG_5, 0),
13365 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13366 /* spill checked pkt_ptr into stack of caller */
13367 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13368 BPF_MOV64_IMM(BPF_REG_5, 1),
13369 /* don't read back pkt_ptr from stack here */
13370 /* write 4 bytes into packet */
13371 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13372 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13375 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13376 .errstr = "R4 invalid mem access",
13378 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13381 "calls: pkt_ptr spill into caller stack 7",
13383 BPF_MOV64_IMM(BPF_REG_2, 0),
13384 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13386 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13388 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13389 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13393 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13394 offsetof(struct __sk_buff, data)),
13395 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13396 offsetof(struct __sk_buff, data_end)),
13397 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13399 BPF_MOV64_IMM(BPF_REG_5, 0),
13400 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13401 /* spill checked pkt_ptr into stack of caller */
13402 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13403 BPF_MOV64_IMM(BPF_REG_5, 1),
13404 /* don't read back pkt_ptr from stack here */
13405 /* write 4 bytes into packet */
13406 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13407 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13411 .errstr = "R4 invalid mem access",
13413 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13416 "calls: pkt_ptr spill into caller stack 8",
13418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13419 offsetof(struct __sk_buff, data)),
13420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13421 offsetof(struct __sk_buff, data_end)),
13422 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13424 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13426 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13428 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13429 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13430 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13431 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13435 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13436 offsetof(struct __sk_buff, data)),
13437 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13438 offsetof(struct __sk_buff, data_end)),
13439 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13441 BPF_MOV64_IMM(BPF_REG_5, 0),
13442 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13443 /* spill checked pkt_ptr into stack of caller */
13444 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13445 BPF_MOV64_IMM(BPF_REG_5, 1),
13446 /* don't read back pkt_ptr from stack here */
13447 /* write 4 bytes into packet */
13448 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13449 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13454 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13457 "calls: pkt_ptr spill into caller stack 9",
13459 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13460 offsetof(struct __sk_buff, data)),
13461 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13462 offsetof(struct __sk_buff, data_end)),
13463 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13465 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13467 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13468 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13469 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13470 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13471 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13472 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13476 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13477 offsetof(struct __sk_buff, data)),
13478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13479 offsetof(struct __sk_buff, data_end)),
13480 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13482 BPF_MOV64_IMM(BPF_REG_5, 0),
13483 /* spill unchecked pkt_ptr into stack of caller */
13484 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13485 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13486 BPF_MOV64_IMM(BPF_REG_5, 1),
13487 /* don't read back pkt_ptr from stack here */
13488 /* write 4 bytes into packet */
13489 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13490 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13493 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13494 .errstr = "invalid access to packet",
13496 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13499 "calls: caller stack init to zero or map_value_or_null",
13501 BPF_MOV64_IMM(BPF_REG_0, 0),
13502 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13505 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13506 /* fetch map_value_or_null or const_zero from stack */
13507 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13509 /* store into map_value */
13510 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
13514 /* if (ctx == 0) return; */
13515 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
13516 /* else bpf_map_lookup() and *(fp - 8) = r0 */
13517 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
13518 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13520 BPF_LD_MAP_FD(BPF_REG_1, 0),
13521 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13523 BPF_FUNC_map_lookup_elem),
13524 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13525 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13528 .fixup_map_hash_8b = { 13 },
13530 .prog_type = BPF_PROG_TYPE_XDP,
13533 "calls: stack init to zero and pruning",
13535 /* first make allocated_stack 16 byte */
13536 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
13537 /* now fork the execution such that the false branch
13538 * of JGT insn will be verified second and it skisp zero
13539 * init of fp-8 stack slot. If stack liveness marking
13540 * is missing live_read marks from call map_lookup
13541 * processing then pruning will incorrectly assume
13542 * that fp-8 stack slot was unused in the fall-through
13543 * branch and will accept the program incorrectly
13545 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
13546 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13547 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
13548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13550 BPF_LD_MAP_FD(BPF_REG_1, 0),
13551 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13552 BPF_FUNC_map_lookup_elem),
13555 .fixup_map_hash_48b = { 6 },
13556 .errstr = "invalid indirect read from stack off -8+0 size 8",
13558 .prog_type = BPF_PROG_TYPE_XDP,
13561 "calls: two calls returning different map pointers for lookup (hash, array)",
13564 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
13566 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13570 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13573 BPF_FUNC_map_lookup_elem),
13574 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13575 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
13576 offsetof(struct test_val, foo)),
13577 BPF_MOV64_IMM(BPF_REG_0, 1),
13580 BPF_LD_MAP_FD(BPF_REG_0, 0),
13583 BPF_LD_MAP_FD(BPF_REG_0, 0),
13586 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13587 .fixup_map_hash_48b = { 13 },
13588 .fixup_map_array_48b = { 16 },
13593 "calls: two calls returning different map pointers for lookup (hash, map in map)",
13596 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
13598 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13600 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13601 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13604 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13605 BPF_FUNC_map_lookup_elem),
13606 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13607 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
13608 offsetof(struct test_val, foo)),
13609 BPF_MOV64_IMM(BPF_REG_0, 1),
13612 BPF_LD_MAP_FD(BPF_REG_0, 0),
13615 BPF_LD_MAP_FD(BPF_REG_0, 0),
13618 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13619 .fixup_map_in_map = { 16 },
13620 .fixup_map_array_48b = { 13 },
13622 .errstr = "R0 invalid mem access 'map_ptr'",
13625 "cond: two branches returning different map pointers for lookup (tail, tail)",
13627 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
13628 offsetof(struct __sk_buff, mark)),
13629 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
13630 BPF_LD_MAP_FD(BPF_REG_2, 0),
13631 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13632 BPF_LD_MAP_FD(BPF_REG_2, 0),
13633 BPF_MOV64_IMM(BPF_REG_3, 7),
13634 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13635 BPF_FUNC_tail_call),
13636 BPF_MOV64_IMM(BPF_REG_0, 1),
13639 .fixup_prog1 = { 5 },
13640 .fixup_prog2 = { 2 },
13641 .result_unpriv = REJECT,
13642 .errstr_unpriv = "tail_call abusing map_ptr",
13647 "cond: two branches returning same map pointers for lookup (tail, tail)",
13649 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
13650 offsetof(struct __sk_buff, mark)),
13651 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
13652 BPF_LD_MAP_FD(BPF_REG_2, 0),
13653 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13654 BPF_LD_MAP_FD(BPF_REG_2, 0),
13655 BPF_MOV64_IMM(BPF_REG_3, 7),
13656 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13657 BPF_FUNC_tail_call),
13658 BPF_MOV64_IMM(BPF_REG_0, 1),
13661 .fixup_prog2 = { 2, 5 },
13662 .result_unpriv = ACCEPT,
13667 "search pruning: all branches should be verified (nop operation)",
13669 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13671 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
13672 BPF_LD_MAP_FD(BPF_REG_1, 0),
13673 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
13674 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
13675 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
13676 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
13677 BPF_MOV64_IMM(BPF_REG_4, 0),
