2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
46 #include "../../../include/linux/filter.h"
48 #define MAX_INSNS BPF_MAXINSNS
51 #define POINTER_VALUE 0xcafe4all
52 #define TEST_DATA_LEN 64
54 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
55 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
57 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
58 static bool unpriv_disabled = false;
62 struct bpf_insn insns[MAX_INSNS];
63 int fixup_map1[MAX_FIXUPS];
64 int fixup_map2[MAX_FIXUPS];
65 int fixup_map3[MAX_FIXUPS];
66 int fixup_map4[MAX_FIXUPS];
67 int fixup_prog1[MAX_FIXUPS];
68 int fixup_prog2[MAX_FIXUPS];
69 int fixup_map_in_map[MAX_FIXUPS];
70 int fixup_cgroup_storage[MAX_FIXUPS];
71 int fixup_percpu_cgroup_storage[MAX_FIXUPS];
73 const char *errstr_unpriv;
79 } result, result_unpriv;
80 enum bpf_prog_type prog_type;
82 __u8 data[TEST_DATA_LEN];
83 void (*fill_helper)(struct bpf_test *self);
86 /* Note we want this to be 64 bit aligned so that the end of our array is
87 * actually the end of the structure.
89 #define MAX_ENTRIES 11
101 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
103 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
105 unsigned int len = BPF_MAXINSNS;
106 struct bpf_insn *insn = self->insns;
109 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
111 for (j = 0; j < PUSH_CNT; j++) {
112 insn[i++] = BPF_LD_ABS(BPF_B, 0);
113 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
115 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
116 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
117 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
118 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
119 BPF_FUNC_skb_vlan_push),
120 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
124 for (j = 0; j < PUSH_CNT; j++) {
125 insn[i++] = BPF_LD_ABS(BPF_B, 0);
126 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
128 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
129 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
130 BPF_FUNC_skb_vlan_pop),
131 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
137 for (; i < len - 1; i++)
138 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
139 insn[len - 1] = BPF_EXIT_INSN();
142 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
144 struct bpf_insn *insn = self->insns;
145 unsigned int len = BPF_MAXINSNS;
148 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
149 insn[i++] = BPF_LD_ABS(BPF_B, 0);
150 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
153 insn[i++] = BPF_LD_ABS(BPF_B, 1);
154 insn[i] = BPF_EXIT_INSN();
157 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
159 struct bpf_insn *insn = self->insns;
163 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
164 while (i < self->retval) {
165 uint64_t val = bpf_semi_rand_get();
166 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
171 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
173 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
174 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
175 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
176 insn[i] = BPF_EXIT_INSN();
178 self->retval = (uint32_t)res;
181 static struct bpf_test tests[] = {
185 BPF_MOV64_IMM(BPF_REG_1, 1),
186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
187 BPF_MOV64_IMM(BPF_REG_2, 3),
188 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
190 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
198 "DIV32 by 0, zero check 1",
200 BPF_MOV32_IMM(BPF_REG_0, 42),
201 BPF_MOV32_IMM(BPF_REG_1, 0),
202 BPF_MOV32_IMM(BPF_REG_2, 1),
203 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
210 "DIV32 by 0, zero check 2",
212 BPF_MOV32_IMM(BPF_REG_0, 42),
213 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
214 BPF_MOV32_IMM(BPF_REG_2, 1),
215 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
222 "DIV64 by 0, zero check",
224 BPF_MOV32_IMM(BPF_REG_0, 42),
225 BPF_MOV32_IMM(BPF_REG_1, 0),
226 BPF_MOV32_IMM(BPF_REG_2, 1),
227 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
234 "MOD32 by 0, zero check 1",
236 BPF_MOV32_IMM(BPF_REG_0, 42),
237 BPF_MOV32_IMM(BPF_REG_1, 0),
238 BPF_MOV32_IMM(BPF_REG_2, 1),
239 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
246 "MOD32 by 0, zero check 2",
248 BPF_MOV32_IMM(BPF_REG_0, 42),
249 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
250 BPF_MOV32_IMM(BPF_REG_2, 1),
251 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
258 "MOD64 by 0, zero check",
260 BPF_MOV32_IMM(BPF_REG_0, 42),
261 BPF_MOV32_IMM(BPF_REG_1, 0),
262 BPF_MOV32_IMM(BPF_REG_2, 1),
263 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
270 "DIV32 by 0, zero check ok, cls",
272 BPF_MOV32_IMM(BPF_REG_0, 42),
273 BPF_MOV32_IMM(BPF_REG_1, 2),
274 BPF_MOV32_IMM(BPF_REG_2, 16),
275 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
276 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
279 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
284 "DIV32 by 0, zero check 1, cls",
286 BPF_MOV32_IMM(BPF_REG_1, 0),
287 BPF_MOV32_IMM(BPF_REG_0, 1),
288 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
291 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
296 "DIV32 by 0, zero check 2, cls",
298 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
299 BPF_MOV32_IMM(BPF_REG_0, 1),
300 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
308 "DIV64 by 0, zero check, cls",
310 BPF_MOV32_IMM(BPF_REG_1, 0),
311 BPF_MOV32_IMM(BPF_REG_0, 1),
312 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
315 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
320 "MOD32 by 0, zero check ok, cls",
322 BPF_MOV32_IMM(BPF_REG_0, 42),
323 BPF_MOV32_IMM(BPF_REG_1, 3),
324 BPF_MOV32_IMM(BPF_REG_2, 5),
325 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
326 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
329 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
334 "MOD32 by 0, zero check 1, cls",
336 BPF_MOV32_IMM(BPF_REG_1, 0),
337 BPF_MOV32_IMM(BPF_REG_0, 1),
338 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
341 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
346 "MOD32 by 0, zero check 2, cls",
348 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
349 BPF_MOV32_IMM(BPF_REG_0, 1),
350 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
353 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
358 "MOD64 by 0, zero check 1, cls",
360 BPF_MOV32_IMM(BPF_REG_1, 0),
361 BPF_MOV32_IMM(BPF_REG_0, 2),
362 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
365 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
370 "MOD64 by 0, zero check 2, cls",
372 BPF_MOV32_IMM(BPF_REG_1, 0),
373 BPF_MOV32_IMM(BPF_REG_0, -1),
374 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
377 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
381 /* Just make sure that JITs used udiv/umod as otherwise we get
382 * an exception from INT_MIN/-1 overflow similarly as with div
386 "DIV32 overflow, check 1",
388 BPF_MOV32_IMM(BPF_REG_1, -1),
389 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
390 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
398 "DIV32 overflow, check 2",
400 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
401 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
404 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
409 "DIV64 overflow, check 1",
411 BPF_MOV64_IMM(BPF_REG_1, -1),
412 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
413 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
421 "DIV64 overflow, check 2",
423 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
424 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
432 "MOD32 overflow, check 1",
434 BPF_MOV32_IMM(BPF_REG_1, -1),
435 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
436 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
444 "MOD32 overflow, check 2",
446 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
447 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
455 "MOD64 overflow, check 1",
457 BPF_MOV64_IMM(BPF_REG_1, -1),
458 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
459 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
460 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
461 BPF_MOV32_IMM(BPF_REG_0, 0),
462 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
463 BPF_MOV32_IMM(BPF_REG_0, 1),
466 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
471 "MOD64 overflow, check 2",
473 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
474 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
475 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
476 BPF_MOV32_IMM(BPF_REG_0, 0),
477 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
478 BPF_MOV32_IMM(BPF_REG_0, 1),
481 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
486 "xor32 zero extend check",
488 BPF_MOV32_IMM(BPF_REG_2, -1),
489 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
490 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
491 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
492 BPF_MOV32_IMM(BPF_REG_0, 2),
493 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
494 BPF_MOV32_IMM(BPF_REG_0, 1),
497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
505 .errstr = "unknown opcode 00",
513 .errstr = "R0 !read_ok",
522 .errstr = "unreachable",
528 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
529 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
532 .errstr = "unreachable",
538 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
541 .errstr = "jump out of range",
545 "out of range jump2",
547 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
550 .errstr = "jump out of range",
556 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
557 BPF_LD_IMM64(BPF_REG_0, 0),
558 BPF_LD_IMM64(BPF_REG_0, 0),
559 BPF_LD_IMM64(BPF_REG_0, 1),
560 BPF_LD_IMM64(BPF_REG_0, 1),
561 BPF_MOV64_IMM(BPF_REG_0, 2),
564 .errstr = "invalid BPF_LD_IMM insn",
565 .errstr_unpriv = "R1 pointer comparison",
571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
572 BPF_LD_IMM64(BPF_REG_0, 0),
573 BPF_LD_IMM64(BPF_REG_0, 0),
574 BPF_LD_IMM64(BPF_REG_0, 1),
575 BPF_LD_IMM64(BPF_REG_0, 1),
578 .errstr = "invalid BPF_LD_IMM insn",
579 .errstr_unpriv = "R1 pointer comparison",
585 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
586 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
587 BPF_LD_IMM64(BPF_REG_0, 0),
588 BPF_LD_IMM64(BPF_REG_0, 0),
589 BPF_LD_IMM64(BPF_REG_0, 1),
590 BPF_LD_IMM64(BPF_REG_0, 1),
593 .errstr = "invalid bpf_ld_imm64 insn",
599 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
602 .errstr = "invalid bpf_ld_imm64 insn",
608 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 .errstr = "invalid bpf_ld_imm64 insn",
616 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
617 BPF_RAW_INSN(0, 0, 0, 0, 0),
625 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
626 BPF_RAW_INSN(0, 0, 0, 0, 1),
635 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
636 BPF_RAW_INSN(0, 0, 0, 0, 1),
639 .errstr = "uses reserved fields",
645 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
646 BPF_RAW_INSN(0, 0, 0, 1, 1),
649 .errstr = "invalid bpf_ld_imm64 insn",
655 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
656 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
659 .errstr = "invalid bpf_ld_imm64 insn",
665 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
666 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
669 .errstr = "invalid bpf_ld_imm64 insn",
675 BPF_MOV64_IMM(BPF_REG_1, 0),
676 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
677 BPF_RAW_INSN(0, 0, 0, 0, 1),
680 .errstr = "not pointing to valid bpf_map",
686 BPF_MOV64_IMM(BPF_REG_1, 0),
687 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
688 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
691 .errstr = "invalid bpf_ld_imm64 insn",
697 BPF_MOV64_IMM(BPF_REG_0, 1),
698 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
702 .errstr = "unknown opcode c4",
707 BPF_MOV64_IMM(BPF_REG_0, 1),
708 BPF_MOV64_IMM(BPF_REG_1, 5),
709 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
713 .errstr = "unknown opcode cc",
718 BPF_MOV64_IMM(BPF_REG_0, 1),
719 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
727 BPF_MOV64_IMM(BPF_REG_0, 1),
728 BPF_MOV64_IMM(BPF_REG_1, 5),
729 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
737 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
739 .errstr = "not an exit",
745 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
748 .errstr = "back-edge",
754 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
755 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
756 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
757 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
760 .errstr = "back-edge",
766 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
767 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
768 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
772 .errstr = "back-edge",
776 "read uninitialized register",
778 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
781 .errstr = "R2 !read_ok",
785 "read invalid register",
787 BPF_MOV64_REG(BPF_REG_0, -1),
790 .errstr = "R15 is invalid",
794 "program doesn't init R0 before exit",
796 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
799 .errstr = "R0 !read_ok",
803 "program doesn't init R0 before exit in all branches",
805 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
806 BPF_MOV64_IMM(BPF_REG_0, 1),
807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
810 .errstr = "R0 !read_ok",
811 .errstr_unpriv = "R1 pointer comparison",
815 "stack out of bounds",
817 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
820 .errstr = "invalid stack",
824 "invalid call insn1",
826 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
829 .errstr = "unknown opcode 8d",
833 "invalid call insn2",
835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
838 .errstr = "BPF_CALL uses reserved",
842 "invalid function call",
844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
847 .errstr = "invalid func unknown#1234567",
851 "uninitialized stack1",
853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
855 BPF_LD_MAP_FD(BPF_REG_1, 0),
856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
857 BPF_FUNC_map_lookup_elem),
861 .errstr = "invalid indirect read from stack",
865 "uninitialized stack2",
867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
868 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
871 .errstr = "invalid read from stack",
875 "invalid fp arithmetic",
876 /* If this gets ever changed, make sure JITs can deal with it. */
878 BPF_MOV64_IMM(BPF_REG_0, 0),
879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
880 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
881 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
884 .errstr = "R1 subtraction from stack pointer",
888 "non-invalid fp arithmetic",
890 BPF_MOV64_IMM(BPF_REG_0, 0),
891 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
897 "invalid argument register",
899 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
900 BPF_FUNC_get_cgroup_classid),
901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
902 BPF_FUNC_get_cgroup_classid),
905 .errstr = "R1 !read_ok",
907 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
910 "non-invalid argument register",
912 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
913 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
914 BPF_FUNC_get_cgroup_classid),
915 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
916 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
917 BPF_FUNC_get_cgroup_classid),
921 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
924 "check valid spill/fill",
926 /* spill R1(ctx) into stack */
927 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
928 /* fill it back into R2 */
929 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
930 /* should be able to access R0 = *(R2 + 8) */
931 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
932 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
935 .errstr_unpriv = "R0 leaks addr",
937 .result_unpriv = REJECT,
938 .retval = POINTER_VALUE,
941 "check valid spill/fill, skb mark",
943 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
944 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
945 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
946 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
947 offsetof(struct __sk_buff, mark)),
951 .result_unpriv = ACCEPT,
954 "check corrupted spill/fill",
956 /* spill R1(ctx) into stack */
957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
958 /* mess up with R1 pointer on stack */
959 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
960 /* fill back into R0 should fail */
961 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
964 .errstr_unpriv = "attempt to corrupt spilled",
965 .errstr = "corrupted spill",
969 "invalid src register in STX",
971 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
974 .errstr = "R15 is invalid",
978 "invalid dst register in STX",
980 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
983 .errstr = "R14 is invalid",
987 "invalid dst register in ST",
989 BPF_ST_MEM(BPF_B, 14, -1, -1),
992 .errstr = "R14 is invalid",
996 "invalid src register in LDX",
998 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1001 .errstr = "R12 is invalid",
1005 "invalid dst register in LDX",
1007 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1010 .errstr = "R11 is invalid",
1016 BPF_RAW_INSN(0, 0, 0, 0, 0),
1019 .errstr = "unknown opcode 00",
1025 BPF_RAW_INSN(1, 0, 0, 0, 0),
1028 .errstr = "BPF_LDX uses reserved fields",
1034 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1037 .errstr = "unknown opcode ff",
1043 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1046 .errstr = "unknown opcode ff",
1052 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1055 .errstr = "BPF_ALU uses reserved fields",
1059 "misaligned read from stack",
1061 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1062 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1065 .errstr = "misaligned stack access",
1069 "invalid map_fd for function call",
1071 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1072 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1074 BPF_LD_MAP_FD(BPF_REG_1, 0),
1075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1076 BPF_FUNC_map_delete_elem),
1079 .errstr = "fd 0 is not pointing to valid bpf_map",
1083 "don't check return value before access",
1085 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1088 BPF_LD_MAP_FD(BPF_REG_1, 0),
1089 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1090 BPF_FUNC_map_lookup_elem),
1091 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1094 .fixup_map1 = { 3 },
1095 .errstr = "R0 invalid mem access 'map_value_or_null'",
1099 "access memory with incorrect alignment",
1101 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1102 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1104 BPF_LD_MAP_FD(BPF_REG_1, 0),
1105 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1106 BPF_FUNC_map_lookup_elem),
1107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1108 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1111 .fixup_map1 = { 3 },
1112 .errstr = "misaligned value access",
1114 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1117 "sometimes access memory with incorrect alignment",
1119 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1122 BPF_LD_MAP_FD(BPF_REG_1, 0),
1123 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1124 BPF_FUNC_map_lookup_elem),
1125 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1126 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1128 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1131 .fixup_map1 = { 3 },
