2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
12 #include <asm/types.h>
13 #include <linux/types.h>
24 #include <sys/capability.h>
25 #include <sys/resource.h>
27 #include <linux/unistd.h>
28 #include <linux/filter.h>
29 #include <linux/bpf_perf_event.h>
30 #include <linux/bpf.h>
35 # include "autoconf.h"
37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42 #include "../../../include/linux/filter.h"
45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
53 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
57 struct bpf_insn insns[MAX_INSNS];
58 int fixup_map1[MAX_FIXUPS];
59 int fixup_map2[MAX_FIXUPS];
60 int fixup_prog[MAX_FIXUPS];
61 int fixup_map_in_map[MAX_FIXUPS];
63 const char *errstr_unpriv;
68 } result, result_unpriv;
69 enum bpf_prog_type prog_type;
73 /* Note we want this to be 64 bit aligned so that the end of our array is
74 * actually the end of the structure.
76 #define MAX_ENTRIES 11
83 static struct bpf_test tests[] = {
87 BPF_MOV64_IMM(BPF_REG_1, 1),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
89 BPF_MOV64_IMM(BPF_REG_2, 3),
90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
104 .errstr = "unreachable",
110 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
111 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
114 .errstr = "unreachable",
120 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
123 .errstr = "jump out of range",
127 "out of range jump2",
129 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
132 .errstr = "jump out of range",
138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 0),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_LD_IMM64(BPF_REG_0, 1),
143 BPF_MOV64_IMM(BPF_REG_0, 2),
146 .errstr = "invalid BPF_LD_IMM insn",
147 .errstr_unpriv = "R1 pointer comparison",
153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 0),
156 BPF_LD_IMM64(BPF_REG_0, 1),
157 BPF_LD_IMM64(BPF_REG_0, 1),
160 .errstr = "invalid BPF_LD_IMM insn",
161 .errstr_unpriv = "R1 pointer comparison",
167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 0),
171 BPF_LD_IMM64(BPF_REG_0, 1),
172 BPF_LD_IMM64(BPF_REG_0, 1),
175 .errstr = "invalid bpf_ld_imm64 insn",
181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
184 .errstr = "invalid bpf_ld_imm64 insn",
190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
192 .errstr = "invalid bpf_ld_imm64 insn",
198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
199 BPF_RAW_INSN(0, 0, 0, 0, 0),
207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
208 BPF_RAW_INSN(0, 0, 0, 0, 1),
216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
217 BPF_RAW_INSN(0, 0, 0, 0, 1),
220 .errstr = "uses reserved fields",
226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
227 BPF_RAW_INSN(0, 0, 0, 1, 1),
230 .errstr = "invalid bpf_ld_imm64 insn",
236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
240 .errstr = "invalid bpf_ld_imm64 insn",
246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
250 .errstr = "invalid bpf_ld_imm64 insn",
256 BPF_MOV64_IMM(BPF_REG_1, 0),
257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
258 BPF_RAW_INSN(0, 0, 0, 0, 1),
261 .errstr = "not pointing to valid bpf_map",
267 BPF_MOV64_IMM(BPF_REG_1, 0),
268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
272 .errstr = "invalid bpf_ld_imm64 insn",
278 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
280 .errstr = "jump out of range",
286 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
289 .errstr = "back-edge",
295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
298 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
301 .errstr = "back-edge",
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
313 .errstr = "back-edge",
317 "read uninitialized register",
319 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
322 .errstr = "R2 !read_ok",
326 "read invalid register",
328 BPF_MOV64_REG(BPF_REG_0, -1),
331 .errstr = "R15 is invalid",
335 "program doesn't init R0 before exit",
337 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
340 .errstr = "R0 !read_ok",
344 "program doesn't init R0 before exit in all branches",
346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
347 BPF_MOV64_IMM(BPF_REG_0, 1),
348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
351 .errstr = "R0 !read_ok",
352 .errstr_unpriv = "R1 pointer comparison",
356 "stack out of bounds",
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
361 .errstr = "invalid stack",
365 "invalid call insn1",
367 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
370 .errstr = "BPF_CALL uses reserved",
374 "invalid call insn2",
376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
379 .errstr = "BPF_CALL uses reserved",
383 "invalid function call",
385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
388 .errstr = "invalid func unknown#1234567",
392 "uninitialized stack1",
394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
396 BPF_LD_MAP_FD(BPF_REG_1, 0),
397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
398 BPF_FUNC_map_lookup_elem),
402 .errstr = "invalid indirect read from stack",
406 "uninitialized stack2",
408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
412 .errstr = "invalid read from stack",
416 "invalid fp arithmetic",
417 /* If this gets ever changed, make sure JITs can deal with it. */
419 BPF_MOV64_IMM(BPF_REG_0, 0),
420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
421 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
425 .errstr_unpriv = "R1 pointer arithmetic",
426 .result_unpriv = REJECT,
427 .errstr = "R1 invalid mem access",
431 "non-invalid fp arithmetic",
433 BPF_MOV64_IMM(BPF_REG_0, 0),
434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
440 "invalid argument register",
442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
443 BPF_FUNC_get_cgroup_classid),
444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
445 BPF_FUNC_get_cgroup_classid),
448 .errstr = "R1 !read_ok",
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
453 "non-invalid argument register",
455 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
457 BPF_FUNC_get_cgroup_classid),
458 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
460 BPF_FUNC_get_cgroup_classid),
464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
467 "check valid spill/fill",
469 /* spill R1(ctx) into stack */
470 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
471 /* fill it back into R2 */
472 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
473 /* should be able to access R0 = *(R2 + 8) */
474 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
478 .errstr_unpriv = "R0 leaks addr",
480 .result_unpriv = REJECT,
483 "check valid spill/fill, skb mark",
485 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
489 offsetof(struct __sk_buff, mark)),
493 .result_unpriv = ACCEPT,
496 "check corrupted spill/fill",
498 /* spill R1(ctx) into stack */
499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
500 /* mess up with R1 pointer on stack */
501 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
502 /* fill back into R0 should fail */
503 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
506 .errstr_unpriv = "attempt to corrupt spilled",
507 .errstr = "corrupted spill",
511 "invalid src register in STX",
513 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
516 .errstr = "R15 is invalid",
520 "invalid dst register in STX",
522 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
525 .errstr = "R14 is invalid",
529 "invalid dst register in ST",
531 BPF_ST_MEM(BPF_B, 14, -1, -1),
534 .errstr = "R14 is invalid",
538 "invalid src register in LDX",
540 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
543 .errstr = "R12 is invalid",
547 "invalid dst register in LDX",
549 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
552 .errstr = "R11 is invalid",
558 BPF_RAW_INSN(0, 0, 0, 0, 0),
561 .errstr = "invalid BPF_LD_IMM",
567 BPF_RAW_INSN(1, 0, 0, 0, 0),
570 .errstr = "BPF_LDX uses reserved fields",
576 BPF_RAW_INSN(-1, 0, 0, 0, 0),
579 .errstr = "invalid BPF_ALU opcode f0",
585 BPF_RAW_INSN(-1, -1, -1, -1, -1),
588 .errstr = "invalid BPF_ALU opcode f0",
594 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
597 .errstr = "BPF_ALU uses reserved fields",
601 "misaligned read from stack",
603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
604 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
607 .errstr = "misaligned access",
611 "invalid map_fd for function call",
613 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
614 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
616 BPF_LD_MAP_FD(BPF_REG_1, 0),
617 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
618 BPF_FUNC_map_delete_elem),
621 .errstr = "fd 0 is not pointing to valid bpf_map",
625 "don't check return value before access",
627 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
629 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
630 BPF_LD_MAP_FD(BPF_REG_1, 0),
631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
632 BPF_FUNC_map_lookup_elem),
633 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
637 .errstr = "R0 invalid mem access 'map_value_or_null'",
641 "access memory with incorrect alignment",
643 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
644 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
646 BPF_LD_MAP_FD(BPF_REG_1, 0),
647 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
648 BPF_FUNC_map_lookup_elem),
649 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
650 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
654 .errstr = "misaligned access",
658 "sometimes access memory with incorrect alignment",
660 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
661 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
663 BPF_LD_MAP_FD(BPF_REG_1, 0),
664 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
665 BPF_FUNC_map_lookup_elem),
666 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
667 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
669 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
673 .errstr = "R0 invalid mem access",
674 .errstr_unpriv = "R0 leaks addr",
680 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
681 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
683 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
685 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
687 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
689 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
691 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
692 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
693 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
694 BPF_MOV64_IMM(BPF_REG_0, 0),
697 .errstr_unpriv = "R1 pointer comparison",
698 .result_unpriv = REJECT,
704 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
706 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
707 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
709 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
710 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
712 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
713 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
715 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
716 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
718 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
719 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
721 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
722 BPF_MOV64_IMM(BPF_REG_0, 0),
725 .errstr_unpriv = "R1 pointer comparison",
726 .result_unpriv = REJECT,
732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
734 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
736 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
737 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
738 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
740 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
741 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
742 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
744 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
745 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
746 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
748 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
749 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
750 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
752 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
753 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
754 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
756 BPF_LD_MAP_FD(BPF_REG_1, 0),
757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
758 BPF_FUNC_map_delete_elem),
761 .fixup_map1 = { 24 },
762 .errstr_unpriv = "R1 pointer comparison",
763 .result_unpriv = REJECT,
769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
809 BPF_MOV64_IMM(BPF_REG_0, 0),
812 .errstr_unpriv = "R1 pointer comparison",
813 .result_unpriv = REJECT,
819 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
820 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
821 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
822 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
823 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
824 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
825 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
826 BPF_MOV64_IMM(BPF_REG_0, 0),
827 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
828 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
829 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
830 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
831 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
832 BPF_MOV64_IMM(BPF_REG_0, 0),
833 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
834 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
835 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
836 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
837 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
838 BPF_MOV64_IMM(BPF_REG_0, 0),
839 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
840 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
841 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
842 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
843 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
844 BPF_MOV64_IMM(BPF_REG_0, 0),
845 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
846 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
847 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
848 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
849 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
850 BPF_MOV64_IMM(BPF_REG_0, 0),
853 .errstr_unpriv = "R1 pointer comparison",
854 .result_unpriv = REJECT,
858 "access skb fields ok",
860 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
861 offsetof(struct __sk_buff, len)),
862 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
864 offsetof(struct __sk_buff, mark)),
865 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
867 offsetof(struct __sk_buff, pkt_type)),
868 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
870 offsetof(struct __sk_buff, queue_mapping)),
871 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
872 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
873 offsetof(struct __sk_buff, protocol)),
874 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
875 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
876 offsetof(struct __sk_buff, vlan_present)),
877 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
879 offsetof(struct __sk_buff, vlan_tci)),
880 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
882 offsetof(struct __sk_buff, napi_id)),
883 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
889 "access skb fields bad1",
891 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
894 .errstr = "invalid bpf_context access",
898 "access skb fields bad2",
900 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
901 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
902 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
903 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
904 BPF_LD_MAP_FD(BPF_REG_1, 0),
905 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
906 BPF_FUNC_map_lookup_elem),
907 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
910 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
911 offsetof(struct __sk_buff, pkt_type)),
915 .errstr = "different pointers",
916 .errstr_unpriv = "R1 pointer comparison",
920 "access skb fields bad3",
922 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
923 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
924 offsetof(struct __sk_buff, pkt_type)),
926 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
929 BPF_LD_MAP_FD(BPF_REG_1, 0),
930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
931 BPF_FUNC_map_lookup_elem),
932 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
934 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
935 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
938 .errstr = "different pointers",
939 .errstr_unpriv = "R1 pointer comparison",
943 "access skb fields bad4",
945 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
946 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
947 offsetof(struct __sk_buff, len)),
948 BPF_MOV64_IMM(BPF_REG_0, 0),
950 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
951 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
952 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
953 BPF_LD_MAP_FD(BPF_REG_1, 0),
954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
955 BPF_FUNC_map_lookup_elem),
956 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
959 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
962 .errstr = "different pointers",
963 .errstr_unpriv = "R1 pointer comparison",
967 "check skb->mark is not writeable by sockets",
969 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
970 offsetof(struct __sk_buff, mark)),
973 .errstr = "invalid bpf_context access",
974 .errstr_unpriv = "R1 leaks addr",
978 "check skb->tc_index is not writeable by sockets",
980 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
981 offsetof(struct __sk_buff, tc_index)),
984 .errstr = "invalid bpf_context access",
985 .errstr_unpriv = "R1 leaks addr",
989 "check cb access: byte",
991 BPF_MOV64_IMM(BPF_REG_0, 0),
992 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
993 offsetof(struct __sk_buff, cb[0])),
994 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
995 offsetof(struct __sk_buff, cb[0]) + 1),
996 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
997 offsetof(struct __sk_buff, cb[0]) + 2),
998 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
999 offsetof(struct __sk_buff, cb[0]) + 3),
1000 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1001 offsetof(struct __sk_buff, cb[1])),
1002 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1003 offsetof(struct __sk_buff, cb[1]) + 1),
1004 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1005 offsetof(struct __sk_buff, cb[1]) + 2),
1006 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1007 offsetof(struct __sk_buff, cb[1]) + 3),
1008 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1009 offsetof(struct __sk_buff, cb[2])),
1010 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1011 offsetof(struct __sk_buff, cb[2]) + 1),
1012 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1013 offsetof(struct __sk_buff, cb[2]) + 2),
1014 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1015 offsetof(struct __sk_buff, cb[2]) + 3),
1016 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1017 offsetof(struct __sk_buff, cb[3])),
1018 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1019 offsetof(struct __sk_buff, cb[3]) + 1),
1020 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1021 offsetof(struct __sk_buff, cb[3]) + 2),
1022 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1023 offsetof(struct __sk_buff, cb[3]) + 3),
1024 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1025 offsetof(struct __sk_buff, cb[4])),
1026 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1027 offsetof(struct __sk_buff, cb[4]) + 1),
1028 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1029 offsetof(struct __sk_buff, cb[4]) + 2),
1030 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1031 offsetof(struct __sk_buff, cb[4]) + 3),
1032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1033 offsetof(struct __sk_buff, cb[0])),
1034 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1035 offsetof(struct __sk_buff, cb[0]) + 1),
1036 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1037 offsetof(struct __sk_buff, cb[0]) + 2),
1038 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1039 offsetof(struct __sk_buff, cb[0]) + 3),
1040 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1041 offsetof(struct __sk_buff, cb[1])),
1042 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1043 offsetof(struct __sk_buff, cb[1]) + 1),
1044 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1045 offsetof(struct __sk_buff, cb[1]) + 2),
1046 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1047 offsetof(struct __sk_buff, cb[1]) + 3),
1048 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1049 offsetof(struct __sk_buff, cb[2])),
1050 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1051 offsetof(struct __sk_buff, cb[2]) + 1),
1052 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1053 offsetof(struct __sk_buff, cb[2]) + 2),
1054 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1055 offsetof(struct __sk_buff, cb[2]) + 3),
1056 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1057 offsetof(struct __sk_buff, cb[3])),
1058 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1059 offsetof(struct __sk_buff, cb[3]) + 1),
1060 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1061 offsetof(struct __sk_buff, cb[3]) + 2),
1062 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1063 offsetof(struct __sk_buff, cb[3]) + 3),
1064 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1065 offsetof(struct __sk_buff, cb[4])),
1066 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1067 offsetof(struct __sk_buff, cb[4]) + 1),
1068 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1069 offsetof(struct __sk_buff, cb[4]) + 2),
1070 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1071 offsetof(struct __sk_buff, cb[4]) + 3),
1077 "__sk_buff->hash, offset 0, byte store not permitted",
1079 BPF_MOV64_IMM(BPF_REG_0, 0),
