2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
11 #include <asm/types.h>
12 #include <linux/types.h>
23 #include <sys/capability.h>
24 #include <sys/resource.h>
26 #include <linux/unistd.h>
27 #include <linux/filter.h>
28 #include <linux/bpf_perf_event.h>
29 #include <linux/bpf.h>
34 # include "autoconf.h"
36 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
37 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41 #include "../../../include/linux/filter.h"
44 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
51 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
52 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
56 struct bpf_insn insns[MAX_INSNS];
57 int fixup_map1[MAX_FIXUPS];
58 int fixup_map2[MAX_FIXUPS];
59 int fixup_prog[MAX_FIXUPS];
60 int fixup_map_in_map[MAX_FIXUPS];
62 const char *errstr_unpriv;
67 } result, result_unpriv;
68 enum bpf_prog_type prog_type;
72 /* Note we want this to be 64 bit aligned so that the end of our array is
73 * actually the end of the structure.
75 #define MAX_ENTRIES 11
82 static struct bpf_test tests[] = {
86 BPF_MOV64_IMM(BPF_REG_1, 1),
87 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
88 BPF_MOV64_IMM(BPF_REG_2, 3),
89 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
90 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
91 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
92 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
103 .errstr = "unreachable",
109 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
110 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
113 .errstr = "unreachable",
119 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
122 .errstr = "jump out of range",
126 "out of range jump2",
128 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
131 .errstr = "jump out of range",
137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
138 BPF_LD_IMM64(BPF_REG_0, 0),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 1),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_MOV64_IMM(BPF_REG_0, 2),
145 .errstr = "invalid BPF_LD_IMM insn",
146 .errstr_unpriv = "R1 pointer comparison",
152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
153 BPF_LD_IMM64(BPF_REG_0, 0),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 1),
156 BPF_LD_IMM64(BPF_REG_0, 1),
159 .errstr = "invalid BPF_LD_IMM insn",
160 .errstr_unpriv = "R1 pointer comparison",
166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
167 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
168 BPF_LD_IMM64(BPF_REG_0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 1),
171 BPF_LD_IMM64(BPF_REG_0, 1),
174 .errstr = "invalid bpf_ld_imm64 insn",
180 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
183 .errstr = "invalid bpf_ld_imm64 insn",
189 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
191 .errstr = "invalid bpf_ld_imm64 insn",
197 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
198 BPF_RAW_INSN(0, 0, 0, 0, 0),
206 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
207 BPF_RAW_INSN(0, 0, 0, 0, 1),
215 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
216 BPF_RAW_INSN(0, 0, 0, 0, 1),
219 .errstr = "uses reserved fields",
225 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
226 BPF_RAW_INSN(0, 0, 0, 1, 1),
229 .errstr = "invalid bpf_ld_imm64 insn",
235 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
236 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
239 .errstr = "invalid bpf_ld_imm64 insn",
245 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
246 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
249 .errstr = "invalid bpf_ld_imm64 insn",
255 BPF_MOV64_IMM(BPF_REG_1, 0),
256 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
257 BPF_RAW_INSN(0, 0, 0, 0, 1),
260 .errstr = "not pointing to valid bpf_map",
266 BPF_MOV64_IMM(BPF_REG_1, 0),
267 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
268 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
271 .errstr = "invalid bpf_ld_imm64 insn",
277 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
279 .errstr = "jump out of range",
285 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
288 .errstr = "back-edge",
294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
296 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
297 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
300 .errstr = "back-edge",
306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
308 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
312 .errstr = "back-edge",
316 "read uninitialized register",
318 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
321 .errstr = "R2 !read_ok",
325 "read invalid register",
327 BPF_MOV64_REG(BPF_REG_0, -1),
330 .errstr = "R15 is invalid",
334 "program doesn't init R0 before exit",
336 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
339 .errstr = "R0 !read_ok",
343 "program doesn't init R0 before exit in all branches",
345 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
346 BPF_MOV64_IMM(BPF_REG_0, 1),
347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
350 .errstr = "R0 !read_ok",
351 .errstr_unpriv = "R1 pointer comparison",
355 "stack out of bounds",
357 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
360 .errstr = "invalid stack",
364 "invalid call insn1",
366 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
369 .errstr = "BPF_CALL uses reserved",
373 "invalid call insn2",
375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
378 .errstr = "BPF_CALL uses reserved",
382 "invalid function call",
384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
387 .errstr = "invalid func unknown#1234567",
391 "uninitialized stack1",
393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
395 BPF_LD_MAP_FD(BPF_REG_1, 0),
396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
397 BPF_FUNC_map_lookup_elem),
401 .errstr = "invalid indirect read from stack",
405 "uninitialized stack2",
407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
408 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
411 .errstr = "invalid read from stack",
415 "invalid fp arithmetic",
416 /* If this gets ever changed, make sure JITs can deal with it. */
418 BPF_MOV64_IMM(BPF_REG_0, 0),
419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
420 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
421 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
424 .errstr_unpriv = "R1 pointer arithmetic",
425 .result_unpriv = REJECT,
426 .errstr = "R1 invalid mem access",
430 "non-invalid fp arithmetic",
432 BPF_MOV64_IMM(BPF_REG_0, 0),
433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
439 "invalid argument register",
441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
442 BPF_FUNC_get_cgroup_classid),
443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
444 BPF_FUNC_get_cgroup_classid),
447 .errstr = "R1 !read_ok",
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
452 "non-invalid argument register",
454 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
456 BPF_FUNC_get_cgroup_classid),
457 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
459 BPF_FUNC_get_cgroup_classid),
463 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
466 "check valid spill/fill",
468 /* spill R1(ctx) into stack */
469 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
470 /* fill it back into R2 */
471 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
472 /* should be able to access R0 = *(R2 + 8) */
473 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
474 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
477 .errstr_unpriv = "R0 leaks addr",
479 .result_unpriv = REJECT,
482 "check valid spill/fill, skb mark",
484 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
485 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
486 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
487 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
488 offsetof(struct __sk_buff, mark)),
492 .result_unpriv = ACCEPT,
495 "check corrupted spill/fill",
497 /* spill R1(ctx) into stack */
498 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
499 /* mess up with R1 pointer on stack */
500 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
501 /* fill back into R0 should fail */
502 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
505 .errstr_unpriv = "attempt to corrupt spilled",
506 .errstr = "corrupted spill",
510 "invalid src register in STX",
512 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
515 .errstr = "R15 is invalid",
519 "invalid dst register in STX",
521 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
524 .errstr = "R14 is invalid",
528 "invalid dst register in ST",
530 BPF_ST_MEM(BPF_B, 14, -1, -1),
533 .errstr = "R14 is invalid",
537 "invalid src register in LDX",
539 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
542 .errstr = "R12 is invalid",
546 "invalid dst register in LDX",
548 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
551 .errstr = "R11 is invalid",
557 BPF_RAW_INSN(0, 0, 0, 0, 0),
560 .errstr = "invalid BPF_LD_IMM",
566 BPF_RAW_INSN(1, 0, 0, 0, 0),
569 .errstr = "BPF_LDX uses reserved fields",
575 BPF_RAW_INSN(-1, 0, 0, 0, 0),
578 .errstr = "invalid BPF_ALU opcode f0",
584 BPF_RAW_INSN(-1, -1, -1, -1, -1),
587 .errstr = "invalid BPF_ALU opcode f0",
593 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
596 .errstr = "BPF_ALU uses reserved fields",
600 "misaligned read from stack",
602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
603 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
606 .errstr = "misaligned access",
610 "invalid map_fd for function call",
612 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
613 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
615 BPF_LD_MAP_FD(BPF_REG_1, 0),
616 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
617 BPF_FUNC_map_delete_elem),
620 .errstr = "fd 0 is not pointing to valid bpf_map",
624 "don't check return value before access",
626 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
629 BPF_LD_MAP_FD(BPF_REG_1, 0),
630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
631 BPF_FUNC_map_lookup_elem),
632 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
636 .errstr = "R0 invalid mem access 'map_value_or_null'",
640 "access memory with incorrect alignment",
642 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
643 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
644 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
645 BPF_LD_MAP_FD(BPF_REG_1, 0),
646 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
647 BPF_FUNC_map_lookup_elem),
648 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
649 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
653 .errstr = "misaligned access",
657 "sometimes access memory with incorrect alignment",
659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
662 BPF_LD_MAP_FD(BPF_REG_1, 0),
663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
664 BPF_FUNC_map_lookup_elem),
665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
666 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
668 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
672 .errstr = "R0 invalid mem access",
673 .errstr_unpriv = "R0 leaks addr",
679 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
680 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
681 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
682 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
683 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
684 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
693 BPF_MOV64_IMM(BPF_REG_0, 0),
696 .errstr_unpriv = "R1 pointer comparison",
697 .result_unpriv = REJECT,
703 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
705 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
706 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
708 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
709 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
711 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
712 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
714 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
715 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
716 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
717 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
718 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
720 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
721 BPF_MOV64_IMM(BPF_REG_0, 0),
724 .errstr_unpriv = "R1 pointer comparison",
725 .result_unpriv = REJECT,
731 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
733 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
735 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
739 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
743 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
747 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
751 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
755 BPF_LD_MAP_FD(BPF_REG_1, 0),
756 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
757 BPF_FUNC_map_delete_elem),
760 .fixup_map1 = { 24 },
761 .errstr_unpriv = "R1 pointer comparison",
762 .result_unpriv = REJECT,
768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
770 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
808 BPF_MOV64_IMM(BPF_REG_0, 0),
811 .errstr_unpriv = "R1 pointer comparison",
812 .result_unpriv = REJECT,
818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
819 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
820 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
821 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
822 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
823 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
824 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
825 BPF_MOV64_IMM(BPF_REG_0, 0),
826 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
828 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
829 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
830 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
831 BPF_MOV64_IMM(BPF_REG_0, 0),
832 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
834 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
835 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
836 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
837 BPF_MOV64_IMM(BPF_REG_0, 0),
838 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
840 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
841 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
842 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
843 BPF_MOV64_IMM(BPF_REG_0, 0),
844 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
846 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
847 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
848 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
849 BPF_MOV64_IMM(BPF_REG_0, 0),
852 .errstr_unpriv = "R1 pointer comparison",
853 .result_unpriv = REJECT,
857 "access skb fields ok",
859 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
860 offsetof(struct __sk_buff, len)),
861 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
862 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
863 offsetof(struct __sk_buff, mark)),
864 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
865 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
866 offsetof(struct __sk_buff, pkt_type)),
867 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
868 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
869 offsetof(struct __sk_buff, queue_mapping)),
870 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
871 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
872 offsetof(struct __sk_buff, protocol)),
873 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
874 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
875 offsetof(struct __sk_buff, vlan_present)),
876 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
877 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
878 offsetof(struct __sk_buff, vlan_tci)),
879 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
880 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
881 offsetof(struct __sk_buff, napi_id)),
882 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
888 "access skb fields bad1",
890 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
893 .errstr = "invalid bpf_context access",
897 "access skb fields bad2",
899 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
900 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
903 BPF_LD_MAP_FD(BPF_REG_1, 0),
904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
905 BPF_FUNC_map_lookup_elem),
906 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
910 offsetof(struct __sk_buff, pkt_type)),
914 .errstr = "different pointers",
915 .errstr_unpriv = "R1 pointer comparison",
919 "access skb fields bad3",
921 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
922 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
923 offsetof(struct __sk_buff, pkt_type)),
925 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
928 BPF_LD_MAP_FD(BPF_REG_1, 0),
929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
930 BPF_FUNC_map_lookup_elem),
931 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
933 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
934 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
937 .errstr = "different pointers",
938 .errstr_unpriv = "R1 pointer comparison",
942 "access skb fields bad4",
944 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
945 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
946 offsetof(struct __sk_buff, len)),
947 BPF_MOV64_IMM(BPF_REG_0, 0),
949 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
952 BPF_LD_MAP_FD(BPF_REG_1, 0),
953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
954 BPF_FUNC_map_lookup_elem),
955 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
958 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
961 .errstr = "different pointers",
962 .errstr_unpriv = "R1 pointer comparison",
966 "check skb->mark is not writeable by sockets",
968 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
969 offsetof(struct __sk_buff, mark)),
972 .errstr = "invalid bpf_context access",
973 .errstr_unpriv = "R1 leaks addr",
977 "check skb->tc_index is not writeable by sockets",
979 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
980 offsetof(struct __sk_buff, tc_index)),
983 .errstr = "invalid bpf_context access",
984 .errstr_unpriv = "R1 leaks addr",
988 "check cb access: byte",
990 BPF_MOV64_IMM(BPF_REG_0, 0),
991 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
992 offsetof(struct __sk_buff, cb[0])),
993 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
994 offsetof(struct __sk_buff, cb[0]) + 1),
995 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
996 offsetof(struct __sk_buff, cb[0]) + 2),
997 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
998 offsetof(struct __sk_buff, cb[0]) + 3),
999 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1000 offsetof(struct __sk_buff, cb[1])),
1001 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1002 offsetof(struct __sk_buff, cb[1]) + 1),
1003 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1004 offsetof(struct __sk_buff, cb[1]) + 2),
1005 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1006 offsetof(struct __sk_buff, cb[1]) + 3),
1007 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1008 offsetof(struct __sk_buff, cb[2])),
1009 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1010 offsetof(struct __sk_buff, cb[2]) + 1),
1011 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1012 offsetof(struct __sk_buff, cb[2]) + 2),
1013 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1014 offsetof(struct __sk_buff, cb[2]) + 3),
1015 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1016 offsetof(struct __sk_buff, cb[3])),
1017 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1018 offsetof(struct __sk_buff, cb[3]) + 1),
1019 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1020 offsetof(struct __sk_buff, cb[3]) + 2),
1021 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1022 offsetof(struct __sk_buff, cb[3]) + 3),
1023 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1024 offsetof(struct __sk_buff, cb[4])),
1025 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1026 offsetof(struct __sk_buff, cb[4]) + 1),
1027 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1028 offsetof(struct __sk_buff, cb[4]) + 2),
1029 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1030 offsetof(struct __sk_buff, cb[4]) + 3),