13679 BPF_MOV64_IMM(BPF_REG_4, 1),
13680 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
13681 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
13682 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
13683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
13684 BPF_MOV64_IMM(BPF_REG_6, 0),
13685 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
13688 .fixup_map_hash_8b = { 3 },
13689 .errstr = "R6 invalid mem access 'inv'",
13691 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
13694 "search pruning: all branches should be verified (invalid stack access)",
13696 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13698 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
13699 BPF_LD_MAP_FD(BPF_REG_1, 0),
13700 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
13701 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
13702 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
13703 BPF_MOV64_IMM(BPF_REG_4, 0),
13704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
13705 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
13707 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
13708 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
13709 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
13712 .fixup_map_hash_8b = { 3 },
13713 .errstr = "invalid read from stack off -16+0 size 8",
13715 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
13718 "jit: lsh, rsh, arsh by 1",
13720 BPF_MOV64_IMM(BPF_REG_0, 1),
13721 BPF_MOV64_IMM(BPF_REG_1, 0xff),
13722 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
13723 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
13724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
13726 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
13727 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
13728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
13730 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
13731 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
13733 BPF_MOV64_IMM(BPF_REG_0, 2),
13740 "jit: mov32 for ldimm64, 1",
13742 BPF_MOV64_IMM(BPF_REG_0, 2),
13743 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
13744 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
13745 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
13746 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
13747 BPF_MOV64_IMM(BPF_REG_0, 1),
13754 "jit: mov32 for ldimm64, 2",
13756 BPF_MOV64_IMM(BPF_REG_0, 1),
13757 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
13758 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
13759 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
13760 BPF_MOV64_IMM(BPF_REG_0, 2),
13767 "jit: various mul tests",
13769 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
13770 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
13771 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
13772 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
13773 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
13774 BPF_MOV64_IMM(BPF_REG_0, 1),
13776 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
13777 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
13778 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
13779 BPF_MOV64_IMM(BPF_REG_0, 1),
13781 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
13782 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
13783 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
13784 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
13785 BPF_MOV64_IMM(BPF_REG_0, 1),
13787 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
13788 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
13789 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
13790 BPF_MOV64_IMM(BPF_REG_0, 1),
13792 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
13793 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
13794 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
13795 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
13796 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
13797 BPF_MOV64_IMM(BPF_REG_0, 1),
13799 BPF_MOV64_IMM(BPF_REG_0, 2),
13806 "xadd/w check unaligned stack",
13808 BPF_MOV64_IMM(BPF_REG_0, 1),
13809 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13810 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
13811 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13815 .errstr = "misaligned stack access off",
13816 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13819 "xadd/w check unaligned map",
13821 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13824 BPF_LD_MAP_FD(BPF_REG_1, 0),
13825 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13826 BPF_FUNC_map_lookup_elem),
13827 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13829 BPF_MOV64_IMM(BPF_REG_1, 1),
13830 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
13831 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
13834 .fixup_map_hash_8b = { 3 },
13836 .errstr = "misaligned value access off",
13837 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13840 "xadd/w check unaligned pkt",
13842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13843 offsetof(struct xdp_md, data)),
13844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13845 offsetof(struct xdp_md, data_end)),
13846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
13847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
13848 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
13849 BPF_MOV64_IMM(BPF_REG_0, 99),
13850 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
13851 BPF_MOV64_IMM(BPF_REG_0, 1),
13852 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13853 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
13854 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
13855 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
13856 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
13860 .errstr = "BPF_XADD stores into R2 pkt is not allowed",
13861 .prog_type = BPF_PROG_TYPE_XDP,
13862 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13865 "xadd/w check whether src/dst got mangled, 1",
13867 BPF_MOV64_IMM(BPF_REG_0, 1),
13868 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13869 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
13870 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13871 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13872 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13873 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
13874 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
13875 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13877 BPF_MOV64_IMM(BPF_REG_0, 42),
13881 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13885 "xadd/w check whether src/dst got mangled, 2",
13887 BPF_MOV64_IMM(BPF_REG_0, 1),
13888 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13889 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
13890 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13891 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13892 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13893 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
13894 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
13895 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
13897 BPF_MOV64_IMM(BPF_REG_0, 42),
13901 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13905 "bpf_get_stack return R0 within range",
13907 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13908 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13909 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13911 BPF_LD_MAP_FD(BPF_REG_1, 0),
13912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13913 BPF_FUNC_map_lookup_elem),
13914 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
13915 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13916 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
13917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
13919 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
13920 BPF_MOV64_IMM(BPF_REG_4, 256),
13921 BPF_EMIT_CALL(BPF_FUNC_get_stack),
13922 BPF_MOV64_IMM(BPF_REG_1, 0),
13923 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
13924 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
13925 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
13926 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
13927 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
13928 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
13929 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
13930 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
13931 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
13932 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
13933 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
13934 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
13935 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13936 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
13937 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
13938 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
13939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13940 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
13941 BPF_MOV64_IMM(BPF_REG_4, 0),
13942 BPF_EMIT_CALL(BPF_FUNC_get_stack),
13945 .fixup_map_hash_48b = { 4 },
13947 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
13950 "ld_abs: invalid op 1",
13952 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13953 BPF_LD_ABS(BPF_DW, 0),
13956 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13958 .errstr = "unknown opcode",
13961 "ld_abs: invalid op 2",
13963 BPF_MOV32_IMM(BPF_REG_0, 256),
13964 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13965 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
13968 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
13970 .errstr = "unknown opcode",
13973 "ld_abs: nmap reduced",
13975 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13976 BPF_LD_ABS(BPF_H, 12),
13977 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
13978 BPF_LD_ABS(BPF_H, 12),
13979 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
13980 BPF_MOV32_IMM(BPF_REG_0, 18),