1080 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1081 offsetof(struct __sk_buff, hash)),
1084 .errstr = "invalid bpf_context access",
1088 "__sk_buff->tc_index, offset 3, byte store not permitted",
1090 BPF_MOV64_IMM(BPF_REG_0, 0),
1091 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1092 offsetof(struct __sk_buff, tc_index) + 3),
1095 .errstr = "invalid bpf_context access",
1099 "check skb->hash byte load permitted",
1101 BPF_MOV64_IMM(BPF_REG_0, 0),
1102 #if __BYTE_ORDER == __LITTLE_ENDIAN
1103 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1104 offsetof(struct __sk_buff, hash)),
1106 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1107 offsetof(struct __sk_buff, hash) + 3),
1114 "check skb->hash byte load not permitted 1",
1116 BPF_MOV64_IMM(BPF_REG_0, 0),
1117 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1118 offsetof(struct __sk_buff, hash) + 1),
1121 .errstr = "invalid bpf_context access",
1125 "check skb->hash byte load not permitted 2",
1127 BPF_MOV64_IMM(BPF_REG_0, 0),
1128 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1129 offsetof(struct __sk_buff, hash) + 2),
1132 .errstr = "invalid bpf_context access",
1136 "check skb->hash byte load not permitted 3",
1138 BPF_MOV64_IMM(BPF_REG_0, 0),
1139 #if __BYTE_ORDER == __LITTLE_ENDIAN
1140 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1141 offsetof(struct __sk_buff, hash) + 3),
1143 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1144 offsetof(struct __sk_buff, hash)),
1148 .errstr = "invalid bpf_context access",
1152 "check cb access: byte, wrong type",
1154 BPF_MOV64_IMM(BPF_REG_0, 0),
1155 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1156 offsetof(struct __sk_buff, cb[0])),
1159 .errstr = "invalid bpf_context access",
1161 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1164 "check cb access: half",
1166 BPF_MOV64_IMM(BPF_REG_0, 0),
1167 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1168 offsetof(struct __sk_buff, cb[0])),
1169 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1170 offsetof(struct __sk_buff, cb[0]) + 2),
1171 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1172 offsetof(struct __sk_buff, cb[1])),
1173 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1174 offsetof(struct __sk_buff, cb[1]) + 2),
1175 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1176 offsetof(struct __sk_buff, cb[2])),
1177 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1178 offsetof(struct __sk_buff, cb[2]) + 2),
1179 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1180 offsetof(struct __sk_buff, cb[3])),
1181 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1182 offsetof(struct __sk_buff, cb[3]) + 2),
1183 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1184 offsetof(struct __sk_buff, cb[4])),
1185 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1186 offsetof(struct __sk_buff, cb[4]) + 2),
1187 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1188 offsetof(struct __sk_buff, cb[0])),
1189 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1190 offsetof(struct __sk_buff, cb[0]) + 2),
1191 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1192 offsetof(struct __sk_buff, cb[1])),
1193 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1194 offsetof(struct __sk_buff, cb[1]) + 2),
1195 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1196 offsetof(struct __sk_buff, cb[2])),
1197 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1198 offsetof(struct __sk_buff, cb[2]) + 2),
1199 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1200 offsetof(struct __sk_buff, cb[3])),
1201 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1202 offsetof(struct __sk_buff, cb[3]) + 2),
1203 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1204 offsetof(struct __sk_buff, cb[4])),
1205 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1206 offsetof(struct __sk_buff, cb[4]) + 2),
1212 "check cb access: half, unaligned",
1214 BPF_MOV64_IMM(BPF_REG_0, 0),
1215 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1216 offsetof(struct __sk_buff, cb[0]) + 1),
1219 .errstr = "misaligned access",
1223 "check __sk_buff->hash, offset 0, half store not permitted",
1225 BPF_MOV64_IMM(BPF_REG_0, 0),
1226 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1227 offsetof(struct __sk_buff, hash)),
1230 .errstr = "invalid bpf_context access",
1234 "check __sk_buff->tc_index, offset 2, half store not permitted",
1236 BPF_MOV64_IMM(BPF_REG_0, 0),
1237 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1238 offsetof(struct __sk_buff, tc_index) + 2),
1241 .errstr = "invalid bpf_context access",
1245 "check skb->hash half load permitted",
1247 BPF_MOV64_IMM(BPF_REG_0, 0),
1248 #if __BYTE_ORDER == __LITTLE_ENDIAN
1249 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1250 offsetof(struct __sk_buff, hash)),
1252 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1253 offsetof(struct __sk_buff, hash) + 2),
1260 "check skb->hash half load not permitted",
1262 BPF_MOV64_IMM(BPF_REG_0, 0),
1263 #if __BYTE_ORDER == __LITTLE_ENDIAN
1264 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1265 offsetof(struct __sk_buff, hash) + 2),
1267 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1268 offsetof(struct __sk_buff, hash)),
1272 .errstr = "invalid bpf_context access",
1276 "check cb access: half, wrong type",
1278 BPF_MOV64_IMM(BPF_REG_0, 0),
1279 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1280 offsetof(struct __sk_buff, cb[0])),
1283 .errstr = "invalid bpf_context access",
1285 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1288 "check cb access: word",
1290 BPF_MOV64_IMM(BPF_REG_0, 0),
1291 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1292 offsetof(struct __sk_buff, cb[0])),
1293 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1294 offsetof(struct __sk_buff, cb[1])),
1295 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1296 offsetof(struct __sk_buff, cb[2])),
1297 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1298 offsetof(struct __sk_buff, cb[3])),
1299 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1300 offsetof(struct __sk_buff, cb[4])),
1301 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1302 offsetof(struct __sk_buff, cb[0])),
1303 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1304 offsetof(struct __sk_buff, cb[1])),
1305 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1306 offsetof(struct __sk_buff, cb[2])),
1307 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1308 offsetof(struct __sk_buff, cb[3])),
1309 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1310 offsetof(struct __sk_buff, cb[4])),
1316 "check cb access: word, unaligned 1",
1318 BPF_MOV64_IMM(BPF_REG_0, 0),
1319 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1320 offsetof(struct __sk_buff, cb[0]) + 2),
1323 .errstr = "misaligned access",
1327 "check cb access: word, unaligned 2",
1329 BPF_MOV64_IMM(BPF_REG_0, 0),
1330 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1331 offsetof(struct __sk_buff, cb[4]) + 1),
1334 .errstr = "misaligned access",
1338 "check cb access: word, unaligned 3",
1340 BPF_MOV64_IMM(BPF_REG_0, 0),
1341 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1342 offsetof(struct __sk_buff, cb[4]) + 2),
1345 .errstr = "misaligned access",
1349 "check cb access: word, unaligned 4",
1351 BPF_MOV64_IMM(BPF_REG_0, 0),
1352 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1353 offsetof(struct __sk_buff, cb[4]) + 3),
1356 .errstr = "misaligned access",
1360 "check cb access: double",
1362 BPF_MOV64_IMM(BPF_REG_0, 0),
1363 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1364 offsetof(struct __sk_buff, cb[0])),
1365 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1366 offsetof(struct __sk_buff, cb[2])),
1367 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1368 offsetof(struct __sk_buff, cb[0])),
1369 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1370 offsetof(struct __sk_buff, cb[2])),
1376 "check cb access: double, unaligned 1",
1378 BPF_MOV64_IMM(BPF_REG_0, 0),
1379 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1380 offsetof(struct __sk_buff, cb[1])),
1383 .errstr = "misaligned access",
1387 "check cb access: double, unaligned 2",
1389 BPF_MOV64_IMM(BPF_REG_0, 0),
1390 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1391 offsetof(struct __sk_buff, cb[3])),
1394 .errstr = "misaligned access",
1398 "check cb access: double, oob 1",
1400 BPF_MOV64_IMM(BPF_REG_0, 0),
1401 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1402 offsetof(struct __sk_buff, cb[4])),
1405 .errstr = "invalid bpf_context access",
1409 "check cb access: double, oob 2",
1411 BPF_MOV64_IMM(BPF_REG_0, 0),
1412 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1413 offsetof(struct __sk_buff, cb[4])),
1416 .errstr = "invalid bpf_context access",
1420 "check __sk_buff->ifindex dw store not permitted",
1422 BPF_MOV64_IMM(BPF_REG_0, 0),
1423 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1424 offsetof(struct __sk_buff, ifindex)),
1427 .errstr = "invalid bpf_context access",
1431 "check __sk_buff->ifindex dw load not permitted",
1433 BPF_MOV64_IMM(BPF_REG_0, 0),
1434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1435 offsetof(struct __sk_buff, ifindex)),
1438 .errstr = "invalid bpf_context access",
1442 "check cb access: double, wrong type",
1444 BPF_MOV64_IMM(BPF_REG_0, 0),
1445 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1446 offsetof(struct __sk_buff, cb[0])),
1449 .errstr = "invalid bpf_context access",
1451 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1454 "check out of range skb->cb access",
1456 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1457 offsetof(struct __sk_buff, cb[0]) + 256),
1460 .errstr = "invalid bpf_context access",
1461 .errstr_unpriv = "",
1463 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1466 "write skb fields from socket prog",
1468 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1469 offsetof(struct __sk_buff, cb[4])),
1470 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1471 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1472 offsetof(struct __sk_buff, mark)),
1473 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1474 offsetof(struct __sk_buff, tc_index)),
1475 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1476 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1477 offsetof(struct __sk_buff, cb[0])),
1478 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1479 offsetof(struct __sk_buff, cb[2])),
1483 .errstr_unpriv = "R1 leaks addr",
1484 .result_unpriv = REJECT,
1487 "write skb fields from tc_cls_act prog",
1489 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490 offsetof(struct __sk_buff, cb[0])),
1491 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1492 offsetof(struct __sk_buff, mark)),
1493 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1494 offsetof(struct __sk_buff, tc_index)),
1495 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1496 offsetof(struct __sk_buff, tc_index)),
1497 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1498 offsetof(struct __sk_buff, cb[3])),
1501 .errstr_unpriv = "",
1502 .result_unpriv = REJECT,
1504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1507 "PTR_TO_STACK store/load",
1509 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1511 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1512 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1518 "PTR_TO_STACK store/load - bad alignment on off",
1520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1522 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1523 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1527 .errstr = "misaligned access off -6 size 8",
1530 "PTR_TO_STACK store/load - bad alignment on reg",
1532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1534 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1535 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1539 .errstr = "misaligned access off -2 size 8",
1542 "PTR_TO_STACK store/load - out of bounds low",
1544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1546 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1547 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1551 .errstr = "invalid stack off=-79992 size=8",
1554 "PTR_TO_STACK store/load - out of bounds high",
1556 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1558 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1559 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1563 .errstr = "invalid stack off=0 size=8",
1566 "unpriv: return pointer",
1568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1572 .result_unpriv = REJECT,
1573 .errstr_unpriv = "R0 leaks addr",
1576 "unpriv: add const to pointer",
1578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1579 BPF_MOV64_IMM(BPF_REG_0, 0),
1583 .result_unpriv = REJECT,
1584 .errstr_unpriv = "R1 pointer arithmetic",
1587 "unpriv: add pointer to pointer",
1589 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1590 BPF_MOV64_IMM(BPF_REG_0, 0),
1594 .result_unpriv = REJECT,
1595 .errstr_unpriv = "R1 pointer arithmetic",
1598 "unpriv: neg pointer",
1600 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1601 BPF_MOV64_IMM(BPF_REG_0, 0),
1605 .result_unpriv = REJECT,
1606 .errstr_unpriv = "R1 pointer arithmetic",
1609 "unpriv: cmp pointer with const",
1611 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1612 BPF_MOV64_IMM(BPF_REG_0, 0),
1616 .result_unpriv = REJECT,
1617 .errstr_unpriv = "R1 pointer comparison",
1620 "unpriv: cmp pointer with pointer",
1622 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1623 BPF_MOV64_IMM(BPF_REG_0, 0),
1627 .result_unpriv = REJECT,
1628 .errstr_unpriv = "R10 pointer comparison",
1631 "unpriv: check that printk is disallowed",
1633 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1634 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1636 BPF_MOV64_IMM(BPF_REG_2, 8),
1637 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1638 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1639 BPF_FUNC_trace_printk),
1640 BPF_MOV64_IMM(BPF_REG_0, 0),
1643 .errstr_unpriv = "unknown func bpf_trace_printk#6",
1644 .result_unpriv = REJECT,
1648 "unpriv: pass pointer to helper function",
1650 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1653 BPF_LD_MAP_FD(BPF_REG_1, 0),
1654 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1655 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1656 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1657 BPF_FUNC_map_update_elem),
1658 BPF_MOV64_IMM(BPF_REG_0, 0),
1661 .fixup_map1 = { 3 },
1662 .errstr_unpriv = "R4 leaks addr",
1663 .result_unpriv = REJECT,
1667 "unpriv: indirectly pass pointer on stack to helper function",
1669 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1670 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1672 BPF_LD_MAP_FD(BPF_REG_1, 0),
1673 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1674 BPF_FUNC_map_lookup_elem),
1675 BPF_MOV64_IMM(BPF_REG_0, 0),
1678 .fixup_map1 = { 3 },
1679 .errstr = "invalid indirect read from stack off -8+0 size 8",
1683 "unpriv: mangle pointer on stack 1",
1685 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1686 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1687 BPF_MOV64_IMM(BPF_REG_0, 0),
1690 .errstr_unpriv = "attempt to corrupt spilled",
1691 .result_unpriv = REJECT,
1695 "unpriv: mangle pointer on stack 2",
1697 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1698 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1699 BPF_MOV64_IMM(BPF_REG_0, 0),
1702 .errstr_unpriv = "attempt to corrupt spilled",
1703 .result_unpriv = REJECT,
1707 "unpriv: read pointer from stack in small chunks",
1709 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1710 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1711 BPF_MOV64_IMM(BPF_REG_0, 0),
1714 .errstr = "invalid size",
1718 "unpriv: write pointer into ctx",
1720 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1721 BPF_MOV64_IMM(BPF_REG_0, 0),
1724 .errstr_unpriv = "R1 leaks addr",
1725 .result_unpriv = REJECT,
1726 .errstr = "invalid bpf_context access",
1730 "unpriv: spill/fill of ctx",
1732 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1734 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1735 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1736 BPF_MOV64_IMM(BPF_REG_0, 0),
1742 "unpriv: spill/fill of ctx 2",
1744 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1746 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1747 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1749 BPF_FUNC_get_hash_recalc),
1753 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1756 "unpriv: spill/fill of ctx 3",
1758 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1759 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1760 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1761 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1762 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1763 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1764 BPF_FUNC_get_hash_recalc),
1768 .errstr = "R1 type=fp expected=ctx",
1769 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1772 "unpriv: spill/fill of ctx 4",
1774 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1776 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1777 BPF_MOV64_IMM(BPF_REG_0, 1),
1778 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
1780 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1782 BPF_FUNC_get_hash_recalc),
1786 .errstr = "R1 type=inv expected=ctx",
1787 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1790 "unpriv: spill/fill of different pointers stx",
1792 BPF_MOV64_IMM(BPF_REG_3, 42),
1793 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1796 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1798 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1799 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1800 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1801 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1802 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
1803 offsetof(struct __sk_buff, mark)),
1804 BPF_MOV64_IMM(BPF_REG_0, 0),
1808 .errstr = "same insn cannot be used with different pointers",
1809 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1812 "unpriv: spill/fill of different pointers ldx",
1814 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
1819 -(__s32)offsetof(struct bpf_perf_event_data,
1820 sample_period) - 8),
1821 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1822 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1823 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1824 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1825 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
1826 offsetof(struct bpf_perf_event_data,
1828 BPF_MOV64_IMM(BPF_REG_0, 0),
1832 .errstr = "same insn cannot be used with different pointers",
1833 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
1836 "unpriv: write pointer into map elem value",
1838 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1841 BPF_LD_MAP_FD(BPF_REG_1, 0),
1842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1843 BPF_FUNC_map_lookup_elem),
1844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1845 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
1848 .fixup_map1 = { 3 },
1849 .errstr_unpriv = "R0 leaks addr",
1850 .result_unpriv = REJECT,
1854 "unpriv: partial copy of pointer",
1856 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
1857 BPF_MOV64_IMM(BPF_REG_0, 0),
1860 .errstr_unpriv = "R10 partial copy",
1861 .result_unpriv = REJECT,
1865 "unpriv: pass pointer to tail_call",
1867 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1868 BPF_LD_MAP_FD(BPF_REG_2, 0),
1869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1870 BPF_FUNC_tail_call),
1871 BPF_MOV64_IMM(BPF_REG_0, 0),
1874 .fixup_prog = { 1 },
1875 .errstr_unpriv = "R3 leaks addr into helper",
1876 .result_unpriv = REJECT,
1880 "unpriv: cmp map pointer with zero",
1882 BPF_MOV64_IMM(BPF_REG_1, 0),
1883 BPF_LD_MAP_FD(BPF_REG_1, 0),
1884 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1885 BPF_MOV64_IMM(BPF_REG_0, 0),
1888 .fixup_map1 = { 1 },
1889 .errstr_unpriv = "R1 pointer comparison",
1890 .result_unpriv = REJECT,
1894 "unpriv: write into frame pointer",
1896 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
1897 BPF_MOV64_IMM(BPF_REG_0, 0),
1900 .errstr = "frame pointer is read only",
1904 "unpriv: spill/fill frame pointer",
1906 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1908 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1909 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
1910 BPF_MOV64_IMM(BPF_REG_0, 0),
1913 .errstr = "frame pointer is read only",
1917 "unpriv: cmp of frame pointer",
1919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
1920 BPF_MOV64_IMM(BPF_REG_0, 0),
1923 .errstr_unpriv = "R10 pointer comparison",
1924 .result_unpriv = REJECT,
1928 "unpriv: adding of fp",
1930 BPF_MOV64_IMM(BPF_REG_0, 0),
1931 BPF_MOV64_IMM(BPF_REG_1, 0),
1932 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1933 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
1936 .errstr_unpriv = "pointer arithmetic prohibited",
1937 .result_unpriv = REJECT,
1938 .errstr = "R1 invalid mem access",
1942 "unpriv: cmp of stack pointer",
1944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
1947 BPF_MOV64_IMM(BPF_REG_0, 0),
1950 .errstr_unpriv = "R2 pointer comparison",
1951 .result_unpriv = REJECT,
1955 "stack pointer arithmetic",
1957 BPF_MOV64_IMM(BPF_REG_1, 4),
1958 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1959 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
1960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1962 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1963 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
1964 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
1967 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1968 BPF_MOV64_IMM(BPF_REG_0, 0),
1974 "raw_stack: no skb_load_bytes",
1976 BPF_MOV64_IMM(BPF_REG_2, 4),
1977 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1979 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1980 BPF_MOV64_IMM(BPF_REG_4, 8),
1981 /* Call to skb_load_bytes() omitted. */
1982 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1986 .errstr = "invalid read from stack off -8+0 size 8",
1987 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1990 "raw_stack: skb_load_bytes, negative len",
1992 BPF_MOV64_IMM(BPF_REG_2, 4),