1031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1032 offsetof(struct __sk_buff, cb[0])),
1033 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1034 offsetof(struct __sk_buff, cb[0]) + 1),
1035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1036 offsetof(struct __sk_buff, cb[0]) + 2),
1037 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1038 offsetof(struct __sk_buff, cb[0]) + 3),
1039 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1040 offsetof(struct __sk_buff, cb[1])),
1041 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1042 offsetof(struct __sk_buff, cb[1]) + 1),
1043 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1044 offsetof(struct __sk_buff, cb[1]) + 2),
1045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1046 offsetof(struct __sk_buff, cb[1]) + 3),
1047 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1048 offsetof(struct __sk_buff, cb[2])),
1049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1050 offsetof(struct __sk_buff, cb[2]) + 1),
1051 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1052 offsetof(struct __sk_buff, cb[2]) + 2),
1053 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1054 offsetof(struct __sk_buff, cb[2]) + 3),
1055 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1056 offsetof(struct __sk_buff, cb[3])),
1057 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1058 offsetof(struct __sk_buff, cb[3]) + 1),
1059 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1060 offsetof(struct __sk_buff, cb[3]) + 2),
1061 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1062 offsetof(struct __sk_buff, cb[3]) + 3),
1063 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1064 offsetof(struct __sk_buff, cb[4])),
1065 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1066 offsetof(struct __sk_buff, cb[4]) + 1),
1067 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1068 offsetof(struct __sk_buff, cb[4]) + 2),
1069 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1070 offsetof(struct __sk_buff, cb[4]) + 3),
1076 "__sk_buff->hash, offset 0, byte store not permitted",
1078 BPF_MOV64_IMM(BPF_REG_0, 0),
1079 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1080 offsetof(struct __sk_buff, hash)),
1083 .errstr = "invalid bpf_context access",
1087 "__sk_buff->tc_index, offset 3, byte store not permitted",
1089 BPF_MOV64_IMM(BPF_REG_0, 0),
1090 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1091 offsetof(struct __sk_buff, tc_index) + 3),
1094 .errstr = "invalid bpf_context access",
1098 "check skb->hash byte load permitted",
1100 BPF_MOV64_IMM(BPF_REG_0, 0),
1101 #ifdef __LITTLE_ENDIAN
1102 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1103 offsetof(struct __sk_buff, hash)),
1105 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1106 offsetof(struct __sk_buff, hash) + 3),
1113 "check skb->hash byte load not permitted 1",
1115 BPF_MOV64_IMM(BPF_REG_0, 0),
1116 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1117 offsetof(struct __sk_buff, hash) + 1),
1120 .errstr = "invalid bpf_context access",
1124 "check skb->hash byte load not permitted 2",
1126 BPF_MOV64_IMM(BPF_REG_0, 0),
1127 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1128 offsetof(struct __sk_buff, hash) + 2),
1131 .errstr = "invalid bpf_context access",
1135 "check skb->hash byte load not permitted 3",
1137 BPF_MOV64_IMM(BPF_REG_0, 0),
1138 #ifdef __LITTLE_ENDIAN
1139 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1140 offsetof(struct __sk_buff, hash) + 3),
1142 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1143 offsetof(struct __sk_buff, hash)),
1147 .errstr = "invalid bpf_context access",
1151 "check cb access: byte, wrong type",
1153 BPF_MOV64_IMM(BPF_REG_0, 0),
1154 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1155 offsetof(struct __sk_buff, cb[0])),
1158 .errstr = "invalid bpf_context access",
1160 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1163 "check cb access: half",
1165 BPF_MOV64_IMM(BPF_REG_0, 0),
1166 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1167 offsetof(struct __sk_buff, cb[0])),
1168 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1169 offsetof(struct __sk_buff, cb[0]) + 2),
1170 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1171 offsetof(struct __sk_buff, cb[1])),
1172 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1173 offsetof(struct __sk_buff, cb[1]) + 2),
1174 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1175 offsetof(struct __sk_buff, cb[2])),
1176 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1177 offsetof(struct __sk_buff, cb[2]) + 2),
1178 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1179 offsetof(struct __sk_buff, cb[3])),
1180 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1181 offsetof(struct __sk_buff, cb[3]) + 2),
1182 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1183 offsetof(struct __sk_buff, cb[4])),
1184 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1185 offsetof(struct __sk_buff, cb[4]) + 2),
1186 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1187 offsetof(struct __sk_buff, cb[0])),
1188 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1189 offsetof(struct __sk_buff, cb[0]) + 2),
1190 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1191 offsetof(struct __sk_buff, cb[1])),
1192 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1193 offsetof(struct __sk_buff, cb[1]) + 2),
1194 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1195 offsetof(struct __sk_buff, cb[2])),
1196 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1197 offsetof(struct __sk_buff, cb[2]) + 2),
1198 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1199 offsetof(struct __sk_buff, cb[3])),
1200 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1201 offsetof(struct __sk_buff, cb[3]) + 2),
1202 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1203 offsetof(struct __sk_buff, cb[4])),
1204 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1205 offsetof(struct __sk_buff, cb[4]) + 2),
1211 "check cb access: half, unaligned",
1213 BPF_MOV64_IMM(BPF_REG_0, 0),
1214 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1215 offsetof(struct __sk_buff, cb[0]) + 1),
1218 .errstr = "misaligned access",
1222 "check __sk_buff->hash, offset 0, half store not permitted",
1224 BPF_MOV64_IMM(BPF_REG_0, 0),
1225 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1226 offsetof(struct __sk_buff, hash)),
1229 .errstr = "invalid bpf_context access",
1233 "check __sk_buff->tc_index, offset 2, half store not permitted",
1235 BPF_MOV64_IMM(BPF_REG_0, 0),
1236 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1237 offsetof(struct __sk_buff, tc_index) + 2),
1240 .errstr = "invalid bpf_context access",
1244 "check skb->hash half load permitted",
1246 BPF_MOV64_IMM(BPF_REG_0, 0),
1247 #ifdef __LITTLE_ENDIAN
1248 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1249 offsetof(struct __sk_buff, hash)),
1251 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1252 offsetof(struct __sk_buff, hash) + 2),
1259 "check skb->hash half load not permitted",
1261 BPF_MOV64_IMM(BPF_REG_0, 0),
1262 #ifdef __LITTLE_ENDIAN
1263 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1264 offsetof(struct __sk_buff, hash) + 2),
1266 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1267 offsetof(struct __sk_buff, hash)),
1271 .errstr = "invalid bpf_context access",
1275 "check cb access: half, wrong type",
1277 BPF_MOV64_IMM(BPF_REG_0, 0),
1278 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1279 offsetof(struct __sk_buff, cb[0])),
1282 .errstr = "invalid bpf_context access",
1284 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1287 "check cb access: word",
1289 BPF_MOV64_IMM(BPF_REG_0, 0),
1290 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1291 offsetof(struct __sk_buff, cb[0])),
1292 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1293 offsetof(struct __sk_buff, cb[1])),
1294 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1295 offsetof(struct __sk_buff, cb[2])),
1296 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1297 offsetof(struct __sk_buff, cb[3])),
1298 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1299 offsetof(struct __sk_buff, cb[4])),
1300 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1301 offsetof(struct __sk_buff, cb[0])),
1302 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1303 offsetof(struct __sk_buff, cb[1])),
1304 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1305 offsetof(struct __sk_buff, cb[2])),
1306 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1307 offsetof(struct __sk_buff, cb[3])),
1308 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1309 offsetof(struct __sk_buff, cb[4])),
1315 "check cb access: word, unaligned 1",
1317 BPF_MOV64_IMM(BPF_REG_0, 0),
1318 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1319 offsetof(struct __sk_buff, cb[0]) + 2),
1322 .errstr = "misaligned access",
1326 "check cb access: word, unaligned 2",
1328 BPF_MOV64_IMM(BPF_REG_0, 0),
1329 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1330 offsetof(struct __sk_buff, cb[4]) + 1),
1333 .errstr = "misaligned access",
1337 "check cb access: word, unaligned 3",
1339 BPF_MOV64_IMM(BPF_REG_0, 0),
1340 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1341 offsetof(struct __sk_buff, cb[4]) + 2),
1344 .errstr = "misaligned access",
1348 "check cb access: word, unaligned 4",
1350 BPF_MOV64_IMM(BPF_REG_0, 0),
1351 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1352 offsetof(struct __sk_buff, cb[4]) + 3),
1355 .errstr = "misaligned access",
1359 "check cb access: double",
1361 BPF_MOV64_IMM(BPF_REG_0, 0),
1362 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1363 offsetof(struct __sk_buff, cb[0])),
1364 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1365 offsetof(struct __sk_buff, cb[2])),
1366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1367 offsetof(struct __sk_buff, cb[0])),
1368 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, cb[2])),
1375 "check cb access: double, unaligned 1",
1377 BPF_MOV64_IMM(BPF_REG_0, 0),
1378 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1379 offsetof(struct __sk_buff, cb[1])),
1382 .errstr = "misaligned access",
1386 "check cb access: double, unaligned 2",
1388 BPF_MOV64_IMM(BPF_REG_0, 0),
1389 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1390 offsetof(struct __sk_buff, cb[3])),
1393 .errstr = "misaligned access",
1397 "check cb access: double, oob 1",
1399 BPF_MOV64_IMM(BPF_REG_0, 0),
1400 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1401 offsetof(struct __sk_buff, cb[4])),
1404 .errstr = "invalid bpf_context access",
1408 "check cb access: double, oob 2",
1410 BPF_MOV64_IMM(BPF_REG_0, 0),
1411 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1412 offsetof(struct __sk_buff, cb[4])),
1415 .errstr = "invalid bpf_context access",
1419 "check __sk_buff->ifindex dw store not permitted",
1421 BPF_MOV64_IMM(BPF_REG_0, 0),
1422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1423 offsetof(struct __sk_buff, ifindex)),
1426 .errstr = "invalid bpf_context access",
1430 "check __sk_buff->ifindex dw load not permitted",
1432 BPF_MOV64_IMM(BPF_REG_0, 0),
1433 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1434 offsetof(struct __sk_buff, ifindex)),
1437 .errstr = "invalid bpf_context access",
1441 "check cb access: double, wrong type",
1443 BPF_MOV64_IMM(BPF_REG_0, 0),
1444 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1445 offsetof(struct __sk_buff, cb[0])),
1448 .errstr = "invalid bpf_context access",
1450 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1453 "check out of range skb->cb access",
1455 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1456 offsetof(struct __sk_buff, cb[0]) + 256),
1459 .errstr = "invalid bpf_context access",
1460 .errstr_unpriv = "",
1462 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1465 "write skb fields from socket prog",
1467 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1468 offsetof(struct __sk_buff, cb[4])),
1469 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1470 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1471 offsetof(struct __sk_buff, mark)),
1472 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1473 offsetof(struct __sk_buff, tc_index)),
1474 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1475 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1476 offsetof(struct __sk_buff, cb[0])),
1477 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1478 offsetof(struct __sk_buff, cb[2])),
1482 .errstr_unpriv = "R1 leaks addr",
1483 .result_unpriv = REJECT,
1486 "write skb fields from tc_cls_act prog",
1488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1489 offsetof(struct __sk_buff, cb[0])),
1490 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1491 offsetof(struct __sk_buff, mark)),
1492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1493 offsetof(struct __sk_buff, tc_index)),
1494 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1495 offsetof(struct __sk_buff, tc_index)),
1496 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1497 offsetof(struct __sk_buff, cb[3])),
1500 .errstr_unpriv = "",
1501 .result_unpriv = REJECT,
1503 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1506 "PTR_TO_STACK store/load",
1508 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1510 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1511 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1517 "PTR_TO_STACK store/load - bad alignment on off",
1519 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1521 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1522 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1526 .errstr = "misaligned access off -6 size 8",
1529 "PTR_TO_STACK store/load - bad alignment on reg",
1531 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1533 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1534 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1538 .errstr = "misaligned access off -2 size 8",
1541 "PTR_TO_STACK store/load - out of bounds low",
1543 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1545 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1546 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1550 .errstr = "invalid stack off=-79992 size=8",
1553 "PTR_TO_STACK store/load - out of bounds high",
1555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1557 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1558 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1562 .errstr = "invalid stack off=0 size=8",
1565 "unpriv: return pointer",
1567 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1571 .result_unpriv = REJECT,
1572 .errstr_unpriv = "R0 leaks addr",
1575 "unpriv: add const to pointer",
1577 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1578 BPF_MOV64_IMM(BPF_REG_0, 0),
1582 .result_unpriv = REJECT,
1583 .errstr_unpriv = "R1 pointer arithmetic",
1586 "unpriv: add pointer to pointer",
1588 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1589 BPF_MOV64_IMM(BPF_REG_0, 0),
1593 .result_unpriv = REJECT,
1594 .errstr_unpriv = "R1 pointer arithmetic",
1597 "unpriv: neg pointer",
1599 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1600 BPF_MOV64_IMM(BPF_REG_0, 0),
1604 .result_unpriv = REJECT,
1605 .errstr_unpriv = "R1 pointer arithmetic",
1608 "unpriv: cmp pointer with const",
1610 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1611 BPF_MOV64_IMM(BPF_REG_0, 0),
1615 .result_unpriv = REJECT,
1616 .errstr_unpriv = "R1 pointer comparison",
1619 "unpriv: cmp pointer with pointer",
1621 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1622 BPF_MOV64_IMM(BPF_REG_0, 0),
1626 .result_unpriv = REJECT,
1627 .errstr_unpriv = "R10 pointer comparison",
1630 "unpriv: check that printk is disallowed",
1632 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1635 BPF_MOV64_IMM(BPF_REG_2, 8),
1636 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1638 BPF_FUNC_trace_printk),
1639 BPF_MOV64_IMM(BPF_REG_0, 0),
1642 .errstr_unpriv = "unknown func bpf_trace_printk#6",
1643 .result_unpriv = REJECT,
1647 "unpriv: pass pointer to helper function",
1649 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1650 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1651 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1652 BPF_LD_MAP_FD(BPF_REG_1, 0),
1653 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1654 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1656 BPF_FUNC_map_update_elem),
1657 BPF_MOV64_IMM(BPF_REG_0, 0),
1660 .fixup_map1 = { 3 },
1661 .errstr_unpriv = "R4 leaks addr",
1662 .result_unpriv = REJECT,
1666 "unpriv: indirectly pass pointer on stack to helper function",
1668 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1669 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1671 BPF_LD_MAP_FD(BPF_REG_1, 0),
1672 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1673 BPF_FUNC_map_lookup_elem),
1674 BPF_MOV64_IMM(BPF_REG_0, 0),
1677 .fixup_map1 = { 3 },
1678 .errstr = "invalid indirect read from stack off -8+0 size 8",
1682 "unpriv: mangle pointer on stack 1",
1684 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1685 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1686 BPF_MOV64_IMM(BPF_REG_0, 0),
1689 .errstr_unpriv = "attempt to corrupt spilled",
1690 .result_unpriv = REJECT,
1694 "unpriv: mangle pointer on stack 2",
1696 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1697 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1698 BPF_MOV64_IMM(BPF_REG_0, 0),
1701 .errstr_unpriv = "attempt to corrupt spilled",
1702 .result_unpriv = REJECT,
1706 "unpriv: read pointer from stack in small chunks",
1708 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1709 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1710 BPF_MOV64_IMM(BPF_REG_0, 0),
1713 .errstr = "invalid size",
1717 "unpriv: write pointer into ctx",
1719 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1720 BPF_MOV64_IMM(BPF_REG_0, 0),
1723 .errstr_unpriv = "R1 leaks addr",
1724 .result_unpriv = REJECT,
1725 .errstr = "invalid bpf_context access",
1729 "unpriv: spill/fill of ctx",
1731 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1733 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1734 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1735 BPF_MOV64_IMM(BPF_REG_0, 0),
1741 "unpriv: spill/fill of ctx 2",
1743 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1745 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1746 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1747 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1748 BPF_FUNC_get_hash_recalc),
1752 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1755 "unpriv: spill/fill of ctx 3",
1757 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1759 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1760 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1761 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1763 BPF_FUNC_get_hash_recalc),
1767 .errstr = "R1 type=fp expected=ctx",
1768 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1771 "unpriv: spill/fill of ctx 4",
1773 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1775 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1776 BPF_MOV64_IMM(BPF_REG_0, 1),
1777 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
1779 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1781 BPF_FUNC_get_hash_recalc),
1785 .errstr = "R1 type=inv expected=ctx",
1786 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1789 "unpriv: spill/fill of different pointers stx",
1791 BPF_MOV64_IMM(BPF_REG_3, 42),
1792 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1795 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1797 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1798 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1799 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1800 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1801 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
1802 offsetof(struct __sk_buff, mark)),
1803 BPF_MOV64_IMM(BPF_REG_0, 0),
1807 .errstr = "same insn cannot be used with different pointers",
1808 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1811 "unpriv: spill/fill of different pointers ldx",
1813 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1816 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
1818 -(__s32)offsetof(struct bpf_perf_event_data,
1819 sample_period) - 8),