1132 .errstr = "R0 invalid mem access",
1133 .errstr_unpriv = "R0 leaks addr",
1135 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1140 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1141 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1143 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1144 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1145 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1146 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1147 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1149 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1151 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1153 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1154 BPF_MOV64_IMM(BPF_REG_0, 0),
1157 .errstr_unpriv = "R1 pointer comparison",
1158 .result_unpriv = REJECT,
1164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1166 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1167 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1169 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1170 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1171 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1172 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1173 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1175 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1176 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1178 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1179 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1180 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1181 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1182 BPF_MOV64_IMM(BPF_REG_0, 0),
1185 .errstr_unpriv = "R1 pointer comparison",
1186 .result_unpriv = REJECT,
1192 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1193 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1194 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1196 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1197 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1198 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1200 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1202 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1204 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1205 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1206 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1208 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1210 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1212 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1213 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1214 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1216 BPF_LD_MAP_FD(BPF_REG_1, 0),
1217 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1218 BPF_FUNC_map_delete_elem),
1221 .fixup_map1 = { 24 },
1222 .errstr_unpriv = "R1 pointer comparison",
1223 .result_unpriv = REJECT,
1230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1270 BPF_MOV64_IMM(BPF_REG_0, 0),
1273 .errstr_unpriv = "R1 pointer comparison",
1274 .result_unpriv = REJECT,
1280 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1282 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1283 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1284 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1285 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1286 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1287 BPF_MOV64_IMM(BPF_REG_0, 0),
1288 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1289 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1290 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1291 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1292 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1293 BPF_MOV64_IMM(BPF_REG_0, 0),
1294 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1295 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1296 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1297 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1298 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1299 BPF_MOV64_IMM(BPF_REG_0, 0),
1300 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1301 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1302 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1303 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1304 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1305 BPF_MOV64_IMM(BPF_REG_0, 0),
1306 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1307 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1308 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1309 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1310 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1311 BPF_MOV64_IMM(BPF_REG_0, 0),
1314 .errstr_unpriv = "R1 pointer comparison",
1315 .result_unpriv = REJECT,
1319 "access skb fields ok",
1321 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1322 offsetof(struct __sk_buff, len)),
1323 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1324 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1325 offsetof(struct __sk_buff, mark)),
1326 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1327 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1328 offsetof(struct __sk_buff, pkt_type)),
1329 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1330 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1331 offsetof(struct __sk_buff, queue_mapping)),
1332 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1333 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1334 offsetof(struct __sk_buff, protocol)),
1335 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1336 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1337 offsetof(struct __sk_buff, vlan_present)),
1338 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1339 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1340 offsetof(struct __sk_buff, vlan_tci)),
1341 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1342 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1343 offsetof(struct __sk_buff, napi_id)),
1344 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1350 "access skb fields bad1",
1352 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1355 .errstr = "invalid bpf_context access",
1359 "access skb fields bad2",
1361 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1362 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1365 BPF_LD_MAP_FD(BPF_REG_1, 0),
1366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1367 BPF_FUNC_map_lookup_elem),
1368 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1370 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1371 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1372 offsetof(struct __sk_buff, pkt_type)),
1375 .fixup_map1 = { 4 },
1376 .errstr = "different pointers",
1377 .errstr_unpriv = "R1 pointer comparison",
1381 "access skb fields bad3",
1383 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1384 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1385 offsetof(struct __sk_buff, pkt_type)),
1387 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1388 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1390 BPF_LD_MAP_FD(BPF_REG_1, 0),
1391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1392 BPF_FUNC_map_lookup_elem),
1393 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1396 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1398 .fixup_map1 = { 6 },
1399 .errstr = "different pointers",
1400 .errstr_unpriv = "R1 pointer comparison",
1404 "access skb fields bad4",
1406 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1407 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1408 offsetof(struct __sk_buff, len)),
1409 BPF_MOV64_IMM(BPF_REG_0, 0),
1411 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1412 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1413 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1414 BPF_LD_MAP_FD(BPF_REG_1, 0),
1415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1416 BPF_FUNC_map_lookup_elem),
1417 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1420 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1422 .fixup_map1 = { 7 },
1423 .errstr = "different pointers",
1424 .errstr_unpriv = "R1 pointer comparison",
1428 "invalid access __sk_buff family",
1430 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1431 offsetof(struct __sk_buff, family)),
1434 .errstr = "invalid bpf_context access",
1438 "invalid access __sk_buff remote_ip4",
1440 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1441 offsetof(struct __sk_buff, remote_ip4)),
1444 .errstr = "invalid bpf_context access",
1448 "invalid access __sk_buff local_ip4",
1450 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1451 offsetof(struct __sk_buff, local_ip4)),
1454 .errstr = "invalid bpf_context access",
1458 "invalid access __sk_buff remote_ip6",
1460 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1461 offsetof(struct __sk_buff, remote_ip6)),
1464 .errstr = "invalid bpf_context access",
1468 "invalid access __sk_buff local_ip6",
1470 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1471 offsetof(struct __sk_buff, local_ip6)),
1474 .errstr = "invalid bpf_context access",
1478 "invalid access __sk_buff remote_port",
1480 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1481 offsetof(struct __sk_buff, remote_port)),
1484 .errstr = "invalid bpf_context access",
1488 "invalid access __sk_buff remote_port",
1490 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1491 offsetof(struct __sk_buff, local_port)),
1494 .errstr = "invalid bpf_context access",
1498 "valid access __sk_buff family",
1500 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1501 offsetof(struct __sk_buff, family)),
1505 .prog_type = BPF_PROG_TYPE_SK_SKB,
1508 "valid access __sk_buff remote_ip4",
1510 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1511 offsetof(struct __sk_buff, remote_ip4)),
1515 .prog_type = BPF_PROG_TYPE_SK_SKB,
1518 "valid access __sk_buff local_ip4",
1520 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1521 offsetof(struct __sk_buff, local_ip4)),
1525 .prog_type = BPF_PROG_TYPE_SK_SKB,
1528 "valid access __sk_buff remote_ip6",
1530 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1531 offsetof(struct __sk_buff, remote_ip6[0])),
1532 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1533 offsetof(struct __sk_buff, remote_ip6[1])),
1534 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1535 offsetof(struct __sk_buff, remote_ip6[2])),
1536 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1537 offsetof(struct __sk_buff, remote_ip6[3])),
1541 .prog_type = BPF_PROG_TYPE_SK_SKB,
1544 "valid access __sk_buff local_ip6",
1546 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1547 offsetof(struct __sk_buff, local_ip6[0])),
1548 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1549 offsetof(struct __sk_buff, local_ip6[1])),
1550 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1551 offsetof(struct __sk_buff, local_ip6[2])),
1552 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1553 offsetof(struct __sk_buff, local_ip6[3])),
1557 .prog_type = BPF_PROG_TYPE_SK_SKB,
1560 "valid access __sk_buff remote_port",
1562 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1563 offsetof(struct __sk_buff, remote_port)),
1567 .prog_type = BPF_PROG_TYPE_SK_SKB,
1570 "valid access __sk_buff remote_port",
1572 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1573 offsetof(struct __sk_buff, local_port)),
1577 .prog_type = BPF_PROG_TYPE_SK_SKB,
1580 "invalid access of tc_classid for SK_SKB",
1582 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1583 offsetof(struct __sk_buff, tc_classid)),
1587 .prog_type = BPF_PROG_TYPE_SK_SKB,
1588 .errstr = "invalid bpf_context access",
1591 "invalid access of skb->mark for SK_SKB",
1593 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1594 offsetof(struct __sk_buff, mark)),
1598 .prog_type = BPF_PROG_TYPE_SK_SKB,
1599 .errstr = "invalid bpf_context access",
1602 "check skb->mark is not writeable by SK_SKB",
1604 BPF_MOV64_IMM(BPF_REG_0, 0),
1605 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1606 offsetof(struct __sk_buff, mark)),
1610 .prog_type = BPF_PROG_TYPE_SK_SKB,
1611 .errstr = "invalid bpf_context access",
1614 "check skb->tc_index is writeable by SK_SKB",
1616 BPF_MOV64_IMM(BPF_REG_0, 0),
1617 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1618 offsetof(struct __sk_buff, tc_index)),
1622 .prog_type = BPF_PROG_TYPE_SK_SKB,
1625 "check skb->priority is writeable by SK_SKB",
1627 BPF_MOV64_IMM(BPF_REG_0, 0),
1628 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1629 offsetof(struct __sk_buff, priority)),
1633 .prog_type = BPF_PROG_TYPE_SK_SKB,
1636 "direct packet read for SK_SKB",
1638 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1639 offsetof(struct __sk_buff, data)),
1640 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1641 offsetof(struct __sk_buff, data_end)),
1642 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1644 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1645 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1646 BPF_MOV64_IMM(BPF_REG_0, 0),
1650 .prog_type = BPF_PROG_TYPE_SK_SKB,
1653 "direct packet write for SK_SKB",
1655 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1656 offsetof(struct __sk_buff, data)),
1657 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1658 offsetof(struct __sk_buff, data_end)),
1659 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1661 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1662 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1663 BPF_MOV64_IMM(BPF_REG_0, 0),
1667 .prog_type = BPF_PROG_TYPE_SK_SKB,
1670 "overlapping checks for direct packet access SK_SKB",
1672 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1673 offsetof(struct __sk_buff, data)),
1674 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1675 offsetof(struct __sk_buff, data_end)),
1676 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1677 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1678 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1679 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1681 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1682 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1683 BPF_MOV64_IMM(BPF_REG_0, 0),
1687 .prog_type = BPF_PROG_TYPE_SK_SKB,
1690 "valid access family in SK_MSG",
1692 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1693 offsetof(struct sk_msg_md, family)),
1697 .prog_type = BPF_PROG_TYPE_SK_MSG,
1700 "valid access remote_ip4 in SK_MSG",
1702 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1703 offsetof(struct sk_msg_md, remote_ip4)),
1707 .prog_type = BPF_PROG_TYPE_SK_MSG,
1710 "valid access local_ip4 in SK_MSG",
1712 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1713 offsetof(struct sk_msg_md, local_ip4)),
1717 .prog_type = BPF_PROG_TYPE_SK_MSG,
1720 "valid access remote_port in SK_MSG",
1722 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1723 offsetof(struct sk_msg_md, remote_port)),
1727 .prog_type = BPF_PROG_TYPE_SK_MSG,
1730 "valid access local_port in SK_MSG",
1732 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1733 offsetof(struct sk_msg_md, local_port)),
1737 .prog_type = BPF_PROG_TYPE_SK_MSG,
1740 "valid access remote_ip6 in SK_MSG",
1742 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1743 offsetof(struct sk_msg_md, remote_ip6[0])),
1744 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1745 offsetof(struct sk_msg_md, remote_ip6[1])),
1746 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1747 offsetof(struct sk_msg_md, remote_ip6[2])),
1748 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1749 offsetof(struct sk_msg_md, remote_ip6[3])),
1753 .prog_type = BPF_PROG_TYPE_SK_SKB,
1756 "valid access local_ip6 in SK_MSG",
1758 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1759 offsetof(struct sk_msg_md, local_ip6[0])),
1760 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1761 offsetof(struct sk_msg_md, local_ip6[1])),
1762 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1763 offsetof(struct sk_msg_md, local_ip6[2])),
1764 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1765 offsetof(struct sk_msg_md, local_ip6[3])),
1769 .prog_type = BPF_PROG_TYPE_SK_SKB,
1772 "invalid 64B read of family in SK_MSG",
1774 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1775 offsetof(struct sk_msg_md, family)),
1778 .errstr = "invalid bpf_context access",
1780 .prog_type = BPF_PROG_TYPE_SK_MSG,
1783 "invalid read past end of SK_MSG",
1785 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1786 offsetof(struct sk_msg_md, local_port) + 4),
1789 .errstr = "R0 !read_ok",
1791 .prog_type = BPF_PROG_TYPE_SK_MSG,
1794 "invalid read offset in SK_MSG",
1796 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1797 offsetof(struct sk_msg_md, family) + 1),
1800 .errstr = "invalid bpf_context access",
1802 .prog_type = BPF_PROG_TYPE_SK_MSG,
1805 "direct packet read for SK_MSG",
1807 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1808 offsetof(struct sk_msg_md, data)),
1809 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1810 offsetof(struct sk_msg_md, data_end)),
1811 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1813 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1814 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1815 BPF_MOV64_IMM(BPF_REG_0, 0),
1819 .prog_type = BPF_PROG_TYPE_SK_MSG,
1822 "direct packet write for SK_MSG",
1824 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1825 offsetof(struct sk_msg_md, data)),
1826 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1827 offsetof(struct sk_msg_md, data_end)),
1828 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1830 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1831 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1832 BPF_MOV64_IMM(BPF_REG_0, 0),
1836 .prog_type = BPF_PROG_TYPE_SK_MSG,
1839 "overlapping checks for direct packet access SK_MSG",
1841 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1842 offsetof(struct sk_msg_md, data)),
1843 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1844 offsetof(struct sk_msg_md, data_end)),
1845 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1846 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1847 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1848 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1849 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1850 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1851 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1852 BPF_MOV64_IMM(BPF_REG_0, 0),
1856 .prog_type = BPF_PROG_TYPE_SK_MSG,
1859 "check skb->mark is not writeable by sockets",
1861 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1862 offsetof(struct __sk_buff, mark)),
1865 .errstr = "invalid bpf_context access",
1866 .errstr_unpriv = "R1 leaks addr",
1870 "check skb->tc_index is not writeable by sockets",
1872 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1873 offsetof(struct __sk_buff, tc_index)),
1876 .errstr = "invalid bpf_context access",
1877 .errstr_unpriv = "R1 leaks addr",
1881 "check cb access: byte",
1883 BPF_MOV64_IMM(BPF_REG_0, 0),
1884 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1885 offsetof(struct __sk_buff, cb[0])),
1886 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1887 offsetof(struct __sk_buff, cb[0]) + 1),
1888 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1889 offsetof(struct __sk_buff, cb[0]) + 2),
1890 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1891 offsetof(struct __sk_buff, cb[0]) + 3),
1892 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1893 offsetof(struct __sk_buff, cb[1])),
