2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
19 #include <sys/resource.h>
21 #include <linux/unistd.h>
22 #include <linux/filter.h>
23 #include <linux/bpf_perf_event.h>
24 #include <linux/bpf.h>
26 #include "../../../include/linux/filter.h"
31 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
39 struct bpf_insn insns[MAX_INSNS];
40 int fixup_map1[MAX_FIXUPS];
41 int fixup_map2[MAX_FIXUPS];
42 int fixup_prog[MAX_FIXUPS];
44 const char *errstr_unpriv;
49 } result, result_unpriv;
50 enum bpf_prog_type prog_type;
53 /* Note we want this to be 64 bit aligned so that the end of our array is
54 * actually the end of the structure.
56 #define MAX_ENTRIES 11
63 static struct bpf_test tests[] = {
67 BPF_MOV64_IMM(BPF_REG_1, 1),
68 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
69 BPF_MOV64_IMM(BPF_REG_2, 3),
70 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
71 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
72 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
73 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
84 .errstr = "unreachable",
90 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
91 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
94 .errstr = "unreachable",
100 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
103 .errstr = "jump out of range",
107 "out of range jump2",
109 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
112 .errstr = "jump out of range",
118 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
119 BPF_LD_IMM64(BPF_REG_0, 0),
120 BPF_LD_IMM64(BPF_REG_0, 0),
121 BPF_LD_IMM64(BPF_REG_0, 1),
122 BPF_LD_IMM64(BPF_REG_0, 1),
123 BPF_MOV64_IMM(BPF_REG_0, 2),
126 .errstr = "invalid BPF_LD_IMM insn",
127 .errstr_unpriv = "R1 pointer comparison",
133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
134 BPF_LD_IMM64(BPF_REG_0, 0),
135 BPF_LD_IMM64(BPF_REG_0, 0),
136 BPF_LD_IMM64(BPF_REG_0, 1),
137 BPF_LD_IMM64(BPF_REG_0, 1),
140 .errstr = "invalid BPF_LD_IMM insn",
141 .errstr_unpriv = "R1 pointer comparison",
147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
148 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
149 BPF_LD_IMM64(BPF_REG_0, 0),
150 BPF_LD_IMM64(BPF_REG_0, 0),
151 BPF_LD_IMM64(BPF_REG_0, 1),
152 BPF_LD_IMM64(BPF_REG_0, 1),
155 .errstr = "invalid bpf_ld_imm64 insn",
161 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
164 .errstr = "invalid bpf_ld_imm64 insn",
170 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
172 .errstr = "invalid bpf_ld_imm64 insn",
178 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
180 .errstr = "jump out of range",
186 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
189 .errstr = "back-edge",
195 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
196 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
197 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
198 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
201 .errstr = "back-edge",
207 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
208 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
209 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
213 .errstr = "back-edge",
217 "read uninitialized register",
219 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
222 .errstr = "R2 !read_ok",
226 "read invalid register",
228 BPF_MOV64_REG(BPF_REG_0, -1),
231 .errstr = "R15 is invalid",
235 "program doesn't init R0 before exit",
237 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
240 .errstr = "R0 !read_ok",
244 "program doesn't init R0 before exit in all branches",
246 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
247 BPF_MOV64_IMM(BPF_REG_0, 1),
248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
251 .errstr = "R0 !read_ok",
252 .errstr_unpriv = "R1 pointer comparison",
256 "stack out of bounds",
258 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
261 .errstr = "invalid stack",
265 "invalid call insn1",
267 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
270 .errstr = "BPF_CALL uses reserved",
274 "invalid call insn2",
276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
279 .errstr = "BPF_CALL uses reserved",
283 "invalid function call",
285 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
288 .errstr = "invalid func unknown#1234567",
292 "uninitialized stack1",
294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
296 BPF_LD_MAP_FD(BPF_REG_1, 0),
297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
298 BPF_FUNC_map_lookup_elem),
302 .errstr = "invalid indirect read from stack",
306 "uninitialized stack2",
308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
309 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
312 .errstr = "invalid read from stack",
316 "invalid argument register",
318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
319 BPF_FUNC_get_cgroup_classid),
320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
321 BPF_FUNC_get_cgroup_classid),
324 .errstr = "R1 !read_ok",
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
329 "non-invalid argument register",
331 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
333 BPF_FUNC_get_cgroup_classid),
334 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
336 BPF_FUNC_get_cgroup_classid),
340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 "check valid spill/fill",
345 /* spill R1(ctx) into stack */
346 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
347 /* fill it back into R2 */
348 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
349 /* should be able to access R0 = *(R2 + 8) */
350 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
351 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
354 .errstr_unpriv = "R0 leaks addr",
356 .result_unpriv = REJECT,
359 "check valid spill/fill, skb mark",
361 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
362 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
363 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
364 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
365 offsetof(struct __sk_buff, mark)),
369 .result_unpriv = ACCEPT,
372 "check corrupted spill/fill",
374 /* spill R1(ctx) into stack */
375 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
376 /* mess up with R1 pointer on stack */
377 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
378 /* fill back into R0 should fail */
379 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
382 .errstr_unpriv = "attempt to corrupt spilled",
383 .errstr = "corrupted spill",
387 "invalid src register in STX",
389 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
392 .errstr = "R15 is invalid",
396 "invalid dst register in STX",
398 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
401 .errstr = "R14 is invalid",
405 "invalid dst register in ST",
407 BPF_ST_MEM(BPF_B, 14, -1, -1),
410 .errstr = "R14 is invalid",
414 "invalid src register in LDX",
416 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
419 .errstr = "R12 is invalid",
423 "invalid dst register in LDX",
425 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
428 .errstr = "R11 is invalid",
434 BPF_RAW_INSN(0, 0, 0, 0, 0),
437 .errstr = "invalid BPF_LD_IMM",
443 BPF_RAW_INSN(1, 0, 0, 0, 0),
446 .errstr = "BPF_LDX uses reserved fields",
452 BPF_RAW_INSN(-1, 0, 0, 0, 0),
455 .errstr = "invalid BPF_ALU opcode f0",
461 BPF_RAW_INSN(-1, -1, -1, -1, -1),
464 .errstr = "invalid BPF_ALU opcode f0",
470 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
473 .errstr = "BPF_ALU uses reserved fields",
477 "misaligned read from stack",
479 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
480 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
483 .errstr = "misaligned access",
487 "invalid map_fd for function call",
489 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
490 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
492 BPF_LD_MAP_FD(BPF_REG_1, 0),
493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
494 BPF_FUNC_map_delete_elem),
497 .errstr = "fd 0 is not pointing to valid bpf_map",
501 "don't check return value before access",
503 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
506 BPF_LD_MAP_FD(BPF_REG_1, 0),
507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
508 BPF_FUNC_map_lookup_elem),
509 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
513 .errstr = "R0 invalid mem access 'map_value_or_null'",
517 "access memory with incorrect alignment",
519 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
522 BPF_LD_MAP_FD(BPF_REG_1, 0),
523 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
524 BPF_FUNC_map_lookup_elem),
525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
526 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
530 .errstr = "misaligned access",
534 "sometimes access memory with incorrect alignment",
536 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
537 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
539 BPF_LD_MAP_FD(BPF_REG_1, 0),
540 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
541 BPF_FUNC_map_lookup_elem),
542 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
543 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
545 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
549 .errstr = "R0 invalid mem access",
550 .errstr_unpriv = "R0 leaks addr",
556 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
557 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
558 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
559 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
561 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
562 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
563 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
564 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
565 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
566 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
567 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
568 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
569 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
570 BPF_MOV64_IMM(BPF_REG_0, 0),
573 .errstr_unpriv = "R1 pointer comparison",
574 .result_unpriv = REJECT,
580 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
581 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
582 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
583 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
585 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
586 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
588 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
589 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
590 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
591 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
592 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
594 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
595 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
597 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
598 BPF_MOV64_IMM(BPF_REG_0, 0),
601 .errstr_unpriv = "R1 pointer comparison",
602 .result_unpriv = REJECT,
608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
609 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
610 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
612 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
614 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
616 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
617 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
618 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
620 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
621 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
622 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
624 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
625 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
626 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
628 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
629 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
630 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
632 BPF_LD_MAP_FD(BPF_REG_1, 0),
633 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
634 BPF_FUNC_map_delete_elem),
637 .fixup_map1 = { 24 },
638 .errstr_unpriv = "R1 pointer comparison",
639 .result_unpriv = REJECT,
645 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
646 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
647 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
648 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
649 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
651 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
654 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
655 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
656 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
657 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
658 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
659 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
660 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
661 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
662 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
666 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
667 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
670 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
671 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
674 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
676 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
678 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
680 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
681 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
685 BPF_MOV64_IMM(BPF_REG_0, 0),
688 .errstr_unpriv = "R1 pointer comparison",
689 .result_unpriv = REJECT,
695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
696 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
697 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
698 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
699 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
700 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
701 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
702 BPF_MOV64_IMM(BPF_REG_0, 0),
703 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
704 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
705 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
706 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
707 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
708 BPF_MOV64_IMM(BPF_REG_0, 0),
709 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
710 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
711 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
712 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
713 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
714 BPF_MOV64_IMM(BPF_REG_0, 0),
715 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
716 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
717 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
718 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
719 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
720 BPF_MOV64_IMM(BPF_REG_0, 0),
721 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
722 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
723 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
724 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
725 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
726 BPF_MOV64_IMM(BPF_REG_0, 0),
729 .errstr_unpriv = "R1 pointer comparison",
730 .result_unpriv = REJECT,
734 "access skb fields ok",
736 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
737 offsetof(struct __sk_buff, len)),
738 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
739 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
740 offsetof(struct __sk_buff, mark)),
741 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
742 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