1820 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1821 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1822 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1823 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1824 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
1825 offsetof(struct bpf_perf_event_data,
1827 BPF_MOV64_IMM(BPF_REG_0, 0),
1831 .errstr = "same insn cannot be used with different pointers",
1832 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
1835 "unpriv: write pointer into map elem value",
1837 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1840 BPF_LD_MAP_FD(BPF_REG_1, 0),
1841 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1842 BPF_FUNC_map_lookup_elem),
1843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1844 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
1847 .fixup_map1 = { 3 },
1848 .errstr_unpriv = "R0 leaks addr",
1849 .result_unpriv = REJECT,
1853 "unpriv: partial copy of pointer",
1855 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
1856 BPF_MOV64_IMM(BPF_REG_0, 0),
1859 .errstr_unpriv = "R10 partial copy",
1860 .result_unpriv = REJECT,
1864 "unpriv: pass pointer to tail_call",
1866 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1867 BPF_LD_MAP_FD(BPF_REG_2, 0),
1868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1869 BPF_FUNC_tail_call),
1870 BPF_MOV64_IMM(BPF_REG_0, 0),
1873 .fixup_prog = { 1 },
1874 .errstr_unpriv = "R3 leaks addr into helper",
1875 .result_unpriv = REJECT,
1879 "unpriv: cmp map pointer with zero",
1881 BPF_MOV64_IMM(BPF_REG_1, 0),
1882 BPF_LD_MAP_FD(BPF_REG_1, 0),
1883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1884 BPF_MOV64_IMM(BPF_REG_0, 0),
1887 .fixup_map1 = { 1 },
1888 .errstr_unpriv = "R1 pointer comparison",
1889 .result_unpriv = REJECT,
1893 "unpriv: write into frame pointer",
1895 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
1896 BPF_MOV64_IMM(BPF_REG_0, 0),
1899 .errstr = "frame pointer is read only",
1903 "unpriv: spill/fill frame pointer",
1905 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1907 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1908 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
1909 BPF_MOV64_IMM(BPF_REG_0, 0),
1912 .errstr = "frame pointer is read only",
1916 "unpriv: cmp of frame pointer",
1918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
1919 BPF_MOV64_IMM(BPF_REG_0, 0),
1922 .errstr_unpriv = "R10 pointer comparison",
1923 .result_unpriv = REJECT,
1927 "unpriv: adding of fp",
1929 BPF_MOV64_IMM(BPF_REG_0, 0),
1930 BPF_MOV64_IMM(BPF_REG_1, 0),
1931 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1932 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
1935 .errstr_unpriv = "pointer arithmetic prohibited",
1936 .result_unpriv = REJECT,
1937 .errstr = "R1 invalid mem access",
1941 "unpriv: cmp of stack pointer",
1943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1945 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
1946 BPF_MOV64_IMM(BPF_REG_0, 0),
1949 .errstr_unpriv = "R2 pointer comparison",
1950 .result_unpriv = REJECT,
1954 "stack pointer arithmetic",
1956 BPF_MOV64_IMM(BPF_REG_1, 4),
1957 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1958 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
1959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1962 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
1963 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
1966 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1967 BPF_MOV64_IMM(BPF_REG_0, 0),
1973 "raw_stack: no skb_load_bytes",
1975 BPF_MOV64_IMM(BPF_REG_2, 4),
1976 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1978 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1979 BPF_MOV64_IMM(BPF_REG_4, 8),
1980 /* Call to skb_load_bytes() omitted. */
1981 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1985 .errstr = "invalid read from stack off -8+0 size 8",
1986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1989 "raw_stack: skb_load_bytes, negative len",
1991 BPF_MOV64_IMM(BPF_REG_2, 4),
1992 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1994 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1995 BPF_MOV64_IMM(BPF_REG_4, -8),
1996 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1997 BPF_FUNC_skb_load_bytes),
1998 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2002 .errstr = "invalid stack type R3",
2003 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2006 "raw_stack: skb_load_bytes, negative len 2",
2008 BPF_MOV64_IMM(BPF_REG_2, 4),
2009 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2011 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2012 BPF_MOV64_IMM(BPF_REG_4, ~0),
2013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2014 BPF_FUNC_skb_load_bytes),
2015 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2019 .errstr = "invalid stack type R3",
2020 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2023 "raw_stack: skb_load_bytes, zero len",
2025 BPF_MOV64_IMM(BPF_REG_2, 4),
2026 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2028 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2029 BPF_MOV64_IMM(BPF_REG_4, 0),
2030 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2031 BPF_FUNC_skb_load_bytes),
2032 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2036 .errstr = "invalid stack type R3",
2037 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2040 "raw_stack: skb_load_bytes, no init",
2042 BPF_MOV64_IMM(BPF_REG_2, 4),
2043 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2045 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2046 BPF_MOV64_IMM(BPF_REG_4, 8),
2047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2048 BPF_FUNC_skb_load_bytes),
2049 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2053 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2056 "raw_stack: skb_load_bytes, init",
2058 BPF_MOV64_IMM(BPF_REG_2, 4),
2059 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2061 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2062 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2063 BPF_MOV64_IMM(BPF_REG_4, 8),
2064 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2065 BPF_FUNC_skb_load_bytes),
2066 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2070 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2073 "raw_stack: skb_load_bytes, spilled regs around bounds",
2075 BPF_MOV64_IMM(BPF_REG_2, 4),
2076 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2078 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2079 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2080 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2081 BPF_MOV64_IMM(BPF_REG_4, 8),
2082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2083 BPF_FUNC_skb_load_bytes),
2084 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2085 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2086 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2087 offsetof(struct __sk_buff, mark)),
2088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2089 offsetof(struct __sk_buff, priority)),
2090 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2097 "raw_stack: skb_load_bytes, spilled regs corruption",
2099 BPF_MOV64_IMM(BPF_REG_2, 4),
2100 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2102 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2103 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2104 BPF_MOV64_IMM(BPF_REG_4, 8),
2105 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2106 BPF_FUNC_skb_load_bytes),
2107 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2108 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2109 offsetof(struct __sk_buff, mark)),
2113 .errstr = "R0 invalid mem access 'inv'",
2114 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2117 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2119 BPF_MOV64_IMM(BPF_REG_2, 4),
2120 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2122 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2123 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2124 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2125 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2126 BPF_MOV64_IMM(BPF_REG_4, 8),
2127 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2128 BPF_FUNC_skb_load_bytes),
2129 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2130 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2131 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2132 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2133 offsetof(struct __sk_buff, mark)),
2134 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2135 offsetof(struct __sk_buff, priority)),
2136 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2138 offsetof(struct __sk_buff, pkt_type)),
2139 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2143 .errstr = "R3 invalid mem access 'inv'",
2144 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2147 "raw_stack: skb_load_bytes, spilled regs + data",
2149 BPF_MOV64_IMM(BPF_REG_2, 4),
2150 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2152 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2153 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2154 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2155 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2156 BPF_MOV64_IMM(BPF_REG_4, 8),
2157 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2158 BPF_FUNC_skb_load_bytes),
2159 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2160 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2161 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2162 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2163 offsetof(struct __sk_buff, mark)),
2164 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2165 offsetof(struct __sk_buff, priority)),
2166 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2167 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2171 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2174 "raw_stack: skb_load_bytes, invalid access 1",
2176 BPF_MOV64_IMM(BPF_REG_2, 4),
2177 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2179 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2180 BPF_MOV64_IMM(BPF_REG_4, 8),
2181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2182 BPF_FUNC_skb_load_bytes),
2183 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2187 .errstr = "invalid stack type R3 off=-513 access_size=8",
2188 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2191 "raw_stack: skb_load_bytes, invalid access 2",
2193 BPF_MOV64_IMM(BPF_REG_2, 4),
2194 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2196 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2197 BPF_MOV64_IMM(BPF_REG_4, 8),
2198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2199 BPF_FUNC_skb_load_bytes),
2200 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2204 .errstr = "invalid stack type R3 off=-1 access_size=8",
2205 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2208 "raw_stack: skb_load_bytes, invalid access 3",
2210 BPF_MOV64_IMM(BPF_REG_2, 4),
2211 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2213 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2214 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2215 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2216 BPF_FUNC_skb_load_bytes),
2217 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2221 .errstr = "invalid stack type R3 off=-1 access_size=-1",
2222 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2225 "raw_stack: skb_load_bytes, invalid access 4",
2227 BPF_MOV64_IMM(BPF_REG_2, 4),
2228 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2230 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2231 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2233 BPF_FUNC_skb_load_bytes),
2234 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2238 .errstr = "invalid stack type R3 off=-1 access_size=2147483647",
2239 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2242 "raw_stack: skb_load_bytes, invalid access 5",
2244 BPF_MOV64_IMM(BPF_REG_2, 4),
2245 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2247 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2248 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2250 BPF_FUNC_skb_load_bytes),
2251 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2255 .errstr = "invalid stack type R3 off=-512 access_size=2147483647",
2256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2259 "raw_stack: skb_load_bytes, invalid access 6",
2261 BPF_MOV64_IMM(BPF_REG_2, 4),
2262 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2264 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2265 BPF_MOV64_IMM(BPF_REG_4, 0),
2266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2267 BPF_FUNC_skb_load_bytes),
2268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2272 .errstr = "invalid stack type R3 off=-512 access_size=0",
2273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2276 "raw_stack: skb_load_bytes, large access",
2278 BPF_MOV64_IMM(BPF_REG_2, 4),
2279 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2282 BPF_MOV64_IMM(BPF_REG_4, 512),
2283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2284 BPF_FUNC_skb_load_bytes),
2285 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2289 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2292 "direct packet access: test1",
2294 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2295 offsetof(struct __sk_buff, data)),
2296 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2297 offsetof(struct __sk_buff, data_end)),
2298 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2300 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2302 BPF_MOV64_IMM(BPF_REG_0, 0),
2306 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2309 "direct packet access: test2",
2311 BPF_MOV64_IMM(BPF_REG_0, 1),
2312 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2313 offsetof(struct __sk_buff, data_end)),
2314 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2315 offsetof(struct __sk_buff, data)),
2316 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2318 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2319 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2320 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2321 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2323 offsetof(struct __sk_buff, data)),
2324 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2326 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48),
2327 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48),
2328 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2331 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2332 offsetof(struct __sk_buff, data_end)),
2333 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2334 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2335 BPF_MOV64_IMM(BPF_REG_0, 0),
2339 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2342 "direct packet access: test3",
2344 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2345 offsetof(struct __sk_buff, data)),
2346 BPF_MOV64_IMM(BPF_REG_0, 0),
2349 .errstr = "invalid bpf_context access off=76",
2351 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2354 "direct packet access: test4 (write)",
2356 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2357 offsetof(struct __sk_buff, data)),
2358 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2359 offsetof(struct __sk_buff, data_end)),
2360 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2362 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2363 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2364 BPF_MOV64_IMM(BPF_REG_0, 0),
2368 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2371 "direct packet access: test5 (pkt_end >= reg, good access)",
2373 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2374 offsetof(struct __sk_buff, data)),
2375 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2376 offsetof(struct __sk_buff, data_end)),
2377 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2379 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2380 BPF_MOV64_IMM(BPF_REG_0, 1),
2382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2383 BPF_MOV64_IMM(BPF_REG_0, 0),
2387 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2390 "direct packet access: test6 (pkt_end >= reg, bad access)",
2392 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2393 offsetof(struct __sk_buff, data)),
2394 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2395 offsetof(struct __sk_buff, data_end)),
2396 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2397 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2398 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2399 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2400 BPF_MOV64_IMM(BPF_REG_0, 1),
2402 BPF_MOV64_IMM(BPF_REG_0, 0),
2405 .errstr = "invalid access to packet",
2407 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2410 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2412 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2413 offsetof(struct __sk_buff, data)),
2414 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2415 offsetof(struct __sk_buff, data_end)),
2416 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2418 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2419 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2420 BPF_MOV64_IMM(BPF_REG_0, 1),
2422 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2423 BPF_MOV64_IMM(BPF_REG_0, 0),
2426 .errstr = "invalid access to packet",
2428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2431 "direct packet access: test8 (double test, variant 1)",
2433 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2434 offsetof(struct __sk_buff, data)),
2435 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2436 offsetof(struct __sk_buff, data_end)),
2437 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2439 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2440 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2441 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2442 BPF_MOV64_IMM(BPF_REG_0, 1),
2444 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2445 BPF_MOV64_IMM(BPF_REG_0, 0),
2449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2452 "direct packet access: test9 (double test, variant 2)",
2454 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2455 offsetof(struct __sk_buff, data)),
2456 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2457 offsetof(struct __sk_buff, data_end)),
2458 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2460 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2461 BPF_MOV64_IMM(BPF_REG_0, 1),
2463 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2464 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2465 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2466 BPF_MOV64_IMM(BPF_REG_0, 0),
2470 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2473 "direct packet access: test10 (write invalid)",
2475 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2476 offsetof(struct __sk_buff, data)),
2477 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2478 offsetof(struct __sk_buff, data_end)),
2479 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2481 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2482 BPF_MOV64_IMM(BPF_REG_0, 0),
2484 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2485 BPF_MOV64_IMM(BPF_REG_0, 0),
2488 .errstr = "invalid access to packet",
2490 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2493 "direct packet access: test11 (shift, good access)",
2495 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2496 offsetof(struct __sk_buff, data)),
2497 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2498 offsetof(struct __sk_buff, data_end)),
2499 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2501 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2502 BPF_MOV64_IMM(BPF_REG_3, 144),
2503 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2505 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2506 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2507 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2508 BPF_MOV64_IMM(BPF_REG_0, 1),
2510 BPF_MOV64_IMM(BPF_REG_0, 0),
2514 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2517 "direct packet access: test12 (and, good access)",
2519 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2520 offsetof(struct __sk_buff, data)),
2521 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2522 offsetof(struct __sk_buff, data_end)),
2523 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2525 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2526 BPF_MOV64_IMM(BPF_REG_3, 144),