1894 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1895 offsetof(struct __sk_buff, cb[1]) + 1),
1896 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1897 offsetof(struct __sk_buff, cb[1]) + 2),
1898 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1899 offsetof(struct __sk_buff, cb[1]) + 3),
1900 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1901 offsetof(struct __sk_buff, cb[2])),
1902 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1903 offsetof(struct __sk_buff, cb[2]) + 1),
1904 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1905 offsetof(struct __sk_buff, cb[2]) + 2),
1906 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1907 offsetof(struct __sk_buff, cb[2]) + 3),
1908 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1909 offsetof(struct __sk_buff, cb[3])),
1910 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1911 offsetof(struct __sk_buff, cb[3]) + 1),
1912 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1913 offsetof(struct __sk_buff, cb[3]) + 2),
1914 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1915 offsetof(struct __sk_buff, cb[3]) + 3),
1916 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1917 offsetof(struct __sk_buff, cb[4])),
1918 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1919 offsetof(struct __sk_buff, cb[4]) + 1),
1920 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1921 offsetof(struct __sk_buff, cb[4]) + 2),
1922 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1923 offsetof(struct __sk_buff, cb[4]) + 3),
1924 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1925 offsetof(struct __sk_buff, cb[0])),
1926 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1927 offsetof(struct __sk_buff, cb[0]) + 1),
1928 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1929 offsetof(struct __sk_buff, cb[0]) + 2),
1930 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1931 offsetof(struct __sk_buff, cb[0]) + 3),
1932 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1933 offsetof(struct __sk_buff, cb[1])),
1934 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1935 offsetof(struct __sk_buff, cb[1]) + 1),
1936 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1937 offsetof(struct __sk_buff, cb[1]) + 2),
1938 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1939 offsetof(struct __sk_buff, cb[1]) + 3),
1940 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1941 offsetof(struct __sk_buff, cb[2])),
1942 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1943 offsetof(struct __sk_buff, cb[2]) + 1),
1944 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1945 offsetof(struct __sk_buff, cb[2]) + 2),
1946 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1947 offsetof(struct __sk_buff, cb[2]) + 3),
1948 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1949 offsetof(struct __sk_buff, cb[3])),
1950 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1951 offsetof(struct __sk_buff, cb[3]) + 1),
1952 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1953 offsetof(struct __sk_buff, cb[3]) + 2),
1954 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1955 offsetof(struct __sk_buff, cb[3]) + 3),
1956 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1957 offsetof(struct __sk_buff, cb[4])),
1958 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1959 offsetof(struct __sk_buff, cb[4]) + 1),
1960 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1961 offsetof(struct __sk_buff, cb[4]) + 2),
1962 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1963 offsetof(struct __sk_buff, cb[4]) + 3),
1969 "__sk_buff->hash, offset 0, byte store not permitted",
1971 BPF_MOV64_IMM(BPF_REG_0, 0),
1972 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1973 offsetof(struct __sk_buff, hash)),
1976 .errstr = "invalid bpf_context access",
1980 "__sk_buff->tc_index, offset 3, byte store not permitted",
1982 BPF_MOV64_IMM(BPF_REG_0, 0),
1983 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1984 offsetof(struct __sk_buff, tc_index) + 3),
1987 .errstr = "invalid bpf_context access",
1991 "check skb->hash byte load permitted",
1993 BPF_MOV64_IMM(BPF_REG_0, 0),
1994 #if __BYTE_ORDER == __LITTLE_ENDIAN
1995 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1996 offsetof(struct __sk_buff, hash)),
1998 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1999 offsetof(struct __sk_buff, hash) + 3),
2006 "check skb->hash byte load not permitted 1",
2008 BPF_MOV64_IMM(BPF_REG_0, 0),
2009 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2010 offsetof(struct __sk_buff, hash) + 1),
2013 .errstr = "invalid bpf_context access",
2017 "check skb->hash byte load not permitted 2",
2019 BPF_MOV64_IMM(BPF_REG_0, 0),
2020 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2021 offsetof(struct __sk_buff, hash) + 2),
2024 .errstr = "invalid bpf_context access",
2028 "check skb->hash byte load not permitted 3",
2030 BPF_MOV64_IMM(BPF_REG_0, 0),
2031 #if __BYTE_ORDER == __LITTLE_ENDIAN
2032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033 offsetof(struct __sk_buff, hash) + 3),
2035 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2036 offsetof(struct __sk_buff, hash)),
2040 .errstr = "invalid bpf_context access",
2044 "check cb access: byte, wrong type",
2046 BPF_MOV64_IMM(BPF_REG_0, 0),
2047 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2048 offsetof(struct __sk_buff, cb[0])),
2051 .errstr = "invalid bpf_context access",
2053 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2056 "check cb access: half",
2058 BPF_MOV64_IMM(BPF_REG_0, 0),
2059 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2060 offsetof(struct __sk_buff, cb[0])),
2061 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2062 offsetof(struct __sk_buff, cb[0]) + 2),
2063 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2064 offsetof(struct __sk_buff, cb[1])),
2065 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2066 offsetof(struct __sk_buff, cb[1]) + 2),
2067 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2068 offsetof(struct __sk_buff, cb[2])),
2069 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2070 offsetof(struct __sk_buff, cb[2]) + 2),
2071 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2072 offsetof(struct __sk_buff, cb[3])),
2073 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2074 offsetof(struct __sk_buff, cb[3]) + 2),
2075 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2076 offsetof(struct __sk_buff, cb[4])),
2077 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2078 offsetof(struct __sk_buff, cb[4]) + 2),
2079 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2080 offsetof(struct __sk_buff, cb[0])),
2081 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2082 offsetof(struct __sk_buff, cb[0]) + 2),
2083 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2084 offsetof(struct __sk_buff, cb[1])),
2085 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2086 offsetof(struct __sk_buff, cb[1]) + 2),
2087 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2088 offsetof(struct __sk_buff, cb[2])),
2089 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2090 offsetof(struct __sk_buff, cb[2]) + 2),
2091 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2092 offsetof(struct __sk_buff, cb[3])),
2093 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2094 offsetof(struct __sk_buff, cb[3]) + 2),
2095 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2096 offsetof(struct __sk_buff, cb[4])),
2097 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2098 offsetof(struct __sk_buff, cb[4]) + 2),
2104 "check cb access: half, unaligned",
2106 BPF_MOV64_IMM(BPF_REG_0, 0),
2107 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2108 offsetof(struct __sk_buff, cb[0]) + 1),
2111 .errstr = "misaligned context access",
2113 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2116 "check __sk_buff->hash, offset 0, half store not permitted",
2118 BPF_MOV64_IMM(BPF_REG_0, 0),
2119 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2120 offsetof(struct __sk_buff, hash)),
2123 .errstr = "invalid bpf_context access",
2127 "check __sk_buff->tc_index, offset 2, half store not permitted",
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2130 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2131 offsetof(struct __sk_buff, tc_index) + 2),
2134 .errstr = "invalid bpf_context access",
2138 "check skb->hash half load permitted",
2140 BPF_MOV64_IMM(BPF_REG_0, 0),
2141 #if __BYTE_ORDER == __LITTLE_ENDIAN
2142 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2143 offsetof(struct __sk_buff, hash)),
2145 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2146 offsetof(struct __sk_buff, hash) + 2),
2153 "check skb->hash half load not permitted",
2155 BPF_MOV64_IMM(BPF_REG_0, 0),
2156 #if __BYTE_ORDER == __LITTLE_ENDIAN
2157 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2158 offsetof(struct __sk_buff, hash) + 2),
2160 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2161 offsetof(struct __sk_buff, hash)),
2165 .errstr = "invalid bpf_context access",
2169 "check cb access: half, wrong type",
2171 BPF_MOV64_IMM(BPF_REG_0, 0),
2172 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2173 offsetof(struct __sk_buff, cb[0])),
2176 .errstr = "invalid bpf_context access",
2178 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2181 "check cb access: word",
2183 BPF_MOV64_IMM(BPF_REG_0, 0),
2184 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2185 offsetof(struct __sk_buff, cb[0])),
2186 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2187 offsetof(struct __sk_buff, cb[1])),
2188 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2189 offsetof(struct __sk_buff, cb[2])),
2190 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2191 offsetof(struct __sk_buff, cb[3])),
2192 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2193 offsetof(struct __sk_buff, cb[4])),
2194 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2195 offsetof(struct __sk_buff, cb[0])),
2196 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2197 offsetof(struct __sk_buff, cb[1])),
2198 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2199 offsetof(struct __sk_buff, cb[2])),
2200 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2201 offsetof(struct __sk_buff, cb[3])),
2202 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2203 offsetof(struct __sk_buff, cb[4])),
2209 "check cb access: word, unaligned 1",
2211 BPF_MOV64_IMM(BPF_REG_0, 0),
2212 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2213 offsetof(struct __sk_buff, cb[0]) + 2),
2216 .errstr = "misaligned context access",
2218 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2221 "check cb access: word, unaligned 2",
2223 BPF_MOV64_IMM(BPF_REG_0, 0),
2224 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2225 offsetof(struct __sk_buff, cb[4]) + 1),
2228 .errstr = "misaligned context access",
2230 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2233 "check cb access: word, unaligned 3",
2235 BPF_MOV64_IMM(BPF_REG_0, 0),
2236 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2237 offsetof(struct __sk_buff, cb[4]) + 2),
2240 .errstr = "misaligned context access",
2242 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2245 "check cb access: word, unaligned 4",
2247 BPF_MOV64_IMM(BPF_REG_0, 0),
2248 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2249 offsetof(struct __sk_buff, cb[4]) + 3),
2252 .errstr = "misaligned context access",
2254 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2257 "check cb access: double",
2259 BPF_MOV64_IMM(BPF_REG_0, 0),
2260 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2261 offsetof(struct __sk_buff, cb[0])),
2262 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2263 offsetof(struct __sk_buff, cb[2])),
2264 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2265 offsetof(struct __sk_buff, cb[0])),
2266 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2267 offsetof(struct __sk_buff, cb[2])),
2273 "check cb access: double, unaligned 1",
2275 BPF_MOV64_IMM(BPF_REG_0, 0),
2276 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2277 offsetof(struct __sk_buff, cb[1])),
2280 .errstr = "misaligned context access",
2282 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2285 "check cb access: double, unaligned 2",
2287 BPF_MOV64_IMM(BPF_REG_0, 0),
2288 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2289 offsetof(struct __sk_buff, cb[3])),
2292 .errstr = "misaligned context access",
2294 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2297 "check cb access: double, oob 1",
2299 BPF_MOV64_IMM(BPF_REG_0, 0),
2300 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2301 offsetof(struct __sk_buff, cb[4])),
2304 .errstr = "invalid bpf_context access",
2308 "check cb access: double, oob 2",
2310 BPF_MOV64_IMM(BPF_REG_0, 0),
2311 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2312 offsetof(struct __sk_buff, cb[4])),
2315 .errstr = "invalid bpf_context access",
2319 "check __sk_buff->ifindex dw store not permitted",
2321 BPF_MOV64_IMM(BPF_REG_0, 0),
2322 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2323 offsetof(struct __sk_buff, ifindex)),
2326 .errstr = "invalid bpf_context access",
2330 "check __sk_buff->ifindex dw load not permitted",
2332 BPF_MOV64_IMM(BPF_REG_0, 0),
2333 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2334 offsetof(struct __sk_buff, ifindex)),
2337 .errstr = "invalid bpf_context access",
2341 "check cb access: double, wrong type",
2343 BPF_MOV64_IMM(BPF_REG_0, 0),
2344 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2345 offsetof(struct __sk_buff, cb[0])),
2348 .errstr = "invalid bpf_context access",
2350 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2353 "check out of range skb->cb access",
2355 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2356 offsetof(struct __sk_buff, cb[0]) + 256),
2359 .errstr = "invalid bpf_context access",
2360 .errstr_unpriv = "",
2362 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2365 "write skb fields from socket prog",
2367 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2368 offsetof(struct __sk_buff, cb[4])),
2369 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2371 offsetof(struct __sk_buff, mark)),
2372 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2373 offsetof(struct __sk_buff, tc_index)),
2374 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2375 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2376 offsetof(struct __sk_buff, cb[0])),
2377 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2378 offsetof(struct __sk_buff, cb[2])),
2382 .errstr_unpriv = "R1 leaks addr",
2383 .result_unpriv = REJECT,
2386 "write skb fields from tc_cls_act prog",
2388 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2389 offsetof(struct __sk_buff, cb[0])),
2390 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2391 offsetof(struct __sk_buff, mark)),
2392 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2393 offsetof(struct __sk_buff, tc_index)),
2394 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2395 offsetof(struct __sk_buff, tc_index)),
2396 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2397 offsetof(struct __sk_buff, cb[3])),
2400 .errstr_unpriv = "",
2401 .result_unpriv = REJECT,
2403 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2406 "PTR_TO_STACK store/load",
2408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2410 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2411 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2415 .retval = 0xfaceb00c,
2418 "PTR_TO_STACK store/load - bad alignment on off",
2420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2422 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2423 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2427 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2430 "PTR_TO_STACK store/load - bad alignment on reg",
2432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2434 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2435 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2439 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2442 "PTR_TO_STACK store/load - out of bounds low",
2444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2446 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2447 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2451 .errstr = "invalid stack off=-79992 size=8",
2454 "PTR_TO_STACK store/load - out of bounds high",
2456 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2458 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2459 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2463 .errstr = "invalid stack off=0 size=8",
2466 "unpriv: return pointer",
2468 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2472 .result_unpriv = REJECT,
2473 .errstr_unpriv = "R0 leaks addr",
2474 .retval = POINTER_VALUE,
2477 "unpriv: add const to pointer",
2479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2480 BPF_MOV64_IMM(BPF_REG_0, 0),
2486 "unpriv: add pointer to pointer",
2488 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2489 BPF_MOV64_IMM(BPF_REG_0, 0),
2493 .errstr = "R1 pointer += pointer",
2496 "unpriv: neg pointer",
2498 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2499 BPF_MOV64_IMM(BPF_REG_0, 0),
2503 .result_unpriv = REJECT,
2504 .errstr_unpriv = "R1 pointer arithmetic",
2507 "unpriv: cmp pointer with const",
2509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2510 BPF_MOV64_IMM(BPF_REG_0, 0),
2514 .result_unpriv = REJECT,
2515 .errstr_unpriv = "R1 pointer comparison",
2518 "unpriv: cmp pointer with pointer",
2520 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2521 BPF_MOV64_IMM(BPF_REG_0, 0),
2525 .result_unpriv = REJECT,
2526 .errstr_unpriv = "R10 pointer comparison",
2529 "unpriv: check that printk is disallowed",
2531 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2534 BPF_MOV64_IMM(BPF_REG_2, 8),
2535 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2537 BPF_FUNC_trace_printk),
2538 BPF_MOV64_IMM(BPF_REG_0, 0),
2541 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2542 .result_unpriv = REJECT,
2546 "unpriv: pass pointer to helper function",
2548 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2549 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2551 BPF_LD_MAP_FD(BPF_REG_1, 0),
2552 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2553 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2554 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2555 BPF_FUNC_map_update_elem),
2556 BPF_MOV64_IMM(BPF_REG_0, 0),
2559 .fixup_map1 = { 3 },
2560 .errstr_unpriv = "R4 leaks addr",
2561 .result_unpriv = REJECT,
2565 "unpriv: indirectly pass pointer on stack to helper function",
2567 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2568 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2570 BPF_LD_MAP_FD(BPF_REG_1, 0),
2571 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2572 BPF_FUNC_map_lookup_elem),
2573 BPF_MOV64_IMM(BPF_REG_0, 0),
2576 .fixup_map1 = { 3 },
2577 .errstr = "invalid indirect read from stack off -8+0 size 8",
2581 "unpriv: mangle pointer on stack 1",
2583 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2584 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2585 BPF_MOV64_IMM(BPF_REG_0, 0),
2588 .errstr_unpriv = "attempt to corrupt spilled",
2589 .result_unpriv = REJECT,
2593 "unpriv: mangle pointer on stack 2",
2595 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2596 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2597 BPF_MOV64_IMM(BPF_REG_0, 0),
2600 .errstr_unpriv = "attempt to corrupt spilled",
2601 .result_unpriv = REJECT,
2605 "unpriv: read pointer from stack in small chunks",
2607 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2608 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2609 BPF_MOV64_IMM(BPF_REG_0, 0),