1993 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1995 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1996 BPF_MOV64_IMM(BPF_REG_4, -8),
1997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1998 BPF_FUNC_skb_load_bytes),
1999 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2003 .errstr = "invalid stack type R3",
2004 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2007 "raw_stack: skb_load_bytes, negative len 2",
2009 BPF_MOV64_IMM(BPF_REG_2, 4),
2010 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2012 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2013 BPF_MOV64_IMM(BPF_REG_4, ~0),
2014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2015 BPF_FUNC_skb_load_bytes),
2016 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2020 .errstr = "invalid stack type R3",
2021 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2024 "raw_stack: skb_load_bytes, zero len",
2026 BPF_MOV64_IMM(BPF_REG_2, 4),
2027 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2029 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2030 BPF_MOV64_IMM(BPF_REG_4, 0),
2031 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2032 BPF_FUNC_skb_load_bytes),
2033 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2037 .errstr = "invalid stack type R3",
2038 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2041 "raw_stack: skb_load_bytes, no init",
2043 BPF_MOV64_IMM(BPF_REG_2, 4),
2044 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2045 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2046 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2047 BPF_MOV64_IMM(BPF_REG_4, 8),
2048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2049 BPF_FUNC_skb_load_bytes),
2050 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2054 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2057 "raw_stack: skb_load_bytes, init",
2059 BPF_MOV64_IMM(BPF_REG_2, 4),
2060 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2062 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2063 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2064 BPF_MOV64_IMM(BPF_REG_4, 8),
2065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2066 BPF_FUNC_skb_load_bytes),
2067 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2071 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2074 "raw_stack: skb_load_bytes, spilled regs around bounds",
2076 BPF_MOV64_IMM(BPF_REG_2, 4),
2077 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2079 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2080 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2081 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2082 BPF_MOV64_IMM(BPF_REG_4, 8),
2083 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2084 BPF_FUNC_skb_load_bytes),
2085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2086 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2087 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2088 offsetof(struct __sk_buff, mark)),
2089 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2090 offsetof(struct __sk_buff, priority)),
2091 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2095 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2098 "raw_stack: skb_load_bytes, spilled regs corruption",
2100 BPF_MOV64_IMM(BPF_REG_2, 4),
2101 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2103 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2104 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2105 BPF_MOV64_IMM(BPF_REG_4, 8),
2106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2107 BPF_FUNC_skb_load_bytes),
2108 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2109 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2110 offsetof(struct __sk_buff, mark)),
2114 .errstr = "R0 invalid mem access 'inv'",
2115 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2118 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2120 BPF_MOV64_IMM(BPF_REG_2, 4),
2121 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2123 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2124 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2125 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2126 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2127 BPF_MOV64_IMM(BPF_REG_4, 8),
2128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2129 BPF_FUNC_skb_load_bytes),
2130 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2131 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2132 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2133 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2134 offsetof(struct __sk_buff, mark)),
2135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2136 offsetof(struct __sk_buff, priority)),
2137 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2138 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2139 offsetof(struct __sk_buff, pkt_type)),
2140 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2144 .errstr = "R3 invalid mem access 'inv'",
2145 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2148 "raw_stack: skb_load_bytes, spilled regs + data",
2150 BPF_MOV64_IMM(BPF_REG_2, 4),
2151 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2153 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2154 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2155 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2156 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2157 BPF_MOV64_IMM(BPF_REG_4, 8),
2158 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2159 BPF_FUNC_skb_load_bytes),
2160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2161 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2162 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2163 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2164 offsetof(struct __sk_buff, mark)),
2165 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2166 offsetof(struct __sk_buff, priority)),
2167 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2168 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2172 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2175 "raw_stack: skb_load_bytes, invalid access 1",
2177 BPF_MOV64_IMM(BPF_REG_2, 4),
2178 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2180 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2181 BPF_MOV64_IMM(BPF_REG_4, 8),
2182 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2183 BPF_FUNC_skb_load_bytes),
2184 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2188 .errstr = "invalid stack type R3 off=-513 access_size=8",
2189 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2192 "raw_stack: skb_load_bytes, invalid access 2",
2194 BPF_MOV64_IMM(BPF_REG_2, 4),
2195 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2196 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2197 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2198 BPF_MOV64_IMM(BPF_REG_4, 8),
2199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2200 BPF_FUNC_skb_load_bytes),
2201 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2205 .errstr = "invalid stack type R3 off=-1 access_size=8",
2206 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2209 "raw_stack: skb_load_bytes, invalid access 3",
2211 BPF_MOV64_IMM(BPF_REG_2, 4),
2212 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2213 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2214 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2215 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2216 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2217 BPF_FUNC_skb_load_bytes),
2218 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2222 .errstr = "invalid stack type R3 off=-1 access_size=-1",
2223 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2226 "raw_stack: skb_load_bytes, invalid access 4",
2228 BPF_MOV64_IMM(BPF_REG_2, 4),
2229 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2231 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2232 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2233 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2234 BPF_FUNC_skb_load_bytes),
2235 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2239 .errstr = "invalid stack type R3 off=-1 access_size=2147483647",
2240 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2243 "raw_stack: skb_load_bytes, invalid access 5",
2245 BPF_MOV64_IMM(BPF_REG_2, 4),
2246 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2248 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2249 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2251 BPF_FUNC_skb_load_bytes),
2252 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2256 .errstr = "invalid stack type R3 off=-512 access_size=2147483647",
2257 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2260 "raw_stack: skb_load_bytes, invalid access 6",
2262 BPF_MOV64_IMM(BPF_REG_2, 4),
2263 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2265 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2266 BPF_MOV64_IMM(BPF_REG_4, 0),
2267 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2268 BPF_FUNC_skb_load_bytes),
2269 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2273 .errstr = "invalid stack type R3 off=-512 access_size=0",
2274 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2277 "raw_stack: skb_load_bytes, large access",
2279 BPF_MOV64_IMM(BPF_REG_2, 4),
2280 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2282 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2283 BPF_MOV64_IMM(BPF_REG_4, 512),
2284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2285 BPF_FUNC_skb_load_bytes),
2286 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2293 "direct packet access: test1",
2295 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2296 offsetof(struct __sk_buff, data)),
2297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2298 offsetof(struct __sk_buff, data_end)),
2299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2301 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2302 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2303 BPF_MOV64_IMM(BPF_REG_0, 0),
2307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2310 "direct packet access: test2",
2312 BPF_MOV64_IMM(BPF_REG_0, 1),
2313 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2314 offsetof(struct __sk_buff, data_end)),
2315 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2316 offsetof(struct __sk_buff, data)),
2317 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2319 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2320 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2321 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2322 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2323 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2324 offsetof(struct __sk_buff, data)),
2325 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2326 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2327 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48),
2328 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48),
2329 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2330 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2332 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2333 offsetof(struct __sk_buff, data_end)),
2334 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2335 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2336 BPF_MOV64_IMM(BPF_REG_0, 0),
2340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2343 "direct packet access: test3",
2345 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2346 offsetof(struct __sk_buff, data)),
2347 BPF_MOV64_IMM(BPF_REG_0, 0),
2350 .errstr = "invalid bpf_context access off=76",
2352 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2355 "direct packet access: test4 (write)",
2357 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2358 offsetof(struct __sk_buff, data)),
2359 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2360 offsetof(struct __sk_buff, data_end)),
2361 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2363 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2364 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2365 BPF_MOV64_IMM(BPF_REG_0, 0),
2369 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2372 "direct packet access: test5 (pkt_end >= reg, good access)",
2374 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2375 offsetof(struct __sk_buff, data)),
2376 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2377 offsetof(struct __sk_buff, data_end)),
2378 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2380 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2381 BPF_MOV64_IMM(BPF_REG_0, 1),
2383 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2384 BPF_MOV64_IMM(BPF_REG_0, 0),
2388 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2391 "direct packet access: test6 (pkt_end >= reg, bad access)",
2393 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2394 offsetof(struct __sk_buff, data)),
2395 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2396 offsetof(struct __sk_buff, data_end)),
2397 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2399 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2400 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2401 BPF_MOV64_IMM(BPF_REG_0, 1),
2403 BPF_MOV64_IMM(BPF_REG_0, 0),
2406 .errstr = "invalid access to packet",
2408 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2411 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2413 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2414 offsetof(struct __sk_buff, data)),
2415 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2416 offsetof(struct __sk_buff, data_end)),
2417 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2418 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2419 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2420 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2421 BPF_MOV64_IMM(BPF_REG_0, 1),
2423 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2424 BPF_MOV64_IMM(BPF_REG_0, 0),
2427 .errstr = "invalid access to packet",
2429 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2432 "direct packet access: test8 (double test, variant 1)",
2434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2435 offsetof(struct __sk_buff, data)),
2436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2437 offsetof(struct __sk_buff, data_end)),
2438 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2440 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2441 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2442 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2443 BPF_MOV64_IMM(BPF_REG_0, 1),
2445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2446 BPF_MOV64_IMM(BPF_REG_0, 0),
2450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2453 "direct packet access: test9 (double test, variant 2)",
2455 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2456 offsetof(struct __sk_buff, data)),
2457 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2458 offsetof(struct __sk_buff, data_end)),
2459 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2461 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2462 BPF_MOV64_IMM(BPF_REG_0, 1),
2464 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2465 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2466 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2467 BPF_MOV64_IMM(BPF_REG_0, 0),
2471 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2474 "direct packet access: test10 (write invalid)",
2476 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2477 offsetof(struct __sk_buff, data)),
2478 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2479 offsetof(struct __sk_buff, data_end)),
2480 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2482 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2483 BPF_MOV64_IMM(BPF_REG_0, 0),
2485 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2486 BPF_MOV64_IMM(BPF_REG_0, 0),
2489 .errstr = "invalid access to packet",
2491 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2494 "direct packet access: test11 (shift, good access)",
2496 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2497 offsetof(struct __sk_buff, data)),
2498 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2499 offsetof(struct __sk_buff, data_end)),
2500 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2502 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2503 BPF_MOV64_IMM(BPF_REG_3, 144),
2504 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2506 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2507 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2508 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2509 BPF_MOV64_IMM(BPF_REG_0, 1),
2511 BPF_MOV64_IMM(BPF_REG_0, 0),
2515 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2518 "direct packet access: test12 (and, good access)",
2520 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2521 offsetof(struct __sk_buff, data)),
2522 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2523 offsetof(struct __sk_buff, data_end)),
2524 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2526 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2527 BPF_MOV64_IMM(BPF_REG_3, 144),
2528 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2530 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2531 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2532 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2533 BPF_MOV64_IMM(BPF_REG_0, 1),
2535 BPF_MOV64_IMM(BPF_REG_0, 0),
2539 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2542 "direct packet access: test13 (branches, good access)",
2544 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2545 offsetof(struct __sk_buff, data)),
2546 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2547 offsetof(struct __sk_buff, data_end)),
2548 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2550 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2551 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2552 offsetof(struct __sk_buff, mark)),
2553 BPF_MOV64_IMM(BPF_REG_4, 1),
2554 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2555 BPF_MOV64_IMM(BPF_REG_3, 14),
2556 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2557 BPF_MOV64_IMM(BPF_REG_3, 24),
2558 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2559 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2560 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2561 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2562 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2563 BPF_MOV64_IMM(BPF_REG_0, 1),
2565 BPF_MOV64_IMM(BPF_REG_0, 0),
2569 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2572 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2574 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2575 offsetof(struct __sk_buff, data)),
2576 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2577 offsetof(struct __sk_buff, data_end)),
2578 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2580 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2581 BPF_MOV64_IMM(BPF_REG_5, 12),
2582 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2583 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2584 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2585 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2586 BPF_MOV64_IMM(BPF_REG_0, 1),
2588 BPF_MOV64_IMM(BPF_REG_0, 0),
2592 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2595 "direct packet access: test15 (spill with xadd)",
2597 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2598 offsetof(struct __sk_buff, data)),
2599 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2600 offsetof(struct __sk_buff, data_end)),
2601 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2603 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2604 BPF_MOV64_IMM(BPF_REG_5, 4096),
2605 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2607 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2608 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2609 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2610 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2611 BPF_MOV64_IMM(BPF_REG_0, 0),
2614 .errstr = "R2 invalid mem access 'inv'",
2616 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2619 "direct packet access: test16 (arith on data_end)",
2621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2622 offsetof(struct __sk_buff, data)),
2623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2624 offsetof(struct __sk_buff, data_end)),
2625 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2628 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2629 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2630 BPF_MOV64_IMM(BPF_REG_0, 0),
2633 .errstr = "invalid access to packet",
2635 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2638 "direct packet access: test17 (pruning, alignment)",
2640 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2641 offsetof(struct __sk_buff, data)),
2642 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2643 offsetof(struct __sk_buff, data_end)),
2644 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2645 offsetof(struct __sk_buff, mark)),
2646 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2648 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2649 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2650 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2651 BPF_MOV64_IMM(BPF_REG_0, 0),
2653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2656 .errstr = "misaligned packet access off 2+15+-4 size 4",
2658 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2659 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2662 "direct packet access: test18 (imm += pkt_ptr, 1)",
2664 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2665 offsetof(struct __sk_buff, data)),
2666 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2667 offsetof(struct __sk_buff, data_end)),
2668 BPF_MOV64_IMM(BPF_REG_0, 8),
2669 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2670 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2671 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2672 BPF_MOV64_IMM(BPF_REG_0, 0),
2676 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2679 "direct packet access: test19 (imm += pkt_ptr, 2)",
2681 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2682 offsetof(struct __sk_buff, data)),
2683 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2684 offsetof(struct __sk_buff, data_end)),