2527 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2529 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2530 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2531 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2532 BPF_MOV64_IMM(BPF_REG_0, 1),
2534 BPF_MOV64_IMM(BPF_REG_0, 0),
2538 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2541 "direct packet access: test13 (branches, good access)",
2543 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2544 offsetof(struct __sk_buff, data)),
2545 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2546 offsetof(struct __sk_buff, data_end)),
2547 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2549 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2551 offsetof(struct __sk_buff, mark)),
2552 BPF_MOV64_IMM(BPF_REG_4, 1),
2553 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2554 BPF_MOV64_IMM(BPF_REG_3, 14),
2555 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2556 BPF_MOV64_IMM(BPF_REG_3, 24),
2557 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2559 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2560 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2561 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2562 BPF_MOV64_IMM(BPF_REG_0, 1),
2564 BPF_MOV64_IMM(BPF_REG_0, 0),
2568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2571 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2573 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2574 offsetof(struct __sk_buff, data)),
2575 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2576 offsetof(struct __sk_buff, data_end)),
2577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2579 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2580 BPF_MOV64_IMM(BPF_REG_5, 12),
2581 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2582 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2583 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2584 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2585 BPF_MOV64_IMM(BPF_REG_0, 1),
2587 BPF_MOV64_IMM(BPF_REG_0, 0),
2591 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2594 "direct packet access: test15 (spill with xadd)",
2596 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2597 offsetof(struct __sk_buff, data)),
2598 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2599 offsetof(struct __sk_buff, data_end)),
2600 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2602 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2603 BPF_MOV64_IMM(BPF_REG_5, 4096),
2604 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2606 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2607 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2608 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2609 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2610 BPF_MOV64_IMM(BPF_REG_0, 0),
2613 .errstr = "R2 invalid mem access 'inv'",
2615 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2618 "direct packet access: test16 (arith on data_end)",
2620 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2621 offsetof(struct __sk_buff, data)),
2622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2623 offsetof(struct __sk_buff, data_end)),
2624 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2627 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2628 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2629 BPF_MOV64_IMM(BPF_REG_0, 0),
2632 .errstr = "invalid access to packet",
2634 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2637 "direct packet access: test17 (pruning, alignment)",
2639 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2640 offsetof(struct __sk_buff, data)),
2641 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2642 offsetof(struct __sk_buff, data_end)),
2643 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2644 offsetof(struct __sk_buff, mark)),
2645 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2647 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2648 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2649 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2650 BPF_MOV64_IMM(BPF_REG_0, 0),
2652 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2655 .errstr = "misaligned packet access off 2+15+-4 size 4",
2657 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2658 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2661 "direct packet access: test18 (imm += pkt_ptr, 1)",
2663 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2664 offsetof(struct __sk_buff, data)),
2665 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2666 offsetof(struct __sk_buff, data_end)),
2667 BPF_MOV64_IMM(BPF_REG_0, 8),
2668 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2669 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2670 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2671 BPF_MOV64_IMM(BPF_REG_0, 0),
2675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 "direct packet access: test19 (imm += pkt_ptr, 2)",
2680 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2681 offsetof(struct __sk_buff, data)),
2682 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2683 offsetof(struct __sk_buff, data_end)),
2684 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2686 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2687 BPF_MOV64_IMM(BPF_REG_4, 4),
2688 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2689 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2690 BPF_MOV64_IMM(BPF_REG_0, 0),
2694 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2697 "direct packet access: test20 (x += pkt_ptr, 1)",
2699 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2700 offsetof(struct __sk_buff, data)),
2701 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2702 offsetof(struct __sk_buff, data_end)),
2703 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2704 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2705 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2706 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
2707 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2708 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2709 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xffff - 1),
2711 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2712 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2713 BPF_MOV64_IMM(BPF_REG_0, 0),
2716 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2720 "direct packet access: test21 (x += pkt_ptr, 2)",
2722 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2723 offsetof(struct __sk_buff, data)),
2724 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2725 offsetof(struct __sk_buff, data_end)),
2726 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2728 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2729 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2730 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
2731 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2732 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0xffff),
2733 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2734 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xffff - 1),
2736 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2737 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2738 BPF_MOV64_IMM(BPF_REG_0, 0),
2741 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2745 "direct packet access: test22 (x += pkt_ptr, 3)",
2747 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2748 offsetof(struct __sk_buff, data)),
2749 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2750 offsetof(struct __sk_buff, data_end)),
2751 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2753 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
2754 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
2755 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
2756 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
2757 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
2758 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2759 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
2760 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2761 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 48),
2762 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2763 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
2764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
2765 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2766 BPF_MOV64_IMM(BPF_REG_2, 1),
2767 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
2768 BPF_MOV64_IMM(BPF_REG_0, 0),
2771 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2775 "direct packet access: test23 (x += pkt_ptr, 4)",
2777 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2778 offsetof(struct __sk_buff, data)),
2779 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2780 offsetof(struct __sk_buff, data_end)),
2781 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2782 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2783 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2784 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
2785 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2786 BPF_MOV64_IMM(BPF_REG_0, 31),
2787 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
2788 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2789 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
2790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
2791 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2792 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
2793 BPF_MOV64_IMM(BPF_REG_0, 0),
2796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2798 .errstr = "cannot add integer value with 47 upper zero bits to ptr_to_packet",
2801 "direct packet access: test24 (x += pkt_ptr, 5)",
2803 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2804 offsetof(struct __sk_buff, data)),
2805 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2806 offsetof(struct __sk_buff, data_end)),
2807 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2808 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2809 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2810 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
2811 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2812 BPF_MOV64_IMM(BPF_REG_0, 64),
2813 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
2814 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2815 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
2816 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
2817 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2818 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
2819 BPF_MOV64_IMM(BPF_REG_0, 0),
2822 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2826 "helper access to packet: test1, valid packet_ptr range",
2828 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2829 offsetof(struct xdp_md, data)),
2830 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2831 offsetof(struct xdp_md, data_end)),
2832 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2834 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2835 BPF_LD_MAP_FD(BPF_REG_1, 0),
2836 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2837 BPF_MOV64_IMM(BPF_REG_4, 0),
2838 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2839 BPF_FUNC_map_update_elem),
2840 BPF_MOV64_IMM(BPF_REG_0, 0),
2843 .fixup_map1 = { 5 },
2844 .result_unpriv = ACCEPT,
2846 .prog_type = BPF_PROG_TYPE_XDP,
2849 "helper access to packet: test2, unchecked packet_ptr",
2851 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2852 offsetof(struct xdp_md, data)),
2853 BPF_LD_MAP_FD(BPF_REG_1, 0),
2854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2855 BPF_FUNC_map_lookup_elem),
2856 BPF_MOV64_IMM(BPF_REG_0, 0),
2859 .fixup_map1 = { 1 },
2861 .errstr = "invalid access to packet",
2862 .prog_type = BPF_PROG_TYPE_XDP,
2865 "helper access to packet: test3, variable add",
2867 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2868 offsetof(struct xdp_md, data)),
2869 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2870 offsetof(struct xdp_md, data_end)),
2871 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2873 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2874 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2875 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2876 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2877 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2879 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2880 BPF_LD_MAP_FD(BPF_REG_1, 0),
2881 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2882 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2883 BPF_FUNC_map_lookup_elem),
2884 BPF_MOV64_IMM(BPF_REG_0, 0),
2887 .fixup_map1 = { 11 },
2889 .prog_type = BPF_PROG_TYPE_XDP,
2892 "helper access to packet: test4, packet_ptr with bad range",
2894 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2895 offsetof(struct xdp_md, data)),
2896 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2897 offsetof(struct xdp_md, data_end)),
2898 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2900 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2901 BPF_MOV64_IMM(BPF_REG_0, 0),
2903 BPF_LD_MAP_FD(BPF_REG_1, 0),
2904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2905 BPF_FUNC_map_lookup_elem),
2906 BPF_MOV64_IMM(BPF_REG_0, 0),
2909 .fixup_map1 = { 7 },
2911 .errstr = "invalid access to packet",
2912 .prog_type = BPF_PROG_TYPE_XDP,
2915 "helper access to packet: test5, packet_ptr with too short range",
2917 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2918 offsetof(struct xdp_md, data)),
2919 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2920 offsetof(struct xdp_md, data_end)),
2921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2922 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2924 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2925 BPF_LD_MAP_FD(BPF_REG_1, 0),
2926 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2927 BPF_FUNC_map_lookup_elem),
2928 BPF_MOV64_IMM(BPF_REG_0, 0),
2931 .fixup_map1 = { 6 },
2933 .errstr = "invalid access to packet",
2934 .prog_type = BPF_PROG_TYPE_XDP,
2937 "helper access to packet: test6, cls valid packet_ptr range",
2939 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2940 offsetof(struct __sk_buff, data)),
2941 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2942 offsetof(struct __sk_buff, data_end)),
2943 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2945 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2946 BPF_LD_MAP_FD(BPF_REG_1, 0),
2947 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2948 BPF_MOV64_IMM(BPF_REG_4, 0),
2949 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2950 BPF_FUNC_map_update_elem),
2951 BPF_MOV64_IMM(BPF_REG_0, 0),
2954 .fixup_map1 = { 5 },
2956 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2959 "helper access to packet: test7, cls unchecked packet_ptr",
2961 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2962 offsetof(struct __sk_buff, data)),
2963 BPF_LD_MAP_FD(BPF_REG_1, 0),
2964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2965 BPF_FUNC_map_lookup_elem),
2966 BPF_MOV64_IMM(BPF_REG_0, 0),
2969 .fixup_map1 = { 1 },
2971 .errstr = "invalid access to packet",
2972 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2975 "helper access to packet: test8, cls variable add",
2977 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2978 offsetof(struct __sk_buff, data)),
2979 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2980 offsetof(struct __sk_buff, data_end)),
2981 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2983 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2984 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2985 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2986 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2987 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2989 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2990 BPF_LD_MAP_FD(BPF_REG_1, 0),
2991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2993 BPF_FUNC_map_lookup_elem),
2994 BPF_MOV64_IMM(BPF_REG_0, 0),
2997 .fixup_map1 = { 11 },
2999 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3002 "helper access to packet: test9, cls packet_ptr with bad range",
3004 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3005 offsetof(struct __sk_buff, data)),
3006 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3007 offsetof(struct __sk_buff, data_end)),
3008 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3010 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3011 BPF_MOV64_IMM(BPF_REG_0, 0),
3013 BPF_LD_MAP_FD(BPF_REG_1, 0),
3014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3015 BPF_FUNC_map_lookup_elem),
3016 BPF_MOV64_IMM(BPF_REG_0, 0),
3019 .fixup_map1 = { 7 },
3021 .errstr = "invalid access to packet",
3022 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3025 "helper access to packet: test10, cls packet_ptr with too short range",
3027 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3028 offsetof(struct __sk_buff, data)),
3029 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3030 offsetof(struct __sk_buff, data_end)),
3031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3032 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3034 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3035 BPF_LD_MAP_FD(BPF_REG_1, 0),
3036 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3037 BPF_FUNC_map_lookup_elem),
3038 BPF_MOV64_IMM(BPF_REG_0, 0),
3041 .fixup_map1 = { 6 },
3043 .errstr = "invalid access to packet",
3044 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3047 "helper access to packet: test11, cls unsuitable helper 1",
3049 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3050 offsetof(struct __sk_buff, data)),
3051 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3052 offsetof(struct __sk_buff, data_end)),
3053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3054 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3056 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3057 BPF_MOV64_IMM(BPF_REG_2, 0),
3058 BPF_MOV64_IMM(BPF_REG_4, 42),
3059 BPF_MOV64_IMM(BPF_REG_5, 0),
3060 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3061 BPF_FUNC_skb_store_bytes),
3062 BPF_MOV64_IMM(BPF_REG_0, 0),
3066 .errstr = "helper access to the packet",
3067 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3070 "helper access to packet: test12, cls unsuitable helper 2",
3072 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3073 offsetof(struct __sk_buff, data)),
3074 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3075 offsetof(struct __sk_buff, data_end)),
3076 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3077 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3078 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3079 BPF_MOV64_IMM(BPF_REG_2, 0),
3080 BPF_MOV64_IMM(BPF_REG_4, 4),
3081 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3082 BPF_FUNC_skb_load_bytes),
3083 BPF_MOV64_IMM(BPF_REG_0, 0),
3087 .errstr = "helper access to the packet",
3088 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3091 "helper access to packet: test13, cls helper ok",
3093 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3094 offsetof(struct __sk_buff, data)),
3095 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3096 offsetof(struct __sk_buff, data_end)),
3097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3098 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3099 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3100 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3102 BPF_MOV64_IMM(BPF_REG_2, 4),
3103 BPF_MOV64_IMM(BPF_REG_3, 0),
3104 BPF_MOV64_IMM(BPF_REG_4, 0),
3105 BPF_MOV64_IMM(BPF_REG_5, 0),
3106 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3107 BPF_FUNC_csum_diff),
3108 BPF_MOV64_IMM(BPF_REG_0, 0),
3112 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3115 "helper access to packet: test14, cls helper fail sub",
3117 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3118 offsetof(struct __sk_buff, data)),
3119 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3120 offsetof(struct __sk_buff, data_end)),
3121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3122 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3123 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3124 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3125 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3126 BPF_MOV64_IMM(BPF_REG_2, 4),
3127 BPF_MOV64_IMM(BPF_REG_3, 0),
3128 BPF_MOV64_IMM(BPF_REG_4, 0),