2612 .errstr = "invalid size",
2616 "unpriv: write pointer into ctx",
2618 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2619 BPF_MOV64_IMM(BPF_REG_0, 0),
2622 .errstr_unpriv = "R1 leaks addr",
2623 .result_unpriv = REJECT,
2624 .errstr = "invalid bpf_context access",
2628 "unpriv: spill/fill of ctx",
2630 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2632 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2633 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2634 BPF_MOV64_IMM(BPF_REG_0, 0),
2640 "unpriv: spill/fill of ctx 2",
2642 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2644 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2645 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2646 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2647 BPF_FUNC_get_hash_recalc),
2648 BPF_MOV64_IMM(BPF_REG_0, 0),
2652 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2655 "unpriv: spill/fill of ctx 3",
2657 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2659 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2660 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2661 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2663 BPF_FUNC_get_hash_recalc),
2667 .errstr = "R1 type=fp expected=ctx",
2668 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2671 "unpriv: spill/fill of ctx 4",
2673 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2675 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2676 BPF_MOV64_IMM(BPF_REG_0, 1),
2677 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2679 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2681 BPF_FUNC_get_hash_recalc),
2685 .errstr = "R1 type=inv expected=ctx",
2686 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2689 "unpriv: spill/fill of different pointers stx",
2691 BPF_MOV64_IMM(BPF_REG_3, 42),
2692 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2694 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2695 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2697 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2698 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2699 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2700 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2701 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2702 offsetof(struct __sk_buff, mark)),
2703 BPF_MOV64_IMM(BPF_REG_0, 0),
2707 .errstr = "same insn cannot be used with different pointers",
2708 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2711 "unpriv: spill/fill of different pointers ldx",
2713 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2716 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2718 -(__s32)offsetof(struct bpf_perf_event_data,
2719 sample_period) - 8),
2720 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2721 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2722 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2724 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2725 offsetof(struct bpf_perf_event_data,
2727 BPF_MOV64_IMM(BPF_REG_0, 0),
2731 .errstr = "same insn cannot be used with different pointers",
2732 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2735 "unpriv: write pointer into map elem value",
2737 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2740 BPF_LD_MAP_FD(BPF_REG_1, 0),
2741 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2742 BPF_FUNC_map_lookup_elem),
2743 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2744 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2747 .fixup_map1 = { 3 },
2748 .errstr_unpriv = "R0 leaks addr",
2749 .result_unpriv = REJECT,
2753 "unpriv: partial copy of pointer",
2755 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2756 BPF_MOV64_IMM(BPF_REG_0, 0),
2759 .errstr_unpriv = "R10 partial copy",
2760 .result_unpriv = REJECT,
2764 "unpriv: pass pointer to tail_call",
2766 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2767 BPF_LD_MAP_FD(BPF_REG_2, 0),
2768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2769 BPF_FUNC_tail_call),
2770 BPF_MOV64_IMM(BPF_REG_0, 0),
2773 .fixup_prog1 = { 1 },
2774 .errstr_unpriv = "R3 leaks addr into helper",
2775 .result_unpriv = REJECT,
2779 "unpriv: cmp map pointer with zero",
2781 BPF_MOV64_IMM(BPF_REG_1, 0),
2782 BPF_LD_MAP_FD(BPF_REG_1, 0),
2783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2784 BPF_MOV64_IMM(BPF_REG_0, 0),
2787 .fixup_map1 = { 1 },
2788 .errstr_unpriv = "R1 pointer comparison",
2789 .result_unpriv = REJECT,
2793 "unpriv: write into frame pointer",
2795 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2796 BPF_MOV64_IMM(BPF_REG_0, 0),
2799 .errstr = "frame pointer is read only",
2803 "unpriv: spill/fill frame pointer",
2805 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2807 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2808 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2809 BPF_MOV64_IMM(BPF_REG_0, 0),
2812 .errstr = "frame pointer is read only",
2816 "unpriv: cmp of frame pointer",
2818 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2819 BPF_MOV64_IMM(BPF_REG_0, 0),
2822 .errstr_unpriv = "R10 pointer comparison",
2823 .result_unpriv = REJECT,
2827 "unpriv: adding of fp",
2829 BPF_MOV64_IMM(BPF_REG_0, 0),
2830 BPF_MOV64_IMM(BPF_REG_1, 0),
2831 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2832 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2838 "unpriv: cmp of stack pointer",
2840 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2842 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2843 BPF_MOV64_IMM(BPF_REG_0, 0),
2846 .errstr_unpriv = "R2 pointer comparison",
2847 .result_unpriv = REJECT,
2851 "runtime/jit: tail_call within bounds, prog once",
2853 BPF_MOV64_IMM(BPF_REG_3, 0),
2854 BPF_LD_MAP_FD(BPF_REG_2, 0),
2855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2856 BPF_FUNC_tail_call),
2857 BPF_MOV64_IMM(BPF_REG_0, 1),
2860 .fixup_prog1 = { 1 },
2865 "runtime/jit: tail_call within bounds, prog loop",
2867 BPF_MOV64_IMM(BPF_REG_3, 1),
2868 BPF_LD_MAP_FD(BPF_REG_2, 0),
2869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2870 BPF_FUNC_tail_call),
2871 BPF_MOV64_IMM(BPF_REG_0, 1),
2874 .fixup_prog1 = { 1 },
2879 "runtime/jit: tail_call within bounds, no prog",
2881 BPF_MOV64_IMM(BPF_REG_3, 2),
2882 BPF_LD_MAP_FD(BPF_REG_2, 0),
2883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2884 BPF_FUNC_tail_call),
2885 BPF_MOV64_IMM(BPF_REG_0, 1),
2888 .fixup_prog1 = { 1 },
2893 "runtime/jit: tail_call out of bounds",
2895 BPF_MOV64_IMM(BPF_REG_3, 256),
2896 BPF_LD_MAP_FD(BPF_REG_2, 0),
2897 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2898 BPF_FUNC_tail_call),
2899 BPF_MOV64_IMM(BPF_REG_0, 2),
2902 .fixup_prog1 = { 1 },
2907 "runtime/jit: pass negative index to tail_call",
2909 BPF_MOV64_IMM(BPF_REG_3, -1),
2910 BPF_LD_MAP_FD(BPF_REG_2, 0),
2911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2912 BPF_FUNC_tail_call),
2913 BPF_MOV64_IMM(BPF_REG_0, 2),
2916 .fixup_prog1 = { 1 },
2921 "runtime/jit: pass > 32bit index to tail_call",
2923 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2924 BPF_LD_MAP_FD(BPF_REG_2, 0),
2925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2926 BPF_FUNC_tail_call),
2927 BPF_MOV64_IMM(BPF_REG_0, 2),
2930 .fixup_prog1 = { 2 },
2935 "stack pointer arithmetic",
2937 BPF_MOV64_IMM(BPF_REG_1, 4),
2938 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2939 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2943 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2944 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2945 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2946 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2947 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2948 BPF_MOV64_IMM(BPF_REG_0, 0),
2954 "raw_stack: no skb_load_bytes",
2956 BPF_MOV64_IMM(BPF_REG_2, 4),
2957 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2959 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2960 BPF_MOV64_IMM(BPF_REG_4, 8),
2961 /* Call to skb_load_bytes() omitted. */
2962 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2966 .errstr = "invalid read from stack off -8+0 size 8",
2967 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2970 "raw_stack: skb_load_bytes, negative len",
2972 BPF_MOV64_IMM(BPF_REG_2, 4),
2973 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2975 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2976 BPF_MOV64_IMM(BPF_REG_4, -8),
2977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2978 BPF_FUNC_skb_load_bytes),
2979 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2983 .errstr = "R4 min value is negative",
2984 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2987 "raw_stack: skb_load_bytes, negative len 2",
2989 BPF_MOV64_IMM(BPF_REG_2, 4),
2990 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2992 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2993 BPF_MOV64_IMM(BPF_REG_4, ~0),
2994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2995 BPF_FUNC_skb_load_bytes),
2996 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3000 .errstr = "R4 min value is negative",
3001 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3004 "raw_stack: skb_load_bytes, zero len",
3006 BPF_MOV64_IMM(BPF_REG_2, 4),
3007 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3009 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3010 BPF_MOV64_IMM(BPF_REG_4, 0),
3011 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3012 BPF_FUNC_skb_load_bytes),
3013 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3017 .errstr = "invalid stack type R3",
3018 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3021 "raw_stack: skb_load_bytes, no init",
3023 BPF_MOV64_IMM(BPF_REG_2, 4),
3024 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3026 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3027 BPF_MOV64_IMM(BPF_REG_4, 8),
3028 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3029 BPF_FUNC_skb_load_bytes),
3030 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3034 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3037 "raw_stack: skb_load_bytes, init",
3039 BPF_MOV64_IMM(BPF_REG_2, 4),
3040 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3042 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3043 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3044 BPF_MOV64_IMM(BPF_REG_4, 8),
3045 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3046 BPF_FUNC_skb_load_bytes),
3047 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3051 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3054 "raw_stack: skb_load_bytes, spilled regs around bounds",
3056 BPF_MOV64_IMM(BPF_REG_2, 4),
3057 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3059 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3060 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3061 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3062 BPF_MOV64_IMM(BPF_REG_4, 8),
3063 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3064 BPF_FUNC_skb_load_bytes),
3065 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3066 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3067 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3068 offsetof(struct __sk_buff, mark)),
3069 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3070 offsetof(struct __sk_buff, priority)),
3071 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3075 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3078 "raw_stack: skb_load_bytes, spilled regs corruption",
3080 BPF_MOV64_IMM(BPF_REG_2, 4),
3081 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3083 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3084 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3085 BPF_MOV64_IMM(BPF_REG_4, 8),
3086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3087 BPF_FUNC_skb_load_bytes),
3088 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3089 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3090 offsetof(struct __sk_buff, mark)),
3094 .errstr = "R0 invalid mem access 'inv'",
3095 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3098 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3100 BPF_MOV64_IMM(BPF_REG_2, 4),
3101 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3103 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3104 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3106 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3107 BPF_MOV64_IMM(BPF_REG_4, 8),
3108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3109 BPF_FUNC_skb_load_bytes),
3110 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3111 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3112 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3113 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3114 offsetof(struct __sk_buff, mark)),
3115 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3116 offsetof(struct __sk_buff, priority)),
3117 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3118 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3119 offsetof(struct __sk_buff, pkt_type)),
3120 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3124 .errstr = "R3 invalid mem access 'inv'",
3125 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3128 "raw_stack: skb_load_bytes, spilled regs + data",
3130 BPF_MOV64_IMM(BPF_REG_2, 4),
3131 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3133 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3134 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3135 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3136 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3137 BPF_MOV64_IMM(BPF_REG_4, 8),
3138 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3139 BPF_FUNC_skb_load_bytes),
3140 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3141 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3142 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3143 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3144 offsetof(struct __sk_buff, mark)),
3145 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3146 offsetof(struct __sk_buff, priority)),
3147 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3152 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3155 "raw_stack: skb_load_bytes, invalid access 1",
3157 BPF_MOV64_IMM(BPF_REG_2, 4),
3158 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3160 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3161 BPF_MOV64_IMM(BPF_REG_4, 8),
3162 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3163 BPF_FUNC_skb_load_bytes),
3164 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3168 .errstr = "invalid stack type R3 off=-513 access_size=8",
3169 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3172 "raw_stack: skb_load_bytes, invalid access 2",
3174 BPF_MOV64_IMM(BPF_REG_2, 4),
3175 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3177 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3178 BPF_MOV64_IMM(BPF_REG_4, 8),
3179 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3180 BPF_FUNC_skb_load_bytes),
3181 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3185 .errstr = "invalid stack type R3 off=-1 access_size=8",
3186 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3189 "raw_stack: skb_load_bytes, invalid access 3",
3191 BPF_MOV64_IMM(BPF_REG_2, 4),
3192 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3194 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3195 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3197 BPF_FUNC_skb_load_bytes),
3198 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3202 .errstr = "R4 min value is negative",
3203 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3206 "raw_stack: skb_load_bytes, invalid access 4",
3208 BPF_MOV64_IMM(BPF_REG_2, 4),
3209 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3211 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3212 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3214 BPF_FUNC_skb_load_bytes),
3215 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3219 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3220 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3223 "raw_stack: skb_load_bytes, invalid access 5",
3225 BPF_MOV64_IMM(BPF_REG_2, 4),
3226 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3228 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3229 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3231 BPF_FUNC_skb_load_bytes),
3232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3236 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3237 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3240 "raw_stack: skb_load_bytes, invalid access 6",
3242 BPF_MOV64_IMM(BPF_REG_2, 4),
3243 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3245 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3246 BPF_MOV64_IMM(BPF_REG_4, 0),
3247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3248 BPF_FUNC_skb_load_bytes),
3249 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3253 .errstr = "invalid stack type R3 off=-512 access_size=0",
3254 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3257 "raw_stack: skb_load_bytes, large access",
3259 BPF_MOV64_IMM(BPF_REG_2, 4),
3260 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3262 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3263 BPF_MOV64_IMM(BPF_REG_4, 512),
3264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3265 BPF_FUNC_skb_load_bytes),
3266 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3270 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3273 "context stores via ST",
3275 BPF_MOV64_IMM(BPF_REG_0, 0),
3276 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3279 .errstr = "BPF_ST stores into R1 inv is not allowed",
3281 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3284 "context stores via XADD",
3286 BPF_MOV64_IMM(BPF_REG_0, 0),
3287 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3288 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3291 .errstr = "BPF_XADD stores into R1 inv is not allowed",
3293 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3296 "direct packet access: test1",
3298 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3299 offsetof(struct __sk_buff, data)),
3300 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3301 offsetof(struct __sk_buff, data_end)),
3302 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3304 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3305 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3306 BPF_MOV64_IMM(BPF_REG_0, 0),
3310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3313 "direct packet access: test2",
3315 BPF_MOV64_IMM(BPF_REG_0, 1),
3316 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3317 offsetof(struct __sk_buff, data_end)),
3318 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3319 offsetof(struct __sk_buff, data)),
3320 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3322 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3323 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3324 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3325 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3326 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3327 offsetof(struct __sk_buff, data)),
3328 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3329 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3330 offsetof(struct __sk_buff, len)),
3331 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3332 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3333 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3336 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3337 offsetof(struct __sk_buff, data_end)),
3338 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3339 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3340 BPF_MOV64_IMM(BPF_REG_0, 0),