13981 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
13982 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
13983 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
13984 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
13985 BPF_MOV32_IMM(BPF_REG_0, 280971478),
13986 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13987 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13988 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
13989 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13990 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
13991 BPF_LD_ABS(BPF_H, 12),
13992 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
13993 BPF_MOV32_IMM(BPF_REG_0, 22),
13994 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13995 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13996 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
13997 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
13998 BPF_MOV32_IMM(BPF_REG_0, 17366),
13999 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
14000 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
14001 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
14002 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
14003 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
14004 BPF_MOV32_IMM(BPF_REG_0, 256),
14006 BPF_MOV32_IMM(BPF_REG_0, 0),
14010 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
14011 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
14012 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
14014 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14019 "ld_abs: div + abs, test 1",
14021 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14022 BPF_LD_ABS(BPF_B, 3),
14023 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
14024 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
14025 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
14026 BPF_LD_ABS(BPF_B, 4),
14027 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
14028 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
14032 10, 20, 30, 40, 50,
14034 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14039 "ld_abs: div + abs, test 2",
14041 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14042 BPF_LD_ABS(BPF_B, 3),
14043 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
14044 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
14045 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
14046 BPF_LD_ABS(BPF_B, 128),
14047 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
14048 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
14052 10, 20, 30, 40, 50,
14054 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14059 "ld_abs: div + abs, test 3",
14061 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14062 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
14063 BPF_LD_ABS(BPF_B, 3),
14064 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
14068 10, 20, 30, 40, 50,
14070 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14075 "ld_abs: div + abs, test 4",
14077 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14078 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
14079 BPF_LD_ABS(BPF_B, 256),
14080 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
14084 10, 20, 30, 40, 50,
14086 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14091 "ld_abs: vlan + abs, test 1",
14096 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
14097 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14102 "ld_abs: vlan + abs, test 2",
14104 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14105 BPF_LD_ABS(BPF_B, 0),
14106 BPF_LD_ABS(BPF_H, 0),
14107 BPF_LD_ABS(BPF_W, 0),
14108 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
14109 BPF_MOV64_IMM(BPF_REG_6, 0),
14110 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
14111 BPF_MOV64_IMM(BPF_REG_2, 1),
14112 BPF_MOV64_IMM(BPF_REG_3, 2),
14113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14114 BPF_FUNC_skb_vlan_push),
14115 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
14116 BPF_LD_ABS(BPF_B, 0),
14117 BPF_LD_ABS(BPF_H, 0),
14118 BPF_LD_ABS(BPF_W, 0),
14119 BPF_MOV64_IMM(BPF_REG_0, 42),
14125 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14130 "ld_abs: jump around ld_abs",
14135 .fill_helper = bpf_fill_jump_around_ld_abs,
14136 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14141 "ld_dw: xor semi-random 64 bit imms, test 1",
14144 .fill_helper = bpf_fill_rand_ld_dw,
14145 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14150 "ld_dw: xor semi-random 64 bit imms, test 2",
14153 .fill_helper = bpf_fill_rand_ld_dw,
14154 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14159 "ld_dw: xor semi-random 64 bit imms, test 3",
14162 .fill_helper = bpf_fill_rand_ld_dw,
14163 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14168 "ld_dw: xor semi-random 64 bit imms, test 4",
14171 .fill_helper = bpf_fill_rand_ld_dw,
14172 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14177 "pass unmodified ctx pointer to helper",
14179 BPF_MOV64_IMM(BPF_REG_2, 0),
14180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14181 BPF_FUNC_csum_update),
14182 BPF_MOV64_IMM(BPF_REG_0, 0),
14185 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14189 "reference tracking: leak potential reference",
14192 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
14195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14196 .errstr = "Unreleased reference",
14200 "reference tracking: leak potential reference on stack",
14203 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14205 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14206 BPF_MOV64_IMM(BPF_REG_0, 0),
14209 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14210 .errstr = "Unreleased reference",
14214 "reference tracking: leak potential reference on stack 2",
14217 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14219 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14220 BPF_MOV64_IMM(BPF_REG_0, 0),
14221 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
14224 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14225 .errstr = "Unreleased reference",
14229 "reference tracking: zero potential reference",
14232 BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
14235 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14236 .errstr = "Unreleased reference",
14240 "reference tracking: copy and zero potential references",
14243 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
14244 BPF_MOV64_IMM(BPF_REG_0, 0),
14245 BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
14248 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14249 .errstr = "Unreleased reference",
14253 "reference tracking: release reference without check",
14256 /* reference in r0 may be NULL */
14257 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14258 BPF_MOV64_IMM(BPF_REG_2, 0),
14259 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14262 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14263 .errstr = "type=sock_or_null expected=sock",
14267 "reference tracking: release reference",
14270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14272 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14275 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14279 "reference tracking: release reference 2",
14282 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14283 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
14285 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14288 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14292 "reference tracking: release reference twice",
14295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14296 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14298 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14299 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14300 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14304 .errstr = "type=inv expected=sock",
14308 "reference tracking: release reference twice inside branch",
14311 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14312 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14313 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
14314 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14315 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14316 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14319 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14320 .errstr = "type=inv expected=sock",
14324 "reference tracking: alloc, check, free in one subbranch",
14326 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
14327 offsetof(struct __sk_buff, data)),
14328 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14329 offsetof(struct __sk_buff, data_end)),
14330 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
14331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
14332 /* if (offsetof(skb, mark) > data_len) exit; */
14333 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
14335 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
14336 offsetof(struct __sk_buff, mark)),
14338 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
14339 /* Leak reference in R0 */
14341 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14343 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14346 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14347 .errstr = "Unreleased reference",
14349 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
14352 "reference tracking: alloc, check, free in both subbranches",
14354 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
14355 offsetof(struct __sk_buff, data)),
14356 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14357 offsetof(struct __sk_buff, data_end)),
14358 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
14359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
14360 /* if (offsetof(skb, mark) > data_len) exit; */
14361 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
14363 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
14364 offsetof(struct __sk_buff, mark)),
14366 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