3129 BPF_MOV64_IMM(BPF_REG_5, 0),
3130 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3131 BPF_FUNC_csum_diff),
3132 BPF_MOV64_IMM(BPF_REG_0, 0),
3136 .errstr = "type=inv expected=fp",
3137 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3140 "helper access to packet: test15, cls helper fail range 1",
3142 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3143 offsetof(struct __sk_buff, data)),
3144 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3145 offsetof(struct __sk_buff, data_end)),
3146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3147 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3149 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3150 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3151 BPF_MOV64_IMM(BPF_REG_2, 8),
3152 BPF_MOV64_IMM(BPF_REG_3, 0),
3153 BPF_MOV64_IMM(BPF_REG_4, 0),
3154 BPF_MOV64_IMM(BPF_REG_5, 0),
3155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3156 BPF_FUNC_csum_diff),
3157 BPF_MOV64_IMM(BPF_REG_0, 0),
3161 .errstr = "invalid access to packet",
3162 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3165 "helper access to packet: test16, cls helper fail range 2",
3167 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3168 offsetof(struct __sk_buff, data)),
3169 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3170 offsetof(struct __sk_buff, data_end)),
3171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3172 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3174 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3176 BPF_MOV64_IMM(BPF_REG_2, -9),
3177 BPF_MOV64_IMM(BPF_REG_3, 0),
3178 BPF_MOV64_IMM(BPF_REG_4, 0),
3179 BPF_MOV64_IMM(BPF_REG_5, 0),
3180 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3181 BPF_FUNC_csum_diff),
3182 BPF_MOV64_IMM(BPF_REG_0, 0),
3186 .errstr = "invalid access to packet",
3187 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3190 "helper access to packet: test17, cls helper fail range 3",
3192 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3193 offsetof(struct __sk_buff, data)),
3194 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3195 offsetof(struct __sk_buff, data_end)),
3196 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3199 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3200 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3201 BPF_MOV64_IMM(BPF_REG_2, ~0),
3202 BPF_MOV64_IMM(BPF_REG_3, 0),
3203 BPF_MOV64_IMM(BPF_REG_4, 0),
3204 BPF_MOV64_IMM(BPF_REG_5, 0),
3205 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3206 BPF_FUNC_csum_diff),
3207 BPF_MOV64_IMM(BPF_REG_0, 0),
3211 .errstr = "invalid access to packet",
3212 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3215 "helper access to packet: test18, cls helper fail range zero",
3217 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3218 offsetof(struct __sk_buff, data)),
3219 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3220 offsetof(struct __sk_buff, data_end)),
3221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3222 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3223 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3224 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3225 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3226 BPF_MOV64_IMM(BPF_REG_2, 0),
3227 BPF_MOV64_IMM(BPF_REG_3, 0),
3228 BPF_MOV64_IMM(BPF_REG_4, 0),
3229 BPF_MOV64_IMM(BPF_REG_5, 0),
3230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3231 BPF_FUNC_csum_diff),
3232 BPF_MOV64_IMM(BPF_REG_0, 0),
3236 .errstr = "invalid access to packet",
3237 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3240 "helper access to packet: test19, pkt end as input",
3242 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3243 offsetof(struct __sk_buff, data)),
3244 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3245 offsetof(struct __sk_buff, data_end)),
3246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3249 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3250 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3251 BPF_MOV64_IMM(BPF_REG_2, 4),
3252 BPF_MOV64_IMM(BPF_REG_3, 0),
3253 BPF_MOV64_IMM(BPF_REG_4, 0),
3254 BPF_MOV64_IMM(BPF_REG_5, 0),
3255 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3256 BPF_FUNC_csum_diff),
3257 BPF_MOV64_IMM(BPF_REG_0, 0),
3261 .errstr = "R1 type=pkt_end expected=fp",
3262 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3265 "helper access to packet: test20, wrong reg",
3267 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3268 offsetof(struct __sk_buff, data)),
3269 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3270 offsetof(struct __sk_buff, data_end)),
3271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3272 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3274 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3275 BPF_MOV64_IMM(BPF_REG_2, 4),
3276 BPF_MOV64_IMM(BPF_REG_3, 0),
3277 BPF_MOV64_IMM(BPF_REG_4, 0),
3278 BPF_MOV64_IMM(BPF_REG_5, 0),
3279 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3280 BPF_FUNC_csum_diff),
3281 BPF_MOV64_IMM(BPF_REG_0, 0),
3285 .errstr = "invalid access to packet",
3286 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3289 "valid map access into an array with a constant",
3291 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3292 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3294 BPF_LD_MAP_FD(BPF_REG_1, 0),
3295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3296 BPF_FUNC_map_lookup_elem),
3297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3298 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3299 offsetof(struct test_val, foo)),
3302 .fixup_map2 = { 3 },
3303 .errstr_unpriv = "R0 leaks addr",
3304 .result_unpriv = REJECT,
3308 "valid map access into an array with a register",
3310 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3311 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3313 BPF_LD_MAP_FD(BPF_REG_1, 0),
3314 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3315 BPF_FUNC_map_lookup_elem),
3316 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3317 BPF_MOV64_IMM(BPF_REG_1, 4),
3318 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3319 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3320 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3321 offsetof(struct test_val, foo)),
3324 .fixup_map2 = { 3 },
3325 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3326 .result_unpriv = REJECT,
3328 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3331 "valid map access into an array with a variable",
3333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3336 BPF_LD_MAP_FD(BPF_REG_1, 0),
3337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3338 BPF_FUNC_map_lookup_elem),
3339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3340 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3341 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3342 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3343 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3344 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3345 offsetof(struct test_val, foo)),
3348 .fixup_map2 = { 3 },
3349 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3350 .result_unpriv = REJECT,
3352 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3355 "valid map access into an array with a signed variable",
3357 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3360 BPF_LD_MAP_FD(BPF_REG_1, 0),
3361 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3362 BPF_FUNC_map_lookup_elem),
3363 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3364 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3365 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3366 BPF_MOV32_IMM(BPF_REG_1, 0),
3367 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3368 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3369 BPF_MOV32_IMM(BPF_REG_1, 0),
3370 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3371 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3372 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3373 offsetof(struct test_val, foo)),
3376 .fixup_map2 = { 3 },
3377 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3378 .result_unpriv = REJECT,
3380 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3383 "invalid map access into an array with a constant",
3385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3388 BPF_LD_MAP_FD(BPF_REG_1, 0),
3389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3390 BPF_FUNC_map_lookup_elem),
3391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3392 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3393 offsetof(struct test_val, foo)),
3396 .fixup_map2 = { 3 },
3397 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3401 "invalid map access into an array with a register",
3403 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3404 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3406 BPF_LD_MAP_FD(BPF_REG_1, 0),
3407 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3408 BPF_FUNC_map_lookup_elem),
3409 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3410 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3411 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3412 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3413 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3414 offsetof(struct test_val, foo)),
3417 .fixup_map2 = { 3 },
3418 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3419 .errstr = "R0 min value is outside of the array range",
3420 .result_unpriv = REJECT,
3422 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3425 "invalid map access into an array with a variable",
3427 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3428 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3430 BPF_LD_MAP_FD(BPF_REG_1, 0),
3431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3432 BPF_FUNC_map_lookup_elem),
3433 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3434 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3435 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3437 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3438 offsetof(struct test_val, foo)),
3441 .fixup_map2 = { 3 },
3442 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3443 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3444 .result_unpriv = REJECT,
3446 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3449 "invalid map access into an array with no floor check",
3451 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3454 BPF_LD_MAP_FD(BPF_REG_1, 0),
3455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3456 BPF_FUNC_map_lookup_elem),
3457 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3458 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3459 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3460 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3461 BPF_MOV32_IMM(BPF_REG_1, 0),
3462 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3463 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3464 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3465 offsetof(struct test_val, foo)),
3468 .fixup_map2 = { 3 },
3469 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3470 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3471 .result_unpriv = REJECT,
3473 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3476 "invalid map access into an array with a invalid max check",
3478 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3479 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3481 BPF_LD_MAP_FD(BPF_REG_1, 0),
3482 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3483 BPF_FUNC_map_lookup_elem),
3484 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3485 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3486 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3487 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3488 BPF_MOV32_IMM(BPF_REG_1, 0),
3489 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3490 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3491 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3492 offsetof(struct test_val, foo)),
3495 .fixup_map2 = { 3 },
3496 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3497 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
3498 .result_unpriv = REJECT,
3500 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3503 "invalid map access into an array with a invalid max check",
3505 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3508 BPF_LD_MAP_FD(BPF_REG_1, 0),
3509 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3510 BPF_FUNC_map_lookup_elem),
3511 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3512 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3513 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3514 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3516 BPF_LD_MAP_FD(BPF_REG_1, 0),
3517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3518 BPF_FUNC_map_lookup_elem),
3519 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3520 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3521 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3522 offsetof(struct test_val, foo)),
3525 .fixup_map2 = { 3, 11 },
3526 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3527 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3528 .result_unpriv = REJECT,
3530 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3533 "multiple registers share map_lookup_elem result",
3535 BPF_MOV64_IMM(BPF_REG_1, 10),
3536 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3537 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3539 BPF_LD_MAP_FD(BPF_REG_1, 0),
3540 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3541 BPF_FUNC_map_lookup_elem),
3542 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3543 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3544 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3547 .fixup_map1 = { 4 },
3549 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3552 "alu ops on ptr_to_map_value_or_null, 1",
3554 BPF_MOV64_IMM(BPF_REG_1, 10),
3555 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3556 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3558 BPF_LD_MAP_FD(BPF_REG_1, 0),
3559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3560 BPF_FUNC_map_lookup_elem),
3561 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3564 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3565 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3568 .fixup_map1 = { 4 },
3569 .errstr = "R4 invalid mem access",
3571 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3574 "alu ops on ptr_to_map_value_or_null, 2",
3576 BPF_MOV64_IMM(BPF_REG_1, 10),
3577 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3578 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3580 BPF_LD_MAP_FD(BPF_REG_1, 0),
3581 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3582 BPF_FUNC_map_lookup_elem),
3583 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3584 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3585 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3586 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3589 .fixup_map1 = { 4 },
3590 .errstr = "R4 invalid mem access",
3592 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3595 "alu ops on ptr_to_map_value_or_null, 3",
3597 BPF_MOV64_IMM(BPF_REG_1, 10),
3598 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3601 BPF_LD_MAP_FD(BPF_REG_1, 0),
3602 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3603 BPF_FUNC_map_lookup_elem),
3604 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3605 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3606 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3607 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3610 .fixup_map1 = { 4 },
3611 .errstr = "R4 invalid mem access",
3613 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3616 "invalid memory access with multiple map_lookup_elem calls",
3618 BPF_MOV64_IMM(BPF_REG_1, 10),
3619 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3620 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3622 BPF_LD_MAP_FD(BPF_REG_1, 0),
3623 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3624 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3625 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3626 BPF_FUNC_map_lookup_elem),
3627 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3628 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3629 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3630 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3631 BPF_FUNC_map_lookup_elem),
3632 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3633 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3636 .fixup_map1 = { 4 },
3638 .errstr = "R4 !read_ok",
3639 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3642 "valid indirect map_lookup_elem access with 2nd lookup in branch",
3644 BPF_MOV64_IMM(BPF_REG_1, 10),
3645 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3646 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3648 BPF_LD_MAP_FD(BPF_REG_1, 0),
3649 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3650 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3651 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3652 BPF_FUNC_map_lookup_elem),
3653 BPF_MOV64_IMM(BPF_REG_2, 10),
3654 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
3655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3656 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3657 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3658 BPF_FUNC_map_lookup_elem),
3659 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3660 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3661 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3664 .fixup_map1 = { 4 },
3666 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3669 "multiple registers share map_lookup_elem bad reg type",
3671 BPF_MOV64_IMM(BPF_REG_1, 10),
3672 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3673 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3675 BPF_LD_MAP_FD(BPF_REG_1, 0),
3676 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3677 BPF_FUNC_map_lookup_elem),
3678 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
3679 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
3680 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3681 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3683 BPF_MOV64_IMM(BPF_REG_1, 1),
3684 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3685 BPF_MOV64_IMM(BPF_REG_1, 2),
3686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1),
3687 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0),
3688 BPF_MOV64_IMM(BPF_REG_1, 3),
3691 .fixup_map1 = { 4 },
3693 .errstr = "R3 invalid mem access 'inv'",
3694 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3697 "invalid map access from else condition",
3699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3702 BPF_LD_MAP_FD(BPF_REG_1, 0),
3703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
3704 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3705 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3706 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
3707 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
3708 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3710 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
3713 .fixup_map2 = { 3 },
3714 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3716 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3717 .result_unpriv = REJECT,
3718 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3721 "constant register |= constant should keep constant type",
3723 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3725 BPF_MOV64_IMM(BPF_REG_2, 34),
3726 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
3727 BPF_MOV64_IMM(BPF_REG_3, 0),
3728 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3732 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3735 "constant register |= constant should not bypass stack boundary checks",
3737 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3739 BPF_MOV64_IMM(BPF_REG_2, 34),
3740 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
3741 BPF_MOV64_IMM(BPF_REG_3, 0),
3742 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3745 .errstr = "invalid stack type R1 off=-48 access_size=58",
3747 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3750 "constant register |= constant register should keep constant type",
3752 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3754 BPF_MOV64_IMM(BPF_REG_2, 34),