3344 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3347 "direct packet access: test3",
3349 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3350 offsetof(struct __sk_buff, data)),
3351 BPF_MOV64_IMM(BPF_REG_0, 0),
3354 .errstr = "invalid bpf_context access off=76",
3356 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3359 "direct packet access: test4 (write)",
3361 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3362 offsetof(struct __sk_buff, data)),
3363 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3364 offsetof(struct __sk_buff, data_end)),
3365 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3367 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3368 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3369 BPF_MOV64_IMM(BPF_REG_0, 0),
3373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3376 "direct packet access: test5 (pkt_end >= reg, good access)",
3378 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3379 offsetof(struct __sk_buff, data)),
3380 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3381 offsetof(struct __sk_buff, data_end)),
3382 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3384 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3385 BPF_MOV64_IMM(BPF_REG_0, 1),
3387 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3388 BPF_MOV64_IMM(BPF_REG_0, 0),
3392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3395 "direct packet access: test6 (pkt_end >= reg, bad access)",
3397 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3398 offsetof(struct __sk_buff, data)),
3399 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3400 offsetof(struct __sk_buff, data_end)),
3401 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3403 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3404 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3405 BPF_MOV64_IMM(BPF_REG_0, 1),
3407 BPF_MOV64_IMM(BPF_REG_0, 0),
3410 .errstr = "invalid access to packet",
3412 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3415 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3417 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3418 offsetof(struct __sk_buff, data)),
3419 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3420 offsetof(struct __sk_buff, data_end)),
3421 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3423 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3424 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3425 BPF_MOV64_IMM(BPF_REG_0, 1),
3427 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3428 BPF_MOV64_IMM(BPF_REG_0, 0),
3431 .errstr = "invalid access to packet",
3433 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3436 "direct packet access: test8 (double test, variant 1)",
3438 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3439 offsetof(struct __sk_buff, data)),
3440 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3441 offsetof(struct __sk_buff, data_end)),
3442 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3443 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3444 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3445 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3446 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3447 BPF_MOV64_IMM(BPF_REG_0, 1),
3449 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3450 BPF_MOV64_IMM(BPF_REG_0, 0),
3454 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3457 "direct packet access: test9 (double test, variant 2)",
3459 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3460 offsetof(struct __sk_buff, data)),
3461 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3462 offsetof(struct __sk_buff, data_end)),
3463 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3465 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3466 BPF_MOV64_IMM(BPF_REG_0, 1),
3468 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3469 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3470 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3471 BPF_MOV64_IMM(BPF_REG_0, 0),
3475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3478 "direct packet access: test10 (write invalid)",
3480 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3481 offsetof(struct __sk_buff, data)),
3482 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3483 offsetof(struct __sk_buff, data_end)),
3484 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3486 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3487 BPF_MOV64_IMM(BPF_REG_0, 0),
3489 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3490 BPF_MOV64_IMM(BPF_REG_0, 0),
3493 .errstr = "invalid access to packet",
3495 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3498 "direct packet access: test11 (shift, good access)",
3500 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3501 offsetof(struct __sk_buff, data)),
3502 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3503 offsetof(struct __sk_buff, data_end)),
3504 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3506 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3507 BPF_MOV64_IMM(BPF_REG_3, 144),
3508 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3509 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3510 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3511 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3512 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3513 BPF_MOV64_IMM(BPF_REG_0, 1),
3515 BPF_MOV64_IMM(BPF_REG_0, 0),
3519 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3523 "direct packet access: test12 (and, good access)",
3525 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3526 offsetof(struct __sk_buff, data)),
3527 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3528 offsetof(struct __sk_buff, data_end)),
3529 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3531 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3532 BPF_MOV64_IMM(BPF_REG_3, 144),
3533 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3535 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3536 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3537 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3538 BPF_MOV64_IMM(BPF_REG_0, 1),
3540 BPF_MOV64_IMM(BPF_REG_0, 0),
3544 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3548 "direct packet access: test13 (branches, good access)",
3550 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3551 offsetof(struct __sk_buff, data)),
3552 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3553 offsetof(struct __sk_buff, data_end)),
3554 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3556 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3557 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3558 offsetof(struct __sk_buff, mark)),
3559 BPF_MOV64_IMM(BPF_REG_4, 1),
3560 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3561 BPF_MOV64_IMM(BPF_REG_3, 14),
3562 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3563 BPF_MOV64_IMM(BPF_REG_3, 24),
3564 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3566 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3567 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3568 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3569 BPF_MOV64_IMM(BPF_REG_0, 1),
3571 BPF_MOV64_IMM(BPF_REG_0, 0),
3575 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3579 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3581 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3582 offsetof(struct __sk_buff, data)),
3583 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3584 offsetof(struct __sk_buff, data_end)),
3585 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3587 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3588 BPF_MOV64_IMM(BPF_REG_5, 12),
3589 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3590 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3591 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3592 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3593 BPF_MOV64_IMM(BPF_REG_0, 1),
3595 BPF_MOV64_IMM(BPF_REG_0, 0),
3599 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3603 "direct packet access: test15 (spill with xadd)",
3605 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3606 offsetof(struct __sk_buff, data)),
3607 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3608 offsetof(struct __sk_buff, data_end)),
3609 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3611 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3612 BPF_MOV64_IMM(BPF_REG_5, 4096),
3613 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3615 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3616 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3617 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3618 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3619 BPF_MOV64_IMM(BPF_REG_0, 0),
3622 .errstr = "R2 invalid mem access 'inv'",
3624 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3627 "direct packet access: test16 (arith on data_end)",
3629 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3630 offsetof(struct __sk_buff, data)),
3631 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3632 offsetof(struct __sk_buff, data_end)),
3633 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3636 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3637 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3638 BPF_MOV64_IMM(BPF_REG_0, 0),
3641 .errstr = "R3 pointer arithmetic on pkt_end",
3643 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3646 "direct packet access: test17 (pruning, alignment)",
3648 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3649 offsetof(struct __sk_buff, data)),
3650 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3651 offsetof(struct __sk_buff, data_end)),
3652 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3653 offsetof(struct __sk_buff, mark)),
3654 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3656 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3657 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3658 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3659 BPF_MOV64_IMM(BPF_REG_0, 0),
3661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3664 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3666 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3667 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3670 "direct packet access: test18 (imm += pkt_ptr, 1)",
3672 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3673 offsetof(struct __sk_buff, data)),
3674 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3675 offsetof(struct __sk_buff, data_end)),
3676 BPF_MOV64_IMM(BPF_REG_0, 8),
3677 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3678 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3679 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3680 BPF_MOV64_IMM(BPF_REG_0, 0),
3684 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3687 "direct packet access: test19 (imm += pkt_ptr, 2)",
3689 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3690 offsetof(struct __sk_buff, data)),
3691 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3692 offsetof(struct __sk_buff, data_end)),
3693 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3695 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3696 BPF_MOV64_IMM(BPF_REG_4, 4),
3697 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3698 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3699 BPF_MOV64_IMM(BPF_REG_0, 0),
3703 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3706 "direct packet access: test20 (x += pkt_ptr, 1)",
3708 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3709 offsetof(struct __sk_buff, data)),
3710 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3711 offsetof(struct __sk_buff, data_end)),
3712 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3713 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3714 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3715 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3716 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3717 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3718 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3720 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3721 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3722 BPF_MOV64_IMM(BPF_REG_0, 0),
3725 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3729 "direct packet access: test21 (x += pkt_ptr, 2)",
3731 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3732 offsetof(struct __sk_buff, data)),
3733 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3734 offsetof(struct __sk_buff, data_end)),
3735 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3737 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3738 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3739 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3740 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3741 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3742 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3743 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3745 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3746 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3747 BPF_MOV64_IMM(BPF_REG_0, 0),
3750 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3754 "direct packet access: test22 (x += pkt_ptr, 3)",
3756 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3757 offsetof(struct __sk_buff, data)),
3758 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3759 offsetof(struct __sk_buff, data_end)),
3760 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3762 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3763 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3764 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3765 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3766 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3767 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3768 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3769 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3770 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3771 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3772 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3774 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3775 BPF_MOV64_IMM(BPF_REG_2, 1),
3776 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3777 BPF_MOV64_IMM(BPF_REG_0, 0),
3780 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3784 "direct packet access: test23 (x += pkt_ptr, 4)",
3786 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3787 offsetof(struct __sk_buff, data)),
3788 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3789 offsetof(struct __sk_buff, data_end)),
3790 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3791 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3792 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3793 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3794 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3795 BPF_MOV64_IMM(BPF_REG_0, 31),
3796 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3797 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3798 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3800 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3801 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3802 BPF_MOV64_IMM(BPF_REG_0, 0),
3805 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3807 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3810 "direct packet access: test24 (x += pkt_ptr, 5)",
3812 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3813 offsetof(struct __sk_buff, data)),
3814 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3815 offsetof(struct __sk_buff, data_end)),
3816 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3817 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3818 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3819 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3820 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3821 BPF_MOV64_IMM(BPF_REG_0, 64),
3822 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3823 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3824 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3826 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3827 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3828 BPF_MOV64_IMM(BPF_REG_0, 0),
3831 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3835 "direct packet access: test25 (marking on <, good access)",
3837 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3838 offsetof(struct __sk_buff, data)),
3839 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3840 offsetof(struct __sk_buff, data_end)),
3841 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3843 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3844 BPF_MOV64_IMM(BPF_REG_0, 0),
3846 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3847 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3850 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3853 "direct packet access: test26 (marking on <, bad access)",
3855 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3856 offsetof(struct __sk_buff, data)),
3857 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3858 offsetof(struct __sk_buff, data_end)),
3859 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3861 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3862 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3863 BPF_MOV64_IMM(BPF_REG_0, 0),
3865 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3868 .errstr = "invalid access to packet",
3869 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3872 "direct packet access: test27 (marking on <=, good access)",
3874 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3875 offsetof(struct __sk_buff, data)),
3876 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3877 offsetof(struct __sk_buff, data_end)),
3878 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3880 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3881 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3882 BPF_MOV64_IMM(BPF_REG_0, 1),
3886 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3890 "direct packet access: test28 (marking on <=, bad access)",
3892 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3893 offsetof(struct __sk_buff, data)),
3894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3895 offsetof(struct __sk_buff, data_end)),
3896 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3898 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3899 BPF_MOV64_IMM(BPF_REG_0, 1),
3901 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3902 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3905 .errstr = "invalid access to packet",
3906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3909 "helper access to packet: test1, valid packet_ptr range",
3911 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3912 offsetof(struct xdp_md, data)),
3913 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3914 offsetof(struct xdp_md, data_end)),
3915 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3917 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3918 BPF_LD_MAP_FD(BPF_REG_1, 0),
3919 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3920 BPF_MOV64_IMM(BPF_REG_4, 0),
3921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3922 BPF_FUNC_map_update_elem),
3923 BPF_MOV64_IMM(BPF_REG_0, 0),
3926 .fixup_map1 = { 5 },
3927 .result_unpriv = ACCEPT,
3929 .prog_type = BPF_PROG_TYPE_XDP,
3932 "helper access to packet: test2, unchecked packet_ptr",
3934 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3935 offsetof(struct xdp_md, data)),
3936 BPF_LD_MAP_FD(BPF_REG_1, 0),