743 offsetof(struct __sk_buff, pkt_type)),
744 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
746 offsetof(struct __sk_buff, queue_mapping)),
747 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
748 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
749 offsetof(struct __sk_buff, protocol)),
750 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
751 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
752 offsetof(struct __sk_buff, vlan_present)),
753 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
754 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
755 offsetof(struct __sk_buff, vlan_tci)),
756 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
762 "access skb fields bad1",
764 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
767 .errstr = "invalid bpf_context access",
771 "access skb fields bad2",
773 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
774 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
775 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
776 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
777 BPF_LD_MAP_FD(BPF_REG_1, 0),
778 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
779 BPF_FUNC_map_lookup_elem),
780 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
783 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
784 offsetof(struct __sk_buff, pkt_type)),
788 .errstr = "different pointers",
789 .errstr_unpriv = "R1 pointer comparison",
793 "access skb fields bad3",
795 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
796 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
797 offsetof(struct __sk_buff, pkt_type)),
799 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
800 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
802 BPF_LD_MAP_FD(BPF_REG_1, 0),
803 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
804 BPF_FUNC_map_lookup_elem),
805 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
807 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
808 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
811 .errstr = "different pointers",
812 .errstr_unpriv = "R1 pointer comparison",
816 "access skb fields bad4",
818 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
819 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
820 offsetof(struct __sk_buff, len)),
821 BPF_MOV64_IMM(BPF_REG_0, 0),
823 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
826 BPF_LD_MAP_FD(BPF_REG_1, 0),
827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
828 BPF_FUNC_map_lookup_elem),
829 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
832 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
835 .errstr = "different pointers",
836 .errstr_unpriv = "R1 pointer comparison",
840 "check skb->mark is not writeable by sockets",
842 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
843 offsetof(struct __sk_buff, mark)),
846 .errstr = "invalid bpf_context access",
847 .errstr_unpriv = "R1 leaks addr",
851 "check skb->tc_index is not writeable by sockets",
853 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
854 offsetof(struct __sk_buff, tc_index)),
857 .errstr = "invalid bpf_context access",
858 .errstr_unpriv = "R1 leaks addr",
862 "check cb access: byte",
864 BPF_MOV64_IMM(BPF_REG_0, 0),
865 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
866 offsetof(struct __sk_buff, cb[0])),
867 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
868 offsetof(struct __sk_buff, cb[0]) + 1),
869 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
870 offsetof(struct __sk_buff, cb[0]) + 2),
871 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
872 offsetof(struct __sk_buff, cb[0]) + 3),
873 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
874 offsetof(struct __sk_buff, cb[1])),
875 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
876 offsetof(struct __sk_buff, cb[1]) + 1),
877 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
878 offsetof(struct __sk_buff, cb[1]) + 2),
879 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
880 offsetof(struct __sk_buff, cb[1]) + 3),
881 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
882 offsetof(struct __sk_buff, cb[2])),
883 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
884 offsetof(struct __sk_buff, cb[2]) + 1),
885 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
886 offsetof(struct __sk_buff, cb[2]) + 2),
887 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
888 offsetof(struct __sk_buff, cb[2]) + 3),
889 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
890 offsetof(struct __sk_buff, cb[3])),
891 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
892 offsetof(struct __sk_buff, cb[3]) + 1),
893 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
894 offsetof(struct __sk_buff, cb[3]) + 2),
895 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
896 offsetof(struct __sk_buff, cb[3]) + 3),
897 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
898 offsetof(struct __sk_buff, cb[4])),
899 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
900 offsetof(struct __sk_buff, cb[4]) + 1),
901 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
902 offsetof(struct __sk_buff, cb[4]) + 2),
903 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
904 offsetof(struct __sk_buff, cb[4]) + 3),
905 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
906 offsetof(struct __sk_buff, cb[0])),
907 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
908 offsetof(struct __sk_buff, cb[0]) + 1),
909 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
910 offsetof(struct __sk_buff, cb[0]) + 2),
911 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
912 offsetof(struct __sk_buff, cb[0]) + 3),
913 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
914 offsetof(struct __sk_buff, cb[1])),
915 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
916 offsetof(struct __sk_buff, cb[1]) + 1),
917 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
918 offsetof(struct __sk_buff, cb[1]) + 2),
919 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
920 offsetof(struct __sk_buff, cb[1]) + 3),
921 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
922 offsetof(struct __sk_buff, cb[2])),
923 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
924 offsetof(struct __sk_buff, cb[2]) + 1),
925 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
926 offsetof(struct __sk_buff, cb[2]) + 2),
927 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
928 offsetof(struct __sk_buff, cb[2]) + 3),
929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
930 offsetof(struct __sk_buff, cb[3])),
931 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
932 offsetof(struct __sk_buff, cb[3]) + 1),
933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
934 offsetof(struct __sk_buff, cb[3]) + 2),
935 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
936 offsetof(struct __sk_buff, cb[3]) + 3),
937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
938 offsetof(struct __sk_buff, cb[4])),
939 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
940 offsetof(struct __sk_buff, cb[4]) + 1),
941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
942 offsetof(struct __sk_buff, cb[4]) + 2),
943 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
944 offsetof(struct __sk_buff, cb[4]) + 3),
950 "check cb access: byte, oob 1",
952 BPF_MOV64_IMM(BPF_REG_0, 0),
953 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
954 offsetof(struct __sk_buff, cb[4]) + 4),
957 .errstr = "invalid bpf_context access",
961 "check cb access: byte, oob 2",
963 BPF_MOV64_IMM(BPF_REG_0, 0),
964 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
965 offsetof(struct __sk_buff, cb[0]) - 1),
968 .errstr = "invalid bpf_context access",
972 "check cb access: byte, oob 3",
974 BPF_MOV64_IMM(BPF_REG_0, 0),
975 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
976 offsetof(struct __sk_buff, cb[4]) + 4),
979 .errstr = "invalid bpf_context access",
983 "check cb access: byte, oob 4",
985 BPF_MOV64_IMM(BPF_REG_0, 0),
986 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
987 offsetof(struct __sk_buff, cb[0]) - 1),
990 .errstr = "invalid bpf_context access",
994 "check cb access: byte, wrong type",
996 BPF_MOV64_IMM(BPF_REG_0, 0),
997 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
998 offsetof(struct __sk_buff, cb[0])),
1001 .errstr = "invalid bpf_context access",
1003 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1006 "check cb access: half",
1008 BPF_MOV64_IMM(BPF_REG_0, 0),
1009 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1010 offsetof(struct __sk_buff, cb[0])),
1011 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1012 offsetof(struct __sk_buff, cb[0]) + 2),
1013 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1014 offsetof(struct __sk_buff, cb[1])),
1015 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1016 offsetof(struct __sk_buff, cb[1]) + 2),
1017 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1018 offsetof(struct __sk_buff, cb[2])),
1019 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1020 offsetof(struct __sk_buff, cb[2]) + 2),
1021 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1022 offsetof(struct __sk_buff, cb[3])),
1023 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1024 offsetof(struct __sk_buff, cb[3]) + 2),
1025 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1026 offsetof(struct __sk_buff, cb[4])),
1027 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1028 offsetof(struct __sk_buff, cb[4]) + 2),
1029 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1030 offsetof(struct __sk_buff, cb[0])),
1031 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1032 offsetof(struct __sk_buff, cb[0]) + 2),
1033 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1034 offsetof(struct __sk_buff, cb[1])),
1035 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1036 offsetof(struct __sk_buff, cb[1]) + 2),
1037 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1038 offsetof(struct __sk_buff, cb[2])),
1039 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1040 offsetof(struct __sk_buff, cb[2]) + 2),
1041 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1042 offsetof(struct __sk_buff, cb[3])),
1043 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1044 offsetof(struct __sk_buff, cb[3]) + 2),
1045 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1046 offsetof(struct __sk_buff, cb[4])),
1047 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1048 offsetof(struct __sk_buff, cb[4]) + 2),
1054 "check cb access: half, unaligned",
1056 BPF_MOV64_IMM(BPF_REG_0, 0),
1057 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1058 offsetof(struct __sk_buff, cb[0]) + 1),
1061 .errstr = "misaligned access",
1065 "check cb access: half, oob 1",
1067 BPF_MOV64_IMM(BPF_REG_0, 0),
1068 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1069 offsetof(struct __sk_buff, cb[4]) + 4),
1072 .errstr = "invalid bpf_context access",
1076 "check cb access: half, oob 2",
1078 BPF_MOV64_IMM(BPF_REG_0, 0),
1079 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1080 offsetof(struct __sk_buff, cb[0]) - 2),
1083 .errstr = "invalid bpf_context access",
1087 "check cb access: half, oob 3",
1089 BPF_MOV64_IMM(BPF_REG_0, 0),
1090 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1091 offsetof(struct __sk_buff, cb[4]) + 4),
1094 .errstr = "invalid bpf_context access",
1098 "check cb access: half, oob 4",
1100 BPF_MOV64_IMM(BPF_REG_0, 0),
1101 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1102 offsetof(struct __sk_buff, cb[0]) - 2),
1105 .errstr = "invalid bpf_context access",
1109 "check cb access: half, wrong type",
1111 BPF_MOV64_IMM(BPF_REG_0, 0),
1112 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1113 offsetof(struct __sk_buff, cb[0])),
1116 .errstr = "invalid bpf_context access",
1118 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1121 "check cb access: word",
1123 BPF_MOV64_IMM(BPF_REG_0, 0),
1124 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1125 offsetof(struct __sk_buff, cb[0])),
1126 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1127 offsetof(struct __sk_buff, cb[1])),
1128 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1129 offsetof(struct __sk_buff, cb[2])),
1130 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1131 offsetof(struct __sk_buff, cb[3])),
1132 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1133 offsetof(struct __sk_buff, cb[4])),
1134 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1135 offsetof(struct __sk_buff, cb[0])),
1136 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1137 offsetof(struct __sk_buff, cb[1])),
1138 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1139 offsetof(struct __sk_buff, cb[2])),
1140 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1141 offsetof(struct __sk_buff, cb[3])),
1142 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1143 offsetof(struct __sk_buff, cb[4])),
1149 "check cb access: word, unaligned 1",
1151 BPF_MOV64_IMM(BPF_REG_0, 0),
1152 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1153 offsetof(struct __sk_buff, cb[0]) + 2),
1156 .errstr = "misaligned access",
1160 "check cb access: word, unaligned 2",
1162 BPF_MOV64_IMM(BPF_REG_0, 0),
1163 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1164 offsetof(struct __sk_buff, cb[4]) + 1),
1167 .errstr = "misaligned access",
1171 "check cb access: word, unaligned 3",
1173 BPF_MOV64_IMM(BPF_REG_0, 0),
1174 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1175 offsetof(struct __sk_buff, cb[4]) + 2),
1178 .errstr = "misaligned access",
1182 "check cb access: word, unaligned 4",
1184 BPF_MOV64_IMM(BPF_REG_0, 0),
1185 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1186 offsetof(struct __sk_buff, cb[4]) + 3),
1189 .errstr = "misaligned access",
1193 "check cb access: double",
1195 BPF_MOV64_IMM(BPF_REG_0, 0),
1196 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1197 offsetof(struct __sk_buff, cb[0])),
1198 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1199 offsetof(struct __sk_buff, cb[2])),
1200 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1201 offsetof(struct __sk_buff, cb[0])),
1202 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1203 offsetof(struct __sk_buff, cb[2])),
1209 "check cb access: double, unaligned 1",
1211 BPF_MOV64_IMM(BPF_REG_0, 0),
1212 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1213 offsetof(struct __sk_buff, cb[1])),
1216 .errstr = "misaligned access",
1220 "check cb access: double, unaligned 2",
1222 BPF_MOV64_IMM(BPF_REG_0, 0),
1223 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1224 offsetof(struct __sk_buff, cb[3])),
1227 .errstr = "misaligned access",
1231 "check cb access: double, oob 1",
1233 BPF_MOV64_IMM(BPF_REG_0, 0),
1234 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1235 offsetof(struct __sk_buff, cb[4])),
1238 .errstr = "invalid bpf_context access",
1242 "check cb access: double, oob 2",
1244 BPF_MOV64_IMM(BPF_REG_0, 0),
1245 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1246 offsetof(struct __sk_buff, cb[4]) + 8),
1249 .errstr = "invalid bpf_context access",
1253 "check cb access: double, oob 3",
1255 BPF_MOV64_IMM(BPF_REG_0, 0),
1256 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1257 offsetof(struct __sk_buff, cb[0]) - 8),
1260 .errstr = "invalid bpf_context access",
1264 "check cb access: double, oob 4",
1266 BPF_MOV64_IMM(BPF_REG_0, 0),
1267 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1268 offsetof(struct __sk_buff, cb[4])),
1271 .errstr = "invalid bpf_context access",
1275 "check cb access: double, oob 5",
1277 BPF_MOV64_IMM(BPF_REG_0, 0),
1278 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1279 offsetof(struct __sk_buff, cb[4]) + 8),
1282 .errstr = "invalid bpf_context access",
1286 "check cb access: double, oob 6",
1288 BPF_MOV64_IMM(BPF_REG_0, 0),
1289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1290 offsetof(struct __sk_buff, cb[0]) - 8),