3755 BPF_MOV64_IMM(BPF_REG_4, 13),
3756 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3757 BPF_MOV64_IMM(BPF_REG_3, 0),
3758 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3762 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3765 "constant register |= constant register should not bypass stack boundary checks",
3767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3769 BPF_MOV64_IMM(BPF_REG_2, 34),
3770 BPF_MOV64_IMM(BPF_REG_4, 24),
3771 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3772 BPF_MOV64_IMM(BPF_REG_3, 0),
3773 BPF_EMIT_CALL(BPF_FUNC_probe_read),
3776 .errstr = "invalid stack type R1 off=-48 access_size=58",
3778 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3781 "invalid direct packet write for LWT_IN",
3783 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3784 offsetof(struct __sk_buff, data)),
3785 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3786 offsetof(struct __sk_buff, data_end)),
3787 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3789 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3790 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3791 BPF_MOV64_IMM(BPF_REG_0, 0),
3794 .errstr = "cannot write into packet",
3796 .prog_type = BPF_PROG_TYPE_LWT_IN,
3799 "invalid direct packet write for LWT_OUT",
3801 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3802 offsetof(struct __sk_buff, data)),
3803 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3804 offsetof(struct __sk_buff, data_end)),
3805 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3807 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3808 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3809 BPF_MOV64_IMM(BPF_REG_0, 0),
3812 .errstr = "cannot write into packet",
3814 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3817 "direct packet write for LWT_XMIT",
3819 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3820 offsetof(struct __sk_buff, data)),
3821 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3822 offsetof(struct __sk_buff, data_end)),
3823 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3825 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3826 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3827 BPF_MOV64_IMM(BPF_REG_0, 0),
3831 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3834 "direct packet read for LWT_IN",
3836 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3837 offsetof(struct __sk_buff, data)),
3838 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3839 offsetof(struct __sk_buff, data_end)),
3840 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3842 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3843 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3844 BPF_MOV64_IMM(BPF_REG_0, 0),
3848 .prog_type = BPF_PROG_TYPE_LWT_IN,
3851 "direct packet read for LWT_OUT",
3853 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3854 offsetof(struct __sk_buff, data)),
3855 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3856 offsetof(struct __sk_buff, data_end)),
3857 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3859 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3860 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3861 BPF_MOV64_IMM(BPF_REG_0, 0),
3865 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3868 "direct packet read for LWT_XMIT",
3870 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3871 offsetof(struct __sk_buff, data)),
3872 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3873 offsetof(struct __sk_buff, data_end)),
3874 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3876 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3877 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3878 BPF_MOV64_IMM(BPF_REG_0, 0),
3882 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3885 "overlapping checks for direct packet access",
3887 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3888 offsetof(struct __sk_buff, data)),
3889 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3890 offsetof(struct __sk_buff, data_end)),
3891 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3893 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
3894 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
3896 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
3897 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
3898 BPF_MOV64_IMM(BPF_REG_0, 0),
3902 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3905 "invalid access of tc_classid for LWT_IN",
3907 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3908 offsetof(struct __sk_buff, tc_classid)),
3912 .errstr = "invalid bpf_context access",
3915 "invalid access of tc_classid for LWT_OUT",
3917 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3918 offsetof(struct __sk_buff, tc_classid)),
3922 .errstr = "invalid bpf_context access",
3925 "invalid access of tc_classid for LWT_XMIT",
3927 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3928 offsetof(struct __sk_buff, tc_classid)),
3932 .errstr = "invalid bpf_context access",
3935 "leak pointer into ctx 1",
3937 BPF_MOV64_IMM(BPF_REG_0, 0),
3938 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
3939 offsetof(struct __sk_buff, cb[0])),
3940 BPF_LD_MAP_FD(BPF_REG_2, 0),
3941 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
3942 offsetof(struct __sk_buff, cb[0])),
3945 .fixup_map1 = { 2 },
3946 .errstr_unpriv = "R2 leaks addr into mem",
3947 .result_unpriv = REJECT,
3951 "leak pointer into ctx 2",
3953 BPF_MOV64_IMM(BPF_REG_0, 0),
3954 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
3955 offsetof(struct __sk_buff, cb[0])),
3956 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
3957 offsetof(struct __sk_buff, cb[0])),
3960 .errstr_unpriv = "R10 leaks addr into mem",
3961 .result_unpriv = REJECT,
3965 "leak pointer into ctx 3",
3967 BPF_MOV64_IMM(BPF_REG_0, 0),
3968 BPF_LD_MAP_FD(BPF_REG_2, 0),
3969 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
3970 offsetof(struct __sk_buff, cb[0])),
3973 .fixup_map1 = { 1 },
3974 .errstr_unpriv = "R2 leaks addr into ctx",
3975 .result_unpriv = REJECT,
3979 "leak pointer into map val",
3981 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
3982 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3985 BPF_LD_MAP_FD(BPF_REG_1, 0),
3986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3987 BPF_FUNC_map_lookup_elem),
3988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
3989 BPF_MOV64_IMM(BPF_REG_3, 0),
3990 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
3991 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3992 BPF_MOV64_IMM(BPF_REG_0, 0),
3995 .fixup_map1 = { 4 },
3996 .errstr_unpriv = "R6 leaks addr into mem",
3997 .result_unpriv = REJECT,
4001 "helper access to map: full range",
4003 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4005 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4006 BPF_LD_MAP_FD(BPF_REG_1, 0),
4007 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4008 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4009 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4010 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4011 BPF_MOV64_IMM(BPF_REG_3, 0),
4012 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4015 .fixup_map2 = { 3 },
4017 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4020 "helper access to map: partial range",
4022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4024 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4025 BPF_LD_MAP_FD(BPF_REG_1, 0),
4026 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4027 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4028 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4029 BPF_MOV64_IMM(BPF_REG_2, 8),
4030 BPF_MOV64_IMM(BPF_REG_3, 0),
4031 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4034 .fixup_map2 = { 3 },
4036 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4039 "helper access to map: empty range",
4041 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4043 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4044 BPF_LD_MAP_FD(BPF_REG_1, 0),
4045 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4046 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4047 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4048 BPF_MOV64_IMM(BPF_REG_2, 0),
4049 BPF_MOV64_IMM(BPF_REG_3, 0),
4050 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4053 .fixup_map2 = { 3 },
4054 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4056 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4059 "helper access to map: out-of-bound range",
4061 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4063 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4064 BPF_LD_MAP_FD(BPF_REG_1, 0),
4065 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4066 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4068 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4069 BPF_MOV64_IMM(BPF_REG_3, 0),
4070 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4073 .fixup_map2 = { 3 },
4074 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4076 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4079 "helper access to map: negative range",
4081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4083 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4084 BPF_LD_MAP_FD(BPF_REG_1, 0),
4085 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4086 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4087 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4088 BPF_MOV64_IMM(BPF_REG_2, -8),
4089 BPF_MOV64_IMM(BPF_REG_3, 0),
4090 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4093 .fixup_map2 = { 3 },
4094 .errstr = "invalid access to map value, value_size=48 off=0 size=-8",
4096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4099 "helper access to adjusted map (via const imm): full range",
4101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4103 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4104 BPF_LD_MAP_FD(BPF_REG_1, 0),
4105 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4107 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4109 offsetof(struct test_val, foo)),
4110 BPF_MOV64_IMM(BPF_REG_2,
4111 sizeof(struct test_val) -
4112 offsetof(struct test_val, foo)),
4113 BPF_MOV64_IMM(BPF_REG_3, 0),
4114 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4117 .fixup_map2 = { 3 },
4119 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4122 "helper access to adjusted map (via const imm): partial range",
4124 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4126 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4127 BPF_LD_MAP_FD(BPF_REG_1, 0),
4128 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4129 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4132 offsetof(struct test_val, foo)),
4133 BPF_MOV64_IMM(BPF_REG_2, 8),
4134 BPF_MOV64_IMM(BPF_REG_3, 0),
4135 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4138 .fixup_map2 = { 3 },
4140 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4143 "helper access to adjusted map (via const imm): empty range",
4145 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4146 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4147 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4148 BPF_LD_MAP_FD(BPF_REG_1, 0),
4149 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4153 offsetof(struct test_val, foo)),
4154 BPF_MOV64_IMM(BPF_REG_2, 0),
4155 BPF_MOV64_IMM(BPF_REG_3, 0),
4156 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4159 .fixup_map2 = { 3 },
4160 .errstr = "R1 min value is outside of the array range",
4162 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4165 "helper access to adjusted map (via const imm): out-of-bound range",
4167 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4169 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4170 BPF_LD_MAP_FD(BPF_REG_1, 0),
4171 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4175 offsetof(struct test_val, foo)),
4176 BPF_MOV64_IMM(BPF_REG_2,
4177 sizeof(struct test_val) -
4178 offsetof(struct test_val, foo) + 8),
4179 BPF_MOV64_IMM(BPF_REG_3, 0),
4180 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4183 .fixup_map2 = { 3 },
4184 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4186 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4189 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4193 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4194 BPF_LD_MAP_FD(BPF_REG_1, 0),
4195 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4199 offsetof(struct test_val, foo)),
4200 BPF_MOV64_IMM(BPF_REG_2, -8),
4201 BPF_MOV64_IMM(BPF_REG_3, 0),
4202 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4205 .fixup_map2 = { 3 },
4206 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
4208 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4211 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4215 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4216 BPF_LD_MAP_FD(BPF_REG_1, 0),
4217 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4218 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4219 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4221 offsetof(struct test_val, foo)),
4222 BPF_MOV64_IMM(BPF_REG_2, -1),
4223 BPF_MOV64_IMM(BPF_REG_3, 0),
4224 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4227 .fixup_map2 = { 3 },
4228 .errstr = "R1 min value is outside of the array range",
4230 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4233 "helper access to adjusted map (via const reg): full range",
4235 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4237 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4238 BPF_LD_MAP_FD(BPF_REG_1, 0),
4239 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4241 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4242 BPF_MOV64_IMM(BPF_REG_3,
4243 offsetof(struct test_val, foo)),
4244 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4245 BPF_MOV64_IMM(BPF_REG_2,
4246 sizeof(struct test_val) -
4247 offsetof(struct test_val, foo)),
4248 BPF_MOV64_IMM(BPF_REG_3, 0),
4249 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4252 .fixup_map2 = { 3 },
4254 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4257 "helper access to adjusted map (via const reg): partial range",
4259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4261 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4262 BPF_LD_MAP_FD(BPF_REG_1, 0),
4263 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4265 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4266 BPF_MOV64_IMM(BPF_REG_3,
4267 offsetof(struct test_val, foo)),
4268 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4269 BPF_MOV64_IMM(BPF_REG_2, 8),
4270 BPF_MOV64_IMM(BPF_REG_3, 0),
4271 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4274 .fixup_map2 = { 3 },
4276 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4279 "helper access to adjusted map (via const reg): empty range",
4281 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4283 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4284 BPF_LD_MAP_FD(BPF_REG_1, 0),
4285 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4287 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4288 BPF_MOV64_IMM(BPF_REG_3, 0),
4289 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4290 BPF_MOV64_IMM(BPF_REG_2, 0),
4291 BPF_MOV64_IMM(BPF_REG_3, 0),
4292 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4295 .fixup_map2 = { 3 },
4296 .errstr = "R1 min value is outside of the array range",
4298 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4301 "helper access to adjusted map (via const reg): out-of-bound range",
4303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4305 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4306 BPF_LD_MAP_FD(BPF_REG_1, 0),
4307 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4308 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4310 BPF_MOV64_IMM(BPF_REG_3,
4311 offsetof(struct test_val, foo)),
4312 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4313 BPF_MOV64_IMM(BPF_REG_2,
4314 sizeof(struct test_val) -
4315 offsetof(struct test_val, foo) + 8),
4316 BPF_MOV64_IMM(BPF_REG_3, 0),
4317 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4320 .fixup_map2 = { 3 },
4321 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4323 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4326 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4328 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4330 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4331 BPF_LD_MAP_FD(BPF_REG_1, 0),
4332 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4333 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4334 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4335 BPF_MOV64_IMM(BPF_REG_3,
4336 offsetof(struct test_val, foo)),
4337 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4338 BPF_MOV64_IMM(BPF_REG_2, -8),
4339 BPF_MOV64_IMM(BPF_REG_3, 0),
4340 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4343 .fixup_map2 = { 3 },
4344 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
4346 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4349 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4351 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4353 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4354 BPF_LD_MAP_FD(BPF_REG_1, 0),
4355 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4356 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4358 BPF_MOV64_IMM(BPF_REG_3,
4359 offsetof(struct test_val, foo)),
4360 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4361 BPF_MOV64_IMM(BPF_REG_2, -1),
4362 BPF_MOV64_IMM(BPF_REG_3, 0),
4363 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4366 .fixup_map2 = { 3 },
4367 .errstr = "R1 min value is outside of the array range",
4369 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4372 "helper access to adjusted map (via variable): full range",
4374 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4376 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4377 BPF_LD_MAP_FD(BPF_REG_1, 0),
4378 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4379 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4380 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4381 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4382 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4383 offsetof(struct test_val, foo), 4),
4384 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4385 BPF_MOV64_IMM(BPF_REG_2,
4386 sizeof(struct test_val) -
4387 offsetof(struct test_val, foo)),
4388 BPF_MOV64_IMM(BPF_REG_3, 0),
4389 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4392 .fixup_map2 = { 3 },
4394 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4397 "helper access to adjusted map (via variable): partial range",
4399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4401 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4402 BPF_LD_MAP_FD(BPF_REG_1, 0),
4403 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4404 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4405 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4406 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4407 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4408 offsetof(struct test_val, foo), 4),
4409 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4410 BPF_MOV64_IMM(BPF_REG_2, 8),
4411 BPF_MOV64_IMM(BPF_REG_3, 0),
4412 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4415 .fixup_map2 = { 3 },
4417 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4420 "helper access to adjusted map (via variable): empty range",
4422 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4424 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4425 BPF_LD_MAP_FD(BPF_REG_1, 0),
4426 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4429 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4430 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4431 offsetof(struct test_val, foo), 4),
4432 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4433 BPF_MOV64_IMM(BPF_REG_2, 0),
4434 BPF_MOV64_IMM(BPF_REG_3, 0),
4435 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4438 .fixup_map2 = { 3 },
4439 .errstr = "R1 min value is outside of the array range",
4441 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4444 "helper access to adjusted map (via variable): no max check",
4446 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4448 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4449 BPF_LD_MAP_FD(BPF_REG_1, 0),