3937 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3938 BPF_FUNC_map_lookup_elem),
3939 BPF_MOV64_IMM(BPF_REG_0, 0),
3942 .fixup_map1 = { 1 },
3944 .errstr = "invalid access to packet",
3945 .prog_type = BPF_PROG_TYPE_XDP,
3948 "helper access to packet: test3, variable add",
3950 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3951 offsetof(struct xdp_md, data)),
3952 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3953 offsetof(struct xdp_md, data_end)),
3954 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3956 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3957 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3958 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3959 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3960 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3962 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3963 BPF_LD_MAP_FD(BPF_REG_1, 0),
3964 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3966 BPF_FUNC_map_lookup_elem),
3967 BPF_MOV64_IMM(BPF_REG_0, 0),
3970 .fixup_map1 = { 11 },
3972 .prog_type = BPF_PROG_TYPE_XDP,
3975 "helper access to packet: test4, packet_ptr with bad range",
3977 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3978 offsetof(struct xdp_md, data)),
3979 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3980 offsetof(struct xdp_md, data_end)),
3981 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3983 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3984 BPF_MOV64_IMM(BPF_REG_0, 0),
3986 BPF_LD_MAP_FD(BPF_REG_1, 0),
3987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3988 BPF_FUNC_map_lookup_elem),
3989 BPF_MOV64_IMM(BPF_REG_0, 0),
3992 .fixup_map1 = { 7 },
3994 .errstr = "invalid access to packet",
3995 .prog_type = BPF_PROG_TYPE_XDP,
3998 "helper access to packet: test5, packet_ptr with too short range",
4000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4001 offsetof(struct xdp_md, data)),
4002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4003 offsetof(struct xdp_md, data_end)),
4004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4005 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4007 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4008 BPF_LD_MAP_FD(BPF_REG_1, 0),
4009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4010 BPF_FUNC_map_lookup_elem),
4011 BPF_MOV64_IMM(BPF_REG_0, 0),
4014 .fixup_map1 = { 6 },
4016 .errstr = "invalid access to packet",
4017 .prog_type = BPF_PROG_TYPE_XDP,
4020 "helper access to packet: test6, cls valid packet_ptr range",
4022 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4023 offsetof(struct __sk_buff, data)),
4024 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4025 offsetof(struct __sk_buff, data_end)),
4026 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4028 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4029 BPF_LD_MAP_FD(BPF_REG_1, 0),
4030 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4031 BPF_MOV64_IMM(BPF_REG_4, 0),
4032 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4033 BPF_FUNC_map_update_elem),
4034 BPF_MOV64_IMM(BPF_REG_0, 0),
4037 .fixup_map1 = { 5 },
4039 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4042 "helper access to packet: test7, cls unchecked packet_ptr",
4044 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4045 offsetof(struct __sk_buff, data)),
4046 BPF_LD_MAP_FD(BPF_REG_1, 0),
4047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4048 BPF_FUNC_map_lookup_elem),
4049 BPF_MOV64_IMM(BPF_REG_0, 0),
4052 .fixup_map1 = { 1 },
4054 .errstr = "invalid access to packet",
4055 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4058 "helper access to packet: test8, cls variable add",
4060 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4061 offsetof(struct __sk_buff, data)),
4062 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4063 offsetof(struct __sk_buff, data_end)),
4064 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4066 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4067 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4068 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4069 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4070 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4072 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4073 BPF_LD_MAP_FD(BPF_REG_1, 0),
4074 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4075 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4076 BPF_FUNC_map_lookup_elem),
4077 BPF_MOV64_IMM(BPF_REG_0, 0),
4080 .fixup_map1 = { 11 },
4082 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4085 "helper access to packet: test9, cls packet_ptr with bad range",
4087 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4088 offsetof(struct __sk_buff, data)),
4089 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4090 offsetof(struct __sk_buff, data_end)),
4091 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4093 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4094 BPF_MOV64_IMM(BPF_REG_0, 0),
4096 BPF_LD_MAP_FD(BPF_REG_1, 0),
4097 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4098 BPF_FUNC_map_lookup_elem),
4099 BPF_MOV64_IMM(BPF_REG_0, 0),
4102 .fixup_map1 = { 7 },
4104 .errstr = "invalid access to packet",
4105 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4108 "helper access to packet: test10, cls packet_ptr with too short range",
4110 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4111 offsetof(struct __sk_buff, data)),
4112 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4113 offsetof(struct __sk_buff, data_end)),
4114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4115 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4117 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4118 BPF_LD_MAP_FD(BPF_REG_1, 0),
4119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4120 BPF_FUNC_map_lookup_elem),
4121 BPF_MOV64_IMM(BPF_REG_0, 0),
4124 .fixup_map1 = { 6 },
4126 .errstr = "invalid access to packet",
4127 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4130 "helper access to packet: test11, cls unsuitable helper 1",
4132 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4133 offsetof(struct __sk_buff, data)),
4134 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4135 offsetof(struct __sk_buff, data_end)),
4136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4137 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4139 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4140 BPF_MOV64_IMM(BPF_REG_2, 0),
4141 BPF_MOV64_IMM(BPF_REG_4, 42),
4142 BPF_MOV64_IMM(BPF_REG_5, 0),
4143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4144 BPF_FUNC_skb_store_bytes),
4145 BPF_MOV64_IMM(BPF_REG_0, 0),
4149 .errstr = "helper access to the packet",
4150 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4153 "helper access to packet: test12, cls unsuitable helper 2",
4155 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4156 offsetof(struct __sk_buff, data)),
4157 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4158 offsetof(struct __sk_buff, data_end)),
4159 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4161 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4162 BPF_MOV64_IMM(BPF_REG_2, 0),
4163 BPF_MOV64_IMM(BPF_REG_4, 4),
4164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4165 BPF_FUNC_skb_load_bytes),
4166 BPF_MOV64_IMM(BPF_REG_0, 0),
4170 .errstr = "helper access to the packet",
4171 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4174 "helper access to packet: test13, cls helper ok",
4176 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4177 offsetof(struct __sk_buff, data)),
4178 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4179 offsetof(struct __sk_buff, data_end)),
4180 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4181 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4183 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4184 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4185 BPF_MOV64_IMM(BPF_REG_2, 4),
4186 BPF_MOV64_IMM(BPF_REG_3, 0),
4187 BPF_MOV64_IMM(BPF_REG_4, 0),
4188 BPF_MOV64_IMM(BPF_REG_5, 0),
4189 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4190 BPF_FUNC_csum_diff),
4191 BPF_MOV64_IMM(BPF_REG_0, 0),
4195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4198 "helper access to packet: test14, cls helper ok sub",
4200 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4201 offsetof(struct __sk_buff, data)),
4202 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4203 offsetof(struct __sk_buff, data_end)),
4204 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4207 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4208 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4209 BPF_MOV64_IMM(BPF_REG_2, 4),
4210 BPF_MOV64_IMM(BPF_REG_3, 0),
4211 BPF_MOV64_IMM(BPF_REG_4, 0),
4212 BPF_MOV64_IMM(BPF_REG_5, 0),
4213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4214 BPF_FUNC_csum_diff),
4215 BPF_MOV64_IMM(BPF_REG_0, 0),
4219 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4222 "helper access to packet: test15, cls helper fail sub",
4224 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4225 offsetof(struct __sk_buff, data)),
4226 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4227 offsetof(struct __sk_buff, data_end)),
4228 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4229 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4231 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4232 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4233 BPF_MOV64_IMM(BPF_REG_2, 4),
4234 BPF_MOV64_IMM(BPF_REG_3, 0),
4235 BPF_MOV64_IMM(BPF_REG_4, 0),
4236 BPF_MOV64_IMM(BPF_REG_5, 0),
4237 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4238 BPF_FUNC_csum_diff),
4239 BPF_MOV64_IMM(BPF_REG_0, 0),
4243 .errstr = "invalid access to packet",
4244 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4247 "helper access to packet: test16, cls helper fail range 1",
4249 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4250 offsetof(struct __sk_buff, data)),
4251 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4252 offsetof(struct __sk_buff, data_end)),
4253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4256 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4257 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4258 BPF_MOV64_IMM(BPF_REG_2, 8),
4259 BPF_MOV64_IMM(BPF_REG_3, 0),
4260 BPF_MOV64_IMM(BPF_REG_4, 0),
4261 BPF_MOV64_IMM(BPF_REG_5, 0),
4262 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4263 BPF_FUNC_csum_diff),
4264 BPF_MOV64_IMM(BPF_REG_0, 0),
4268 .errstr = "invalid access to packet",
4269 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4272 "helper access to packet: test17, cls helper fail range 2",
4274 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4275 offsetof(struct __sk_buff, data)),
4276 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4277 offsetof(struct __sk_buff, data_end)),
4278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4279 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4281 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4282 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4283 BPF_MOV64_IMM(BPF_REG_2, -9),
4284 BPF_MOV64_IMM(BPF_REG_3, 0),
4285 BPF_MOV64_IMM(BPF_REG_4, 0),
4286 BPF_MOV64_IMM(BPF_REG_5, 0),
4287 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4288 BPF_FUNC_csum_diff),
4289 BPF_MOV64_IMM(BPF_REG_0, 0),
4293 .errstr = "R2 min value is negative",
4294 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4297 "helper access to packet: test18, cls helper fail range 3",
4299 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4300 offsetof(struct __sk_buff, data)),
4301 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4302 offsetof(struct __sk_buff, data_end)),
4303 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4304 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4306 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4308 BPF_MOV64_IMM(BPF_REG_2, ~0),
4309 BPF_MOV64_IMM(BPF_REG_3, 0),
4310 BPF_MOV64_IMM(BPF_REG_4, 0),
4311 BPF_MOV64_IMM(BPF_REG_5, 0),
4312 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4313 BPF_FUNC_csum_diff),
4314 BPF_MOV64_IMM(BPF_REG_0, 0),
4318 .errstr = "R2 min value is negative",
4319 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4322 "helper access to packet: test19, cls helper range zero",
4324 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4325 offsetof(struct __sk_buff, data)),
4326 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4327 offsetof(struct __sk_buff, data_end)),
4328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4331 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4332 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4333 BPF_MOV64_IMM(BPF_REG_2, 0),
4334 BPF_MOV64_IMM(BPF_REG_3, 0),
4335 BPF_MOV64_IMM(BPF_REG_4, 0),
4336 BPF_MOV64_IMM(BPF_REG_5, 0),
4337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4338 BPF_FUNC_csum_diff),
4339 BPF_MOV64_IMM(BPF_REG_0, 0),
4343 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4346 "helper access to packet: test20, pkt end as input",
4348 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4349 offsetof(struct __sk_buff, data)),
4350 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4351 offsetof(struct __sk_buff, data_end)),
4352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4355 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4356 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4357 BPF_MOV64_IMM(BPF_REG_2, 4),
4358 BPF_MOV64_IMM(BPF_REG_3, 0),
4359 BPF_MOV64_IMM(BPF_REG_4, 0),
4360 BPF_MOV64_IMM(BPF_REG_5, 0),
4361 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4362 BPF_FUNC_csum_diff),
4363 BPF_MOV64_IMM(BPF_REG_0, 0),
4367 .errstr = "R1 type=pkt_end expected=fp",
4368 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4371 "helper access to packet: test21, wrong reg",
4373 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4374 offsetof(struct __sk_buff, data)),
4375 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4376 offsetof(struct __sk_buff, data_end)),
4377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4378 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4380 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4381 BPF_MOV64_IMM(BPF_REG_2, 4),
4382 BPF_MOV64_IMM(BPF_REG_3, 0),
4383 BPF_MOV64_IMM(BPF_REG_4, 0),
4384 BPF_MOV64_IMM(BPF_REG_5, 0),
4385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4386 BPF_FUNC_csum_diff),
4387 BPF_MOV64_IMM(BPF_REG_0, 0),
4391 .errstr = "invalid access to packet",
4392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4395 "valid map access into an array with a constant",
4397 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4398 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4400 BPF_LD_MAP_FD(BPF_REG_1, 0),
4401 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4402 BPF_FUNC_map_lookup_elem),
4403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4404 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4405 offsetof(struct test_val, foo)),
4408 .fixup_map2 = { 3 },
4409 .errstr_unpriv = "R0 leaks addr",
4410 .result_unpriv = REJECT,
4414 "valid map access into an array with a register",
4416 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4417 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4418 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4419 BPF_LD_MAP_FD(BPF_REG_1, 0),
4420 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4421 BPF_FUNC_map_lookup_elem),
4422 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4423 BPF_MOV64_IMM(BPF_REG_1, 4),
4424 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4425 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4426 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4427 offsetof(struct test_val, foo)),
4430 .fixup_map2 = { 3 },
4431 .errstr_unpriv = "R0 leaks addr",
4432 .result_unpriv = REJECT,
4434 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4437 "valid map access into an array with a variable",
4439 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4440 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4442 BPF_LD_MAP_FD(BPF_REG_1, 0),
4443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4444 BPF_FUNC_map_lookup_elem),
4445 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4446 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4447 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4448 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4449 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4450 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4451 offsetof(struct test_val, foo)),
4454 .fixup_map2 = { 3 },
4455 .errstr_unpriv = "R0 leaks addr",
4456 .result_unpriv = REJECT,
4458 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4461 "valid map access into an array with a signed variable",
4463 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4464 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4466 BPF_LD_MAP_FD(BPF_REG_1, 0),
4467 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4468 BPF_FUNC_map_lookup_elem),
4469 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4470 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4471 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4472 BPF_MOV32_IMM(BPF_REG_1, 0),
4473 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4474 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4475 BPF_MOV32_IMM(BPF_REG_1, 0),
4476 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4477 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4478 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4479 offsetof(struct test_val, foo)),
4482 .fixup_map2 = { 3 },
4483 .errstr_unpriv = "R0 leaks addr",
4484 .result_unpriv = REJECT,
4486 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4489 "invalid map access into an array with a constant",
4491 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4492 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4494 BPF_LD_MAP_FD(BPF_REG_1, 0),
4495 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4496 BPF_FUNC_map_lookup_elem),
4497 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4498 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4499 offsetof(struct test_val, foo)),
4502 .fixup_map2 = { 3 },
4503 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4507 "invalid map access into an array with a register",
4509 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4510 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4512 BPF_LD_MAP_FD(BPF_REG_1, 0),
4513 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4514 BPF_FUNC_map_lookup_elem),
4515 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4516 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4517 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4518 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4519 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4520 offsetof(struct test_val, foo)),
4523 .fixup_map2 = { 3 },
4524 .errstr = "R0 min value is outside of the array range",
4526 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4529 "invalid map access into an array with a variable",
4531 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4532 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4534 BPF_LD_MAP_FD(BPF_REG_1, 0),
4535 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4536 BPF_FUNC_map_lookup_elem),
4537 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4538 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4539 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4540 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4541 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4542 offsetof(struct test_val, foo)),
4545 .fixup_map2 = { 3 },