1293 .errstr = "invalid bpf_context access",
1297 "check cb access: double, wrong type",
1299 BPF_MOV64_IMM(BPF_REG_0, 0),
1300 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1301 offsetof(struct __sk_buff, cb[0])),
1304 .errstr = "invalid bpf_context access",
1306 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1309 "check out of range skb->cb access",
1311 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1312 offsetof(struct __sk_buff, cb[0]) + 256),
1315 .errstr = "invalid bpf_context access",
1316 .errstr_unpriv = "",
1318 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1321 "write skb fields from socket prog",
1323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, cb[4])),
1325 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 offsetof(struct __sk_buff, mark)),
1328 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1329 offsetof(struct __sk_buff, tc_index)),
1330 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1331 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1332 offsetof(struct __sk_buff, cb[0])),
1333 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1334 offsetof(struct __sk_buff, cb[2])),
1338 .errstr_unpriv = "R1 leaks addr",
1339 .result_unpriv = REJECT,
1342 "write skb fields from tc_cls_act prog",
1344 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, cb[0])),
1346 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1347 offsetof(struct __sk_buff, mark)),
1348 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1349 offsetof(struct __sk_buff, tc_index)),
1350 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1351 offsetof(struct __sk_buff, tc_index)),
1352 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1353 offsetof(struct __sk_buff, cb[3])),
1356 .errstr_unpriv = "",
1357 .result_unpriv = REJECT,
1359 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1362 "PTR_TO_STACK store/load",
1364 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1366 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1367 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1373 "PTR_TO_STACK store/load - bad alignment on off",
1375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1377 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1378 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1382 .errstr = "misaligned access off -6 size 8",
1385 "PTR_TO_STACK store/load - bad alignment on reg",
1387 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1389 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1390 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1394 .errstr = "misaligned access off -2 size 8",
1397 "PTR_TO_STACK store/load - out of bounds low",
1399 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1401 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1402 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1406 .errstr = "invalid stack off=-79992 size=8",
1409 "PTR_TO_STACK store/load - out of bounds high",
1411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1413 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1414 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1418 .errstr = "invalid stack off=0 size=8",
1421 "unpriv: return pointer",
1423 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1427 .result_unpriv = REJECT,
1428 .errstr_unpriv = "R0 leaks addr",
1431 "unpriv: add const to pointer",
1433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1434 BPF_MOV64_IMM(BPF_REG_0, 0),
1438 .result_unpriv = REJECT,
1439 .errstr_unpriv = "R1 pointer arithmetic",
1442 "unpriv: add pointer to pointer",
1444 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1445 BPF_MOV64_IMM(BPF_REG_0, 0),
1449 .result_unpriv = REJECT,
1450 .errstr_unpriv = "R1 pointer arithmetic",
1453 "unpriv: neg pointer",
1455 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1456 BPF_MOV64_IMM(BPF_REG_0, 0),
1460 .result_unpriv = REJECT,
1461 .errstr_unpriv = "R1 pointer arithmetic",
1464 "unpriv: cmp pointer with const",
1466 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1467 BPF_MOV64_IMM(BPF_REG_0, 0),
1471 .result_unpriv = REJECT,
1472 .errstr_unpriv = "R1 pointer comparison",
1475 "unpriv: cmp pointer with pointer",
1477 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1478 BPF_MOV64_IMM(BPF_REG_0, 0),
1482 .result_unpriv = REJECT,
1483 .errstr_unpriv = "R10 pointer comparison",
1486 "unpriv: check that printk is disallowed",
1488 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1489 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1491 BPF_MOV64_IMM(BPF_REG_2, 8),
1492 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1494 BPF_FUNC_trace_printk),
1495 BPF_MOV64_IMM(BPF_REG_0, 0),
1498 .errstr_unpriv = "unknown func bpf_trace_printk#6",
1499 .result_unpriv = REJECT,
1503 "unpriv: pass pointer to helper function",
1505 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1508 BPF_LD_MAP_FD(BPF_REG_1, 0),
1509 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1510 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1512 BPF_FUNC_map_update_elem),
1513 BPF_MOV64_IMM(BPF_REG_0, 0),
1516 .fixup_map1 = { 3 },
1517 .errstr_unpriv = "R4 leaks addr",
1518 .result_unpriv = REJECT,
1522 "unpriv: indirectly pass pointer on stack to helper function",
1524 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1525 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1527 BPF_LD_MAP_FD(BPF_REG_1, 0),
1528 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1529 BPF_FUNC_map_lookup_elem),
1530 BPF_MOV64_IMM(BPF_REG_0, 0),
1533 .fixup_map1 = { 3 },
1534 .errstr = "invalid indirect read from stack off -8+0 size 8",
1538 "unpriv: mangle pointer on stack 1",
1540 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1541 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1542 BPF_MOV64_IMM(BPF_REG_0, 0),
1545 .errstr_unpriv = "attempt to corrupt spilled",
1546 .result_unpriv = REJECT,
1550 "unpriv: mangle pointer on stack 2",
1552 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1553 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1554 BPF_MOV64_IMM(BPF_REG_0, 0),
1557 .errstr_unpriv = "attempt to corrupt spilled",
1558 .result_unpriv = REJECT,
1562 "unpriv: read pointer from stack in small chunks",
1564 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1565 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1566 BPF_MOV64_IMM(BPF_REG_0, 0),
1569 .errstr = "invalid size",
1573 "unpriv: write pointer into ctx",
1575 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1576 BPF_MOV64_IMM(BPF_REG_0, 0),
1579 .errstr_unpriv = "R1 leaks addr",
1580 .result_unpriv = REJECT,
1581 .errstr = "invalid bpf_context access",
1585 "unpriv: spill/fill of ctx",
1587 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1589 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1590 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1591 BPF_MOV64_IMM(BPF_REG_0, 0),
1597 "unpriv: spill/fill of ctx 2",
1599 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1601 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1602 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1603 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1604 BPF_FUNC_get_hash_recalc),
1608 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1611 "unpriv: spill/fill of ctx 3",
1613 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1615 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1616 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1617 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1619 BPF_FUNC_get_hash_recalc),
1623 .errstr = "R1 type=fp expected=ctx",
1624 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1627 "unpriv: spill/fill of ctx 4",
1629 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1631 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1632 BPF_MOV64_IMM(BPF_REG_0, 1),
1633 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
1635 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1637 BPF_FUNC_get_hash_recalc),
1641 .errstr = "R1 type=inv expected=ctx",
1642 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1645 "unpriv: spill/fill of different pointers stx",
1647 BPF_MOV64_IMM(BPF_REG_3, 42),
1648 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1651 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1653 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1654 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1655 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1656 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1657 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
1658 offsetof(struct __sk_buff, mark)),
1659 BPF_MOV64_IMM(BPF_REG_0, 0),
1663 .errstr = "same insn cannot be used with different pointers",
1664 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1667 "unpriv: spill/fill of different pointers ldx",
1669 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1671 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
1674 -(__s32)offsetof(struct bpf_perf_event_data,
1675 sample_period) - 8),
1676 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1677 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1678 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1679 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1680 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
1681 offsetof(struct bpf_perf_event_data,
1683 BPF_MOV64_IMM(BPF_REG_0, 0),
1687 .errstr = "same insn cannot be used with different pointers",
1688 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
1691 "unpriv: write pointer into map elem value",
1693 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1696 BPF_LD_MAP_FD(BPF_REG_1, 0),
1697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1698 BPF_FUNC_map_lookup_elem),
1699 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1700 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
1703 .fixup_map1 = { 3 },
1704 .errstr_unpriv = "R0 leaks addr",
1705 .result_unpriv = REJECT,
1709 "unpriv: partial copy of pointer",
1711 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
1712 BPF_MOV64_IMM(BPF_REG_0, 0),
1715 .errstr_unpriv = "R10 partial copy",
1716 .result_unpriv = REJECT,
1720 "unpriv: pass pointer to tail_call",
1722 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1723 BPF_LD_MAP_FD(BPF_REG_2, 0),
1724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1725 BPF_FUNC_tail_call),
1726 BPF_MOV64_IMM(BPF_REG_0, 0),
1729 .fixup_prog = { 1 },
1730 .errstr_unpriv = "R3 leaks addr into helper",
1731 .result_unpriv = REJECT,
1735 "unpriv: cmp map pointer with zero",
1737 BPF_MOV64_IMM(BPF_REG_1, 0),
1738 BPF_LD_MAP_FD(BPF_REG_1, 0),
1739 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1740 BPF_MOV64_IMM(BPF_REG_0, 0),
1743 .fixup_map1 = { 1 },
1744 .errstr_unpriv = "R1 pointer comparison",
1745 .result_unpriv = REJECT,
1749 "unpriv: write into frame pointer",
1751 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
1752 BPF_MOV64_IMM(BPF_REG_0, 0),
1755 .errstr = "frame pointer is read only",
1759 "unpriv: spill/fill frame pointer",
1761 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1763 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1764 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
1765 BPF_MOV64_IMM(BPF_REG_0, 0),
1768 .errstr = "frame pointer is read only",
1772 "unpriv: cmp of frame pointer",
1774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
1775 BPF_MOV64_IMM(BPF_REG_0, 0),
1778 .errstr_unpriv = "R10 pointer comparison",
1779 .result_unpriv = REJECT,
1783 "unpriv: cmp of stack pointer",
1785 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
1788 BPF_MOV64_IMM(BPF_REG_0, 0),
1791 .errstr_unpriv = "R2 pointer comparison",
1792 .result_unpriv = REJECT,
1796 "unpriv: obfuscate stack pointer",
1798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1801 BPF_MOV64_IMM(BPF_REG_0, 0),
1804 .errstr_unpriv = "R2 pointer arithmetic",
1805 .result_unpriv = REJECT,
1809 "raw_stack: no skb_load_bytes",
1811 BPF_MOV64_IMM(BPF_REG_2, 4),
1812 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1814 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1815 BPF_MOV64_IMM(BPF_REG_4, 8),
1816 /* Call to skb_load_bytes() omitted. */
1817 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1821 .errstr = "invalid read from stack off -8+0 size 8",
1822 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1825 "raw_stack: skb_load_bytes, negative len",
1827 BPF_MOV64_IMM(BPF_REG_2, 4),
1828 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1830 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1831 BPF_MOV64_IMM(BPF_REG_4, -8),
1832 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1833 BPF_FUNC_skb_load_bytes),
1834 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1838 .errstr = "invalid stack type R3",
1839 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1842 "raw_stack: skb_load_bytes, negative len 2",
1844 BPF_MOV64_IMM(BPF_REG_2, 4),
1845 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1846 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1847 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1848 BPF_MOV64_IMM(BPF_REG_4, ~0),
1849 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1850 BPF_FUNC_skb_load_bytes),
1851 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1855 .errstr = "invalid stack type R3",
1856 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1859 "raw_stack: skb_load_bytes, zero len",
1861 BPF_MOV64_IMM(BPF_REG_2, 4),
1862 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1863 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1864 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1865 BPF_MOV64_IMM(BPF_REG_4, 0),
1866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1867 BPF_FUNC_skb_load_bytes),
1868 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1872 .errstr = "invalid stack type R3",
1873 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1876 "raw_stack: skb_load_bytes, no init",
1878 BPF_MOV64_IMM(BPF_REG_2, 4),
1879 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1881 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1882 BPF_MOV64_IMM(BPF_REG_4, 8),
1883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1884 BPF_FUNC_skb_load_bytes),
1885 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1889 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1892 "raw_stack: skb_load_bytes, init",
1894 BPF_MOV64_IMM(BPF_REG_2, 4),
1895 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1897 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
1898 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1899 BPF_MOV64_IMM(BPF_REG_4, 8),
1900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1901 BPF_FUNC_skb_load_bytes),
1902 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1909 "raw_stack: skb_load_bytes, spilled regs around bounds",
1911 BPF_MOV64_IMM(BPF_REG_2, 4),
1912 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
1914 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
1915 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
1916 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1917 BPF_MOV64_IMM(BPF_REG_4, 8),
1918 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1919 BPF_FUNC_skb_load_bytes),
1920 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
1921 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
1922 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1923 offsetof(struct __sk_buff, mark)),
1924 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
1925 offsetof(struct __sk_buff, priority)),
1926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
1930 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1933 "raw_stack: skb_load_bytes, spilled regs corruption",
1935 BPF_MOV64_IMM(BPF_REG_2, 4),
1936 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1938 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1939 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1940 BPF_MOV64_IMM(BPF_REG_4, 8),