4450 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4451 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4453 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4454 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4455 BPF_MOV64_IMM(BPF_REG_2, 0),
4456 BPF_MOV64_IMM(BPF_REG_3, 0),
4457 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4460 .fixup_map2 = { 3 },
4461 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check",
4463 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4466 "helper access to adjusted map (via variable): wrong max check",
4468 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4470 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4471 BPF_LD_MAP_FD(BPF_REG_1, 0),
4472 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4473 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4474 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4475 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4476 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4477 offsetof(struct test_val, foo), 4),
4478 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4479 BPF_MOV64_IMM(BPF_REG_2,
4480 sizeof(struct test_val) -
4481 offsetof(struct test_val, foo) + 1),
4482 BPF_MOV64_IMM(BPF_REG_3, 0),
4483 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4486 .fixup_map2 = { 3 },
4487 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4489 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4492 "map element value is preserved across register spilling",
4494 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4496 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4497 BPF_LD_MAP_FD(BPF_REG_1, 0),
4498 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4499 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4500 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4501 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4503 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4504 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4505 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4508 .fixup_map2 = { 3 },
4509 .errstr_unpriv = "R0 leaks addr",
4511 .result_unpriv = REJECT,
4514 "map element value or null is marked on register spilling",
4516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4518 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4519 BPF_LD_MAP_FD(BPF_REG_1, 0),
4520 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4521 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
4523 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4525 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4526 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4529 .fixup_map2 = { 3 },
4530 .errstr_unpriv = "R0 leaks addr",
4532 .result_unpriv = REJECT,
4535 "map element value store of cleared call register",
4537 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4539 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4540 BPF_LD_MAP_FD(BPF_REG_1, 0),
4541 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4542 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4543 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
4546 .fixup_map2 = { 3 },
4547 .errstr_unpriv = "R1 !read_ok",
4548 .errstr = "R1 !read_ok",
4550 .result_unpriv = REJECT,
4553 "map element value with unaligned store",
4555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4557 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4558 BPF_LD_MAP_FD(BPF_REG_1, 0),
4559 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
4561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4562 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4563 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
4564 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
4565 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4566 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
4567 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
4568 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
4569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
4570 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
4571 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
4572 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
4573 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
4574 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
4575 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
4576 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
4577 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
4580 .fixup_map2 = { 3 },
4581 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4583 .result_unpriv = REJECT,
4584 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4587 "map element value with unaligned load",
4589 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4591 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4592 BPF_LD_MAP_FD(BPF_REG_1, 0),
4593 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4594 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4595 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4596 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
4597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4598 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4599 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
4600 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4601 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
4602 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
4603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
4604 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4605 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
4608 .fixup_map2 = { 3 },
4609 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4611 .result_unpriv = REJECT,
4612 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4615 "map element value illegal alu op, 1",
4617 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4619 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4620 BPF_LD_MAP_FD(BPF_REG_1, 0),
4621 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4622 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4623 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
4624 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4627 .fixup_map2 = { 3 },
4628 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4629 .errstr = "invalid mem access 'inv'",
4631 .result_unpriv = REJECT,
4634 "map element value illegal alu op, 2",
4636 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4638 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4639 BPF_LD_MAP_FD(BPF_REG_1, 0),
4640 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4641 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4642 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
4643 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4646 .fixup_map2 = { 3 },
4647 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4648 .errstr = "invalid mem access 'inv'",
4650 .result_unpriv = REJECT,
4653 "map element value illegal alu op, 3",
4655 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4657 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4658 BPF_LD_MAP_FD(BPF_REG_1, 0),
4659 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4660 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4661 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
4662 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4665 .fixup_map2 = { 3 },
4666 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4667 .errstr = "invalid mem access 'inv'",
4669 .result_unpriv = REJECT,
4672 "map element value illegal alu op, 4",
4674 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4675 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4676 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4677 BPF_LD_MAP_FD(BPF_REG_1, 0),
4678 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4680 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
4681 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4684 .fixup_map2 = { 3 },
4685 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4686 .errstr = "invalid mem access 'inv'",
4688 .result_unpriv = REJECT,
4691 "map element value illegal alu op, 5",
4693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4695 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4696 BPF_LD_MAP_FD(BPF_REG_1, 0),
4697 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4699 BPF_MOV64_IMM(BPF_REG_3, 4096),
4700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4702 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
4703 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
4704 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
4705 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4708 .fixup_map2 = { 3 },
4709 .errstr_unpriv = "R0 invalid mem access 'inv'",
4710 .errstr = "R0 invalid mem access 'inv'",
4712 .result_unpriv = REJECT,
4715 "map element value is preserved across register spilling",
4717 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4719 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4720 BPF_LD_MAP_FD(BPF_REG_1, 0),
4721 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4722 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
4724 offsetof(struct test_val, foo)),
4725 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4726 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4728 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4729 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4730 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4733 .fixup_map2 = { 3 },
4734 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4736 .result_unpriv = REJECT,
4737 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4740 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
4742 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4744 BPF_MOV64_IMM(BPF_REG_0, 0),
4745 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4746 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4747 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4748 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4749 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4750 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4751 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4752 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4753 BPF_MOV64_IMM(BPF_REG_2, 16),
4754 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4755 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4756 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4757 BPF_MOV64_IMM(BPF_REG_4, 0),
4758 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4759 BPF_MOV64_IMM(BPF_REG_3, 0),
4760 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4761 BPF_MOV64_IMM(BPF_REG_0, 0),
4765 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4768 "helper access to variable memory: stack, bitwise AND, zero included",
4770 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4772 BPF_MOV64_IMM(BPF_REG_2, 16),
4773 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4774 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4775 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4776 BPF_MOV64_IMM(BPF_REG_3, 0),
4777 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4780 .errstr = "invalid stack type R1 off=-64 access_size=0",
4782 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4785 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
4787 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4789 BPF_MOV64_IMM(BPF_REG_2, 16),
4790 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4791 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4792 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
4793 BPF_MOV64_IMM(BPF_REG_4, 0),
4794 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4795 BPF_MOV64_IMM(BPF_REG_3, 0),
4796 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4797 BPF_MOV64_IMM(BPF_REG_0, 0),
4800 .errstr = "invalid stack type R1 off=-64 access_size=65",
4802 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4805 "helper access to variable memory: stack, JMP, correct bounds",
4807 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4809 BPF_MOV64_IMM(BPF_REG_0, 0),
4810 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4811 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4812 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4813 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4814 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4815 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4816 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4817 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4818 BPF_MOV64_IMM(BPF_REG_2, 16),
4819 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4820 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4821 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
4822 BPF_MOV64_IMM(BPF_REG_4, 0),
4823 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4824 BPF_MOV64_IMM(BPF_REG_3, 0),
4825 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4826 BPF_MOV64_IMM(BPF_REG_0, 0),
4830 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4833 "helper access to variable memory: stack, JMP (signed), correct bounds",
4835 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4836 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4837 BPF_MOV64_IMM(BPF_REG_0, 0),
4838 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4839 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4840 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4841 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4842 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4843 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4844 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4845 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4846 BPF_MOV64_IMM(BPF_REG_2, 16),
4847 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4848 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4849 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
4850 BPF_MOV64_IMM(BPF_REG_4, 0),
4851 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
4852 BPF_MOV64_IMM(BPF_REG_3, 0),
4853 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4854 BPF_MOV64_IMM(BPF_REG_0, 0),
4858 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4861 "helper access to variable memory: stack, JMP, bounds + offset",
4863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4865 BPF_MOV64_IMM(BPF_REG_2, 16),
4866 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4867 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4868 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
4869 BPF_MOV64_IMM(BPF_REG_4, 0),
4870 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
4871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4872 BPF_MOV64_IMM(BPF_REG_3, 0),
4873 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4874 BPF_MOV64_IMM(BPF_REG_0, 0),
4877 .errstr = "invalid stack type R1 off=-64 access_size=65",
4879 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4882 "helper access to variable memory: stack, JMP, wrong max",
4884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4886 BPF_MOV64_IMM(BPF_REG_2, 16),
4887 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4888 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4889 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
4890 BPF_MOV64_IMM(BPF_REG_4, 0),
4891 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4892 BPF_MOV64_IMM(BPF_REG_3, 0),
4893 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4894 BPF_MOV64_IMM(BPF_REG_0, 0),
4897 .errstr = "invalid stack type R1 off=-64 access_size=65",
4899 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4902 "helper access to variable memory: stack, JMP, no max check",
4904 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4905 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4906 BPF_MOV64_IMM(BPF_REG_2, 16),
4907 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4908 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4909 BPF_MOV64_IMM(BPF_REG_4, 0),
4910 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4911 BPF_MOV64_IMM(BPF_REG_3, 0),
4912 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4913 BPF_MOV64_IMM(BPF_REG_0, 0),
4916 .errstr = "R2 unbounded memory access",
4918 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4921 "helper access to variable memory: stack, JMP, no min check",
4923 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4925 BPF_MOV64_IMM(BPF_REG_2, 16),
4926 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4927 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4928 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
4929 BPF_MOV64_IMM(BPF_REG_3, 0),
4930 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4931 BPF_MOV64_IMM(BPF_REG_0, 0),
4934 .errstr = "invalid stack type R1 off=-64 access_size=0",
4936 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4939 "helper access to variable memory: stack, JMP (signed), no min check",
4941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4943 BPF_MOV64_IMM(BPF_REG_2, 16),
4944 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4945 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4946 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
4947 BPF_MOV64_IMM(BPF_REG_3, 0),
4948 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4949 BPF_MOV64_IMM(BPF_REG_0, 0),
4952 .errstr = "R2 min value is negative",
4954 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4957 "helper access to variable memory: map, JMP, correct bounds",
4959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4961 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4962 BPF_LD_MAP_FD(BPF_REG_1, 0),
4963 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4966 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4967 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4968 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4969 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4970 sizeof(struct test_val), 4),
4971 BPF_MOV64_IMM(BPF_REG_4, 0),
4972 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
4973 BPF_MOV64_IMM(BPF_REG_3, 0),
4974 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4975 BPF_MOV64_IMM(BPF_REG_0, 0),
4978 .fixup_map2 = { 3 },
4980 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4983 "helper access to variable memory: map, JMP, wrong max",
4985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4987 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4988 BPF_LD_MAP_FD(BPF_REG_1, 0),
4989 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4990 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4991 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4992 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4993 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4994 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4995 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4996 sizeof(struct test_val) + 1, 4),
4997 BPF_MOV64_IMM(BPF_REG_4, 0),
4998 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
4999 BPF_MOV64_IMM(BPF_REG_3, 0),
5000 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5001 BPF_MOV64_IMM(BPF_REG_0, 0),
5004 .fixup_map2 = { 3 },
5005 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5007 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5010 "helper access to variable memory: map adjusted, JMP, correct bounds",
5012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5014 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5015 BPF_LD_MAP_FD(BPF_REG_1, 0),
5016 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5018 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5020 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5021 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5022 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5023 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5024 sizeof(struct test_val) - 20, 4),
5025 BPF_MOV64_IMM(BPF_REG_4, 0),
5026 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5027 BPF_MOV64_IMM(BPF_REG_3, 0),
5028 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5029 BPF_MOV64_IMM(BPF_REG_0, 0),
5032 .fixup_map2 = { 3 },
5034 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5037 "helper access to variable memory: map adjusted, JMP, wrong max",
5039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5041 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5042 BPF_LD_MAP_FD(BPF_REG_1, 0),