2685 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2687 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2688 BPF_MOV64_IMM(BPF_REG_4, 4),
2689 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2690 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2691 BPF_MOV64_IMM(BPF_REG_0, 0),
2695 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2698 "direct packet access: test20 (x += pkt_ptr, 1)",
2700 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2701 offsetof(struct __sk_buff, data)),
2702 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2703 offsetof(struct __sk_buff, data_end)),
2704 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2705 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2706 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2707 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
2708 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2709 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2710 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xffff - 1),
2712 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2713 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2714 BPF_MOV64_IMM(BPF_REG_0, 0),
2717 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2721 "direct packet access: test21 (x += pkt_ptr, 2)",
2723 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2724 offsetof(struct __sk_buff, data)),
2725 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2726 offsetof(struct __sk_buff, data_end)),
2727 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2729 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2730 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2731 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
2732 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2733 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0xffff),
2734 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2735 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xffff - 1),
2737 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2738 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2739 BPF_MOV64_IMM(BPF_REG_0, 0),
2742 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2746 "direct packet access: test22 (x += pkt_ptr, 3)",
2748 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2749 offsetof(struct __sk_buff, data)),
2750 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2751 offsetof(struct __sk_buff, data_end)),
2752 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2754 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
2755 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
2756 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
2757 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
2758 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
2759 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2760 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
2761 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2762 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 48),
2763 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2764 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
2765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
2766 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2767 BPF_MOV64_IMM(BPF_REG_2, 1),
2768 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
2769 BPF_MOV64_IMM(BPF_REG_0, 0),
2772 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2776 "direct packet access: test23 (x += pkt_ptr, 4)",
2778 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2779 offsetof(struct __sk_buff, data)),
2780 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2781 offsetof(struct __sk_buff, data_end)),
2782 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2783 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2784 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2785 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
2786 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2787 BPF_MOV64_IMM(BPF_REG_0, 31),
2788 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
2789 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2790 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
2791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
2792 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2793 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
2794 BPF_MOV64_IMM(BPF_REG_0, 0),
2797 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2799 .errstr = "cannot add integer value with 47 upper zero bits to ptr_to_packet",
2802 "direct packet access: test24 (x += pkt_ptr, 5)",
2804 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2805 offsetof(struct __sk_buff, data)),
2806 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2807 offsetof(struct __sk_buff, data_end)),
2808 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2809 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2810 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2811 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
2812 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2813 BPF_MOV64_IMM(BPF_REG_0, 64),
2814 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
2815 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2816 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
2817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
2818 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2819 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
2820 BPF_MOV64_IMM(BPF_REG_0, 0),
2823 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2827 "helper access to packet: test1, valid packet_ptr range",
2829 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2830 offsetof(struct xdp_md, data)),
2831 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2832 offsetof(struct xdp_md, data_end)),
2833 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2834 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2835 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2836 BPF_LD_MAP_FD(BPF_REG_1, 0),
2837 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2838 BPF_MOV64_IMM(BPF_REG_4, 0),
2839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2840 BPF_FUNC_map_update_elem),
2841 BPF_MOV64_IMM(BPF_REG_0, 0),
2844 .fixup_map1 = { 5 },
2845 .result_unpriv = ACCEPT,
2847 .prog_type = BPF_PROG_TYPE_XDP,
2850 "helper access to packet: test2, unchecked packet_ptr",
2852 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2853 offsetof(struct xdp_md, data)),
2854 BPF_LD_MAP_FD(BPF_REG_1, 0),
2855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2856 BPF_FUNC_map_lookup_elem),
2857 BPF_MOV64_IMM(BPF_REG_0, 0),
2860 .fixup_map1 = { 1 },
2862 .errstr = "invalid access to packet",
2863 .prog_type = BPF_PROG_TYPE_XDP,
2866 "helper access to packet: test3, variable add",
2868 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2869 offsetof(struct xdp_md, data)),
2870 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2871 offsetof(struct xdp_md, data_end)),
2872 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2874 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2875 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2876 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2877 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2878 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2880 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2881 BPF_LD_MAP_FD(BPF_REG_1, 0),
2882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2884 BPF_FUNC_map_lookup_elem),
2885 BPF_MOV64_IMM(BPF_REG_0, 0),
2888 .fixup_map1 = { 11 },
2890 .prog_type = BPF_PROG_TYPE_XDP,
2893 "helper access to packet: test4, packet_ptr with bad range",
2895 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2896 offsetof(struct xdp_md, data)),
2897 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2898 offsetof(struct xdp_md, data_end)),
2899 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2901 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2902 BPF_MOV64_IMM(BPF_REG_0, 0),
2904 BPF_LD_MAP_FD(BPF_REG_1, 0),
2905 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2906 BPF_FUNC_map_lookup_elem),
2907 BPF_MOV64_IMM(BPF_REG_0, 0),
2910 .fixup_map1 = { 7 },
2912 .errstr = "invalid access to packet",
2913 .prog_type = BPF_PROG_TYPE_XDP,
2916 "helper access to packet: test5, packet_ptr with too short range",
2918 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2919 offsetof(struct xdp_md, data)),
2920 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2921 offsetof(struct xdp_md, data_end)),
2922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2923 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2925 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2926 BPF_LD_MAP_FD(BPF_REG_1, 0),
2927 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2928 BPF_FUNC_map_lookup_elem),
2929 BPF_MOV64_IMM(BPF_REG_0, 0),
2932 .fixup_map1 = { 6 },
2934 .errstr = "invalid access to packet",
2935 .prog_type = BPF_PROG_TYPE_XDP,
2938 "helper access to packet: test6, cls valid packet_ptr range",
2940 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2941 offsetof(struct __sk_buff, data)),
2942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2943 offsetof(struct __sk_buff, data_end)),
2944 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2946 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2947 BPF_LD_MAP_FD(BPF_REG_1, 0),
2948 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2949 BPF_MOV64_IMM(BPF_REG_4, 0),
2950 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2951 BPF_FUNC_map_update_elem),
2952 BPF_MOV64_IMM(BPF_REG_0, 0),
2955 .fixup_map1 = { 5 },
2957 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2960 "helper access to packet: test7, cls unchecked packet_ptr",
2962 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2963 offsetof(struct __sk_buff, data)),
2964 BPF_LD_MAP_FD(BPF_REG_1, 0),
2965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2966 BPF_FUNC_map_lookup_elem),
2967 BPF_MOV64_IMM(BPF_REG_0, 0),
2970 .fixup_map1 = { 1 },
2972 .errstr = "invalid access to packet",
2973 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2976 "helper access to packet: test8, cls variable add",
2978 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2979 offsetof(struct __sk_buff, data)),
2980 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2981 offsetof(struct __sk_buff, data_end)),
2982 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2984 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2985 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2986 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2987 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2988 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2990 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2991 BPF_LD_MAP_FD(BPF_REG_1, 0),
2992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2994 BPF_FUNC_map_lookup_elem),
2995 BPF_MOV64_IMM(BPF_REG_0, 0),
2998 .fixup_map1 = { 11 },
3000 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3003 "helper access to packet: test9, cls packet_ptr with bad range",
3005 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3006 offsetof(struct __sk_buff, data)),
3007 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3008 offsetof(struct __sk_buff, data_end)),
3009 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3011 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3012 BPF_MOV64_IMM(BPF_REG_0, 0),
3014 BPF_LD_MAP_FD(BPF_REG_1, 0),
3015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3016 BPF_FUNC_map_lookup_elem),
3017 BPF_MOV64_IMM(BPF_REG_0, 0),
3020 .fixup_map1 = { 7 },
3022 .errstr = "invalid access to packet",
3023 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3026 "helper access to packet: test10, cls packet_ptr with too short range",
3028 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3029 offsetof(struct __sk_buff, data)),
3030 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3031 offsetof(struct __sk_buff, data_end)),
3032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3033 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3035 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3036 BPF_LD_MAP_FD(BPF_REG_1, 0),
3037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3038 BPF_FUNC_map_lookup_elem),
3039 BPF_MOV64_IMM(BPF_REG_0, 0),
3042 .fixup_map1 = { 6 },
3044 .errstr = "invalid access to packet",
3045 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3048 "helper access to packet: test11, cls unsuitable helper 1",
3050 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3051 offsetof(struct __sk_buff, data)),
3052 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3053 offsetof(struct __sk_buff, data_end)),
3054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3055 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3056 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3057 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3058 BPF_MOV64_IMM(BPF_REG_2, 0),
3059 BPF_MOV64_IMM(BPF_REG_4, 42),
3060 BPF_MOV64_IMM(BPF_REG_5, 0),
3061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3062 BPF_FUNC_skb_store_bytes),
3063 BPF_MOV64_IMM(BPF_REG_0, 0),
3067 .errstr = "helper access to the packet",
3068 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3071 "helper access to packet: test12, cls unsuitable helper 2",
3073 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3074 offsetof(struct __sk_buff, data)),
3075 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3076 offsetof(struct __sk_buff, data_end)),
3077 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3079 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3080 BPF_MOV64_IMM(BPF_REG_2, 0),
3081 BPF_MOV64_IMM(BPF_REG_4, 4),
3082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3083 BPF_FUNC_skb_load_bytes),
3084 BPF_MOV64_IMM(BPF_REG_0, 0),
3088 .errstr = "helper access to the packet",
3089 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3092 "helper access to packet: test13, cls helper ok",
3094 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3095 offsetof(struct __sk_buff, data)),
3096 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3097 offsetof(struct __sk_buff, data_end)),
3098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3099 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3101 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3103 BPF_MOV64_IMM(BPF_REG_2, 4),
3104 BPF_MOV64_IMM(BPF_REG_3, 0),
3105 BPF_MOV64_IMM(BPF_REG_4, 0),
3106 BPF_MOV64_IMM(BPF_REG_5, 0),
3107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3108 BPF_FUNC_csum_diff),
3109 BPF_MOV64_IMM(BPF_REG_0, 0),
3113 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3116 "helper access to packet: test14, cls helper fail sub",
3118 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3119 offsetof(struct __sk_buff, data)),
3120 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3121 offsetof(struct __sk_buff, data_end)),
3122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3123 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3125 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3126 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3127 BPF_MOV64_IMM(BPF_REG_2, 4),
3128 BPF_MOV64_IMM(BPF_REG_3, 0),
3129 BPF_MOV64_IMM(BPF_REG_4, 0),
3130 BPF_MOV64_IMM(BPF_REG_5, 0),
3131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 BPF_FUNC_csum_diff),
3133 BPF_MOV64_IMM(BPF_REG_0, 0),
3137 .errstr = "type=inv expected=fp",
3138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3141 "helper access to packet: test15, cls helper fail range 1",
3143 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3144 offsetof(struct __sk_buff, data)),
3145 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3146 offsetof(struct __sk_buff, data_end)),
3147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3149 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3150 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3152 BPF_MOV64_IMM(BPF_REG_2, 8),
3153 BPF_MOV64_IMM(BPF_REG_3, 0),
3154 BPF_MOV64_IMM(BPF_REG_4, 0),
3155 BPF_MOV64_IMM(BPF_REG_5, 0),
3156 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3157 BPF_FUNC_csum_diff),
3158 BPF_MOV64_IMM(BPF_REG_0, 0),
3162 .errstr = "invalid access to packet",
3163 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3166 "helper access to packet: test16, cls helper fail range 2",
3168 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3169 offsetof(struct __sk_buff, data)),
3170 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3171 offsetof(struct __sk_buff, data_end)),
3172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3175 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3176 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3177 BPF_MOV64_IMM(BPF_REG_2, -9),
3178 BPF_MOV64_IMM(BPF_REG_3, 0),
3179 BPF_MOV64_IMM(BPF_REG_4, 0),
3180 BPF_MOV64_IMM(BPF_REG_5, 0),
3181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3182 BPF_FUNC_csum_diff),
3183 BPF_MOV64_IMM(BPF_REG_0, 0),
3187 .errstr = "invalid access to packet",
3188 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3191 "helper access to packet: test17, cls helper fail range 3",
3193 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3194 offsetof(struct __sk_buff, data)),
3195 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3196 offsetof(struct __sk_buff, data_end)),
3197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3198 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3200 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3201 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3202 BPF_MOV64_IMM(BPF_REG_2, ~0),
3203 BPF_MOV64_IMM(BPF_REG_3, 0),
3204 BPF_MOV64_IMM(BPF_REG_4, 0),
3205 BPF_MOV64_IMM(BPF_REG_5, 0),
3206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3207 BPF_FUNC_csum_diff),
3208 BPF_MOV64_IMM(BPF_REG_0, 0),
3212 .errstr = "invalid access to packet",
3213 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3216 "helper access to packet: test18, cls helper fail range zero",
3218 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3219 offsetof(struct __sk_buff, data)),
3220 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3221 offsetof(struct __sk_buff, data_end)),
3222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3223 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3225 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3226 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3227 BPF_MOV64_IMM(BPF_REG_2, 0),
3228 BPF_MOV64_IMM(BPF_REG_3, 0),
3229 BPF_MOV64_IMM(BPF_REG_4, 0),
3230 BPF_MOV64_IMM(BPF_REG_5, 0),
3231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3232 BPF_FUNC_csum_diff),
3233 BPF_MOV64_IMM(BPF_REG_0, 0),
3237 .errstr = "invalid access to packet",
3238 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3241 "helper access to packet: test19, pkt end as input",
3243 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3244 offsetof(struct __sk_buff, data)),
3245 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3246 offsetof(struct __sk_buff, data_end)),
3247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3250 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3251 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3252 BPF_MOV64_IMM(BPF_REG_2, 4),
3253 BPF_MOV64_IMM(BPF_REG_3, 0),
3254 BPF_MOV64_IMM(BPF_REG_4, 0),
3255 BPF_MOV64_IMM(BPF_REG_5, 0),
3256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3257 BPF_FUNC_csum_diff),
3258 BPF_MOV64_IMM(BPF_REG_0, 0),
3262 .errstr = "R1 type=pkt_end expected=fp",
3263 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3266 "helper access to packet: test20, wrong reg",
3268 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3269 offsetof(struct __sk_buff, data)),
3270 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3271 offsetof(struct __sk_buff, data_end)),
3272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3275 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3276 BPF_MOV64_IMM(BPF_REG_2, 4),
3277 BPF_MOV64_IMM(BPF_REG_3, 0),
3278 BPF_MOV64_IMM(BPF_REG_4, 0),
3279 BPF_MOV64_IMM(BPF_REG_5, 0),
3280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3281 BPF_FUNC_csum_diff),
3282 BPF_MOV64_IMM(BPF_REG_0, 0),
3286 .errstr = "invalid access to packet",
3287 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3290 "valid map access into an array with a constant",
3292 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3293 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3295 BPF_LD_MAP_FD(BPF_REG_1, 0),
3296 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3297 BPF_FUNC_map_lookup_elem),
3298 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3299 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3300 offsetof(struct test_val, foo)),
3303 .fixup_map2 = { 3 },
3304 .errstr_unpriv = "R0 leaks addr",
3305 .result_unpriv = REJECT,
3309 "valid map access into an array with a register",
3311 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3312 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3314 BPF_LD_MAP_FD(BPF_REG_1, 0),
3315 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3316 BPF_FUNC_map_lookup_elem),
3317 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3318 BPF_MOV64_IMM(BPF_REG_1, 4),
3319 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3320 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3321 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3322 offsetof(struct test_val, foo)),
3325 .fixup_map2 = { 3 },
3326 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3327 .result_unpriv = REJECT,
3329 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3332 "valid map access into an array with a variable",
3334 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3335 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3337 BPF_LD_MAP_FD(BPF_REG_1, 0),
3338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3339 BPF_FUNC_map_lookup_elem),
3340 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3341 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3342 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3343 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3344 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3345 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3346 offsetof(struct test_val, foo)),
3349 .fixup_map2 = { 3 },
3350 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3351 .result_unpriv = REJECT,
3353 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3356 "valid map access into an array with a signed variable",