4546 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4548 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4551 "invalid map access into an array with no floor check",
4553 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4556 BPF_LD_MAP_FD(BPF_REG_1, 0),
4557 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4558 BPF_FUNC_map_lookup_elem),
4559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4560 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4561 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4562 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4563 BPF_MOV32_IMM(BPF_REG_1, 0),
4564 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4565 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4566 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4567 offsetof(struct test_val, foo)),
4570 .fixup_map2 = { 3 },
4571 .errstr_unpriv = "R0 leaks addr",
4572 .errstr = "R0 unbounded memory access",
4573 .result_unpriv = REJECT,
4575 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4578 "invalid map access into an array with a invalid max check",
4580 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4583 BPF_LD_MAP_FD(BPF_REG_1, 0),
4584 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4585 BPF_FUNC_map_lookup_elem),
4586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4587 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4588 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4589 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4590 BPF_MOV32_IMM(BPF_REG_1, 0),
4591 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4592 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4593 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4594 offsetof(struct test_val, foo)),
4597 .fixup_map2 = { 3 },
4598 .errstr_unpriv = "R0 leaks addr",
4599 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4600 .result_unpriv = REJECT,
4602 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4605 "invalid map access into an array with a invalid max check",
4607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4610 BPF_LD_MAP_FD(BPF_REG_1, 0),
4611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4612 BPF_FUNC_map_lookup_elem),
4613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4614 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4615 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4616 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4617 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4618 BPF_LD_MAP_FD(BPF_REG_1, 0),
4619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4620 BPF_FUNC_map_lookup_elem),
4621 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4622 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4623 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4624 offsetof(struct test_val, foo)),
4627 .fixup_map2 = { 3, 11 },
4628 .errstr = "R0 pointer += pointer",
4630 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4633 "valid cgroup storage access",
4635 BPF_MOV64_IMM(BPF_REG_2, 0),
4636 BPF_LD_MAP_FD(BPF_REG_1, 0),
4637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4638 BPF_FUNC_get_local_storage),
4639 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4640 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4641 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4644 .fixup_cgroup_storage = { 1 },
4646 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4649 "invalid cgroup storage access 1",
4651 BPF_MOV64_IMM(BPF_REG_2, 0),
4652 BPF_LD_MAP_FD(BPF_REG_1, 0),
4653 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4654 BPF_FUNC_get_local_storage),
4655 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4656 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4657 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4660 .fixup_map1 = { 1 },
4662 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4663 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4666 "invalid cgroup storage access 2",
4668 BPF_MOV64_IMM(BPF_REG_2, 0),
4669 BPF_LD_MAP_FD(BPF_REG_1, 1),
4670 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4671 BPF_FUNC_get_local_storage),
4672 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4676 .errstr = "fd 1 is not pointing to valid bpf_map",
4677 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4680 "invalid cgroup storage access 3",
4682 BPF_MOV64_IMM(BPF_REG_2, 0),
4683 BPF_LD_MAP_FD(BPF_REG_1, 0),
4684 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4685 BPF_FUNC_get_local_storage),
4686 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4688 BPF_MOV64_IMM(BPF_REG_0, 0),
4691 .fixup_cgroup_storage = { 1 },
4693 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
4694 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4697 "invalid cgroup storage access 4",
4699 BPF_MOV64_IMM(BPF_REG_2, 0),
4700 BPF_LD_MAP_FD(BPF_REG_1, 0),
4701 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4702 BPF_FUNC_get_local_storage),
4703 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4704 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4708 .fixup_cgroup_storage = { 1 },
4710 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4711 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4714 "invalid cgroup storage access 5",
4716 BPF_MOV64_IMM(BPF_REG_2, 7),
4717 BPF_LD_MAP_FD(BPF_REG_1, 0),
4718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4719 BPF_FUNC_get_local_storage),
4720 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4721 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4722 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4725 .fixup_cgroup_storage = { 1 },
4727 .errstr = "get_local_storage() doesn't support non-zero flags",
4728 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4731 "invalid cgroup storage access 6",
4733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4734 BPF_LD_MAP_FD(BPF_REG_1, 0),
4735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4736 BPF_FUNC_get_local_storage),
4737 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4738 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4739 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4742 .fixup_cgroup_storage = { 1 },
4744 .errstr = "get_local_storage() doesn't support non-zero flags",
4745 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4748 "valid per-cpu cgroup storage access",
4750 BPF_MOV64_IMM(BPF_REG_2, 0),
4751 BPF_LD_MAP_FD(BPF_REG_1, 0),
4752 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4753 BPF_FUNC_get_local_storage),
4754 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4755 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4756 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4759 .fixup_percpu_cgroup_storage = { 1 },
4761 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4764 "invalid per-cpu cgroup storage access 1",
4766 BPF_MOV64_IMM(BPF_REG_2, 0),
4767 BPF_LD_MAP_FD(BPF_REG_1, 0),
4768 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4769 BPF_FUNC_get_local_storage),
4770 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4771 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4772 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4775 .fixup_map1 = { 1 },
4777 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4778 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4781 "invalid per-cpu cgroup storage access 2",
4783 BPF_MOV64_IMM(BPF_REG_2, 0),
4784 BPF_LD_MAP_FD(BPF_REG_1, 1),
4785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4786 BPF_FUNC_get_local_storage),
4787 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4791 .errstr = "fd 1 is not pointing to valid bpf_map",
4792 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4795 "invalid per-cpu cgroup storage access 3",
4797 BPF_MOV64_IMM(BPF_REG_2, 0),
4798 BPF_LD_MAP_FD(BPF_REG_1, 0),
4799 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4800 BPF_FUNC_get_local_storage),
4801 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4803 BPF_MOV64_IMM(BPF_REG_0, 0),
4806 .fixup_percpu_cgroup_storage = { 1 },
4808 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
4809 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4812 "invalid per-cpu cgroup storage access 4",
4814 BPF_MOV64_IMM(BPF_REG_2, 0),
4815 BPF_LD_MAP_FD(BPF_REG_1, 0),
4816 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4817 BPF_FUNC_get_local_storage),
4818 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4819 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4820 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4823 .fixup_cgroup_storage = { 1 },
4825 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4826 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4829 "invalid per-cpu cgroup storage access 5",
4831 BPF_MOV64_IMM(BPF_REG_2, 7),
4832 BPF_LD_MAP_FD(BPF_REG_1, 0),
4833 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4834 BPF_FUNC_get_local_storage),
4835 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4836 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4837 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4840 .fixup_percpu_cgroup_storage = { 1 },
4842 .errstr = "get_local_storage() doesn't support non-zero flags",
4843 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4846 "invalid per-cpu cgroup storage access 6",
4848 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4849 BPF_LD_MAP_FD(BPF_REG_1, 0),
4850 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4851 BPF_FUNC_get_local_storage),
4852 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4853 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4854 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4857 .fixup_percpu_cgroup_storage = { 1 },
4859 .errstr = "get_local_storage() doesn't support non-zero flags",
4860 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4863 "multiple registers share map_lookup_elem result",
4865 BPF_MOV64_IMM(BPF_REG_1, 10),
4866 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4869 BPF_LD_MAP_FD(BPF_REG_1, 0),
4870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4871 BPF_FUNC_map_lookup_elem),
4872 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4874 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4877 .fixup_map1 = { 4 },
4879 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4882 "alu ops on ptr_to_map_value_or_null, 1",
4884 BPF_MOV64_IMM(BPF_REG_1, 10),
4885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4886 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4888 BPF_LD_MAP_FD(BPF_REG_1, 0),
4889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4890 BPF_FUNC_map_lookup_elem),
4891 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4894 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4895 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4898 .fixup_map1 = { 4 },
4899 .errstr = "R4 pointer arithmetic on map_value_or_null",
4901 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4904 "alu ops on ptr_to_map_value_or_null, 2",
4906 BPF_MOV64_IMM(BPF_REG_1, 10),
4907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4908 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4910 BPF_LD_MAP_FD(BPF_REG_1, 0),
4911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4912 BPF_FUNC_map_lookup_elem),
4913 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4914 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4915 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4916 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4919 .fixup_map1 = { 4 },
4920 .errstr = "R4 pointer arithmetic on map_value_or_null",
4922 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4925 "alu ops on ptr_to_map_value_or_null, 3",
4927 BPF_MOV64_IMM(BPF_REG_1, 10),
4928 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4931 BPF_LD_MAP_FD(BPF_REG_1, 0),
4932 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4933 BPF_FUNC_map_lookup_elem),
4934 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4935 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4936 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4937 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4940 .fixup_map1 = { 4 },
4941 .errstr = "R4 pointer arithmetic on map_value_or_null",
4943 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4946 "invalid memory access with multiple map_lookup_elem calls",
4948 BPF_MOV64_IMM(BPF_REG_1, 10),
4949 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4950 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4952 BPF_LD_MAP_FD(BPF_REG_1, 0),
4953 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4954 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4956 BPF_FUNC_map_lookup_elem),
4957 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4960 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4961 BPF_FUNC_map_lookup_elem),
4962 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4963 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4966 .fixup_map1 = { 4 },
4968 .errstr = "R4 !read_ok",
4969 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4972 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4974 BPF_MOV64_IMM(BPF_REG_1, 10),
4975 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4976 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4978 BPF_LD_MAP_FD(BPF_REG_1, 0),
4979 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4980 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4982 BPF_FUNC_map_lookup_elem),
4983 BPF_MOV64_IMM(BPF_REG_2, 10),
4984 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4985 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4988 BPF_FUNC_map_lookup_elem),
4989 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4990 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4991 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4994 .fixup_map1 = { 4 },
4996 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4999 "invalid map access from else condition",
5001 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5002 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5004 BPF_LD_MAP_FD(BPF_REG_1, 0),
5005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5006 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5007 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5008 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5010 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5011 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5012 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5015 .fixup_map2 = { 3 },
5016 .errstr = "R0 unbounded memory access",
5018 .errstr_unpriv = "R0 leaks addr",
5019 .result_unpriv = REJECT,
5020 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5023 "constant register |= constant should keep constant type",
5025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5027 BPF_MOV64_IMM(BPF_REG_2, 34),
5028 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5029 BPF_MOV64_IMM(BPF_REG_3, 0),
5030 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5034 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5037 "constant register |= constant should not bypass stack boundary checks",
5039 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5041 BPF_MOV64_IMM(BPF_REG_2, 34),
5042 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5043 BPF_MOV64_IMM(BPF_REG_3, 0),
5044 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5047 .errstr = "invalid stack type R1 off=-48 access_size=58",
5049 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5052 "constant register |= constant register should keep constant type",
5054 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5056 BPF_MOV64_IMM(BPF_REG_2, 34),
5057 BPF_MOV64_IMM(BPF_REG_4, 13),
5058 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5059 BPF_MOV64_IMM(BPF_REG_3, 0),
5060 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5064 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5067 "constant register |= constant register should not bypass stack boundary checks",
5069 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5071 BPF_MOV64_IMM(BPF_REG_2, 34),
5072 BPF_MOV64_IMM(BPF_REG_4, 24),
5073 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5074 BPF_MOV64_IMM(BPF_REG_3, 0),
5075 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5078 .errstr = "invalid stack type R1 off=-48 access_size=58",
5080 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5083 "invalid direct packet write for LWT_IN",
5085 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5086 offsetof(struct __sk_buff, data)),
5087 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5088 offsetof(struct __sk_buff, data_end)),
5089 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5091 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5092 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5093 BPF_MOV64_IMM(BPF_REG_0, 0),
5096 .errstr = "cannot write into packet",
5098 .prog_type = BPF_PROG_TYPE_LWT_IN,
5101 "invalid direct packet write for LWT_OUT",
5103 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5104 offsetof(struct __sk_buff, data)),
5105 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5106 offsetof(struct __sk_buff, data_end)),
5107 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5109 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5110 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5111 BPF_MOV64_IMM(BPF_REG_0, 0),
5114 .errstr = "cannot write into packet",
5116 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5119 "direct packet write for LWT_XMIT",
5121 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5122 offsetof(struct __sk_buff, data)),
5123 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5124 offsetof(struct __sk_buff, data_end)),
5125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5127 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5128 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5129 BPF_MOV64_IMM(BPF_REG_0, 0),
5133 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5136 "direct packet read for LWT_IN",
5138 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5139 offsetof(struct __sk_buff, data)),
5140 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5141 offsetof(struct __sk_buff, data_end)),
5142 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5144 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5145 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5146 BPF_MOV64_IMM(BPF_REG_0, 0),
5150 .prog_type = BPF_PROG_TYPE_LWT_IN,
5153 "direct packet read for LWT_OUT",
5155 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5156 offsetof(struct __sk_buff, data)),
5157 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5158 offsetof(struct __sk_buff, data_end)),
5159 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5161 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5162 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5163 BPF_MOV64_IMM(BPF_REG_0, 0),
5167 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5170 "direct packet read for LWT_XMIT",
5172 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5173 offsetof(struct __sk_buff, data)),
5174 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5175 offsetof(struct __sk_buff, data_end)),
5176 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5178 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5179 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5180 BPF_MOV64_IMM(BPF_REG_0, 0),
5184 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5187 "overlapping checks for direct packet access",
5189 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5190 offsetof(struct __sk_buff, data)),
5191 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5192 offsetof(struct __sk_buff, data_end)),