5043 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5044 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5045 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5047 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5048 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5049 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5050 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5051 sizeof(struct test_val) - 19, 4),
5052 BPF_MOV64_IMM(BPF_REG_4, 0),
5053 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5054 BPF_MOV64_IMM(BPF_REG_3, 0),
5055 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5056 BPF_MOV64_IMM(BPF_REG_0, 0),
5059 .fixup_map2 = { 3 },
5060 .errstr = "R1 min value is outside of the array range",
5062 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5065 "helper access to variable memory: size > 0 not allowed on NULL",
5067 BPF_MOV64_IMM(BPF_REG_1, 0),
5068 BPF_MOV64_IMM(BPF_REG_2, 0),
5069 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5070 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5071 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5072 BPF_MOV64_IMM(BPF_REG_3, 0),
5073 BPF_MOV64_IMM(BPF_REG_4, 0),
5074 BPF_MOV64_IMM(BPF_REG_5, 0),
5075 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5078 .errstr = "R1 type=imm expected=fp",
5080 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5083 "helper access to variable memory: size = 0 not allowed on != NULL",
5085 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5087 BPF_MOV64_IMM(BPF_REG_2, 0),
5088 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5089 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5090 BPF_MOV64_IMM(BPF_REG_3, 0),
5091 BPF_MOV64_IMM(BPF_REG_4, 0),
5092 BPF_MOV64_IMM(BPF_REG_5, 0),
5093 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5096 .errstr = "invalid stack type R1 off=-8 access_size=0",
5098 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5101 "helper access to variable memory: 8 bytes leak",
5103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5105 BPF_MOV64_IMM(BPF_REG_0, 0),
5106 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5107 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5108 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5109 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5110 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5111 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5112 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5113 BPF_MOV64_IMM(BPF_REG_2, 0),
5114 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5115 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5116 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5118 BPF_MOV64_IMM(BPF_REG_3, 0),
5119 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5120 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5123 .errstr = "invalid indirect read from stack off -64+32 size 64",
5125 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5128 "helper access to variable memory: 8 bytes no leak (init memory)",
5130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5131 BPF_MOV64_IMM(BPF_REG_0, 0),
5132 BPF_MOV64_IMM(BPF_REG_0, 0),
5133 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5134 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5135 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5136 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5137 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5138 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5139 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5140 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5142 BPF_MOV64_IMM(BPF_REG_2, 0),
5143 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5145 BPF_MOV64_IMM(BPF_REG_3, 0),
5146 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5147 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5151 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5154 "invalid and of negative number",
5156 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5157 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5159 BPF_LD_MAP_FD(BPF_REG_1, 0),
5160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5161 BPF_FUNC_map_lookup_elem),
5162 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5163 BPF_MOV64_IMM(BPF_REG_1, 6),
5164 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5165 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5166 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5167 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5168 offsetof(struct test_val, foo)),
5171 .fixup_map2 = { 3 },
5172 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5173 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5175 .result_unpriv = REJECT,
5176 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5179 "invalid range check",
5181 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5182 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5183 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5184 BPF_LD_MAP_FD(BPF_REG_1, 0),
5185 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5186 BPF_FUNC_map_lookup_elem),
5187 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5188 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5189 BPF_MOV64_IMM(BPF_REG_9, 1),
5190 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5191 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5192 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5193 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5194 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5195 BPF_MOV32_IMM(BPF_REG_3, 1),
5196 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5197 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5198 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5199 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5200 BPF_MOV64_REG(BPF_REG_0, 0),
5203 .fixup_map2 = { 3 },
5204 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5205 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
5207 .result_unpriv = REJECT,
5208 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5211 "map in map access",
5213 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5214 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5216 BPF_LD_MAP_FD(BPF_REG_1, 0),
5217 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5218 BPF_FUNC_map_lookup_elem),
5219 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5220 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5221 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5223 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5225 BPF_FUNC_map_lookup_elem),
5226 BPF_MOV64_REG(BPF_REG_0, 0),
5229 .fixup_map_in_map = { 3 },
5233 "invalid inner map pointer",
5235 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5238 BPF_LD_MAP_FD(BPF_REG_1, 0),
5239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5240 BPF_FUNC_map_lookup_elem),
5241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5242 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5243 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5245 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
5247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5248 BPF_FUNC_map_lookup_elem),
5249 BPF_MOV64_REG(BPF_REG_0, 0),
5252 .fixup_map_in_map = { 3 },
5253 .errstr = "R1 type=inv expected=map_ptr",
5254 .errstr_unpriv = "R1 pointer arithmetic prohibited",
5258 "forgot null checking on the inner map pointer",
5260 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5261 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5263 BPF_LD_MAP_FD(BPF_REG_1, 0),
5264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5265 BPF_FUNC_map_lookup_elem),
5266 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5267 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5269 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5270 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5271 BPF_FUNC_map_lookup_elem),
5272 BPF_MOV64_REG(BPF_REG_0, 0),
5275 .fixup_map_in_map = { 3 },
5276 .errstr = "R1 type=map_value_or_null expected=map_ptr",
5280 "ld_abs: check calling conv, r1",
5282 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5283 BPF_MOV64_IMM(BPF_REG_1, 0),
5284 BPF_LD_ABS(BPF_W, -0x200000),
5285 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5288 .errstr = "R1 !read_ok",
5292 "ld_abs: check calling conv, r2",
5294 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5295 BPF_MOV64_IMM(BPF_REG_2, 0),
5296 BPF_LD_ABS(BPF_W, -0x200000),
5297 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5300 .errstr = "R2 !read_ok",
5304 "ld_abs: check calling conv, r3",
5306 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5307 BPF_MOV64_IMM(BPF_REG_3, 0),
5308 BPF_LD_ABS(BPF_W, -0x200000),
5309 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
5312 .errstr = "R3 !read_ok",
5316 "ld_abs: check calling conv, r4",
5318 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5319 BPF_MOV64_IMM(BPF_REG_4, 0),
5320 BPF_LD_ABS(BPF_W, -0x200000),
5321 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
5324 .errstr = "R4 !read_ok",
5328 "ld_abs: check calling conv, r5",
5330 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5331 BPF_MOV64_IMM(BPF_REG_5, 0),
5332 BPF_LD_ABS(BPF_W, -0x200000),
5333 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
5336 .errstr = "R5 !read_ok",
5340 "ld_abs: check calling conv, r7",
5342 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5343 BPF_MOV64_IMM(BPF_REG_7, 0),
5344 BPF_LD_ABS(BPF_W, -0x200000),
5345 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
5351 "ld_ind: check calling conv, r1",
5353 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5354 BPF_MOV64_IMM(BPF_REG_1, 1),
5355 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
5356 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5359 .errstr = "R1 !read_ok",
5363 "ld_ind: check calling conv, r2",
5365 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5366 BPF_MOV64_IMM(BPF_REG_2, 1),
5367 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
5368 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5371 .errstr = "R2 !read_ok",
5375 "ld_ind: check calling conv, r3",
5377 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5378 BPF_MOV64_IMM(BPF_REG_3, 1),
5379 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
5380 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
5383 .errstr = "R3 !read_ok",
5387 "ld_ind: check calling conv, r4",
5389 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5390 BPF_MOV64_IMM(BPF_REG_4, 1),
5391 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
5392 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
5395 .errstr = "R4 !read_ok",
5399 "ld_ind: check calling conv, r5",
5401 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5402 BPF_MOV64_IMM(BPF_REG_5, 1),
5403 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
5404 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
5407 .errstr = "R5 !read_ok",
5411 "ld_ind: check calling conv, r7",
5413 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5414 BPF_MOV64_IMM(BPF_REG_7, 1),
5415 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
5416 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
5422 "check bpf_perf_event_data->sample_period byte load permitted",
5424 BPF_MOV64_IMM(BPF_REG_0, 0),
5425 #ifdef __LITTLE_ENDIAN
5426 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
5427 offsetof(struct bpf_perf_event_data, sample_period)),
5429 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
5430 offsetof(struct bpf_perf_event_data, sample_period) + 7),
5435 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5438 "check bpf_perf_event_data->sample_period half load permitted",
5440 BPF_MOV64_IMM(BPF_REG_0, 0),
5441 #ifdef __LITTLE_ENDIAN
5442 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5443 offsetof(struct bpf_perf_event_data, sample_period)),
5445 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5446 offsetof(struct bpf_perf_event_data, sample_period) + 6),
5451 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5454 "check bpf_perf_event_data->sample_period word load permitted",
5456 BPF_MOV64_IMM(BPF_REG_0, 0),
5457 #ifdef __LITTLE_ENDIAN
5458 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5459 offsetof(struct bpf_perf_event_data, sample_period)),
5461 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5462 offsetof(struct bpf_perf_event_data, sample_period) + 4),
5467 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5470 "check bpf_perf_event_data->sample_period dword load permitted",
5472 BPF_MOV64_IMM(BPF_REG_0, 0),
5473 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5474 offsetof(struct bpf_perf_event_data, sample_period)),
5478 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
5481 "check skb->data half load not permitted",
5483 BPF_MOV64_IMM(BPF_REG_0, 0),
5484 #ifdef __LITTLE_ENDIAN
5485 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5486 offsetof(struct __sk_buff, data)),
5488 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5489 offsetof(struct __sk_buff, data) + 2),
5494 .errstr = "invalid bpf_context access",
5497 "check skb->tc_classid half load not permitted for lwt prog",
5499 BPF_MOV64_IMM(BPF_REG_0, 0),
5500 #ifdef __LITTLE_ENDIAN
5501 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5502 offsetof(struct __sk_buff, tc_classid)),
5504 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
5505 offsetof(struct __sk_buff, tc_classid) + 2),
5510 .errstr = "invalid bpf_context access",
5511 .prog_type = BPF_PROG_TYPE_LWT_IN,
5514 "bounds checks mixing signed and unsigned, positive bounds",
5516 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5517 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5519 BPF_LD_MAP_FD(BPF_REG_1, 0),
5520 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5521 BPF_FUNC_map_lookup_elem),
5522 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5523 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5524 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5525 BPF_MOV64_IMM(BPF_REG_2, 2),
5526 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
5527 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
5528 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5529 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5530 BPF_MOV64_IMM(BPF_REG_0, 0),
5533 .fixup_map1 = { 3 },
5534 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5535 .errstr = "R0 min value is negative",
5537 .result_unpriv = REJECT,
5540 "bounds checks mixing signed and unsigned",
5542 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5543 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5545 BPF_LD_MAP_FD(BPF_REG_1, 0),
5546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5547 BPF_FUNC_map_lookup_elem),
5548 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5549 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
5550 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5551 BPF_MOV64_IMM(BPF_REG_2, -1),
5552 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
5553 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
5554 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5555 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
5556 BPF_MOV64_IMM(BPF_REG_0, 0),
5559 .fixup_map1 = { 3 },
5560 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5561 .errstr = "R0 min value is negative",
5563 .result_unpriv = REJECT,
5567 static int probe_filter_length(const struct bpf_insn *fp)
5571 for (len = MAX_INSNS - 1; len > 0; --len)
5572 if (fp[len].code != 0 || fp[len].imm != 0)
5577 static int create_map(uint32_t size_value, uint32_t max_elem)
5581 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
5582 size_value, max_elem, BPF_F_NO_PREALLOC);
5584 printf("Failed to create hash map '%s'!\n", strerror(errno));
5589 static int create_prog_array(void)
5593 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
5596 printf("Failed to create prog array '%s'!\n", strerror(errno));
5601 static int create_map_in_map(void)
5603 int inner_map_fd, outer_map_fd;
5605 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
5607 if (inner_map_fd < 0) {
5608 printf("Failed to create array '%s'!\n", strerror(errno));
5609 return inner_map_fd;
5612 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS,
5613 sizeof(int), inner_map_fd, 1, 0);
5614 if (outer_map_fd < 0)
5615 printf("Failed to create array of maps '%s'!\n",
5618 close(inner_map_fd);
5620 return outer_map_fd;
5623 static char bpf_vlog[32768];
5625 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
5628 int *fixup_map1 = test->fixup_map1;
5629 int *fixup_map2 = test->fixup_map2;
5630 int *fixup_prog = test->fixup_prog;
5631 int *fixup_map_in_map = test->fixup_map_in_map;
5633 /* Allocating HTs with 1 elem is fine here, since we only test
5634 * for verifier and not do a runtime lookup, so the only thing
5635 * that really matters is value size in this case.
5638 map_fds[0] = create_map(sizeof(long long), 1);
5640 prog[*fixup_map1].imm = map_fds[0];
5642 } while (*fixup_map1);
5646 map_fds[1] = create_map(sizeof(struct test_val), 1);
5648 prog[*fixup_map2].imm = map_fds[1];
5650 } while (*fixup_map2);
5654 map_fds[2] = create_prog_array();
5656 prog[*fixup_prog].imm = map_fds[2];
5658 } while (*fixup_prog);
5661 if (*fixup_map_in_map) {
5662 map_fds[3] = create_map_in_map();
5664 prog[*fixup_map_in_map].imm = map_fds[3];
5666 } while (*fixup_map_in_map);
5670 static void do_test_single(struct bpf_test *test, bool unpriv,
5671 int *passes, int *errors)
5673 int fd_prog, expected_ret, reject_from_alignment;
5674 struct bpf_insn *prog = test->insns;
5675 int prog_len = probe_filter_length(prog);
5676 int prog_type = test->prog_type;
5677 int map_fds[MAX_NR_MAPS];
5678 const char *expected_err;
5681 for (i = 0; i < MAX_NR_MAPS; i++)
5684 do_test_fixup(test, prog, map_fds);
5686 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
5687 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
5688 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
5690 expected_ret = unpriv && test->result_unpriv != UNDEF ?
5691 test->result_unpriv : test->result;
5692 expected_err = unpriv && test->errstr_unpriv ?
5693 test->errstr_unpriv : test->errstr;
5695 reject_from_alignment = fd_prog < 0 &&
5696 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
5697 strstr(bpf_vlog, "Unknown alignment.");
5698 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
5699 if (reject_from_alignment) {
5700 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
5705 if (expected_ret == ACCEPT) {
5706 if (fd_prog < 0 && !reject_from_alignment) {
5707 printf("FAIL\nFailed to load prog '%s'!\n",
5713 printf("FAIL\nUnexpected success to load!\n");
5716 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
5717 printf("FAIL\nUnexpected error message!\n");
5723 printf("OK%s\n", reject_from_alignment ?
5724 " (NOTE: reject due to unknown alignment)" : "");
5727 for (i = 0; i < MAX_NR_MAPS; i++)
5733 printf("%s", bpf_vlog);
5737 static bool is_admin(void)
5740 cap_flag_value_t sysadmin = CAP_CLEAR;
5741 const cap_value_t cap_val = CAP_SYS_ADMIN;
5743 #ifdef CAP_IS_SUPPORTED
5744 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
5745 perror("cap_get_flag");
5749 caps = cap_get_proc();
5751 perror("cap_get_proc");
5754 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
5755 perror("cap_get_flag");
5758 return (sysadmin == CAP_SET);
5761 static int set_admin(bool admin)
5764 const cap_value_t cap_val = CAP_SYS_ADMIN;
5767 caps = cap_get_proc();
5769 perror("cap_get_proc");
5772 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
5773 admin ? CAP_SET : CAP_CLEAR)) {
5774 perror("cap_set_flag");
5777 if (cap_set_proc(caps)) {
5778 perror("cap_set_proc");
5788 static int do_test(bool unpriv, unsigned int from, unsigned int to)
5790 int i, passes = 0, errors = 0;
5792 for (i = from; i < to; i++) {
5793 struct bpf_test *test = &tests[i];
5795 /* Program types that are not supported by non-root we
5798 if (!test->prog_type) {
5801 printf("#%d/u %s ", i, test->descr);
5802 do_test_single(test, true, &passes, &errors);
5808 printf("#%d/p %s ", i, test->descr);
5809 do_test_single(test, false, &passes, &errors);
5813 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
5814 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
5817 int main(int argc, char **argv)
5819 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
5820 struct rlimit rlim = { 1 << 20, 1 << 20 };
5821 unsigned int from = 0, to = ARRAY_SIZE(tests);
5822 bool unpriv = !is_admin();
5825 unsigned int l = atoi(argv[argc - 2]);
5826 unsigned int u = atoi(argv[argc - 1]);
5828 if (l < to && u < to) {
5832 } else if (argc == 2) {
5833 unsigned int t = atoi(argv[argc - 1]);
5841 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
5842 return do_test(unpriv, from, to);