3358 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3359 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3361 BPF_LD_MAP_FD(BPF_REG_1, 0),
3362 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3363 BPF_FUNC_map_lookup_elem),
3364 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3365 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3366 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3367 BPF_MOV32_IMM(BPF_REG_1, 0),
3368 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3369 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3370 BPF_MOV32_IMM(BPF_REG_1, 0),
3371 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3372 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3373 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3374 offsetof(struct test_val, foo)),
3377 .fixup_map2 = { 3 },
3378 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3379 .result_unpriv = REJECT,
3381 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3384 "invalid map access into an array with a constant",
3386 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3389 BPF_LD_MAP_FD(BPF_REG_1, 0),
3390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3391 BPF_FUNC_map_lookup_elem),
3392 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3393 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3394 offsetof(struct test_val, foo)),
3397 .fixup_map2 = { 3 },
3398 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3402 "invalid map access into an array with a register",
3404 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3407 BPF_LD_MAP_FD(BPF_REG_1, 0),
3408 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3409 BPF_FUNC_map_lookup_elem),
3410 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3411 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3412 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3413 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3414 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3415 offsetof(struct test_val, foo)),
3418 .fixup_map2 = { 3 },
3419 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3420 .errstr = "R0 min value is outside of the array range",
3421 .result_unpriv = REJECT,
3423 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3426 "invalid map access into an array with a variable",
3428 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3429 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3431 BPF_LD_MAP_FD(BPF_REG_1, 0),
3432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3433 BPF_FUNC_map_lookup_elem),
3434 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3435 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3436 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3438 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3439 offsetof(struct test_val, foo)),
3442 .fixup_map2 = { 3 },
3443 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3444 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3445 .result_unpriv = REJECT,
3447 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3450 "invalid map access into an array with no floor check",
3452 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3453 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3455 BPF_LD_MAP_FD(BPF_REG_1, 0),
3456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3457 BPF_FUNC_map_lookup_elem),
3458 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3459 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3460 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3461 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3462 BPF_MOV32_IMM(BPF_REG_1, 0),
3463 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3464 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3465 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3466 offsetof(struct test_val, foo)),
3469 .fixup_map2 = { 3 },
3470 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3471 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3472 .result_unpriv = REJECT,
3474 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3477 "invalid map access into an array with a invalid max check",
3479 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3480 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3482 BPF_LD_MAP_FD(BPF_REG_1, 0),
3483 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3484 BPF_FUNC_map_lookup_elem),
3485 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3486 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3487 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3488 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3489 BPF_MOV32_IMM(BPF_REG_1, 0),
3490 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3491 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3492 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3493 offsetof(struct test_val, foo)),
3496 .fixup_map2 = { 3 },
3497 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3498 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
3499 .result_unpriv = REJECT,
3501 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3504 "invalid map access into an array with a invalid max check",
3506 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3507 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3509 BPF_LD_MAP_FD(BPF_REG_1, 0),
3510 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3511 BPF_FUNC_map_lookup_elem),
3512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3513 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3514 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3515 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3517 BPF_LD_MAP_FD(BPF_REG_1, 0),
3518 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3519 BPF_FUNC_map_lookup_elem),
3520 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3521 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3522 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3523 offsetof(struct test_val, foo)),
3526 .fixup_map2 = { 3, 11 },
3527 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3528 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3529 .result_unpriv = REJECT,
3531 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3534 "multiple registers share map_lookup_elem result",
3536 BPF_MOV64_IMM(BPF_REG_1, 10),
3537 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3538 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3540 BPF_LD_MAP_FD(BPF_REG_1, 0),
3541 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3542 BPF_FUNC_map_lookup_elem),
3543 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3544 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3545 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3548 .fixup_map1 = { 4 },
3550 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3553 "alu ops on ptr_to_map_value_or_null, 1",
3555 BPF_MOV64_IMM(BPF_REG_1, 10),
3556 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3557 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3559 BPF_LD_MAP_FD(BPF_REG_1, 0),
3560 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3561 BPF_FUNC_map_lookup_elem),
3562 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3565 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3566 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3569 .fixup_map1 = { 4 },
3570 .errstr = "R4 invalid mem access",
3572 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3575 "alu ops on ptr_to_map_value_or_null, 2",
3577 BPF_MOV64_IMM(BPF_REG_1, 10),
3578 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3581 BPF_LD_MAP_FD(BPF_REG_1, 0),
3582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3583 BPF_FUNC_map_lookup_elem),
3584 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3585 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3587 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3590 .fixup_map1 = { 4 },
3591 .errstr = "R4 invalid mem access",
3593 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3596 "alu ops on ptr_to_map_value_or_null, 3",
3598 BPF_MOV64_IMM(BPF_REG_1, 10),
3599 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3600 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3602 BPF_LD_MAP_FD(BPF_REG_1, 0),
3603 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3604 BPF_FUNC_map_lookup_elem),
3605 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3606 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3608 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3611 .fixup_map1 = { 4 },
3612 .errstr = "R4 invalid mem access",
3614 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3617 "invalid memory access with multiple map_lookup_elem calls",
3619 BPF_MOV64_IMM(BPF_REG_1, 10),
3620 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3621 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3623 BPF_LD_MAP_FD(BPF_REG_1, 0),
3624 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3625 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3626 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3627 BPF_FUNC_map_lookup_elem),
3628 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3629 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3630 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3632 BPF_FUNC_map_lookup_elem),
3633 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3634 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3637 .fixup_map1 = { 4 },
3639 .errstr = "R4 !read_ok",
3640 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3643 "valid indirect map_lookup_elem access with 2nd lookup in branch",
3645 BPF_MOV64_IMM(BPF_REG_1, 10),
3646 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3649 BPF_LD_MAP_FD(BPF_REG_1, 0),
3650 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3651 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3653 BPF_FUNC_map_lookup_elem),
3654 BPF_MOV64_IMM(BPF_REG_2, 10),
3655 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
3656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3657 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3658 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3659 BPF_FUNC_map_lookup_elem),
3660 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3661 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3662 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3665 .fixup_map1 = { 4 },
3667 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3670 "multiple registers share map_lookup_elem bad reg type",
3672 BPF_MOV64_IMM(BPF_REG_1, 10),
3673 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3676 BPF_LD_MAP_FD(BPF_REG_1, 0),
3677 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3678 BPF_FUNC_map_lookup_elem),
3679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
3680 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
3681 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3682 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3684 BPF_MOV64_IMM(BPF_REG_1, 1),
3685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3686 BPF_MOV64_IMM(BPF_REG_1, 2),
3687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1),
3688 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0),
3689 BPF_MOV64_IMM(BPF_REG_1, 3),
3692 .fixup_map1 = { 4 },
3694 .errstr = "R3 invalid mem access 'inv'",
3695 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3698 "invalid map access from else condition",
3700 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3701 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3703 BPF_LD_MAP_FD(BPF_REG_1, 0),
3704 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
3705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3706 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3707 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
3708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
3709 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3710 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3711 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
3714 .fixup_map2 = { 3 },
3715 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3717 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3718 .result_unpriv = REJECT,
3719 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3722 "constant register |= constant should keep constant type",
3724 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3726 BPF_MOV64_IMM(BPF_REG_2, 34),
3727 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
3728 BPF_MOV64_IMM(BPF_REG_3, 0),
3729 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3733 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3736 "constant register |= constant should not bypass stack boundary checks",
3738 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3740 BPF_MOV64_IMM(BPF_REG_2, 34),
3741 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
3742 BPF_MOV64_IMM(BPF_REG_3, 0),
3743 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3746 .errstr = "invalid stack type R1 off=-48 access_size=58",
3748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3751 "constant register |= constant register should keep constant type",
3753 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3755 BPF_MOV64_IMM(BPF_REG_2, 34),
3756 BPF_MOV64_IMM(BPF_REG_4, 13),
3757 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3758 BPF_MOV64_IMM(BPF_REG_3, 0),
3759 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3763 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3766 "constant register |= constant register should not bypass stack boundary checks",
3768 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3770 BPF_MOV64_IMM(BPF_REG_2, 34),
3771 BPF_MOV64_IMM(BPF_REG_4, 24),
3772 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3773 BPF_MOV64_IMM(BPF_REG_3, 0),
3774 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3777 .errstr = "invalid stack type R1 off=-48 access_size=58",
3779 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3782 "invalid direct packet write for LWT_IN",
3784 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3785 offsetof(struct __sk_buff, data)),
3786 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3787 offsetof(struct __sk_buff, data_end)),
3788 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3790 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3791 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3792 BPF_MOV64_IMM(BPF_REG_0, 0),
3795 .errstr = "cannot write into packet",
3797 .prog_type = BPF_PROG_TYPE_LWT_IN,
3800 "invalid direct packet write for LWT_OUT",
3802 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3803 offsetof(struct __sk_buff, data)),
3804 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3805 offsetof(struct __sk_buff, data_end)),
3806 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3808 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3809 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3810 BPF_MOV64_IMM(BPF_REG_0, 0),
3813 .errstr = "cannot write into packet",
3815 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3818 "direct packet write for LWT_XMIT",
3820 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3821 offsetof(struct __sk_buff, data)),
3822 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3823 offsetof(struct __sk_buff, data_end)),
3824 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3826 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3827 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3828 BPF_MOV64_IMM(BPF_REG_0, 0),
3832 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3835 "direct packet read for LWT_IN",
3837 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3838 offsetof(struct __sk_buff, data)),
3839 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3840 offsetof(struct __sk_buff, data_end)),
3841 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3843 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3844 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3845 BPF_MOV64_IMM(BPF_REG_0, 0),
3849 .prog_type = BPF_PROG_TYPE_LWT_IN,
3852 "direct packet read for LWT_OUT",
3854 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3855 offsetof(struct __sk_buff, data)),
3856 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3857 offsetof(struct __sk_buff, data_end)),
3858 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3860 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3861 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3862 BPF_MOV64_IMM(BPF_REG_0, 0),
3866 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3869 "direct packet read for LWT_XMIT",
3871 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3872 offsetof(struct __sk_buff, data)),
3873 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3874 offsetof(struct __sk_buff, data_end)),
3875 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3877 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3878 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3879 BPF_MOV64_IMM(BPF_REG_0, 0),
3883 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3886 "overlapping checks for direct packet access",
3888 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3889 offsetof(struct __sk_buff, data)),
3890 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3891 offsetof(struct __sk_buff, data_end)),
3892 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3894 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
3895 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
3897 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
3898 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
3899 BPF_MOV64_IMM(BPF_REG_0, 0),
3903 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3906 "invalid access of tc_classid for LWT_IN",
3908 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3909 offsetof(struct __sk_buff, tc_classid)),
3913 .errstr = "invalid bpf_context access",
3916 "invalid access of tc_classid for LWT_OUT",
3918 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3919 offsetof(struct __sk_buff, tc_classid)),
3923 .errstr = "invalid bpf_context access",
3926 "invalid access of tc_classid for LWT_XMIT",
3928 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3929 offsetof(struct __sk_buff, tc_classid)),
3933 .errstr = "invalid bpf_context access",
3936 "leak pointer into ctx 1",
3938 BPF_MOV64_IMM(BPF_REG_0, 0),
3939 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
3940 offsetof(struct __sk_buff, cb[0])),
3941 BPF_LD_MAP_FD(BPF_REG_2, 0),
3942 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
3943 offsetof(struct __sk_buff, cb[0])),
3946 .fixup_map1 = { 2 },
3947 .errstr_unpriv = "R2 leaks addr into mem",
3948 .result_unpriv = REJECT,
3952 "leak pointer into ctx 2",
3954 BPF_MOV64_IMM(BPF_REG_0, 0),
3955 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
3956 offsetof(struct __sk_buff, cb[0])),
3957 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
3958 offsetof(struct __sk_buff, cb[0])),
3961 .errstr_unpriv = "R10 leaks addr into mem",
3962 .result_unpriv = REJECT,
3966 "leak pointer into ctx 3",
3968 BPF_MOV64_IMM(BPF_REG_0, 0),
3969 BPF_LD_MAP_FD(BPF_REG_2, 0),
3970 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
3971 offsetof(struct __sk_buff, cb[0])),
3974 .fixup_map1 = { 1 },
3975 .errstr_unpriv = "R2 leaks addr into ctx",
3976 .result_unpriv = REJECT,
3980 "leak pointer into map val",
3982 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
3983 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3984 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3986 BPF_LD_MAP_FD(BPF_REG_1, 0),
3987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3988 BPF_FUNC_map_lookup_elem),
3989 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
3990 BPF_MOV64_IMM(BPF_REG_3, 0),
3991 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
3992 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3993 BPF_MOV64_IMM(BPF_REG_0, 0),
3996 .fixup_map1 = { 4 },
3997 .errstr_unpriv = "R6 leaks addr into mem",
3998 .result_unpriv = REJECT,
4002 "helper access to map: full range",
4004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4006 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4007 BPF_LD_MAP_FD(BPF_REG_1, 0),
4008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4011 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4012 BPF_MOV64_IMM(BPF_REG_3, 0),
4013 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4016 .fixup_map2 = { 3 },
4018 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4021 "helper access to map: partial range",
4023 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4025 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4026 BPF_LD_MAP_FD(BPF_REG_1, 0),
4027 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4028 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4029 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4030 BPF_MOV64_IMM(BPF_REG_2, 8),
4031 BPF_MOV64_IMM(BPF_REG_3, 0),
4032 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4035 .fixup_map2 = { 3 },
4037 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4040 "helper access to map: empty range",
4042 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4044 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4045 BPF_LD_MAP_FD(BPF_REG_1, 0),
4046 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4047 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4048 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4049 BPF_MOV64_IMM(BPF_REG_2, 0),
4050 BPF_MOV64_IMM(BPF_REG_3, 0),
4051 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4054 .fixup_map2 = { 3 },
4055 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4057 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4060 "helper access to map: out-of-bound range",
4062 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4064 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4065 BPF_LD_MAP_FD(BPF_REG_1, 0),
4066 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4067 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4068 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4069 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4070 BPF_MOV64_IMM(BPF_REG_3, 0),
4071 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4074 .fixup_map2 = { 3 },
4075 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4077 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4080 "helper access to map: negative range",
4082 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4084 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4085 BPF_LD_MAP_FD(BPF_REG_1, 0),