14367 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14369 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14371 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14372 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14373 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14378 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
14381 "reference tracking in call: free reference in subprog",
14384 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
14385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14386 BPF_MOV64_IMM(BPF_REG_0, 0),
14390 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
14391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
14392 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14395 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14399 "pass modified ctx pointer to helper, 1",
14401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
14402 BPF_MOV64_IMM(BPF_REG_2, 0),
14403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14404 BPF_FUNC_csum_update),
14405 BPF_MOV64_IMM(BPF_REG_0, 0),
14408 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14410 .errstr = "dereference of modified ctx ptr",
14413 "pass modified ctx pointer to helper, 2",
14415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
14416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14417 BPF_FUNC_get_socket_cookie),
14418 BPF_MOV64_IMM(BPF_REG_0, 0),
14421 .result_unpriv = REJECT,
14423 .errstr_unpriv = "dereference of modified ctx ptr",
14424 .errstr = "dereference of modified ctx ptr",
14427 "pass modified ctx pointer to helper, 3",
14429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
14430 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
14431 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
14432 BPF_MOV64_IMM(BPF_REG_2, 0),
14433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14434 BPF_FUNC_csum_update),
14435 BPF_MOV64_IMM(BPF_REG_0, 0),
14438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14440 .errstr = "variable ctx access var_off=(0x0; 0x4)",
14443 "mov64 src == dst",
14445 BPF_MOV64_IMM(BPF_REG_2, 0),
14446 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
14447 // Check bounds are OK
14448 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
14449 BPF_MOV64_IMM(BPF_REG_0, 0),
14452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14456 "mov64 src != dst",
14458 BPF_MOV64_IMM(BPF_REG_3, 0),
14459 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
14460 // Check bounds are OK
14461 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
14462 BPF_MOV64_IMM(BPF_REG_0, 0),
14465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14471 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14472 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
14473 BPF_ALU64_REG(BPF_MOV, BPF_REG_7, BPF_REG_0),
14474 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
14475 BPF_MOV64_IMM(BPF_REG_0, 0),
14476 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
14477 BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, -8),
14478 BPF_STX_MEM(BPF_B, BPF_REG_10, BPF_REG_7, -9),
14479 BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_10, -9),
14480 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14481 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14482 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14483 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14487 .result_unpriv = ACCEPT,
14488 .insn_processed = 15,
14491 "masking, test out of bounds 1",
14493 BPF_MOV32_IMM(BPF_REG_1, 5),
14494 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14495 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14496 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14497 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14498 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14499 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14500 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14507 "masking, test out of bounds 2",
14509 BPF_MOV32_IMM(BPF_REG_1, 1),
14510 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14511 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14512 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14513 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14514 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14515 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14516 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14523 "masking, test out of bounds 3",
14525 BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
14526 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14527 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14528 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14529 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14530 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14531 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14532 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14539 "masking, test out of bounds 4",
14541 BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
14542 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14543 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14544 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14545 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14546 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14547 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14548 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14555 "masking, test out of bounds 5",
14557 BPF_MOV32_IMM(BPF_REG_1, -1),
14558 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14559 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14560 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14561 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14562 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14563 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14564 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14571 "masking, test out of bounds 6",
14573 BPF_MOV32_IMM(BPF_REG_1, -1),
14574 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14575 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14576 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14577 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14578 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14579 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14580 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14587 "masking, test out of bounds 7",
14589 BPF_MOV64_IMM(BPF_REG_1, 5),
14590 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14591 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14592 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14593 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14594 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14595 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14596 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14603 "masking, test out of bounds 8",
14605 BPF_MOV64_IMM(BPF_REG_1, 1),
14606 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14607 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14608 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14609 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14610 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14611 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14612 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14619 "masking, test out of bounds 9",
14621 BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
14622 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14623 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14624 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14625 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14626 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14627 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14628 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14635 "masking, test out of bounds 10",
14637 BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
14638 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14639 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14640 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14641 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14642 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14643 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14644 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14651 "masking, test out of bounds 11",
14653 BPF_MOV64_IMM(BPF_REG_1, -1),
14654 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14655 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14656 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14657 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14658 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14659 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14660 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14667 "masking, test out of bounds 12",
14669 BPF_MOV64_IMM(BPF_REG_1, -1),
14670 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14671 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14672 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14673 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14674 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14675 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14676 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14683 "masking, test in bounds 1",
14685 BPF_MOV32_IMM(BPF_REG_1, 4),
14686 BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14687 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14688 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14689 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14690 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14691 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14692 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14699 "masking, test in bounds 2",
14701 BPF_MOV32_IMM(BPF_REG_1, 0),
14702 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14703 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14704 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14705 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14706 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14707 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14708 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14715 "masking, test in bounds 3",