1941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1942 BPF_FUNC_skb_load_bytes),
1943 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1944 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1945 offsetof(struct __sk_buff, mark)),
1949 .errstr = "R0 invalid mem access 'inv'",
1950 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1953 "raw_stack: skb_load_bytes, spilled regs corruption 2",
1955 BPF_MOV64_IMM(BPF_REG_2, 4),
1956 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
1958 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
1959 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1960 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
1961 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1962 BPF_MOV64_IMM(BPF_REG_4, 8),
1963 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1964 BPF_FUNC_skb_load_bytes),
1965 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
1966 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
1967 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
1968 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1969 offsetof(struct __sk_buff, mark)),
1970 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
1971 offsetof(struct __sk_buff, priority)),
1972 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
1973 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
1974 offsetof(struct __sk_buff, pkt_type)),
1975 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
1979 .errstr = "R3 invalid mem access 'inv'",
1980 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1983 "raw_stack: skb_load_bytes, spilled regs + data",
1985 BPF_MOV64_IMM(BPF_REG_2, 4),
1986 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
1988 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
1989 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1990 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
1991 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1992 BPF_MOV64_IMM(BPF_REG_4, 8),
1993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1994 BPF_FUNC_skb_load_bytes),
1995 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
1996 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
1997 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
1998 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1999 offsetof(struct __sk_buff, mark)),
2000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2001 offsetof(struct __sk_buff, priority)),
2002 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2003 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2007 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2010 "raw_stack: skb_load_bytes, invalid access 1",
2012 BPF_MOV64_IMM(BPF_REG_2, 4),
2013 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2015 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2016 BPF_MOV64_IMM(BPF_REG_4, 8),
2017 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2018 BPF_FUNC_skb_load_bytes),
2019 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2023 .errstr = "invalid stack type R3 off=-513 access_size=8",
2024 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2027 "raw_stack: skb_load_bytes, invalid access 2",
2029 BPF_MOV64_IMM(BPF_REG_2, 4),
2030 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2032 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2033 BPF_MOV64_IMM(BPF_REG_4, 8),
2034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2035 BPF_FUNC_skb_load_bytes),
2036 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2040 .errstr = "invalid stack type R3 off=-1 access_size=8",
2041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2044 "raw_stack: skb_load_bytes, invalid access 3",
2046 BPF_MOV64_IMM(BPF_REG_2, 4),
2047 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2049 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2050 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2052 BPF_FUNC_skb_load_bytes),
2053 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2057 .errstr = "invalid stack type R3 off=-1 access_size=-1",
2058 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2061 "raw_stack: skb_load_bytes, invalid access 4",
2063 BPF_MOV64_IMM(BPF_REG_2, 4),
2064 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2066 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2067 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2069 BPF_FUNC_skb_load_bytes),
2070 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2074 .errstr = "invalid stack type R3 off=-1 access_size=2147483647",
2075 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2078 "raw_stack: skb_load_bytes, invalid access 5",
2080 BPF_MOV64_IMM(BPF_REG_2, 4),
2081 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2083 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2084 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2085 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2086 BPF_FUNC_skb_load_bytes),
2087 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2091 .errstr = "invalid stack type R3 off=-512 access_size=2147483647",
2092 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2095 "raw_stack: skb_load_bytes, invalid access 6",
2097 BPF_MOV64_IMM(BPF_REG_2, 4),
2098 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2099 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2100 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2101 BPF_MOV64_IMM(BPF_REG_4, 0),
2102 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2103 BPF_FUNC_skb_load_bytes),
2104 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2108 .errstr = "invalid stack type R3 off=-512 access_size=0",
2109 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2112 "raw_stack: skb_load_bytes, large access",
2114 BPF_MOV64_IMM(BPF_REG_2, 4),
2115 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2117 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2118 BPF_MOV64_IMM(BPF_REG_4, 512),
2119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2120 BPF_FUNC_skb_load_bytes),
2121 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2125 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2128 "direct packet access: test1",
2130 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2131 offsetof(struct __sk_buff, data)),
2132 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2133 offsetof(struct __sk_buff, data_end)),
2134 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2136 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2137 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2138 BPF_MOV64_IMM(BPF_REG_0, 0),
2142 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2145 "direct packet access: test2",
2147 BPF_MOV64_IMM(BPF_REG_0, 1),
2148 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2149 offsetof(struct __sk_buff, data_end)),
2150 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2151 offsetof(struct __sk_buff, data)),
2152 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2154 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2155 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2156 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2157 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2158 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2159 offsetof(struct __sk_buff, data)),
2160 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2161 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2162 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48),
2163 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48),
2164 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2167 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2168 offsetof(struct __sk_buff, data_end)),
2169 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2170 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2171 BPF_MOV64_IMM(BPF_REG_0, 0),
2175 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2178 "direct packet access: test3",
2180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2181 offsetof(struct __sk_buff, data)),
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2185 .errstr = "invalid bpf_context access off=76",
2187 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2190 "direct packet access: test4 (write)",
2192 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2193 offsetof(struct __sk_buff, data)),
2194 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2195 offsetof(struct __sk_buff, data_end)),
2196 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2198 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2199 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2200 BPF_MOV64_IMM(BPF_REG_0, 0),
2204 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2207 "direct packet access: test5 (pkt_end >= reg, good access)",
2209 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2210 offsetof(struct __sk_buff, data)),
2211 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2212 offsetof(struct __sk_buff, data_end)),
2213 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2215 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2216 BPF_MOV64_IMM(BPF_REG_0, 1),
2218 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2219 BPF_MOV64_IMM(BPF_REG_0, 0),
2223 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2226 "direct packet access: test6 (pkt_end >= reg, bad access)",
2228 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2229 offsetof(struct __sk_buff, data)),
2230 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2231 offsetof(struct __sk_buff, data_end)),
2232 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2234 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2235 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2236 BPF_MOV64_IMM(BPF_REG_0, 1),
2238 BPF_MOV64_IMM(BPF_REG_0, 0),
2241 .errstr = "invalid access to packet",
2243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2246 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2248 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2249 offsetof(struct __sk_buff, data)),
2250 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2251 offsetof(struct __sk_buff, data_end)),
2252 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2254 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2255 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2256 BPF_MOV64_IMM(BPF_REG_0, 1),
2258 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2259 BPF_MOV64_IMM(BPF_REG_0, 0),
2262 .errstr = "invalid access to packet",
2264 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2267 "direct packet access: test8 (double test, variant 1)",
2269 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2270 offsetof(struct __sk_buff, data)),
2271 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2272 offsetof(struct __sk_buff, data_end)),
2273 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2275 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2276 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2277 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2278 BPF_MOV64_IMM(BPF_REG_0, 1),
2280 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2281 BPF_MOV64_IMM(BPF_REG_0, 0),
2285 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2288 "direct packet access: test9 (double test, variant 2)",
2290 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2291 offsetof(struct __sk_buff, data)),
2292 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2293 offsetof(struct __sk_buff, data_end)),
2294 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2296 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2297 BPF_MOV64_IMM(BPF_REG_0, 1),
2299 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2300 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2302 BPF_MOV64_IMM(BPF_REG_0, 0),
2306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2309 "direct packet access: test10 (write invalid)",
2311 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2312 offsetof(struct __sk_buff, data)),
2313 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2314 offsetof(struct __sk_buff, data_end)),
2315 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2316 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2317 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2318 BPF_MOV64_IMM(BPF_REG_0, 0),
2320 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2321 BPF_MOV64_IMM(BPF_REG_0, 0),
2324 .errstr = "invalid access to packet",
2326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2329 "helper access to packet: test1, valid packet_ptr range",
2331 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2332 offsetof(struct xdp_md, data)),
2333 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2334 offsetof(struct xdp_md, data_end)),
2335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2337 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2338 BPF_LD_MAP_FD(BPF_REG_1, 0),
2339 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2340 BPF_MOV64_IMM(BPF_REG_4, 0),
2341 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2342 BPF_FUNC_map_update_elem),
2343 BPF_MOV64_IMM(BPF_REG_0, 0),
2346 .fixup_map1 = { 5 },
2347 .result_unpriv = ACCEPT,
2349 .prog_type = BPF_PROG_TYPE_XDP,
2352 "helper access to packet: test2, unchecked packet_ptr",
2354 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2355 offsetof(struct xdp_md, data)),
2356 BPF_LD_MAP_FD(BPF_REG_1, 0),
2357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2358 BPF_FUNC_map_lookup_elem),
2359 BPF_MOV64_IMM(BPF_REG_0, 0),
2362 .fixup_map1 = { 1 },
2364 .errstr = "invalid access to packet",
2365 .prog_type = BPF_PROG_TYPE_XDP,
2368 "helper access to packet: test3, variable add",
2370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2371 offsetof(struct xdp_md, data)),
2372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2373 offsetof(struct xdp_md, data_end)),
2374 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2376 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2377 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2378 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2379 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2380 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2382 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2383 BPF_LD_MAP_FD(BPF_REG_1, 0),
2384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2386 BPF_FUNC_map_lookup_elem),
2387 BPF_MOV64_IMM(BPF_REG_0, 0),
2390 .fixup_map1 = { 11 },
2392 .prog_type = BPF_PROG_TYPE_XDP,
2395 "helper access to packet: test4, packet_ptr with bad range",
2397 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2398 offsetof(struct xdp_md, data)),
2399 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2400 offsetof(struct xdp_md, data_end)),
2401 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2403 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2404 BPF_MOV64_IMM(BPF_REG_0, 0),
2406 BPF_LD_MAP_FD(BPF_REG_1, 0),
2407 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2408 BPF_FUNC_map_lookup_elem),
2409 BPF_MOV64_IMM(BPF_REG_0, 0),
2412 .fixup_map1 = { 7 },
2414 .errstr = "invalid access to packet",
2415 .prog_type = BPF_PROG_TYPE_XDP,
2418 "helper access to packet: test5, packet_ptr with too short range",
2420 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2421 offsetof(struct xdp_md, data)),
2422 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2423 offsetof(struct xdp_md, data_end)),
2424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2425 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2427 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2428 BPF_LD_MAP_FD(BPF_REG_1, 0),
2429 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2430 BPF_FUNC_map_lookup_elem),
2431 BPF_MOV64_IMM(BPF_REG_0, 0),
2434 .fixup_map1 = { 6 },
2436 .errstr = "invalid access to packet",
2437 .prog_type = BPF_PROG_TYPE_XDP,
2440 "helper access to packet: test6, cls valid packet_ptr range",
2442 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2443 offsetof(struct __sk_buff, data)),