4086 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4087 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4088 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4089 BPF_MOV64_IMM(BPF_REG_2, -8),
4090 BPF_MOV64_IMM(BPF_REG_3, 0),
4091 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4094 .fixup_map2 = { 3 },
4095 .errstr = "invalid access to map value, value_size=48 off=0 size=-8",
4097 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4100 "helper access to adjusted map (via const imm): full range",
4102 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4104 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4105 BPF_LD_MAP_FD(BPF_REG_1, 0),
4106 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4108 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4110 offsetof(struct test_val, foo)),
4111 BPF_MOV64_IMM(BPF_REG_2,
4112 sizeof(struct test_val) -
4113 offsetof(struct test_val, foo)),
4114 BPF_MOV64_IMM(BPF_REG_3, 0),
4115 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4118 .fixup_map2 = { 3 },
4120 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4123 "helper access to adjusted map (via const imm): partial range",
4125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4127 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4128 BPF_LD_MAP_FD(BPF_REG_1, 0),
4129 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4131 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4133 offsetof(struct test_val, foo)),
4134 BPF_MOV64_IMM(BPF_REG_2, 8),
4135 BPF_MOV64_IMM(BPF_REG_3, 0),
4136 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4139 .fixup_map2 = { 3 },
4141 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4144 "helper access to adjusted map (via const imm): empty range",
4146 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4148 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4149 BPF_LD_MAP_FD(BPF_REG_1, 0),
4150 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4152 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4154 offsetof(struct test_val, foo)),
4155 BPF_MOV64_IMM(BPF_REG_2, 0),
4156 BPF_MOV64_IMM(BPF_REG_3, 0),
4157 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4160 .fixup_map2 = { 3 },
4161 .errstr = "R1 min value is outside of the array range",
4163 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4166 "helper access to adjusted map (via const imm): out-of-bound range",
4168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4170 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4171 BPF_LD_MAP_FD(BPF_REG_1, 0),
4172 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4174 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4176 offsetof(struct test_val, foo)),
4177 BPF_MOV64_IMM(BPF_REG_2,
4178 sizeof(struct test_val) -
4179 offsetof(struct test_val, foo) + 8),
4180 BPF_MOV64_IMM(BPF_REG_3, 0),
4181 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4184 .fixup_map2 = { 3 },
4185 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4187 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4190 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4192 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4194 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4195 BPF_LD_MAP_FD(BPF_REG_1, 0),
4196 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4197 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4198 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4200 offsetof(struct test_val, foo)),
4201 BPF_MOV64_IMM(BPF_REG_2, -8),
4202 BPF_MOV64_IMM(BPF_REG_3, 0),
4203 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4206 .fixup_map2 = { 3 },
4207 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
4209 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4212 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4214 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4216 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4217 BPF_LD_MAP_FD(BPF_REG_1, 0),
4218 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4219 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4220 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4222 offsetof(struct test_val, foo)),
4223 BPF_MOV64_IMM(BPF_REG_2, -1),
4224 BPF_MOV64_IMM(BPF_REG_3, 0),
4225 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4228 .fixup_map2 = { 3 },
4229 .errstr = "R1 min value is outside of the array range",
4231 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4234 "helper access to adjusted map (via const reg): full range",
4236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4238 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4239 BPF_LD_MAP_FD(BPF_REG_1, 0),
4240 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4242 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4243 BPF_MOV64_IMM(BPF_REG_3,
4244 offsetof(struct test_val, foo)),
4245 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4246 BPF_MOV64_IMM(BPF_REG_2,
4247 sizeof(struct test_val) -
4248 offsetof(struct test_val, foo)),
4249 BPF_MOV64_IMM(BPF_REG_3, 0),
4250 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4253 .fixup_map2 = { 3 },
4255 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4258 "helper access to adjusted map (via const reg): partial range",
4260 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4262 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4263 BPF_LD_MAP_FD(BPF_REG_1, 0),
4264 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4267 BPF_MOV64_IMM(BPF_REG_3,
4268 offsetof(struct test_val, foo)),
4269 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4270 BPF_MOV64_IMM(BPF_REG_2, 8),
4271 BPF_MOV64_IMM(BPF_REG_3, 0),
4272 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4275 .fixup_map2 = { 3 },
4277 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4280 "helper access to adjusted map (via const reg): empty range",
4282 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4284 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4285 BPF_LD_MAP_FD(BPF_REG_1, 0),
4286 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4288 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4289 BPF_MOV64_IMM(BPF_REG_3, 0),
4290 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4291 BPF_MOV64_IMM(BPF_REG_2, 0),
4292 BPF_MOV64_IMM(BPF_REG_3, 0),
4293 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4296 .fixup_map2 = { 3 },
4297 .errstr = "R1 min value is outside of the array range",
4299 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4302 "helper access to adjusted map (via const reg): out-of-bound range",
4304 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4306 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4307 BPF_LD_MAP_FD(BPF_REG_1, 0),
4308 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4311 BPF_MOV64_IMM(BPF_REG_3,
4312 offsetof(struct test_val, foo)),
4313 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4314 BPF_MOV64_IMM(BPF_REG_2,
4315 sizeof(struct test_val) -
4316 offsetof(struct test_val, foo) + 8),
4317 BPF_MOV64_IMM(BPF_REG_3, 0),
4318 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4321 .fixup_map2 = { 3 },
4322 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4324 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4327 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4331 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4332 BPF_LD_MAP_FD(BPF_REG_1, 0),
4333 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4334 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4336 BPF_MOV64_IMM(BPF_REG_3,
4337 offsetof(struct test_val, foo)),
4338 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4339 BPF_MOV64_IMM(BPF_REG_2, -8),
4340 BPF_MOV64_IMM(BPF_REG_3, 0),
4341 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4344 .fixup_map2 = { 3 },
4345 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
4347 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4350 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4352 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4354 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4355 BPF_LD_MAP_FD(BPF_REG_1, 0),
4356 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4357 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4358 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4359 BPF_MOV64_IMM(BPF_REG_3,
4360 offsetof(struct test_val, foo)),
4361 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4362 BPF_MOV64_IMM(BPF_REG_2, -1),
4363 BPF_MOV64_IMM(BPF_REG_3, 0),
4364 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4367 .fixup_map2 = { 3 },
4368 .errstr = "R1 min value is outside of the array range",
4370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4373 "helper access to adjusted map (via variable): full range",
4375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4378 BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4382 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4383 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4384 offsetof(struct test_val, foo), 4),
4385 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4386 BPF_MOV64_IMM(BPF_REG_2,
4387 sizeof(struct test_val) -
4388 offsetof(struct test_val, foo)),
4389 BPF_MOV64_IMM(BPF_REG_3, 0),
4390 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4393 .fixup_map2 = { 3 },
4395 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4398 "helper access to adjusted map (via variable): partial range",
4400 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4402 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4403 BPF_LD_MAP_FD(BPF_REG_1, 0),
4404 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4405 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4408 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4409 offsetof(struct test_val, foo), 4),
4410 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4411 BPF_MOV64_IMM(BPF_REG_2, 8),
4412 BPF_MOV64_IMM(BPF_REG_3, 0),
4413 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4416 .fixup_map2 = { 3 },
4418 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4421 "helper access to adjusted map (via variable): empty range",
4423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4425 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4426 BPF_LD_MAP_FD(BPF_REG_1, 0),
4427 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4430 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4431 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4432 offsetof(struct test_val, foo), 4),
4433 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4434 BPF_MOV64_IMM(BPF_REG_2, 0),
4435 BPF_MOV64_IMM(BPF_REG_3, 0),
4436 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4439 .fixup_map2 = { 3 },
4440 .errstr = "R1 min value is outside of the array range",
4442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4445 "helper access to adjusted map (via variable): no max check",
4447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4449 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4450 BPF_LD_MAP_FD(BPF_REG_1, 0),
4451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4455 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4456 BPF_MOV64_IMM(BPF_REG_2, 0),
4457 BPF_MOV64_IMM(BPF_REG_3, 0),
4458 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4461 .fixup_map2 = { 3 },
4462 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check",
4464 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4467 "helper access to adjusted map (via variable): wrong max check",
4469 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4470 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4471 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4472 BPF_LD_MAP_FD(BPF_REG_1, 0),
4473 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4474 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4475 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4477 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4478 offsetof(struct test_val, foo), 4),
4479 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4480 BPF_MOV64_IMM(BPF_REG_2,
4481 sizeof(struct test_val) -
4482 offsetof(struct test_val, foo) + 1),
4483 BPF_MOV64_IMM(BPF_REG_3, 0),
4484 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4487 .fixup_map2 = { 3 },
4488 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4490 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4493 "map element value is preserved across register spilling",
4495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4497 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4498 BPF_LD_MAP_FD(BPF_REG_1, 0),
4499 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4500 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4501 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4503 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4504 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4505 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4506 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4509 .fixup_map2 = { 3 },
4510 .errstr_unpriv = "R0 leaks addr",
4512 .result_unpriv = REJECT,
4515 "map element value or null is marked on register spilling",
4517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4519 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4520 BPF_LD_MAP_FD(BPF_REG_1, 0),
4521 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
4524 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4526 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4527 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4530 .fixup_map2 = { 3 },
4531 .errstr_unpriv = "R0 leaks addr",
4533 .result_unpriv = REJECT,
4536 "map element value store of cleared call register",
4538 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4540 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4541 BPF_LD_MAP_FD(BPF_REG_1, 0),
4542 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4544 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
4547 .fixup_map2 = { 3 },
4548 .errstr_unpriv = "R1 !read_ok",
4549 .errstr = "R1 !read_ok",
4551 .result_unpriv = REJECT,
4554 "map element value with unaligned store",
4556 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4558 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4559 BPF_LD_MAP_FD(BPF_REG_1, 0),
4560 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4561 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
4562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4563 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4564 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
4565 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
4566 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4567 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
4568 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
4569 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
4570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
4571 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
4572 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
4573 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
4574 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
4575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
4576 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
4577 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
4578 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
4581 .fixup_map2 = { 3 },
4582 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4584 .result_unpriv = REJECT,
4585 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4588 "map element value with unaligned load",
4590 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4592 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4593 BPF_LD_MAP_FD(BPF_REG_1, 0),
4594 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4595 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4596 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4597 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
4598 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4599 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4600 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
4601 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4602 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
4603 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
4604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
4605 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4606 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
4609 .fixup_map2 = { 3 },
4610 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4612 .result_unpriv = REJECT,
4613 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4616 "map element value illegal alu op, 1",
4618 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4620 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4621 BPF_LD_MAP_FD(BPF_REG_1, 0),
4622 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4623 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4624 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
4625 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4628 .fixup_map2 = { 3 },
4629 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4630 .errstr = "invalid mem access 'inv'",
4632 .result_unpriv = REJECT,
4635 "map element value illegal alu op, 2",
4637 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4639 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4640 BPF_LD_MAP_FD(BPF_REG_1, 0),
4641 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4642 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4643 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
4644 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4647 .fixup_map2 = { 3 },
4648 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4649 .errstr = "invalid mem access 'inv'",
4651 .result_unpriv = REJECT,
4654 "map element value illegal alu op, 3",
4656 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4658 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4659 BPF_LD_MAP_FD(BPF_REG_1, 0),
4660 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4661 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4662 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
4663 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4666 .fixup_map2 = { 3 },
4667 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4668 .errstr = "invalid mem access 'inv'",
4670 .result_unpriv = REJECT,
4673 "map element value illegal alu op, 4",
4675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4677 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4678 BPF_LD_MAP_FD(BPF_REG_1, 0),
4679 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4681 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
4682 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4685 .fixup_map2 = { 3 },
4686 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4687 .errstr = "invalid mem access 'inv'",
4689 .result_unpriv = REJECT,
4692 "map element value illegal alu op, 5",
4694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4696 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4697 BPF_LD_MAP_FD(BPF_REG_1, 0),
4698 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4699 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4700 BPF_MOV64_IMM(BPF_REG_3, 4096),
4701 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4703 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
4704 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
4705 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
4706 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4709 .fixup_map2 = { 3 },
4710 .errstr_unpriv = "R0 invalid mem access 'inv'",
4711 .errstr = "R0 invalid mem access 'inv'",
4713 .result_unpriv = REJECT,
4716 "map element value is preserved across register spilling",
4718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4720 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4721 BPF_LD_MAP_FD(BPF_REG_1, 0),
4722 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4723 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
4725 offsetof(struct test_val, foo)),
4726 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4727 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4729 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4730 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4731 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4734 .fixup_map2 = { 3 },
4735 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4737 .result_unpriv = REJECT,
4738 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4741 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
4743 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4745 BPF_MOV64_IMM(BPF_REG_0, 0),
4746 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4747 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4748 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4749 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4750 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4751 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4752 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4753 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4754 BPF_MOV64_IMM(BPF_REG_2, 16),
4755 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4756 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4757 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4758 BPF_MOV64_IMM(BPF_REG_4, 0),
4759 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4760 BPF_MOV64_IMM(BPF_REG_3, 0),
4761 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4762 BPF_MOV64_IMM(BPF_REG_0, 0),
4766 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4769 "helper access to variable memory: stack, bitwise AND, zero included",
4771 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4773 BPF_MOV64_IMM(BPF_REG_2, 16),
4774 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4775 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4776 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4777 BPF_MOV64_IMM(BPF_REG_3, 0),
4778 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4781 .errstr = "invalid stack type R1 off=-64 access_size=0",
4783 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4786 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
4788 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4790 BPF_MOV64_IMM(BPF_REG_2, 16),
4791 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4792 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4793 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
4794 BPF_MOV64_IMM(BPF_REG_4, 0),
4795 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4796 BPF_MOV64_IMM(BPF_REG_3, 0),