14717 BPF_MOV32_IMM(BPF_REG_1, 0xfffffffe),
14718 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14719 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14720 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14721 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14722 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14723 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14724 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14728 .retval = 0xfffffffe,
14731 "masking, test in bounds 4",
14733 BPF_MOV32_IMM(BPF_REG_1, 0xabcde),
14734 BPF_MOV32_IMM(BPF_REG_2, 0xabcdef - 1),
14735 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14736 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14737 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14738 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14739 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14740 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14747 "masking, test in bounds 5",
14749 BPF_MOV32_IMM(BPF_REG_1, 0),
14750 BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14751 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14752 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14753 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14754 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14755 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14756 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14763 "masking, test in bounds 6",
14765 BPF_MOV32_IMM(BPF_REG_1, 46),
14766 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14767 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14768 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14769 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14770 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14771 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14772 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14779 "masking, test in bounds 7",
14781 BPF_MOV64_IMM(BPF_REG_3, -46),
14782 BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
14783 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14784 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
14785 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
14786 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14787 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14788 BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
14789 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
14796 "masking, test in bounds 8",
14798 BPF_MOV64_IMM(BPF_REG_3, -47),
14799 BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
14800 BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14801 BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
14802 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
14803 BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14804 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14805 BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
14806 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
14813 "reference tracking in call: free reference in subprog and outside",
14816 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
14817 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14818 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
14819 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14820 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
14825 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
14826 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14829 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14830 .errstr = "type=inv expected=sock",
14834 "reference tracking in call: alloc & leak reference in subprog",
14836 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14838 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
14839 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14840 BPF_MOV64_IMM(BPF_REG_0, 0),
14844 BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
14846 /* spill unchecked sk_ptr into stack of caller */
14847 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
14848 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14851 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14852 .errstr = "Unreleased reference",
14856 "reference tracking in call: alloc in subprog, release outside",
14858 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14859 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
14860 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14862 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14867 BPF_EXIT_INSN(), /* return sk */
14869 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14870 .retval = POINTER_VALUE,
14874 "reference tracking in call: sk_ptr leak into caller stack",
14876 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14879 BPF_MOV64_IMM(BPF_REG_0, 0),
14883 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14884 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14885 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
14886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
14887 /* spill unchecked sk_ptr into stack of caller */
14888 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14889 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14890 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
14891 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14898 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14899 .errstr = "Unreleased reference",
14903 "reference tracking in call: sk_ptr spill into caller stack",
14905 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14907 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14908 BPF_MOV64_IMM(BPF_REG_0, 0),
14912 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14914 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
14915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
14916 /* spill unchecked sk_ptr into stack of caller */
14917 BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14919 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
14920 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14921 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
14922 /* now the sk_ptr is verified, free the reference */
14923 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
14924 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14931 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14935 "reference tracking: allow LD_ABS",
14937 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14939 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14941 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14942 BPF_LD_ABS(BPF_B, 0),
14943 BPF_LD_ABS(BPF_H, 0),
14944 BPF_LD_ABS(BPF_W, 0),
14947 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14951 "reference tracking: forbid LD_ABS while holding reference",
14953 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14955 BPF_LD_ABS(BPF_B, 0),
14956 BPF_LD_ABS(BPF_H, 0),
14957 BPF_LD_ABS(BPF_W, 0),
14958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14959 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14960 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14963 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14964 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
14968 "reference tracking: allow LD_IND",
14970 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14973 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14974 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14975 BPF_MOV64_IMM(BPF_REG_7, 1),
14976 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
14977 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
14980 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14985 "reference tracking: forbid LD_IND while holding reference",
14987 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14989 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
14990 BPF_MOV64_IMM(BPF_REG_7, 1),
14991 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
14992 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
14993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
14994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
14995 BPF_EMIT_CALL(BPF_FUNC_sk_release),
14998 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
14999 .errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
15003 "reference tracking: check reference or tail call",
15005 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15007 /* if (sk) bpf_sk_release() */
15008 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15009 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
15010 /* bpf_tail_call() */
15011 BPF_MOV64_IMM(BPF_REG_3, 2),
15012 BPF_LD_MAP_FD(BPF_REG_2, 0),
15013 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15015 BPF_FUNC_tail_call),
15016 BPF_MOV64_IMM(BPF_REG_0, 0),
15018 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15021 .fixup_prog1 = { 17 },
15022 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15026 "reference tracking: release reference then tail call",
15028 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15030 /* if (sk) bpf_sk_release() */
15031 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15032 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
15033 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15034 /* bpf_tail_call() */
15035 BPF_MOV64_IMM(BPF_REG_3, 2),
15036 BPF_LD_MAP_FD(BPF_REG_2, 0),
15037 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15038 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15039 BPF_FUNC_tail_call),
15040 BPF_MOV64_IMM(BPF_REG_0, 0),
15043 .fixup_prog1 = { 18 },
15044 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15048 "reference tracking: leak possible reference over tail call",
15050 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15051 /* Look up socket and store in REG_6 */
15053 /* bpf_tail_call() */
15054 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15055 BPF_MOV64_IMM(BPF_REG_3, 2),