2444 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2445 offsetof(struct __sk_buff, data_end)),
2446 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2448 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2449 BPF_LD_MAP_FD(BPF_REG_1, 0),
2450 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2451 BPF_MOV64_IMM(BPF_REG_4, 0),
2452 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2453 BPF_FUNC_map_update_elem),
2454 BPF_MOV64_IMM(BPF_REG_0, 0),
2457 .fixup_map1 = { 5 },
2459 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2462 "helper access to packet: test7, cls unchecked packet_ptr",
2464 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2465 offsetof(struct __sk_buff, data)),
2466 BPF_LD_MAP_FD(BPF_REG_1, 0),
2467 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2468 BPF_FUNC_map_lookup_elem),
2469 BPF_MOV64_IMM(BPF_REG_0, 0),
2472 .fixup_map1 = { 1 },
2474 .errstr = "invalid access to packet",
2475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2478 "helper access to packet: test8, cls variable add",
2480 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2481 offsetof(struct __sk_buff, data)),
2482 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2483 offsetof(struct __sk_buff, data_end)),
2484 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2486 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2487 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2488 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2489 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2490 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2492 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2493 BPF_LD_MAP_FD(BPF_REG_1, 0),
2494 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2495 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2496 BPF_FUNC_map_lookup_elem),
2497 BPF_MOV64_IMM(BPF_REG_0, 0),
2500 .fixup_map1 = { 11 },
2502 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2505 "helper access to packet: test9, cls packet_ptr with bad range",
2507 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2508 offsetof(struct __sk_buff, data)),
2509 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2510 offsetof(struct __sk_buff, data_end)),
2511 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2513 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2514 BPF_MOV64_IMM(BPF_REG_0, 0),
2516 BPF_LD_MAP_FD(BPF_REG_1, 0),
2517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2518 BPF_FUNC_map_lookup_elem),
2519 BPF_MOV64_IMM(BPF_REG_0, 0),
2522 .fixup_map1 = { 7 },
2524 .errstr = "invalid access to packet",
2525 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2528 "helper access to packet: test10, cls packet_ptr with too short range",
2530 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2531 offsetof(struct __sk_buff, data)),
2532 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2533 offsetof(struct __sk_buff, data_end)),
2534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2535 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2537 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2538 BPF_LD_MAP_FD(BPF_REG_1, 0),
2539 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2540 BPF_FUNC_map_lookup_elem),
2541 BPF_MOV64_IMM(BPF_REG_0, 0),
2544 .fixup_map1 = { 6 },
2546 .errstr = "invalid access to packet",
2547 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2550 "helper access to packet: test11, cls unsuitable helper 1",
2552 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2553 offsetof(struct __sk_buff, data)),
2554 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2555 offsetof(struct __sk_buff, data_end)),
2556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2557 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
2559 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
2560 BPF_MOV64_IMM(BPF_REG_2, 0),
2561 BPF_MOV64_IMM(BPF_REG_4, 42),
2562 BPF_MOV64_IMM(BPF_REG_5, 0),
2563 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2564 BPF_FUNC_skb_store_bytes),
2565 BPF_MOV64_IMM(BPF_REG_0, 0),
2569 .errstr = "helper access to the packet",
2570 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2573 "helper access to packet: test12, cls unsuitable helper 2",
2575 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2576 offsetof(struct __sk_buff, data)),
2577 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2578 offsetof(struct __sk_buff, data_end)),
2579 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
2581 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
2582 BPF_MOV64_IMM(BPF_REG_2, 0),
2583 BPF_MOV64_IMM(BPF_REG_4, 4),
2584 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2585 BPF_FUNC_skb_load_bytes),
2586 BPF_MOV64_IMM(BPF_REG_0, 0),
2590 .errstr = "helper access to the packet",
2591 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2594 "helper access to packet: test13, cls helper ok",
2596 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2597 offsetof(struct __sk_buff, data)),
2598 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2599 offsetof(struct __sk_buff, data_end)),
2600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2601 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2603 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2605 BPF_MOV64_IMM(BPF_REG_2, 4),
2606 BPF_MOV64_IMM(BPF_REG_3, 0),
2607 BPF_MOV64_IMM(BPF_REG_4, 0),
2608 BPF_MOV64_IMM(BPF_REG_5, 0),
2609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2610 BPF_FUNC_csum_diff),
2611 BPF_MOV64_IMM(BPF_REG_0, 0),
2615 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2618 "helper access to packet: test14, cls helper fail sub",
2620 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2621 offsetof(struct __sk_buff, data)),
2622 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2623 offsetof(struct __sk_buff, data_end)),
2624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2625 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2627 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2628 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
2629 BPF_MOV64_IMM(BPF_REG_2, 4),
2630 BPF_MOV64_IMM(BPF_REG_3, 0),
2631 BPF_MOV64_IMM(BPF_REG_4, 0),
2632 BPF_MOV64_IMM(BPF_REG_5, 0),
2633 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2634 BPF_FUNC_csum_diff),
2635 BPF_MOV64_IMM(BPF_REG_0, 0),
2639 .errstr = "type=inv expected=fp",
2640 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2643 "helper access to packet: test15, cls helper fail range 1",
2645 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2646 offsetof(struct __sk_buff, data)),
2647 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2648 offsetof(struct __sk_buff, data_end)),
2649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2650 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2652 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2654 BPF_MOV64_IMM(BPF_REG_2, 8),
2655 BPF_MOV64_IMM(BPF_REG_3, 0),
2656 BPF_MOV64_IMM(BPF_REG_4, 0),
2657 BPF_MOV64_IMM(BPF_REG_5, 0),
2658 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2659 BPF_FUNC_csum_diff),
2660 BPF_MOV64_IMM(BPF_REG_0, 0),
2664 .errstr = "invalid access to packet",
2665 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2668 "helper access to packet: test16, cls helper fail range 2",
2670 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2671 offsetof(struct __sk_buff, data)),
2672 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2673 offsetof(struct __sk_buff, data_end)),
2674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2675 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2677 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2679 BPF_MOV64_IMM(BPF_REG_2, -9),
2680 BPF_MOV64_IMM(BPF_REG_3, 0),
2681 BPF_MOV64_IMM(BPF_REG_4, 0),
2682 BPF_MOV64_IMM(BPF_REG_5, 0),
2683 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2684 BPF_FUNC_csum_diff),
2685 BPF_MOV64_IMM(BPF_REG_0, 0),
2689 .errstr = "invalid access to packet",
2690 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2693 "helper access to packet: test17, cls helper fail range 3",
2695 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2696 offsetof(struct __sk_buff, data)),
2697 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2698 offsetof(struct __sk_buff, data_end)),
2699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2700 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2702 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2704 BPF_MOV64_IMM(BPF_REG_2, ~0),
2705 BPF_MOV64_IMM(BPF_REG_3, 0),
2706 BPF_MOV64_IMM(BPF_REG_4, 0),
2707 BPF_MOV64_IMM(BPF_REG_5, 0),
2708 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2709 BPF_FUNC_csum_diff),
2710 BPF_MOV64_IMM(BPF_REG_0, 0),
2714 .errstr = "invalid access to packet",
2715 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2718 "helper access to packet: test18, cls helper fail range zero",
2720 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2721 offsetof(struct __sk_buff, data)),
2722 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2723 offsetof(struct __sk_buff, data_end)),
2724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2725 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2727 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2729 BPF_MOV64_IMM(BPF_REG_2, 0),
2730 BPF_MOV64_IMM(BPF_REG_3, 0),
2731 BPF_MOV64_IMM(BPF_REG_4, 0),
2732 BPF_MOV64_IMM(BPF_REG_5, 0),
2733 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2734 BPF_FUNC_csum_diff),
2735 BPF_MOV64_IMM(BPF_REG_0, 0),
2739 .errstr = "invalid access to packet",
2740 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2743 "helper access to packet: test19, pkt end as input",
2745 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2746 offsetof(struct __sk_buff, data)),
2747 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2748 offsetof(struct __sk_buff, data_end)),
2749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2750 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2751 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2752 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2753 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
2754 BPF_MOV64_IMM(BPF_REG_2, 4),
2755 BPF_MOV64_IMM(BPF_REG_3, 0),
2756 BPF_MOV64_IMM(BPF_REG_4, 0),
2757 BPF_MOV64_IMM(BPF_REG_5, 0),
2758 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2759 BPF_FUNC_csum_diff),
2760 BPF_MOV64_IMM(BPF_REG_0, 0),
2764 .errstr = "R1 type=pkt_end expected=fp",
2765 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2768 "helper access to packet: test20, wrong reg",
2770 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2771 offsetof(struct __sk_buff, data)),
2772 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2773 offsetof(struct __sk_buff, data_end)),
2774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2775 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2776 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2777 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2778 BPF_MOV64_IMM(BPF_REG_2, 4),
2779 BPF_MOV64_IMM(BPF_REG_3, 0),
2780 BPF_MOV64_IMM(BPF_REG_4, 0),
2781 BPF_MOV64_IMM(BPF_REG_5, 0),
2782 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2783 BPF_FUNC_csum_diff),
2784 BPF_MOV64_IMM(BPF_REG_0, 0),
2788 .errstr = "invalid access to packet",
2789 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2792 "valid map access into an array with a constant",
2794 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2797 BPF_LD_MAP_FD(BPF_REG_1, 0),
2798 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2799 BPF_FUNC_map_lookup_elem),
2800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2801 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2802 offsetof(struct test_val, foo)),
2805 .fixup_map2 = { 3 },
2806 .errstr_unpriv = "R0 leaks addr",
2807 .result_unpriv = REJECT,
2811 "valid map access into an array with a register",
2813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2816 BPF_LD_MAP_FD(BPF_REG_1, 0),
2817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2818 BPF_FUNC_map_lookup_elem),
2819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
2820 BPF_MOV64_IMM(BPF_REG_1, 4),
2821 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
2822 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2823 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2824 offsetof(struct test_val, foo)),
2827 .fixup_map2 = { 3 },
2828 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2829 .result_unpriv = REJECT,
2833 "valid map access into an array with a variable",
2835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2838 BPF_LD_MAP_FD(BPF_REG_1, 0),
2839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2840 BPF_FUNC_map_lookup_elem),
2841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
2842 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
2843 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
2844 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
2845 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2846 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2847 offsetof(struct test_val, foo)),
2850 .fixup_map2 = { 3 },
2851 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2852 .result_unpriv = REJECT,
2856 "valid map access into an array with a signed variable",
2858 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2859 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2861 BPF_LD_MAP_FD(BPF_REG_1, 0),
2862 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2863 BPF_FUNC_map_lookup_elem),
2864 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
2865 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
2866 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
2867 BPF_MOV32_IMM(BPF_REG_1, 0),
2868 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
2869 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
2870 BPF_MOV32_IMM(BPF_REG_1, 0),
2871 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
2872 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2873 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2874 offsetof(struct test_val, foo)),
2877 .fixup_map2 = { 3 },
2878 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2879 .result_unpriv = REJECT,
2883 "invalid map access into an array with a constant",
2885 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2886 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2888 BPF_LD_MAP_FD(BPF_REG_1, 0),
2889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2890 BPF_FUNC_map_lookup_elem),
2891 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2892 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
2893 offsetof(struct test_val, foo)),
2896 .fixup_map2 = { 3 },
2897 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
2901 "invalid map access into an array with a register",
2903 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2904 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2906 BPF_LD_MAP_FD(BPF_REG_1, 0),
2907 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2908 BPF_FUNC_map_lookup_elem),
2909 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
2910 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
2911 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
2912 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2913 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2914 offsetof(struct test_val, foo)),
2917 .fixup_map2 = { 3 },
2918 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2919 .errstr = "R0 min value is outside of the array range",
2920 .result_unpriv = REJECT,
2924 "invalid map access into an array with a variable",
2926 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2929 BPF_LD_MAP_FD(BPF_REG_1, 0),
2930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2931 BPF_FUNC_map_lookup_elem),
2932 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
2933 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
2934 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