4797 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4798 BPF_MOV64_IMM(BPF_REG_0, 0),
4801 .errstr = "invalid stack type R1 off=-64 access_size=65",
4803 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4806 "helper access to variable memory: stack, JMP, correct bounds",
4808 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4810 BPF_MOV64_IMM(BPF_REG_0, 0),
4811 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4812 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4813 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4814 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4815 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4816 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4817 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4818 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4819 BPF_MOV64_IMM(BPF_REG_2, 16),
4820 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4821 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4822 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
4823 BPF_MOV64_IMM(BPF_REG_4, 0),
4824 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4825 BPF_MOV64_IMM(BPF_REG_3, 0),
4826 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4827 BPF_MOV64_IMM(BPF_REG_0, 0),
4831 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4834 "helper access to variable memory: stack, JMP (signed), correct bounds",
4836 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4838 BPF_MOV64_IMM(BPF_REG_0, 0),
4839 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4840 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4841 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4842 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4843 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4844 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4845 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4846 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4847 BPF_MOV64_IMM(BPF_REG_2, 16),
4848 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4849 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4850 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
4851 BPF_MOV64_IMM(BPF_REG_4, 0),
4852 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
4853 BPF_MOV64_IMM(BPF_REG_3, 0),
4854 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4855 BPF_MOV64_IMM(BPF_REG_0, 0),
4859 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4862 "helper access to variable memory: stack, JMP, bounds + offset",
4864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4866 BPF_MOV64_IMM(BPF_REG_2, 16),
4867 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4868 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4869 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
4870 BPF_MOV64_IMM(BPF_REG_4, 0),
4871 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
4872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4873 BPF_MOV64_IMM(BPF_REG_3, 0),
4874 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4875 BPF_MOV64_IMM(BPF_REG_0, 0),
4878 .errstr = "invalid stack type R1 off=-64 access_size=65",
4880 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4883 "helper access to variable memory: stack, JMP, wrong max",
4885 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4886 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4887 BPF_MOV64_IMM(BPF_REG_2, 16),
4888 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4889 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4890 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
4891 BPF_MOV64_IMM(BPF_REG_4, 0),
4892 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4893 BPF_MOV64_IMM(BPF_REG_3, 0),
4894 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4895 BPF_MOV64_IMM(BPF_REG_0, 0),
4898 .errstr = "invalid stack type R1 off=-64 access_size=65",
4900 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4903 "helper access to variable memory: stack, JMP, no max check",
4905 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4907 BPF_MOV64_IMM(BPF_REG_2, 16),
4908 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4909 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4910 BPF_MOV64_IMM(BPF_REG_4, 0),
4911 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4912 BPF_MOV64_IMM(BPF_REG_3, 0),
4913 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4914 BPF_MOV64_IMM(BPF_REG_0, 0),
4917 .errstr = "R2 unbounded memory access",
4919 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4922 "helper access to variable memory: stack, JMP, no min check",
4924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4926 BPF_MOV64_IMM(BPF_REG_2, 16),
4927 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4928 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4929 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
4930 BPF_MOV64_IMM(BPF_REG_3, 0),
4931 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4932 BPF_MOV64_IMM(BPF_REG_0, 0),
4935 .errstr = "invalid stack type R1 off=-64 access_size=0",
4937 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4940 "helper access to variable memory: stack, JMP (signed), no min check",
4942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4944 BPF_MOV64_IMM(BPF_REG_2, 16),
4945 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4946 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4947 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
4948 BPF_MOV64_IMM(BPF_REG_3, 0),
4949 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4950 BPF_MOV64_IMM(BPF_REG_0, 0),
4953 .errstr = "R2 min value is negative",
4955 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4958 "helper access to variable memory: map, JMP, correct bounds",
4960 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4962 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4963 BPF_LD_MAP_FD(BPF_REG_1, 0),
4964 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4965 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4967 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4968 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4969 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4970 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4971 sizeof(struct test_val), 4),
4972 BPF_MOV64_IMM(BPF_REG_4, 0),
4973 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
4974 BPF_MOV64_IMM(BPF_REG_3, 0),
4975 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4976 BPF_MOV64_IMM(BPF_REG_0, 0),
4979 .fixup_map2 = { 3 },
4981 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4984 "helper access to variable memory: map, JMP, wrong max",
4986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4988 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4989 BPF_LD_MAP_FD(BPF_REG_1, 0),
4990 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4991 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4993 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4994 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4995 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4996 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4997 sizeof(struct test_val) + 1, 4),
4998 BPF_MOV64_IMM(BPF_REG_4, 0),
4999 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5000 BPF_MOV64_IMM(BPF_REG_3, 0),
5001 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5002 BPF_MOV64_IMM(BPF_REG_0, 0),
5005 .fixup_map2 = { 3 },
5006 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5008 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5011 "helper access to variable memory: map adjusted, JMP, correct bounds",
5013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5015 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5016 BPF_LD_MAP_FD(BPF_REG_1, 0),
5017 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5018 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5019 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5020 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5021 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5022 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5023 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5024 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5025 sizeof(struct test_val) - 20, 4),
5026 BPF_MOV64_IMM(BPF_REG_4, 0),
5027 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5028 BPF_MOV64_IMM(BPF_REG_3, 0),
5029 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5030 BPF_MOV64_IMM(BPF_REG_0, 0),
5033 .fixup_map2 = { 3 },
5035 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5038 "helper access to variable memory: map adjusted, JMP, wrong max",
5040 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5042 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5043 BPF_LD_MAP_FD(BPF_REG_1, 0),
5044 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5045 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5046 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5048 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5049 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5050 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5051 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5052 sizeof(struct test_val) - 19, 4),
5053 BPF_MOV64_IMM(BPF_REG_4, 0),
5054 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5055 BPF_MOV64_IMM(BPF_REG_3, 0),
5056 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5057 BPF_MOV64_IMM(BPF_REG_0, 0),
5060 .fixup_map2 = { 3 },
5061 .errstr = "R1 min value is outside of the array range",
5063 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5066 "helper access to variable memory: size > 0 not allowed on NULL",
5068 BPF_MOV64_IMM(BPF_REG_1, 0),
5069 BPF_MOV64_IMM(BPF_REG_2, 0),
5070 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5071 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5072 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5073 BPF_MOV64_IMM(BPF_REG_3, 0),
5074 BPF_MOV64_IMM(BPF_REG_4, 0),
5075 BPF_MOV64_IMM(BPF_REG_5, 0),
5076 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5079 .errstr = "R1 type=imm expected=fp",
5081 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5084 "helper access to variable memory: size = 0 not allowed on != NULL",
5086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5088 BPF_MOV64_IMM(BPF_REG_2, 0),
5089 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5090 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5091 BPF_MOV64_IMM(BPF_REG_3, 0),
5092 BPF_MOV64_IMM(BPF_REG_4, 0),
5093 BPF_MOV64_IMM(BPF_REG_5, 0),
5094 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5097 .errstr = "invalid stack type R1 off=-8 access_size=0",
5099 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5102 "helper access to variable memory: 8 bytes leak",
5104 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5106 BPF_MOV64_IMM(BPF_REG_0, 0),
5107 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5108 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5109 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5110 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5111 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5112 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5113 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5114 BPF_MOV64_IMM(BPF_REG_2, 0),
5115 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5116 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5117 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5119 BPF_MOV64_IMM(BPF_REG_3, 0),
5120 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5121 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5124 .errstr = "invalid indirect read from stack off -64+32 size 64",
5126 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5129 "helper access to variable memory: 8 bytes no leak (init memory)",
5131 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5132 BPF_MOV64_IMM(BPF_REG_0, 0),
5133 BPF_MOV64_IMM(BPF_REG_0, 0),
5134 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5135 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5136 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5137 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5138 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5139 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5140 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5141 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5142 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5143 BPF_MOV64_IMM(BPF_REG_2, 0),
5144 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5145 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5146 BPF_MOV64_IMM(BPF_REG_3, 0),
5147 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5148 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5152 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5155 "invalid and of negative number",
5157 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5160 BPF_LD_MAP_FD(BPF_REG_1, 0),
5161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5162 BPF_FUNC_map_lookup_elem),
5163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5164 BPF_MOV64_IMM(BPF_REG_1, 6),
5165 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5166 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5167 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5168 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5169 offsetof(struct test_val, foo)),
5172 .fixup_map2 = { 3 },
5173 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5174 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5176 .result_unpriv = REJECT,
5177 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5180 "invalid range check",
5182 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5183 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5185 BPF_LD_MAP_FD(BPF_REG_1, 0),
5186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5187 BPF_FUNC_map_lookup_elem),
5188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5189 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5190 BPF_MOV64_IMM(BPF_REG_9, 1),
5191 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5192 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5193 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5194 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5195 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5196 BPF_MOV32_IMM(BPF_REG_3, 1),
5197 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5198 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5199 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5200 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5201 BPF_MOV64_REG(BPF_REG_0, 0),
5204 .fixup_map2 = { 3 },
5205 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5206 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5208 .result_unpriv = REJECT,
5209 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5212 "map in map access",
5214 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5217 BPF_LD_MAP_FD(BPF_REG_1, 0),
5218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5219 BPF_FUNC_map_lookup_elem),
5220 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5221 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5224 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5226 BPF_FUNC_map_lookup_elem),
5227 BPF_MOV64_REG(BPF_REG_0, 0),
5230 .fixup_map_in_map = { 3 },
5234 "invalid inner map pointer",
5236 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5237 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5239 BPF_LD_MAP_FD(BPF_REG_1, 0),
5240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5241 BPF_FUNC_map_lookup_elem),
5242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5243 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
5248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5249 BPF_FUNC_map_lookup_elem),
5250 BPF_MOV64_REG(BPF_REG_0, 0),
5253 .fixup_map_in_map = { 3 },
5254 .errstr = "R1 type=inv expected=map_ptr",
5255 .errstr_unpriv = "R1 pointer arithmetic prohibited",
5259 "forgot null checking on the inner map pointer",
5261 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5262 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5264 BPF_LD_MAP_FD(BPF_REG_1, 0),
5265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5266 BPF_FUNC_map_lookup_elem),
5267 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5268 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5269 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5271 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5272 BPF_FUNC_map_lookup_elem),
5273 BPF_MOV64_REG(BPF_REG_0, 0),
5276 .fixup_map_in_map = { 3 },
5277 .errstr = "R1 type=map_value_or_null expected=map_ptr",
5281 "ld_abs: check calling conv, r1",
5283 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5284 BPF_MOV64_IMM(BPF_REG_1, 0),
5285 BPF_LD_ABS(BPF_W, -0x200000),
5286 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5289 .errstr = "R1 !read_ok",
5293 "ld_abs: check calling conv, r2",
5295 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5296 BPF_MOV64_IMM(BPF_REG_2, 0),
5297 BPF_LD_ABS(BPF_W, -0x200000),
5298 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5301 .errstr = "R2 !read_ok",
5305 "ld_abs: check calling conv, r3",
5307 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5308 BPF_MOV64_IMM(BPF_REG_3, 0),
5309 BPF_LD_ABS(BPF_W, -0x200000),
5310 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
5313 .errstr = "R3 !read_ok",
5317 "ld_abs: check calling conv, r4",
5319 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5320 BPF_MOV64_IMM(BPF_REG_4, 0),
5321 BPF_LD_ABS(BPF_W, -0x200000),
5322 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
5325 .errstr = "R4 !read_ok",
5329 "ld_abs: check calling conv, r5",
5331 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5332 BPF_MOV64_IMM(BPF_REG_5, 0),
5333 BPF_LD_ABS(BPF_W, -0x200000),
5334 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
5337 .errstr = "R5 !read_ok",
5341 "ld_abs: check calling conv, r7",
5343 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5344 BPF_MOV64_IMM(BPF_REG_7, 0),
5345 BPF_LD_ABS(BPF_W, -0x200000),
5346 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
5352 "ld_ind: check calling conv, r1",
5354 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5355 BPF_MOV64_IMM(BPF_REG_1, 1),
5356 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
5357 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5360 .errstr = "R1 !read_ok",
5364 "ld_ind: check calling conv, r2",
5366 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5367 BPF_MOV64_IMM(BPF_REG_2, 1),
5368 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
5369 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5372 .errstr = "R2 !read_ok",
5376 "ld_ind: check calling conv, r3",
5378 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5379 BPF_MOV64_IMM(BPF_REG_3, 1),
5380 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
5381 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
5384 .errstr = "R3 !read_ok",
5388 "ld_ind: check calling conv, r4",
5390 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5391 BPF_MOV64_IMM(BPF_REG_4, 1),
5392 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
5393 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
5396 .errstr = "R4 !read_ok",
5400 "ld_ind: check calling conv, r5",
5402 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5403 BPF_MOV64_IMM(BPF_REG_5, 1),
5404 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
5405 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
5408 .errstr = "R5 !read_ok",
5412 "ld_ind: check calling conv, r7",
5414 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5415 BPF_MOV64_IMM(BPF_REG_7, 1),
5416 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
5417 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
5423 "check bpf_perf_event_data->sample_period byte load permitted",
5425 BPF_MOV64_IMM(BPF_REG_0, 0),
5426 #if __BYTE_ORDER == __LITTLE_ENDIAN
5427 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
5428 offsetof(struct bpf_perf_event_data, sample_period)),
5430 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
5431 offsetof(struct bpf_perf_event_data, sample_period) + 7),
5436 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5439 "check bpf_perf_event_data->sample_period half load permitted",
5441 BPF_MOV64_IMM(BPF_REG_0, 0),
5442 #if __BYTE_ORDER == __LITTLE_ENDIAN
5443 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5444 offsetof(struct bpf_perf_event_data, sample_period)),
5446 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5447 offsetof(struct bpf_perf_event_data, sample_period) + 6),
5452 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5455 "check bpf_perf_event_data->sample_period word load permitted",
5457 BPF_MOV64_IMM(BPF_REG_0, 0),
5458 #if __BYTE_ORDER == __LITTLE_ENDIAN
5459 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5460 offsetof(struct bpf_perf_event_data, sample_period)),
5462 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5463 offsetof(struct bpf_perf_event_data, sample_period) + 4),
5468 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5471 "check bpf_perf_event_data->sample_period dword load permitted",
5473 BPF_MOV64_IMM(BPF_REG_0, 0),
5474 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5475 offsetof(struct bpf_perf_event_data, sample_period)),
5479 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5482 "check skb->data half load not permitted",
5484 BPF_MOV64_IMM(BPF_REG_0, 0),
5485 #if __BYTE_ORDER == __LITTLE_ENDIAN
5486 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5487 offsetof(struct __sk_buff, data)),
5489 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5490 offsetof(struct __sk_buff, data) + 2),
5495 .errstr = "invalid bpf_context access",
5498 "check skb->tc_classid half load not permitted for lwt prog",
5500 BPF_MOV64_IMM(BPF_REG_0, 0),
5501 #if __BYTE_ORDER == __LITTLE_ENDIAN
5502 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5503 offsetof(struct __sk_buff, tc_classid)),
5505 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5506 offsetof(struct __sk_buff, tc_classid) + 2),
5511 .errstr = "invalid bpf_context access",
5512 .prog_type = BPF_PROG_TYPE_LWT_IN,
5515 "bounds checks mixing signed and unsigned, positive bounds",
5517 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5518 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5520 BPF_LD_MAP_FD(BPF_REG_1, 0),
5521 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5522 BPF_FUNC_map_lookup_elem),