15056 BPF_LD_MAP_FD(BPF_REG_2, 0),
15057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15058 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15059 BPF_FUNC_tail_call),
15060 BPF_MOV64_IMM(BPF_REG_0, 0),
15061 /* if (sk) bpf_sk_release() */
15062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
15064 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15067 .fixup_prog1 = { 16 },
15068 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15069 .errstr = "tail_call would lead to reference leak",
15073 "reference tracking: leak checked reference over tail call",
15075 BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15076 /* Look up socket and store in REG_6 */
15078 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15079 /* if (!sk) goto end */
15080 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
15081 /* bpf_tail_call() */
15082 BPF_MOV64_IMM(BPF_REG_3, 0),
15083 BPF_LD_MAP_FD(BPF_REG_2, 0),
15084 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15085 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15086 BPF_FUNC_tail_call),
15087 BPF_MOV64_IMM(BPF_REG_0, 0),
15088 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15089 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15092 .fixup_prog1 = { 17 },
15093 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15094 .errstr = "tail_call would lead to reference leak",
15098 "reference tracking: mangle and release sock_or_null",
15101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
15103 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
15104 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15107 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15108 .errstr = "R1 pointer arithmetic on sock_or_null prohibited",
15112 "reference tracking: mangle and release sock",
15115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15116 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
15117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
15118 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15121 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15122 .errstr = "R1 pointer arithmetic on sock prohibited",
15126 "reference tracking: access member",
15129 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15131 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
15132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15133 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15136 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15140 "reference tracking: write to member",
15143 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15144 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
15145 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15146 BPF_LD_IMM64(BPF_REG_2, 42),
15147 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
15148 offsetof(struct bpf_sock, mark)),
15149 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15150 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15151 BPF_LD_IMM64(BPF_REG_0, 0),
15154 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15155 .errstr = "cannot write into socket",
15159 "reference tracking: invalid 64-bit access of member",
15162 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15164 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
15165 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15166 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15169 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15170 .errstr = "invalid bpf_sock access off=0 size=8",
15174 "reference tracking: access after release",
15177 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15178 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
15179 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
15183 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15184 .errstr = "!read_ok",
15188 "reference tracking: direct access for lookup",
15190 /* Check that the packet is at least 64B long */
15191 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15192 offsetof(struct __sk_buff, data)),
15193 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15194 offsetof(struct __sk_buff, data_end)),
15195 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
15196 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
15197 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
15198 /* sk = sk_lookup_tcp(ctx, skb->data, ...) */
15199 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
15200 BPF_MOV64_IMM(BPF_REG_4, 0),
15201 BPF_MOV64_IMM(BPF_REG_5, 0),
15202 BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
15203 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15204 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15205 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
15206 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15207 BPF_EMIT_CALL(BPF_FUNC_sk_release),
15210 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15214 "calls: ctx read at start of subprog",
15216 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
15217 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
15218 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
15219 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
15221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15223 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
15224 BPF_MOV64_IMM(BPF_REG_0, 0),
15227 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15228 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15229 .result_unpriv = REJECT,
15233 "check wire_len is not readable by sockets",
15235 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
15236 offsetof(struct __sk_buff, wire_len)),
15239 .errstr = "invalid bpf_context access",
15243 "check wire_len is readable by tc classifier",
15245 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
15246 offsetof(struct __sk_buff, wire_len)),
15249 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15253 "check wire_len is not writable by tc classifier",
15255 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
15256 offsetof(struct __sk_buff, wire_len)),
15259 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15260 .errstr = "invalid bpf_context access",
15261 .errstr_unpriv = "R1 leaks addr",
15265 "calls: cross frame pruning",
15267 /* r8 = !!random();
15270 * do something bad;
15272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15273 BPF_FUNC_get_prandom_u32),
15274 BPF_MOV64_IMM(BPF_REG_8, 0),
15275 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
15276 BPF_MOV64_IMM(BPF_REG_8, 1),
15277 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
15278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
15279 BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
15280 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
15281 BPF_MOV64_IMM(BPF_REG_0, 0),
15283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
15286 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15287 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15288 .errstr = "!read_ok",
15292 "jset: functional",
15295 BPF_MOV64_IMM(BPF_REG_0, 0),
15296 /* prep for direct packet access via r2 */
15297 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15298 offsetof(struct __sk_buff, data)),
15299 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15300 offsetof(struct __sk_buff, data_end)),
15301 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
15302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
15303 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1),
15306 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_2, 0),
15308 /* reg, bit 63 or bit 0 set, taken */
15309 BPF_LD_IMM64(BPF_REG_8, 0x8000000000000001),
15310 BPF_JMP_REG(BPF_JSET, BPF_REG_7, BPF_REG_8, 1),
15313 /* reg, bit 62, not taken */
15314 BPF_LD_IMM64(BPF_REG_8, 0x4000000000000000),
15315 BPF_JMP_REG(BPF_JSET, BPF_REG_7, BPF_REG_8, 1),
15316 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
15319 /* imm, any bit set, taken */
15320 BPF_JMP_IMM(BPF_JSET, BPF_REG_7, -1, 1),
15323 /* imm, bit 31 set, taken */
15324 BPF_JMP_IMM(BPF_JSET, BPF_REG_7, 0x80000000, 1),
15327 /* all good - return r0 == 2 */
15328 BPF_MOV64_IMM(BPF_REG_0, 2),
15331 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15336 .data64 = { (1ULL << 63) | (1U << 31) | (1U << 0), }
15339 .data64 = { (1ULL << 63) | (1U << 31), }
15342 .data64 = { (1ULL << 31) | (1U << 0), }
15345 .data64 = { (__u32)-1, }
15348 .data64 = { ~0x4000000000000000ULL, }
15354 .data64 = { ~0ULL, }
15359 "jset: sign-extend",
15362 BPF_MOV64_IMM(BPF_REG_0, 0),
15363 /* prep for direct packet access via r2 */
15364 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15365 offsetof(struct __sk_buff, data)),
15366 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15367 offsetof(struct __sk_buff, data_end)),
15368 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
15369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
15370 BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1),
15373 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_2, 0),
15375 BPF_JMP_IMM(BPF_JSET, BPF_REG_7, 0x80000000, 1),
15378 BPF_MOV64_IMM(BPF_REG_0, 2),
15381 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
15384 .data = { 1, 0, 0, 0, 0, 0, 0, 1, },
15387 "jset: known const compare",
15389 BPF_MOV64_IMM(BPF_REG_0, 1),
15390 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15391 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15394 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15395 .retval_unpriv = 1,
15396 .result_unpriv = ACCEPT,
15401 "jset: known const compare bad",
15403 BPF_MOV64_IMM(BPF_REG_0, 0),
15404 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15405 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15408 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15409 .errstr_unpriv = "!read_ok",
15410 .result_unpriv = REJECT,
15411 .errstr = "!read_ok",
15415 "jset: unknown const compare taken",
15417 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15418 BPF_FUNC_get_prandom_u32),
15419 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15420 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