2935 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2936 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2937 offsetof(struct test_val, foo)),
2940 .fixup_map2 = { 3 },
2941 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2942 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
2943 .result_unpriv = REJECT,
2947 "invalid map access into an array with no floor check",
2949 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2952 BPF_LD_MAP_FD(BPF_REG_1, 0),
2953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2954 BPF_FUNC_map_lookup_elem),
2955 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
2956 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
2957 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
2958 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
2959 BPF_MOV32_IMM(BPF_REG_1, 0),
2960 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
2961 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2962 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2963 offsetof(struct test_val, foo)),
2966 .fixup_map2 = { 3 },
2967 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2968 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
2969 .result_unpriv = REJECT,
2973 "invalid map access into an array with a invalid max check",
2975 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2976 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2978 BPF_LD_MAP_FD(BPF_REG_1, 0),
2979 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2980 BPF_FUNC_map_lookup_elem),
2981 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
2982 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
2983 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
2984 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2985 BPF_MOV32_IMM(BPF_REG_1, 0),
2986 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
2987 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2988 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2989 offsetof(struct test_val, foo)),
2992 .fixup_map2 = { 3 },
2993 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2994 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
2995 .result_unpriv = REJECT,
2999 "invalid map access into an array with a invalid max check",
3001 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3002 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3004 BPF_LD_MAP_FD(BPF_REG_1, 0),
3005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3006 BPF_FUNC_map_lookup_elem),
3007 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3008 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3009 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3010 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3012 BPF_LD_MAP_FD(BPF_REG_1, 0),
3013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3014 BPF_FUNC_map_lookup_elem),
3015 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3016 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3017 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3018 offsetof(struct test_val, foo)),
3021 .fixup_map2 = { 3, 11 },
3022 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3023 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3024 .result_unpriv = REJECT,
3028 "multiple registers share map_lookup_elem result",
3030 BPF_MOV64_IMM(BPF_REG_1, 10),
3031 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3034 BPF_LD_MAP_FD(BPF_REG_1, 0),
3035 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3036 BPF_FUNC_map_lookup_elem),
3037 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3039 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3042 .fixup_map1 = { 4 },
3044 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3047 "invalid memory access with multiple map_lookup_elem calls",
3049 BPF_MOV64_IMM(BPF_REG_1, 10),
3050 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3051 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3053 BPF_LD_MAP_FD(BPF_REG_1, 0),
3054 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3055 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3056 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3057 BPF_FUNC_map_lookup_elem),
3058 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3059 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3062 BPF_FUNC_map_lookup_elem),
3063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3064 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3067 .fixup_map1 = { 4 },
3069 .errstr = "R4 !read_ok",
3070 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3073 "valid indirect map_lookup_elem access with 2nd lookup in branch",
3075 BPF_MOV64_IMM(BPF_REG_1, 10),
3076 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3077 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3079 BPF_LD_MAP_FD(BPF_REG_1, 0),
3080 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3081 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3083 BPF_FUNC_map_lookup_elem),
3084 BPF_MOV64_IMM(BPF_REG_2, 10),
3085 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
3086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3089 BPF_FUNC_map_lookup_elem),
3090 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3091 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3092 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3095 .fixup_map1 = { 4 },
3097 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3100 "multiple registers share map_lookup_elem bad reg type",
3102 BPF_MOV64_IMM(BPF_REG_1, 10),
3103 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3106 BPF_LD_MAP_FD(BPF_REG_1, 0),
3107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3108 BPF_FUNC_map_lookup_elem),
3109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
3110 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
3111 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3112 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3113 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3114 BPF_MOV64_IMM(BPF_REG_1, 1),
3115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3116 BPF_MOV64_IMM(BPF_REG_1, 2),
3117 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1),
3118 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0),
3119 BPF_MOV64_IMM(BPF_REG_1, 3),
3122 .fixup_map1 = { 4 },
3124 .errstr = "R3 invalid mem access 'inv'",
3125 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3128 "invalid map access from else condition",
3130 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3131 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3133 BPF_LD_MAP_FD(BPF_REG_1, 0),
3134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
3135 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3136 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3137 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
3138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
3139 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3140 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3141 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
3144 .fixup_map2 = { 3 },
3145 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3147 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3148 .result_unpriv = REJECT,
3151 "constant register |= constant should keep constant type",
3153 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3155 BPF_MOV64_IMM(BPF_REG_2, 34),
3156 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
3157 BPF_MOV64_IMM(BPF_REG_3, 0),
3158 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3162 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3165 "constant register |= constant should not bypass stack boundary checks",
3167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3169 BPF_MOV64_IMM(BPF_REG_2, 34),
3170 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
3171 BPF_MOV64_IMM(BPF_REG_3, 0),
3172 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3175 .errstr = "invalid stack type R1 off=-48 access_size=58",
3177 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3180 "constant register |= constant register should keep constant type",
3182 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3183 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3184 BPF_MOV64_IMM(BPF_REG_2, 34),
3185 BPF_MOV64_IMM(BPF_REG_4, 13),
3186 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3187 BPF_MOV64_IMM(BPF_REG_3, 0),
3188 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3192 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3195 "constant register |= constant register should not bypass stack boundary checks",
3197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3199 BPF_MOV64_IMM(BPF_REG_2, 34),
3200 BPF_MOV64_IMM(BPF_REG_4, 24),
3201 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3202 BPF_MOV64_IMM(BPF_REG_3, 0),
3203 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3206 .errstr = "invalid stack type R1 off=-48 access_size=58",
3208 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3211 "invalid direct packet write for LWT_IN",
3213 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3214 offsetof(struct __sk_buff, data)),
3215 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3216 offsetof(struct __sk_buff, data_end)),
3217 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3219 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3220 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3221 BPF_MOV64_IMM(BPF_REG_0, 0),
3224 .errstr = "cannot write into packet",
3226 .prog_type = BPF_PROG_TYPE_LWT_IN,
3229 "invalid direct packet write for LWT_OUT",
3231 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3232 offsetof(struct __sk_buff, data)),
3233 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3234 offsetof(struct __sk_buff, data_end)),
3235 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3237 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3238 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3239 BPF_MOV64_IMM(BPF_REG_0, 0),
3242 .errstr = "cannot write into packet",
3244 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3247 "direct packet write for LWT_XMIT",
3249 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3250 offsetof(struct __sk_buff, data)),
3251 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3252 offsetof(struct __sk_buff, data_end)),
3253 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3255 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3256 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3257 BPF_MOV64_IMM(BPF_REG_0, 0),
3261 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3264 "direct packet read for LWT_IN",
3266 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3267 offsetof(struct __sk_buff, data)),
3268 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3269 offsetof(struct __sk_buff, data_end)),
3270 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3272 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3273 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3274 BPF_MOV64_IMM(BPF_REG_0, 0),
3278 .prog_type = BPF_PROG_TYPE_LWT_IN,
3281 "direct packet read for LWT_OUT",
3283 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3284 offsetof(struct __sk_buff, data)),
3285 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3286 offsetof(struct __sk_buff, data_end)),
3287 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3288 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3289 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3290 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3291 BPF_MOV64_IMM(BPF_REG_0, 0),
3295 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3298 "direct packet read for LWT_XMIT",
3300 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3301 offsetof(struct __sk_buff, data)),
3302 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3303 offsetof(struct __sk_buff, data_end)),
3304 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3306 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3307 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3308 BPF_MOV64_IMM(BPF_REG_0, 0),
3312 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3315 "invalid access of tc_classid for LWT_IN",
3317 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3318 offsetof(struct __sk_buff, tc_classid)),
3322 .errstr = "invalid bpf_context access",
3325 "invalid access of tc_classid for LWT_OUT",
3327 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3328 offsetof(struct __sk_buff, tc_classid)),
3332 .errstr = "invalid bpf_context access",
3335 "invalid access of tc_classid for LWT_XMIT",
3337 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3338 offsetof(struct __sk_buff, tc_classid)),
3342 .errstr = "invalid bpf_context access",
3345 "helper access to map: full range",
3347 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3349 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3350 BPF_LD_MAP_FD(BPF_REG_1, 0),
3351 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3352 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3354 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
3355 BPF_MOV64_IMM(BPF_REG_3, 0),
3356 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3359 .fixup_map2 = { 3 },
3361 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3364 "helper access to map: partial range",
3366 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3368 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3369 BPF_LD_MAP_FD(BPF_REG_1, 0),
3370 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3371 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3372 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3373 BPF_MOV64_IMM(BPF_REG_2, 8),
3374 BPF_MOV64_IMM(BPF_REG_3, 0),
3375 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3378 .fixup_map2 = { 3 },
3380 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3383 "helper access to map: empty range",
3385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3387 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3388 BPF_LD_MAP_FD(BPF_REG_1, 0),
3389 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3390 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3391 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3392 BPF_MOV64_IMM(BPF_REG_2, 0),
3393 BPF_MOV64_IMM(BPF_REG_3, 0),
3394 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3397 .fixup_map2 = { 3 },
3398 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
3400 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3403 "helper access to map: out-of-bound range",
3405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3407 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3408 BPF_LD_MAP_FD(BPF_REG_1, 0),
3409 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3410 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3412 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
3413 BPF_MOV64_IMM(BPF_REG_3, 0),
3414 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3417 .fixup_map2 = { 3 },
3418 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
3420 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3423 "helper access to map: negative range",
3425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3426 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3427 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3428 BPF_LD_MAP_FD(BPF_REG_1, 0),
3429 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3430 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3432 BPF_MOV64_IMM(BPF_REG_2, -8),
3433 BPF_MOV64_IMM(BPF_REG_3, 0),
3434 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3437 .fixup_map2 = { 3 },
3438 .errstr = "invalid access to map value, value_size=48 off=0 size=-8",
3440 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3443 "helper access to adjusted map (via const imm): full range",
3445 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3447 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3448 BPF_LD_MAP_FD(BPF_REG_1, 0),