5523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5524 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5525 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5526 BPF_MOV64_IMM(BPF_REG_2, 2),
5527 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
5528 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
5529 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5530 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5531 BPF_MOV64_IMM(BPF_REG_0, 0),
5534 .fixup_map1 = { 3 },
5535 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5536 .errstr = "R0 min value is negative",
5538 .result_unpriv = REJECT,
5541 "bounds checks mixing signed and unsigned",
5543 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5544 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5546 BPF_LD_MAP_FD(BPF_REG_1, 0),
5547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5548 BPF_FUNC_map_lookup_elem),
5549 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5550 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5551 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5552 BPF_MOV64_IMM(BPF_REG_2, -1),
5553 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
5554 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5555 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5556 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5557 BPF_MOV64_IMM(BPF_REG_0, 0),
5560 .fixup_map1 = { 3 },
5561 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5562 .errstr = "R0 min value is negative",
5564 .result_unpriv = REJECT,
5567 "bounds checks mixing signed and unsigned, variant 2",
5569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5570 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5571 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5572 BPF_LD_MAP_FD(BPF_REG_1, 0),
5573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5574 BPF_FUNC_map_lookup_elem),
5575 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5576 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5577 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5578 BPF_MOV64_IMM(BPF_REG_2, -1),
5579 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
5580 BPF_MOV64_IMM(BPF_REG_8, 0),
5581 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
5582 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
5583 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5584 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
5585 BPF_MOV64_IMM(BPF_REG_0, 0),
5588 .fixup_map1 = { 3 },
5589 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5590 .errstr = "R8 invalid mem access 'inv'",
5592 .result_unpriv = REJECT,
5595 "bounds checks mixing signed and unsigned, variant 3",
5597 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5598 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5600 BPF_LD_MAP_FD(BPF_REG_1, 0),
5601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5602 BPF_FUNC_map_lookup_elem),
5603 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
5604 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5605 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5606 BPF_MOV64_IMM(BPF_REG_2, -1),
5607 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
5608 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5609 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
5610 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5611 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
5612 BPF_MOV64_IMM(BPF_REG_0, 0),
5615 .fixup_map1 = { 3 },
5616 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5617 .errstr = "R8 invalid mem access 'inv'",
5619 .result_unpriv = REJECT,
5622 "bounds checks mixing signed and unsigned, variant 4",
5624 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5625 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5627 BPF_LD_MAP_FD(BPF_REG_1, 0),
5628 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5629 BPF_FUNC_map_lookup_elem),
5630 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5631 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5632 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5633 BPF_MOV64_IMM(BPF_REG_2, 1),
5634 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
5635 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5636 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5637 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5638 BPF_MOV64_IMM(BPF_REG_0, 0),
5641 .fixup_map1 = { 3 },
5642 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5643 .errstr = "R0 min value is negative",
5645 .result_unpriv = REJECT,
5648 "bounds checks mixing signed and unsigned, variant 5",
5650 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5653 BPF_LD_MAP_FD(BPF_REG_1, 0),
5654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5655 BPF_FUNC_map_lookup_elem),
5656 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5657 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5658 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5659 BPF_MOV64_IMM(BPF_REG_2, -1),
5660 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
5661 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
5662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
5663 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
5664 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5665 BPF_MOV64_IMM(BPF_REG_0, 0),
5668 .fixup_map1 = { 3 },
5669 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5670 .errstr = "R0 invalid mem access",
5672 .result_unpriv = REJECT,
5675 "bounds checks mixing signed and unsigned, variant 6",
5677 BPF_MOV64_IMM(BPF_REG_2, 0),
5678 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
5679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
5680 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5681 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
5682 BPF_MOV64_IMM(BPF_REG_6, -1),
5683 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
5684 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
5685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
5686 BPF_MOV64_IMM(BPF_REG_5, 0),
5687 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
5688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5689 BPF_FUNC_skb_load_bytes),
5690 BPF_MOV64_IMM(BPF_REG_0, 0),
5693 .errstr_unpriv = "R4 min value is negative, either use unsigned",
5694 .errstr = "R4 min value is negative, either use unsigned",
5696 .result_unpriv = REJECT,
5699 "bounds checks mixing signed and unsigned, variant 7",
5701 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5702 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5704 BPF_LD_MAP_FD(BPF_REG_1, 0),
5705 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5706 BPF_FUNC_map_lookup_elem),
5707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5708 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5709 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5710 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
5711 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
5712 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5713 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5714 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5715 BPF_MOV64_IMM(BPF_REG_0, 0),
5718 .fixup_map1 = { 3 },
5719 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5720 .errstr = "R0 min value is negative",
5722 .result_unpriv = REJECT,
5725 "bounds checks mixing signed and unsigned, variant 8",
5727 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5730 BPF_LD_MAP_FD(BPF_REG_1, 0),
5731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5732 BPF_FUNC_map_lookup_elem),
5733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5734 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5735 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5736 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024 + 1),
5737 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
5738 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5739 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5740 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5741 BPF_MOV64_IMM(BPF_REG_0, 0),
5744 .fixup_map1 = { 3 },
5745 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5746 .errstr = "R0 min value is negative",
5748 .result_unpriv = REJECT,
5751 "bounds checks mixing signed and unsigned, variant 9",
5753 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5756 BPF_LD_MAP_FD(BPF_REG_1, 0),
5757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5758 BPF_FUNC_map_lookup_elem),
5759 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5760 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5761 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5762 BPF_MOV64_IMM(BPF_REG_2, -1),
5763 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
5764 BPF_MOV64_IMM(BPF_REG_0, 0),
5766 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5767 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5768 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5769 BPF_MOV64_IMM(BPF_REG_0, 0),
5772 .fixup_map1 = { 3 },
5773 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5774 .errstr = "R0 min value is negative",
5776 .result_unpriv = REJECT,
5779 "bounds checks mixing signed and unsigned, variant 10",
5781 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5782 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5784 BPF_LD_MAP_FD(BPF_REG_1, 0),
5785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5786 BPF_FUNC_map_lookup_elem),
5787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5788 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5789 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5790 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
5791 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
5792 BPF_MOV64_IMM(BPF_REG_0, 0),
5794 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5795 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5796 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5797 BPF_MOV64_IMM(BPF_REG_0, 0),
5800 .fixup_map1 = { 3 },
5801 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5802 .errstr = "R0 min value is negative",
5804 .result_unpriv = REJECT,
5807 "bounds checks mixing signed and unsigned, variant 11",
5809 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5812 BPF_LD_MAP_FD(BPF_REG_1, 0),
5813 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5814 BPF_FUNC_map_lookup_elem),
5815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5817 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5818 BPF_MOV64_IMM(BPF_REG_2, 0),
5819 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
5820 BPF_MOV64_IMM(BPF_REG_0, 0),
5822 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5823 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5824 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5825 BPF_MOV64_IMM(BPF_REG_0, 0),
5828 .fixup_map1 = { 3 },
5829 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5830 .errstr = "R0 min value is negative",
5832 .result_unpriv = REJECT,
5835 "bounds checks mixing signed and unsigned, variant 12",
5837 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5840 BPF_LD_MAP_FD(BPF_REG_1, 0),
5841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5842 BPF_FUNC_map_lookup_elem),
5843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5844 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5845 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5846 BPF_MOV64_IMM(BPF_REG_2, -1),
5847 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
5849 BPF_MOV64_IMM(BPF_REG_0, 0),
5851 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5853 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5854 BPF_MOV64_IMM(BPF_REG_0, 0),
5857 .fixup_map1 = { 3 },
5858 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5859 .errstr = "R0 min value is negative",
5861 .result_unpriv = REJECT,
5864 "bounds checks mixing signed and unsigned, variant 13",
5866 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5869 BPF_LD_MAP_FD(BPF_REG_1, 0),
5870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5871 BPF_FUNC_map_lookup_elem),
5872 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5873 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5874 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5875 BPF_MOV64_IMM(BPF_REG_2, -6),
5876 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
5877 BPF_MOV64_IMM(BPF_REG_0, 0),
5879 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5880 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5881 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5882 BPF_MOV64_IMM(BPF_REG_0, 0),
5885 .fixup_map1 = { 3 },
5886 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5887 .errstr = "R0 min value is negative",
5889 .result_unpriv = REJECT,
5892 "bounds checks mixing signed and unsigned, variant 14",
5894 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5897 BPF_LD_MAP_FD(BPF_REG_1, 0),
5898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5899 BPF_FUNC_map_lookup_elem),
5900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5901 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5902 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5903 BPF_MOV64_IMM(BPF_REG_2, 2),
5904 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
5905 BPF_MOV64_IMM(BPF_REG_7, 1),
5906 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
5907 BPF_MOV64_IMM(BPF_REG_0, 0),
5909 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
5910 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
5911 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
5912 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5913 BPF_MOV64_IMM(BPF_REG_0, 0),
5916 .fixup_map1 = { 3 },
5917 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5918 .errstr = "R0 min value is negative",
5920 .result_unpriv = REJECT,
5923 "bounds checks mixing signed and unsigned, variant 15",
5925 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5926 offsetof(struct __sk_buff, mark)),
5927 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5928 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5930 BPF_LD_MAP_FD(BPF_REG_1, 0),
5931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5932 BPF_FUNC_map_lookup_elem),
5933 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
5934 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5935 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5936 BPF_MOV64_IMM(BPF_REG_2, -1),
5937 BPF_MOV64_IMM(BPF_REG_8, 2),
5938 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
5939 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
5940 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5941 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5942 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5943 BPF_MOV64_IMM(BPF_REG_0, 0),
5945 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
5946 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
5948 .fixup_map1 = { 4 },
5949 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5950 .errstr = "R0 min value is negative",
5952 .result_unpriv = REJECT,
5955 "bounds checks mixing signed and unsigned, variant 16",
5957 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5958 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5960 BPF_LD_MAP_FD(BPF_REG_1, 0),
5961 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5962 BPF_FUNC_map_lookup_elem),
5963 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5964 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5965 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5966 BPF_MOV64_IMM(BPF_REG_2, -6),
5967 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
5968 BPF_MOV64_IMM(BPF_REG_0, 0),
5970 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5971 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
5972 BPF_MOV64_IMM(BPF_REG_0, 0),
5974 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5975 BPF_MOV64_IMM(BPF_REG_0, 0),
5978 .fixup_map1 = { 3 },
5979 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5980 .errstr = "R0 min value is negative",
5982 .result_unpriv = REJECT,
5985 "subtraction bounds (map value)",
5987 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5988 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5989 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5990 BPF_LD_MAP_FD(BPF_REG_1, 0),
5991 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5992 BPF_FUNC_map_lookup_elem),
5993 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5994 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
5995 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
5996 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
5997 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
5998 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
5999 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6000 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6001 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6003 BPF_MOV64_IMM(BPF_REG_0, 0),
6006 .fixup_map1 = { 3 },
6007 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6008 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6010 .result_unpriv = REJECT,
6014 static int probe_filter_length(const struct bpf_insn *fp)
6018 for (len = MAX_INSNS - 1; len > 0; --len)
6019 if (fp[len].code != 0 || fp[len].imm != 0)
6024 static int create_map(uint32_t size_value, uint32_t max_elem)
6028 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
6029 size_value, max_elem, BPF_F_NO_PREALLOC);
6031 printf("Failed to create hash map '%s'!\n", strerror(errno));
6036 static int create_prog_array(void)
6040 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
6043 printf("Failed to create prog array '%s'!\n", strerror(errno));
6048 static int create_map_in_map(void)
6050 int inner_map_fd, outer_map_fd;
6052 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
6054 if (inner_map_fd < 0) {
6055 printf("Failed to create array '%s'!\n", strerror(errno));
6056 return inner_map_fd;
6059 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS,
6060 sizeof(int), inner_map_fd, 1, 0);
6061 if (outer_map_fd < 0)
6062 printf("Failed to create array of maps '%s'!\n",
6065 close(inner_map_fd);
6067 return outer_map_fd;
6070 static char bpf_vlog[32768];
6072 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
6075 int *fixup_map1 = test->fixup_map1;
6076 int *fixup_map2 = test->fixup_map2;
6077 int *fixup_prog = test->fixup_prog;
6078 int *fixup_map_in_map = test->fixup_map_in_map;
6080 /* Allocating HTs with 1 elem is fine here, since we only test
6081 * for verifier and not do a runtime lookup, so the only thing
6082 * that really matters is value size in this case.
6085 map_fds[0] = create_map(sizeof(long long), 1);
6087 prog[*fixup_map1].imm = map_fds[0];
6089 } while (*fixup_map1);
6093 map_fds[1] = create_map(sizeof(struct test_val), 1);
6095 prog[*fixup_map2].imm = map_fds[1];
6097 } while (*fixup_map2);
6101 map_fds[2] = create_prog_array();
6103 prog[*fixup_prog].imm = map_fds[2];
6105 } while (*fixup_prog);
6108 if (*fixup_map_in_map) {
6109 map_fds[3] = create_map_in_map();
6111 prog[*fixup_map_in_map].imm = map_fds[3];
6113 } while (*fixup_map_in_map);
6117 static void do_test_single(struct bpf_test *test, bool unpriv,
6118 int *passes, int *errors)
6120 int fd_prog, expected_ret, reject_from_alignment;
6121 struct bpf_insn *prog = test->insns;
6122 int prog_len = probe_filter_length(prog);
6123 int prog_type = test->prog_type;
6124 int map_fds[MAX_NR_MAPS];
6125 const char *expected_err;
6128 for (i = 0; i < MAX_NR_MAPS; i++)
6131 do_test_fixup(test, prog, map_fds);
6133 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
6134 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
6135 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
6137 expected_ret = unpriv && test->result_unpriv != UNDEF ?
6138 test->result_unpriv : test->result;
6139 expected_err = unpriv && test->errstr_unpriv ?
6140 test->errstr_unpriv : test->errstr;
6142 reject_from_alignment = fd_prog < 0 &&
6143 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
6144 strstr(bpf_vlog, "Unknown alignment.");
6145 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
6146 if (reject_from_alignment) {
6147 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
6152 if (expected_ret == ACCEPT) {
6153 if (fd_prog < 0 && !reject_from_alignment) {
6154 printf("FAIL\nFailed to load prog '%s'!\n",
6160 printf("FAIL\nUnexpected success to load!\n");
6163 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
6164 printf("FAIL\nUnexpected error message!\n");
6170 printf("OK%s\n", reject_from_alignment ?
6171 " (NOTE: reject due to unknown alignment)" : "");
6174 for (i = 0; i < MAX_NR_MAPS; i++)
6180 printf("%s", bpf_vlog);
6184 static bool is_admin(void)
6187 cap_flag_value_t sysadmin = CAP_CLEAR;
6188 const cap_value_t cap_val = CAP_SYS_ADMIN;
6190 #ifdef CAP_IS_SUPPORTED
6191 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
6192 perror("cap_get_flag");
6196 caps = cap_get_proc();
6198 perror("cap_get_proc");
6201 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
6202 perror("cap_get_flag");
6205 return (sysadmin == CAP_SET);
6208 static int set_admin(bool admin)
6211 const cap_value_t cap_val = CAP_SYS_ADMIN;
6214 caps = cap_get_proc();
6216 perror("cap_get_proc");
6219 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
6220 admin ? CAP_SET : CAP_CLEAR)) {
6221 perror("cap_set_flag");
6224 if (cap_set_proc(caps)) {
6225 perror("cap_set_proc");
6235 static int do_test(bool unpriv, unsigned int from, unsigned int to)
6237 int i, passes = 0, errors = 0;
6239 for (i = from; i < to; i++) {
6240 struct bpf_test *test = &tests[i];
6242 /* Program types that are not supported by non-root we
6245 if (!test->prog_type) {
6248 printf("#%d/u %s ", i, test->descr);
6249 do_test_single(test, true, &passes, &errors);
6255 printf("#%d/p %s ", i, test->descr);
6256 do_test_single(test, false, &passes, &errors);
6260 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
6261 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
6264 int main(int argc, char **argv)
6266 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
6267 struct rlimit rlim = { 1 << 20, 1 << 20 };
6268 unsigned int from = 0, to = ARRAY_SIZE(tests);
6269 bool unpriv = !is_admin();
6272 unsigned int l = atoi(argv[argc - 2]);
6273 unsigned int u = atoi(argv[argc - 1]);
6275 if (l < to && u < to) {
6279 } else if (argc == 2) {
6280 unsigned int t = atoi(argv[argc - 1]);
6288 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
6289 return do_test(unpriv, from, to);
projects / karo-tx-linux.git / blob