15421 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15424 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15425 .errstr_unpriv = "!read_ok",
15426 .result_unpriv = REJECT,
15427 .errstr = "!read_ok",
15431 "jset: unknown const compare not taken",
15433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15434 BPF_FUNC_get_prandom_u32),
15435 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15436 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15439 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15440 .errstr_unpriv = "!read_ok",
15441 .result_unpriv = REJECT,
15442 .errstr = "!read_ok",
15446 "jset: half-known const compare",
15448 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15449 BPF_FUNC_get_prandom_u32),
15450 BPF_ALU64_IMM(BPF_OR, BPF_REG_0, 2),
15451 BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 3, 1),
15452 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15453 BPF_MOV64_IMM(BPF_REG_0, 0),
15456 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15457 .result_unpriv = ACCEPT,
15463 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15464 BPF_FUNC_get_prandom_u32),
15465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15466 BPF_MOV64_IMM(BPF_REG_0, 0),
15467 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xff),
15468 BPF_JMP_IMM(BPF_JSET, BPF_REG_1, 0xf0, 3),
15469 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 0x10, 1),
15470 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15472 BPF_JMP_IMM(BPF_JSET, BPF_REG_1, 0x10, 1),
15474 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0x10, 1),
15475 BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15478 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15479 .result_unpriv = ACCEPT,
15484 static int probe_filter_length(const struct bpf_insn *fp)
15488 for (len = MAX_INSNS - 1; len > 0; --len)
15489 if (fp[len].code != 0 || fp[len].imm != 0)
15494 static int create_map(uint32_t type, uint32_t size_key,
15495 uint32_t size_value, uint32_t max_elem)
15499 fd = bpf_create_map(type, size_key, size_value, max_elem,
15500 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
15502 printf("Failed to create hash map '%s'!\n", strerror(errno));
15507 static void update_map(int fd, int index)
15509 struct test_val value = {
15510 .index = (6 + 1) * sizeof(int),
15511 .foo[6] = 0xabcdef12,
15514 assert(!bpf_map_update_elem(fd, &index, &value, 0));
15517 static int create_prog_dummy1(enum bpf_prog_type prog_type)
15519 struct bpf_insn prog[] = {
15520 BPF_MOV64_IMM(BPF_REG_0, 42),
15524 return bpf_load_program(prog_type, prog,
15525 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
15528 static int create_prog_dummy2(enum bpf_prog_type prog_type, int mfd, int idx)
15530 struct bpf_insn prog[] = {
15531 BPF_MOV64_IMM(BPF_REG_3, idx),
15532 BPF_LD_MAP_FD(BPF_REG_2, mfd),
15533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15534 BPF_FUNC_tail_call),
15535 BPF_MOV64_IMM(BPF_REG_0, 41),
15539 return bpf_load_program(prog_type, prog,
15540 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
15543 static int create_prog_array(enum bpf_prog_type prog_type, uint32_t max_elem,
15547 int mfd, p1fd, p2fd;
15549 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
15550 sizeof(int), max_elem, 0);
15552 printf("Failed to create prog array '%s'!\n", strerror(errno));
15556 p1fd = create_prog_dummy1(prog_type);
15557 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
15558 if (p1fd < 0 || p2fd < 0)
15560 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
15562 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
15575 static int create_map_in_map(void)
15577 int inner_map_fd, outer_map_fd;
15579 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
15580 sizeof(int), 1, 0);
15581 if (inner_map_fd < 0) {
15582 printf("Failed to create array '%s'!\n", strerror(errno));
15583 return inner_map_fd;
15586 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
15587 sizeof(int), inner_map_fd, 1, 0);
15588 if (outer_map_fd < 0)
15589 printf("Failed to create array of maps '%s'!\n",
15592 close(inner_map_fd);
15594 return outer_map_fd;
15597 static int create_cgroup_storage(bool percpu)
15599 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
15600 BPF_MAP_TYPE_CGROUP_STORAGE;
15603 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
15604 TEST_DATA_LEN, 0, 0);
15606 printf("Failed to create cgroup storage '%s'!\n",
15612 static char bpf_vlog[UINT_MAX >> 8];
15614 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
15615 struct bpf_insn *prog, int *map_fds)
15617 int *fixup_map_hash_8b = test->fixup_map_hash_8b;
15618 int *fixup_map_hash_48b = test->fixup_map_hash_48b;
15619 int *fixup_map_hash_16b = test->fixup_map_hash_16b;
15620 int *fixup_map_array_48b = test->fixup_map_array_48b;
15621 int *fixup_map_sockmap = test->fixup_map_sockmap;
15622 int *fixup_map_sockhash = test->fixup_map_sockhash;
15623 int *fixup_map_xskmap = test->fixup_map_xskmap;
15624 int *fixup_map_stacktrace = test->fixup_map_stacktrace;
15625 int *fixup_prog1 = test->fixup_prog1;
15626 int *fixup_prog2 = test->fixup_prog2;
15627 int *fixup_map_in_map = test->fixup_map_in_map;
15628 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
15629 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
15631 if (test->fill_helper)
15632 test->fill_helper(test);
15634 /* Allocating HTs with 1 elem is fine here, since we only test
15635 * for verifier and not do a runtime lookup, so the only thing
15636 * that really matters is value size in this case.
15638 if (*fixup_map_hash_8b) {
15639 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15640 sizeof(long long), 1);
15642 prog[*fixup_map_hash_8b].imm = map_fds[0];
15643 fixup_map_hash_8b++;
15644 } while (*fixup_map_hash_8b);
15647 if (*fixup_map_hash_48b) {
15648 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15649 sizeof(struct test_val), 1);
15651 prog[*fixup_map_hash_48b].imm = map_fds[1];
15652 fixup_map_hash_48b++;
15653 } while (*fixup_map_hash_48b);
15656 if (*fixup_map_hash_16b) {
15657 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15658 sizeof(struct other_val), 1);
15660 prog[*fixup_map_hash_16b].imm = map_fds[2];
15661 fixup_map_hash_16b++;
15662 } while (*fixup_map_hash_16b);
15665 if (*fixup_map_array_48b) {
15666 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
15667 sizeof(struct test_val), 1);
15668 update_map(map_fds[3], 0);
15670 prog[*fixup_map_array_48b].imm = map_fds[3];
15671 fixup_map_array_48b++;
15672 } while (*fixup_map_array_48b);
15675 if (*fixup_prog1) {
15676 map_fds[4] = create_prog_array(prog_type, 4, 0);
15678 prog[*fixup_prog1].imm = map_fds[4];
15680 } while (*fixup_prog1);
15683 if (*fixup_prog2) {
15684 map_fds[5] = create_prog_array(prog_type, 8, 7);
15686 prog[*fixup_prog2].imm = map_fds[5];
15688 } while (*fixup_prog2);
15691 if (*fixup_map_in_map) {
15692 map_fds[6] = create_map_in_map();
15694 prog[*fixup_map_in_map].imm = map_fds[6];
15695 fixup_map_in_map++;
15696 } while (*fixup_map_in_map);
15699 if (*fixup_cgroup_storage) {
15700 map_fds[7] = create_cgroup_storage(false);
15702 prog[*fixup_cgroup_storage].imm = map_fds[7];
15703 fixup_cgroup_storage++;
15704 } while (*fixup_cgroup_storage);
15707 if (*fixup_percpu_cgroup_storage) {
15708 map_fds[8] = create_cgroup_storage(true);
15710 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
15711 fixup_percpu_cgroup_storage++;
15712 } while (*fixup_percpu_cgroup_storage);
15714 if (*fixup_map_sockmap) {
15715 map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
15718 prog[*fixup_map_sockmap].imm = map_fds[9];
15719 fixup_map_sockmap++;
15720 } while (*fixup_map_sockmap);
15722 if (*fixup_map_sockhash) {
15723 map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
15726 prog[*fixup_map_sockhash].imm = map_fds[10];
15727 fixup_map_sockhash++;
15728 } while (*fixup_map_sockhash);
15730 if (*fixup_map_xskmap) {
15731 map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
15734 prog[*fixup_map_xskmap].imm = map_fds[11];
15735 fixup_map_xskmap++;
15736 } while (*fixup_map_xskmap);
15738 if (*fixup_map_stacktrace) {
15739 map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
15742 prog[*fixup_map_stacktrace].imm = map_fds[12];
15743 fixup_map_stacktrace++;
15744 } while (*fixup_map_stacktrace);
15748 static int set_admin(bool admin)
15751 const cap_value_t cap_val = CAP_SYS_ADMIN;
15754 caps = cap_get_proc();
15756 perror("cap_get_proc");
15759 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
15760 admin ? CAP_SET : CAP_CLEAR)) {
15761 perror("cap_set_flag");
15764 if (cap_set_proc(caps)) {
15765 perror("cap_set_proc");
15770 if (cap_free(caps))
15771 perror("cap_free");
15775 static int do_prog_test_run(int fd_prog, bool unpriv, uint32_t expected_val,
15776 void *data, size_t size_data)
15778 __u8 tmp[TEST_DATA_LEN << 2];
15779 __u32 size_tmp = sizeof(tmp);
15785 err = bpf_prog_test_run(fd_prog, 1, data, size_data,
15786 tmp, &size_tmp, &retval, NULL);
15789 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
15790 printf("Unexpected bpf_prog_test_run error ");
15793 if (!err && retval != expected_val &&
15794 expected_val != POINTER_VALUE) {
15795 printf("FAIL retval %d != %d ", retval, expected_val);
15802 static void do_test_single(struct bpf_test *test, bool unpriv,
15803 int *passes, int *errors)
15805 int fd_prog, expected_ret, alignment_prevented_execution;
15806 int prog_len, prog_type = test->prog_type;
15807 struct bpf_insn *prog = test->insns;
15808 int run_errs, run_successes;
15809 int map_fds[MAX_NR_MAPS];
15810 const char *expected_err;
15814 for (i = 0; i < MAX_NR_MAPS; i++)
15818 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
15819 do_test_fixup(test, prog_type, prog, map_fds);
15820 prog_len = probe_filter_length(prog);
15823 if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT)
15824 pflags |= BPF_F_STRICT_ALIGNMENT;
15825 if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)
15826 pflags |= BPF_F_ANY_ALIGNMENT;
15827 fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags,
15828 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
15830 expected_ret = unpriv && test->result_unpriv != UNDEF ?