3449 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3450 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3453 offsetof(struct test_val, foo)),
3454 BPF_MOV64_IMM(BPF_REG_2,
3455 sizeof(struct test_val) -
3456 offsetof(struct test_val, foo)),
3457 BPF_MOV64_IMM(BPF_REG_3, 0),
3458 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3461 .fixup_map2 = { 3 },
3463 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3466 "helper access to adjusted map (via const imm): partial range",
3468 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3470 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3471 BPF_LD_MAP_FD(BPF_REG_1, 0),
3472 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3473 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3474 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3476 offsetof(struct test_val, foo)),
3477 BPF_MOV64_IMM(BPF_REG_2, 8),
3478 BPF_MOV64_IMM(BPF_REG_3, 0),
3479 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3482 .fixup_map2 = { 3 },
3484 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3487 "helper access to adjusted map (via const imm): empty range",
3489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3491 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3492 BPF_LD_MAP_FD(BPF_REG_1, 0),
3493 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3494 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3495 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3497 offsetof(struct test_val, foo)),
3498 BPF_MOV64_IMM(BPF_REG_2, 0),
3499 BPF_MOV64_IMM(BPF_REG_3, 0),
3500 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3503 .fixup_map2 = { 3 },
3504 .errstr = "R1 min value is outside of the array range",
3506 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3509 "helper access to adjusted map (via const imm): out-of-bound range",
3511 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3513 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3514 BPF_LD_MAP_FD(BPF_REG_1, 0),
3515 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3516 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3517 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3519 offsetof(struct test_val, foo)),
3520 BPF_MOV64_IMM(BPF_REG_2,
3521 sizeof(struct test_val) -
3522 offsetof(struct test_val, foo) + 8),
3523 BPF_MOV64_IMM(BPF_REG_3, 0),
3524 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3527 .fixup_map2 = { 3 },
3528 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
3530 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3533 "helper access to adjusted map (via const imm): negative range (> adjustment)",
3535 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3536 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3537 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3538 BPF_LD_MAP_FD(BPF_REG_1, 0),
3539 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3540 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3541 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3543 offsetof(struct test_val, foo)),
3544 BPF_MOV64_IMM(BPF_REG_2, -8),
3545 BPF_MOV64_IMM(BPF_REG_3, 0),
3546 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3549 .fixup_map2 = { 3 },
3550 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
3552 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3555 "helper access to adjusted map (via const imm): negative range (< adjustment)",
3557 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3559 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3560 BPF_LD_MAP_FD(BPF_REG_1, 0),
3561 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3562 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3563 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3565 offsetof(struct test_val, foo)),
3566 BPF_MOV64_IMM(BPF_REG_2, -1),
3567 BPF_MOV64_IMM(BPF_REG_3, 0),
3568 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3571 .fixup_map2 = { 3 },
3572 .errstr = "R1 min value is outside of the array range",
3574 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3577 "helper access to adjusted map (via const reg): full range",
3579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3581 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3582 BPF_LD_MAP_FD(BPF_REG_1, 0),
3583 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3586 BPF_MOV64_IMM(BPF_REG_3,
3587 offsetof(struct test_val, foo)),
3588 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3589 BPF_MOV64_IMM(BPF_REG_2,
3590 sizeof(struct test_val) -
3591 offsetof(struct test_val, foo)),
3592 BPF_MOV64_IMM(BPF_REG_3, 0),
3593 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3596 .fixup_map2 = { 3 },
3598 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3601 "helper access to adjusted map (via const reg): partial range",
3603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3604 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3605 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3606 BPF_LD_MAP_FD(BPF_REG_1, 0),
3607 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3608 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3609 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3610 BPF_MOV64_IMM(BPF_REG_3,
3611 offsetof(struct test_val, foo)),
3612 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3613 BPF_MOV64_IMM(BPF_REG_2, 8),
3614 BPF_MOV64_IMM(BPF_REG_3, 0),
3615 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3618 .fixup_map2 = { 3 },
3620 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3623 "helper access to adjusted map (via const reg): empty range",
3625 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3627 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3628 BPF_LD_MAP_FD(BPF_REG_1, 0),
3629 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3630 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3631 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3632 BPF_MOV64_IMM(BPF_REG_3, 0),
3633 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3634 BPF_MOV64_IMM(BPF_REG_2, 0),
3635 BPF_MOV64_IMM(BPF_REG_3, 0),
3636 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3639 .fixup_map2 = { 3 },
3640 .errstr = "R1 min value is outside of the array range",
3642 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3645 "helper access to adjusted map (via const reg): out-of-bound range",
3647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3649 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3650 BPF_LD_MAP_FD(BPF_REG_1, 0),
3651 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3654 BPF_MOV64_IMM(BPF_REG_3,
3655 offsetof(struct test_val, foo)),
3656 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3657 BPF_MOV64_IMM(BPF_REG_2,
3658 sizeof(struct test_val) -
3659 offsetof(struct test_val, foo) + 8),
3660 BPF_MOV64_IMM(BPF_REG_3, 0),
3661 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3664 .fixup_map2 = { 3 },
3665 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
3667 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3670 "helper access to adjusted map (via const reg): negative range (> adjustment)",
3672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3674 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3675 BPF_LD_MAP_FD(BPF_REG_1, 0),
3676 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3679 BPF_MOV64_IMM(BPF_REG_3,
3680 offsetof(struct test_val, foo)),
3681 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3682 BPF_MOV64_IMM(BPF_REG_2, -8),
3683 BPF_MOV64_IMM(BPF_REG_3, 0),
3684 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3687 .fixup_map2 = { 3 },
3688 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
3690 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3693 "helper access to adjusted map (via const reg): negative range (< adjustment)",
3695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3697 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3698 BPF_LD_MAP_FD(BPF_REG_1, 0),
3699 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3700 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3701 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3702 BPF_MOV64_IMM(BPF_REG_3,
3703 offsetof(struct test_val, foo)),
3704 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3705 BPF_MOV64_IMM(BPF_REG_2, -1),
3706 BPF_MOV64_IMM(BPF_REG_3, 0),
3707 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3710 .fixup_map2 = { 3 },
3711 .errstr = "R1 min value is outside of the array range",
3713 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3716 "helper access to adjusted map (via variable): full range",
3718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3720 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3721 BPF_LD_MAP_FD(BPF_REG_1, 0),
3722 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3723 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3724 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3725 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
3726 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
3727 offsetof(struct test_val, foo), 4),
3728 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3729 BPF_MOV64_IMM(BPF_REG_2,
3730 sizeof(struct test_val) -
3731 offsetof(struct test_val, foo)),
3732 BPF_MOV64_IMM(BPF_REG_3, 0),
3733 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3736 .fixup_map2 = { 3 },
3738 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3741 "helper access to adjusted map (via variable): partial range",
3743 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3745 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3746 BPF_LD_MAP_FD(BPF_REG_1, 0),
3747 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3750 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
3751 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
3752 offsetof(struct test_val, foo), 4),
3753 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3754 BPF_MOV64_IMM(BPF_REG_2, 8),
3755 BPF_MOV64_IMM(BPF_REG_3, 0),
3756 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3759 .fixup_map2 = { 3 },
3761 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3764 "helper access to adjusted map (via variable): empty range",
3766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3768 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3769 BPF_LD_MAP_FD(BPF_REG_1, 0),
3770 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3772 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3773 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
3774 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
3775 offsetof(struct test_val, foo), 4),
3776 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3777 BPF_MOV64_IMM(BPF_REG_2, 0),
3778 BPF_MOV64_IMM(BPF_REG_3, 0),
3779 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3782 .fixup_map2 = { 3 },
3783 .errstr = "R1 min value is outside of the array range",
3785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3788 "helper access to adjusted map (via variable): no max check",
3790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3792 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3793 BPF_LD_MAP_FD(BPF_REG_1, 0),
3794 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3797 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
3798 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3799 BPF_MOV64_IMM(BPF_REG_2, 0),
3800 BPF_MOV64_IMM(BPF_REG_3, 0),
3801 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3804 .fixup_map2 = { 3 },
3805 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check",
3807 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3810 "helper access to adjusted map (via variable): wrong max check",
3812 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3814 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3815 BPF_LD_MAP_FD(BPF_REG_1, 0),
3816 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3819 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
3820 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
3821 offsetof(struct test_val, foo), 4),
3822 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3823 BPF_MOV64_IMM(BPF_REG_2,
3824 sizeof(struct test_val) -
3825 offsetof(struct test_val, foo) + 1),
3826 BPF_MOV64_IMM(BPF_REG_3, 0),
3827 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3830 .fixup_map2 = { 3 },
3831 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
3833 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3836 "map element value is preserved across register spilling",
3838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3840 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3841 BPF_LD_MAP_FD(BPF_REG_1, 0),
3842 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3844 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
3845 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3846 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
3847 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
3848 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
3849 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
3852 .fixup_map2 = { 3 },
3853 .errstr_unpriv = "R0 leaks addr",
3855 .result_unpriv = REJECT,
3858 "map element value (adjusted) is preserved across register spilling",
3860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3862 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3863 BPF_LD_MAP_FD(BPF_REG_1, 0),
3864 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
3867 offsetof(struct test_val, foo)),
3868 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
3869 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
3871 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
3872 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
3873 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
3876 .fixup_map2 = { 3 },
3877 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3879 .result_unpriv = REJECT,
3882 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
3884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
3886 BPF_MOV64_IMM(BPF_REG_0, 0),
3887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
3888 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
3889 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
3890 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
3891 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
3892 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
3893 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
3894 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3895 BPF_MOV64_IMM(BPF_REG_2, 16),
3896 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
3897 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
3898 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
3899 BPF_MOV64_IMM(BPF_REG_4, 0),
3900 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
3901 BPF_MOV64_IMM(BPF_REG_3, 0),
3902 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3903 BPF_MOV64_IMM(BPF_REG_0, 0),
3907 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3910 "helper access to variable memory: stack, bitwise AND, zero included",
3912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3913 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
3914 BPF_MOV64_IMM(BPF_REG_2, 16),
3915 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
3916 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
3917 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
3918 BPF_MOV64_IMM(BPF_REG_3, 0),
3919 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3922 .errstr = "invalid stack type R1 off=-64 access_size=0",
3924 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3927 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
3929 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
3931 BPF_MOV64_IMM(BPF_REG_2, 16),
3932 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
3933 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
3934 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
3935 BPF_MOV64_IMM(BPF_REG_4, 0),
3936 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
3937 BPF_MOV64_IMM(BPF_REG_3, 0),
3938 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3939 BPF_MOV64_IMM(BPF_REG_0, 0),
3942 .errstr = "invalid stack type R1 off=-64 access_size=65",
3944 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3947 "helper access to variable memory: stack, JMP, correct bounds",
3949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
3951 BPF_MOV64_IMM(BPF_REG_0, 0),
3952 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
3953 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
3954 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
3955 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
3956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
3957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
3958 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
3959 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3960 BPF_MOV64_IMM(BPF_REG_2, 16),
3961 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
3962 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
3963 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
3964 BPF_MOV64_IMM(BPF_REG_4, 0),
3965 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
3966 BPF_MOV64_IMM(BPF_REG_3, 0),
3967 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3968 BPF_MOV64_IMM(BPF_REG_0, 0),
3972 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3975 "helper access to variable memory: stack, JMP (signed), correct bounds",
3977 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
3979 BPF_MOV64_IMM(BPF_REG_0, 0),
3980 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
3981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
3982 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
3983 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
3984 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
3985 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
3986 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
3987 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3988 BPF_MOV64_IMM(BPF_REG_2, 16),
3989 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
3990 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
3991 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
3992 BPF_MOV64_IMM(BPF_REG_4, 0),
3993 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
3994 BPF_MOV64_IMM(BPF_REG_3, 0),
3995 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3996 BPF_MOV64_IMM(BPF_REG_0, 0),
4000 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4003 "helper access to variable memory: stack, JMP, bounds + offset",
4005 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4007 BPF_MOV64_IMM(BPF_REG_2, 16),
4008 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4009 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4010 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
4011 BPF_MOV64_IMM(BPF_REG_4, 0),
4012 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
4013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4014 BPF_MOV64_IMM(BPF_REG_3, 0),
4015 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4016 BPF_MOV64_IMM(BPF_REG_0, 0),
4019 .errstr = "invalid stack type R1 off=-64 access_size=65",
4021 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4024 "helper access to variable memory: stack, JMP, wrong max",
4026 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4028 BPF_MOV64_IMM(BPF_REG_2, 16),
4029 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4030 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4031 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
4032 BPF_MOV64_IMM(BPF_REG_4, 0),
4033 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4034 BPF_MOV64_IMM(BPF_REG_3, 0),
4035 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4036 BPF_MOV64_IMM(BPF_REG_0, 0),
4039 .errstr = "invalid stack type R1 off=-64 access_size=65",
4041 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4044 "helper access to variable memory: stack, JMP, no max check",
4046 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4048 BPF_MOV64_IMM(BPF_REG_2, 16),
4049 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4050 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4051 BPF_MOV64_IMM(BPF_REG_4, 0),
4052 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4053 BPF_MOV64_IMM(BPF_REG_3, 0),
4054 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4055 BPF_MOV64_IMM(BPF_REG_0, 0),
4058 .errstr = "R2 unbounded memory access",
4060 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4063 "helper access to variable memory: stack, JMP, no min check",
4065 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4067 BPF_MOV64_IMM(BPF_REG_2, 16),
4068 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4069 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4070 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
4071 BPF_MOV64_IMM(BPF_REG_3, 0),
4072 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4073 BPF_MOV64_IMM(BPF_REG_0, 0),
4076 .errstr = "invalid stack type R1 off=-64 access_size=0",
4078 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4081 "helper access to variable memory: stack, JMP (signed), no min check",
4083 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4085 BPF_MOV64_IMM(BPF_REG_2, 16),
4086 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4087 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4088 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
4089 BPF_MOV64_IMM(BPF_REG_3, 0),
4090 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4091 BPF_MOV64_IMM(BPF_REG_0, 0),
4094 .errstr = "R2 min value is negative",
4096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4099 "helper access to variable memory: map, JMP, correct bounds",
4101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4104 BPF_LD_MAP_FD(BPF_REG_1, 0),
4105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4108 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4109 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4110 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4111 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4112 sizeof(struct test_val), 4),
4113 BPF_MOV64_IMM(BPF_REG_4, 0),
4114 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4115 BPF_MOV64_IMM(BPF_REG_3, 0),
4116 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4117 BPF_MOV64_IMM(BPF_REG_0, 0),
4120 .fixup_map2 = { 3 },
4122 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4125 "helper access to variable memory: map, JMP, wrong max",
4127 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4128 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4129 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4130 BPF_LD_MAP_FD(BPF_REG_1, 0),
4131 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4132 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4133 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4134 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4135 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4136 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4137 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4138 sizeof(struct test_val) + 1, 4),
4139 BPF_MOV64_IMM(BPF_REG_4, 0),
4140 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4141 BPF_MOV64_IMM(BPF_REG_3, 0),
4142 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4143 BPF_MOV64_IMM(BPF_REG_0, 0),
4146 .fixup_map2 = { 3 },
4147 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
4149 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4152 "helper access to variable memory: map adjusted, JMP, correct bounds",
4154 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4155 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4156 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4157 BPF_LD_MAP_FD(BPF_REG_1, 0),
4158 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4159 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4160 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
4162 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4163 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4164 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4165 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4166 sizeof(struct test_val) - 20, 4),
4167 BPF_MOV64_IMM(BPF_REG_4, 0),
4168 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4169 BPF_MOV64_IMM(BPF_REG_3, 0),
4170 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4171 BPF_MOV64_IMM(BPF_REG_0, 0),
4174 .fixup_map2 = { 3 },
4176 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4179 "helper access to variable memory: map adjusted, JMP, wrong max",
4181 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4183 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4184 BPF_LD_MAP_FD(BPF_REG_1, 0),
4185 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4186 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
4189 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4190 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4191 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4192 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4193 sizeof(struct test_val) - 19, 4),
4194 BPF_MOV64_IMM(BPF_REG_4, 0),
4195 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4196 BPF_MOV64_IMM(BPF_REG_3, 0),
4197 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4198 BPF_MOV64_IMM(BPF_REG_0, 0),
4201 .fixup_map2 = { 3 },
4202 .errstr = "R1 min value is outside of the array range",
4204 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4207 "helper access to variable memory: size > 0 not allowed on NULL",
4209 BPF_MOV64_IMM(BPF_REG_1, 0),
4210 BPF_MOV64_IMM(BPF_REG_2, 0),
4211 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4212 BPF_MOV64_IMM(BPF_REG_3, 0),
4213 BPF_MOV64_IMM(BPF_REG_4, 0),
4214 BPF_MOV64_IMM(BPF_REG_5, 0),
4215 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
4218 .errstr = "R1 type=imm expected=fp",
4220 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4223 "helper access to variable memory: size = 0 not allowed on != NULL",
4225 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
4227 BPF_MOV64_IMM(BPF_REG_2, 0),
4228 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
4229 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
4230 BPF_MOV64_IMM(BPF_REG_3, 0),
4231 BPF_MOV64_IMM(BPF_REG_4, 0),
4232 BPF_MOV64_IMM(BPF_REG_5, 0),
4233 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
4236 .errstr = "invalid stack type R1 off=-8 access_size=0",
4238 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4241 "helper access to variable memory: 8 bytes leak",
4243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4245 BPF_MOV64_IMM(BPF_REG_0, 0),
4246 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4247 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4248 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4249 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4250 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4251 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4252 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4253 BPF_MOV64_IMM(BPF_REG_2, 0),
4254 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
4255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4256 BPF_MOV64_IMM(BPF_REG_3, 0),
4257 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4258 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
4261 .errstr = "invalid indirect read from stack off -64+32 size 64",
4263 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4266 "helper access to variable memory: 8 bytes no leak (init memory)",
4268 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4269 BPF_MOV64_IMM(BPF_REG_0, 0),
4270 BPF_MOV64_IMM(BPF_REG_0, 0),
4271 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4272 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4273 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4274 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4275 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4276 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4277 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4278 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4280 BPF_MOV64_IMM(BPF_REG_2, 0),
4281 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
4282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
4283 BPF_MOV64_IMM(BPF_REG_3, 0),
4284 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4285 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
4289 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4293 static int probe_filter_length(const struct bpf_insn *fp)
4297 for (len = MAX_INSNS - 1; len > 0; --len)
4298 if (fp[len].code != 0 || fp[len].imm != 0)
4303 static int create_map(uint32_t size_value, uint32_t max_elem)
4307 fd = bpf_map_create(BPF_MAP_TYPE_HASH, sizeof(long long),
4308 size_value, max_elem, BPF_F_NO_PREALLOC);
4310 printf("Failed to create hash map '%s'!\n", strerror(errno));
4315 static int create_prog_array(void)
4319 fd = bpf_map_create(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
4322 printf("Failed to create prog array '%s'!\n", strerror(errno));
4327 static char bpf_vlog[32768];
4329 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
4330 int *fd_f1, int *fd_f2, int *fd_f3)
4332 int *fixup_map1 = test->fixup_map1;
4333 int *fixup_map2 = test->fixup_map2;
4334 int *fixup_prog = test->fixup_prog;
4336 /* Allocating HTs with 1 elem is fine here, since we only test
4337 * for verifier and not do a runtime lookup, so the only thing
4338 * that really matters is value size in this case.
4341 *fd_f1 = create_map(sizeof(long long), 1);
4343 prog[*fixup_map1].imm = *fd_f1;
4345 } while (*fixup_map1);
4349 *fd_f2 = create_map(sizeof(struct test_val), 1);
4351 prog[*fixup_map2].imm = *fd_f2;
4353 } while (*fixup_map2);
4357 *fd_f3 = create_prog_array();
4359 prog[*fixup_prog].imm = *fd_f3;
4361 } while (*fixup_prog);
4365 static void do_test_single(struct bpf_test *test, bool unpriv,
4366 int *passes, int *errors)
4368 struct bpf_insn *prog = test->insns;
4369 int prog_len = probe_filter_length(prog);
4370 int prog_type = test->prog_type;
4371 int fd_f1 = -1, fd_f2 = -1, fd_f3 = -1;
4372 int fd_prog, expected_ret;
4373 const char *expected_err;
4375 do_test_fixup(test, prog, &fd_f1, &fd_f2, &fd_f3);
4377 fd_prog = bpf_prog_load(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
4378 prog, prog_len * sizeof(struct bpf_insn),
4379 "GPL", bpf_vlog, sizeof(bpf_vlog));
4381 expected_ret = unpriv && test->result_unpriv != UNDEF ?
4382 test->result_unpriv : test->result;
4383 expected_err = unpriv && test->errstr_unpriv ?
4384 test->errstr_unpriv : test->errstr;
4385 if (expected_ret == ACCEPT) {
4387 printf("FAIL\nFailed to load prog '%s'!\n",
4393 printf("FAIL\nUnexpected success to load!\n");
4396 if (!strstr(bpf_vlog, expected_err)) {
4397 printf("FAIL\nUnexpected error message!\n");
4413 printf("%s", bpf_vlog);
4417 static int do_test(bool unpriv, unsigned int from, unsigned int to)
4419 int i, passes = 0, errors = 0;
4421 for (i = from; i < to; i++) {
4422 struct bpf_test *test = &tests[i];
4424 /* Program types that are not supported by non-root we
4427 if (unpriv && test->prog_type)
4430 printf("#%d %s ", i, test->descr);
4431 do_test_single(test, unpriv, &passes, &errors);
4434 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
4435 return errors ? -errors : 0;
4438 int main(int argc, char **argv)
4440 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
4441 struct rlimit rlim = { 1 << 20, 1 << 20 };
4442 unsigned int from = 0, to = ARRAY_SIZE(tests);
4443 bool unpriv = geteuid() != 0;
4446 unsigned int l = atoi(argv[argc - 2]);
4447 unsigned int u = atoi(argv[argc - 1]);
4449 if (l < to && u < to) {
4453 } else if (argc == 2) {
4454 unsigned int t = atoi(argv[argc - 1]);
4462 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
4463 return do_test(unpriv, from, to);
projects / karo-tx-linux.git / blob