15831 test->result_unpriv : test->result;
15832 expected_err = unpriv && test->errstr_unpriv ?
15833 test->errstr_unpriv : test->errstr;
15835 alignment_prevented_execution = 0;
15837 if (expected_ret == ACCEPT) {
15839 printf("FAIL\nFailed to load prog '%s'!\n",
15843 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
15844 if (fd_prog >= 0 &&
15845 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS))
15846 alignment_prevented_execution = 1;
15849 if (fd_prog >= 0) {
15850 printf("FAIL\nUnexpected success to load!\n");
15853 if (!strstr(bpf_vlog, expected_err)) {
15854 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
15855 expected_err, bpf_vlog);
15860 if (test->insn_processed) {
15861 uint32_t insn_processed;
15864 proc = strstr(bpf_vlog, "processed ");
15865 insn_processed = atoi(proc + 10);
15866 if (test->insn_processed != insn_processed) {
15867 printf("FAIL\nUnexpected insn_processed %u vs %u\n",
15868 insn_processed, test->insn_processed);
15875 if (!alignment_prevented_execution && fd_prog >= 0) {
15876 uint32_t expected_val;
15880 expected_val = unpriv && test->retval_unpriv ?
15881 test->retval_unpriv : test->retval;
15883 err = do_prog_test_run(fd_prog, unpriv, expected_val,
15884 test->data, sizeof(test->data));
15891 for (i = 0; i < test->runs; i++) {
15892 if (unpriv && test->retvals[i].retval_unpriv)
15893 expected_val = test->retvals[i].retval_unpriv;
15895 expected_val = test->retvals[i].retval;
15897 err = do_prog_test_run(fd_prog, unpriv, expected_val,
15898 test->retvals[i].data,
15899 sizeof(test->retvals[i].data));
15901 printf("(run %d/%d) ", i + 1, test->runs);
15911 if (run_successes > 1)
15912 printf("%d cases ", run_successes);
15914 if (alignment_prevented_execution)
15915 printf(" (NOTE: not executed due to unknown alignment)");
15923 for (i = 0; i < MAX_NR_MAPS; i++)
15929 printf("%s", bpf_vlog);
15933 static bool is_admin(void)
15936 cap_flag_value_t sysadmin = CAP_CLEAR;
15937 const cap_value_t cap_val = CAP_SYS_ADMIN;
15939 #ifdef CAP_IS_SUPPORTED
15940 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
15941 perror("cap_get_flag");
15945 caps = cap_get_proc();
15947 perror("cap_get_proc");
15950 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
15951 perror("cap_get_flag");
15952 if (cap_free(caps))
15953 perror("cap_free");
15954 return (sysadmin == CAP_SET);
15957 static void get_unpriv_disabled()
15962 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
15964 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
15965 unpriv_disabled = true;
15968 if (fgets(buf, 2, fd) == buf && atoi(buf))
15969 unpriv_disabled = true;
15973 static bool test_as_unpriv(struct bpf_test *test)
15975 return !test->prog_type ||
15976 test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
15977 test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
15980 static int do_test(bool unpriv, unsigned int from, unsigned int to)
15982 int i, passes = 0, errors = 0, skips = 0;
15984 for (i = from; i < to; i++) {
15985 struct bpf_test *test = &tests[i];
15987 /* Program types that are not supported by non-root we
15990 if (test_as_unpriv(test) && unpriv_disabled) {
15991 printf("#%d/u %s SKIP\n", i, test->descr);
15993 } else if (test_as_unpriv(test)) {
15996 printf("#%d/u %s ", i, test->descr);
15997 do_test_single(test, true, &passes, &errors);
16003 printf("#%d/p %s SKIP\n", i, test->descr);
16006 printf("#%d/p %s ", i, test->descr);
16007 do_test_single(test, false, &passes, &errors);
16011 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
16013 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
16016 int main(int argc, char **argv)
16018 unsigned int from = 0, to = ARRAY_SIZE(tests);
16019 bool unpriv = !is_admin();
16022 unsigned int l = atoi(argv[argc - 2]);
16023 unsigned int u = atoi(argv[argc - 1]);
16025 if (l < to && u < to) {
16029 } else if (argc == 2) {
16030 unsigned int t = atoi(argv[argc - 1]);
16038 get_unpriv_disabled();
16039 if (unpriv && unpriv_disabled) {
16040 printf("Cannot run as unprivileged user with sysctl %s.\n",
16042 return EXIT_FAILURE;
16045 bpf_semi_rand_init();
16046 return do_test(unpriv, from, to);
projects / linux.git / blob