5193 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5195 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5196 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5198 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5199 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5200 BPF_MOV64_IMM(BPF_REG_0, 0),
5204 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5207 "make headroom for LWT_XMIT",
5209 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5210 BPF_MOV64_IMM(BPF_REG_2, 34),
5211 BPF_MOV64_IMM(BPF_REG_3, 0),
5212 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5213 /* split for s390 to succeed */
5214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5215 BPF_MOV64_IMM(BPF_REG_2, 42),
5216 BPF_MOV64_IMM(BPF_REG_3, 0),
5217 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5218 BPF_MOV64_IMM(BPF_REG_0, 0),
5222 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5225 "invalid access of tc_classid for LWT_IN",
5227 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5228 offsetof(struct __sk_buff, tc_classid)),
5232 .errstr = "invalid bpf_context access",
5235 "invalid access of tc_classid for LWT_OUT",
5237 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5238 offsetof(struct __sk_buff, tc_classid)),
5242 .errstr = "invalid bpf_context access",
5245 "invalid access of tc_classid for LWT_XMIT",
5247 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5248 offsetof(struct __sk_buff, tc_classid)),
5252 .errstr = "invalid bpf_context access",
5255 "leak pointer into ctx 1",
5257 BPF_MOV64_IMM(BPF_REG_0, 0),
5258 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5259 offsetof(struct __sk_buff, cb[0])),
5260 BPF_LD_MAP_FD(BPF_REG_2, 0),
5261 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5262 offsetof(struct __sk_buff, cb[0])),
5265 .fixup_map1 = { 2 },
5266 .errstr_unpriv = "R2 leaks addr into mem",
5267 .result_unpriv = REJECT,
5269 .errstr = "BPF_XADD stores into R1 inv is not allowed",
5272 "leak pointer into ctx 2",
5274 BPF_MOV64_IMM(BPF_REG_0, 0),
5275 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5276 offsetof(struct __sk_buff, cb[0])),
5277 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5278 offsetof(struct __sk_buff, cb[0])),
5281 .errstr_unpriv = "R10 leaks addr into mem",
5282 .result_unpriv = REJECT,
5284 .errstr = "BPF_XADD stores into R1 inv is not allowed",
5287 "leak pointer into ctx 3",
5289 BPF_MOV64_IMM(BPF_REG_0, 0),
5290 BPF_LD_MAP_FD(BPF_REG_2, 0),
5291 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5292 offsetof(struct __sk_buff, cb[0])),
5295 .fixup_map1 = { 1 },
5296 .errstr_unpriv = "R2 leaks addr into ctx",
5297 .result_unpriv = REJECT,
5301 "leak pointer into map val",
5303 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5304 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5305 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5307 BPF_LD_MAP_FD(BPF_REG_1, 0),
5308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5309 BPF_FUNC_map_lookup_elem),
5310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5311 BPF_MOV64_IMM(BPF_REG_3, 0),
5312 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5313 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5314 BPF_MOV64_IMM(BPF_REG_0, 0),
5317 .fixup_map1 = { 4 },
5318 .errstr_unpriv = "R6 leaks addr into mem",
5319 .result_unpriv = REJECT,
5323 "helper access to map: full range",
5325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5327 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5328 BPF_LD_MAP_FD(BPF_REG_1, 0),
5329 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5330 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5332 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5333 BPF_MOV64_IMM(BPF_REG_3, 0),
5334 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5337 .fixup_map2 = { 3 },
5339 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5342 "helper access to map: partial range",
5344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5346 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5347 BPF_LD_MAP_FD(BPF_REG_1, 0),
5348 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5349 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5351 BPF_MOV64_IMM(BPF_REG_2, 8),
5352 BPF_MOV64_IMM(BPF_REG_3, 0),
5353 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5356 .fixup_map2 = { 3 },
5358 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5361 "helper access to map: empty range",
5363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5365 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5366 BPF_LD_MAP_FD(BPF_REG_1, 0),
5367 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5368 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5370 BPF_MOV64_IMM(BPF_REG_2, 0),
5371 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5374 .fixup_map2 = { 3 },
5375 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5377 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5380 "helper access to map: out-of-bound range",
5382 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5384 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5385 BPF_LD_MAP_FD(BPF_REG_1, 0),
5386 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5387 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5388 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5389 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5390 BPF_MOV64_IMM(BPF_REG_3, 0),
5391 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5394 .fixup_map2 = { 3 },
5395 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5397 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5400 "helper access to map: negative range",
5402 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5404 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5405 BPF_LD_MAP_FD(BPF_REG_1, 0),
5406 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5407 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5408 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5409 BPF_MOV64_IMM(BPF_REG_2, -8),
5410 BPF_MOV64_IMM(BPF_REG_3, 0),
5411 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5414 .fixup_map2 = { 3 },
5415 .errstr = "R2 min value is negative",
5417 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5420 "helper access to adjusted map (via const imm): full range",
5422 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5424 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5425 BPF_LD_MAP_FD(BPF_REG_1, 0),
5426 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5427 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5428 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5430 offsetof(struct test_val, foo)),
5431 BPF_MOV64_IMM(BPF_REG_2,
5432 sizeof(struct test_val) -
5433 offsetof(struct test_val, foo)),
5434 BPF_MOV64_IMM(BPF_REG_3, 0),
5435 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5438 .fixup_map2 = { 3 },
5440 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5443 "helper access to adjusted map (via const imm): partial range",
5445 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5446 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5447 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5448 BPF_LD_MAP_FD(BPF_REG_1, 0),
5449 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5450 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5453 offsetof(struct test_val, foo)),
5454 BPF_MOV64_IMM(BPF_REG_2, 8),
5455 BPF_MOV64_IMM(BPF_REG_3, 0),
5456 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5459 .fixup_map2 = { 3 },
5461 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5464 "helper access to adjusted map (via const imm): empty range",
5466 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5467 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5468 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5469 BPF_LD_MAP_FD(BPF_REG_1, 0),
5470 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5471 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5474 offsetof(struct test_val, foo)),
5475 BPF_MOV64_IMM(BPF_REG_2, 0),
5476 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5479 .fixup_map2 = { 3 },
5480 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5482 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5485 "helper access to adjusted map (via const imm): out-of-bound range",
5487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5489 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5490 BPF_LD_MAP_FD(BPF_REG_1, 0),
5491 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5492 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5493 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5495 offsetof(struct test_val, foo)),
5496 BPF_MOV64_IMM(BPF_REG_2,
5497 sizeof(struct test_val) -
5498 offsetof(struct test_val, foo) + 8),
5499 BPF_MOV64_IMM(BPF_REG_3, 0),
5500 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5503 .fixup_map2 = { 3 },
5504 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5506 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5509 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5511 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5513 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5514 BPF_LD_MAP_FD(BPF_REG_1, 0),
5515 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5516 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5517 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5519 offsetof(struct test_val, foo)),
5520 BPF_MOV64_IMM(BPF_REG_2, -8),
5521 BPF_MOV64_IMM(BPF_REG_3, 0),
5522 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5525 .fixup_map2 = { 3 },
5526 .errstr = "R2 min value is negative",
5528 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5531 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5535 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5536 BPF_LD_MAP_FD(BPF_REG_1, 0),
5537 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5538 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5541 offsetof(struct test_val, foo)),
5542 BPF_MOV64_IMM(BPF_REG_2, -1),
5543 BPF_MOV64_IMM(BPF_REG_3, 0),
5544 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5547 .fixup_map2 = { 3 },
5548 .errstr = "R2 min value is negative",
5550 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5553 "helper access to adjusted map (via const reg): full range",
5555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5557 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5558 BPF_LD_MAP_FD(BPF_REG_1, 0),
5559 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5562 BPF_MOV64_IMM(BPF_REG_3,
5563 offsetof(struct test_val, foo)),
5564 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5565 BPF_MOV64_IMM(BPF_REG_2,
5566 sizeof(struct test_val) -
5567 offsetof(struct test_val, foo)),
5568 BPF_MOV64_IMM(BPF_REG_3, 0),
5569 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5572 .fixup_map2 = { 3 },
5574 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5577 "helper access to adjusted map (via const reg): partial range",
5579 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5581 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5582 BPF_LD_MAP_FD(BPF_REG_1, 0),
5583 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5586 BPF_MOV64_IMM(BPF_REG_3,
5587 offsetof(struct test_val, foo)),
5588 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5589 BPF_MOV64_IMM(BPF_REG_2, 8),
5590 BPF_MOV64_IMM(BPF_REG_3, 0),
5591 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5594 .fixup_map2 = { 3 },
5596 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5599 "helper access to adjusted map (via const reg): empty range",
5601 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5602 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5603 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5604 BPF_LD_MAP_FD(BPF_REG_1, 0),
5605 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5606 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5607 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5608 BPF_MOV64_IMM(BPF_REG_3, 0),
5609 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5610 BPF_MOV64_IMM(BPF_REG_2, 0),
5611 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5614 .fixup_map2 = { 3 },
5615 .errstr = "R1 min value is outside of the array range",
5617 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5620 "helper access to adjusted map (via const reg): out-of-bound range",
5622 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5624 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5625 BPF_LD_MAP_FD(BPF_REG_1, 0),
5626 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5627 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5628 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5629 BPF_MOV64_IMM(BPF_REG_3,
5630 offsetof(struct test_val, foo)),
5631 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5632 BPF_MOV64_IMM(BPF_REG_2,
5633 sizeof(struct test_val) -
5634 offsetof(struct test_val, foo) + 8),
5635 BPF_MOV64_IMM(BPF_REG_3, 0),
5636 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5639 .fixup_map2 = { 3 },
5640 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5642 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5645 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5649 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5650 BPF_LD_MAP_FD(BPF_REG_1, 0),
5651 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5653 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5654 BPF_MOV64_IMM(BPF_REG_3,
5655 offsetof(struct test_val, foo)),
5656 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5657 BPF_MOV64_IMM(BPF_REG_2, -8),
5658 BPF_MOV64_IMM(BPF_REG_3, 0),
5659 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5662 .fixup_map2 = { 3 },
5663 .errstr = "R2 min value is negative",
5665 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5668 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5670 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5672 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5673 BPF_LD_MAP_FD(BPF_REG_1, 0),
5674 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5676 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5677 BPF_MOV64_IMM(BPF_REG_3,
5678 offsetof(struct test_val, foo)),
5679 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5680 BPF_MOV64_IMM(BPF_REG_2, -1),
5681 BPF_MOV64_IMM(BPF_REG_3, 0),
5682 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5685 .fixup_map2 = { 3 },
5686 .errstr = "R2 min value is negative",
5688 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5691 "helper access to adjusted map (via variable): full range",
5693 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5694 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5695 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5696 BPF_LD_MAP_FD(BPF_REG_1, 0),
5697 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5698 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5699 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5700 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5701 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5702 offsetof(struct test_val, foo), 4),
5703 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5704 BPF_MOV64_IMM(BPF_REG_2,
5705 sizeof(struct test_val) -
5706 offsetof(struct test_val, foo)),
5707 BPF_MOV64_IMM(BPF_REG_3, 0),
5708 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5711 .fixup_map2 = { 3 },
5713 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5716 "helper access to adjusted map (via variable): partial range",
5718 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5720 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5721 BPF_LD_MAP_FD(BPF_REG_1, 0),
5722 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5723 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5724 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5725 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5726 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5727 offsetof(struct test_val, foo), 4),
5728 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5729 BPF_MOV64_IMM(BPF_REG_2, 8),
5730 BPF_MOV64_IMM(BPF_REG_3, 0),
5731 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5734 .fixup_map2 = { 3 },
5736 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5739 "helper access to adjusted map (via variable): empty range",
5741 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5743 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5744 BPF_LD_MAP_FD(BPF_REG_1, 0),
5745 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5746 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5747 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5748 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5749 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5750 offsetof(struct test_val, foo), 3),
5751 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5752 BPF_MOV64_IMM(BPF_REG_2, 0),
5753 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5756 .fixup_map2 = { 3 },
5757 .errstr = "R1 min value is outside of the array range",
5759 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5762 "helper access to adjusted map (via variable): no max check",
5764 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5766 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5767 BPF_LD_MAP_FD(BPF_REG_1, 0),
5768 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5769 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5770 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5771 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5772 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5773 BPF_MOV64_IMM(BPF_REG_2, 1),
5774 BPF_MOV64_IMM(BPF_REG_3, 0),
5775 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5778 .fixup_map2 = { 3 },
5779 .errstr = "R1 unbounded memory access",
5781 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5784 "helper access to adjusted map (via variable): wrong max check",
5786 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5788 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5789 BPF_LD_MAP_FD(BPF_REG_1, 0),
5790 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5793 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5794 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5795 offsetof(struct test_val, foo), 4),
5796 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5797 BPF_MOV64_IMM(BPF_REG_2,
5798 sizeof(struct test_val) -
5799 offsetof(struct test_val, foo) + 1),
5800 BPF_MOV64_IMM(BPF_REG_3, 0),
5801 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5804 .fixup_map2 = { 3 },
5805 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5807 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5810 "helper access to map: bounds check using <, good access",
5812 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5814 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5815 BPF_LD_MAP_FD(BPF_REG_1, 0),
5816 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5819 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5820 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5821 BPF_MOV64_IMM(BPF_REG_0, 0),
5823 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5824 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5825 BPF_MOV64_IMM(BPF_REG_0, 0),
5828 .fixup_map2 = { 3 },
5830 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5833 "helper access to map: bounds check using <, bad access",
5835 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5836 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5837 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5838 BPF_LD_MAP_FD(BPF_REG_1, 0),
5839 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5842 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5843 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5844 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5845 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5846 BPF_MOV64_IMM(BPF_REG_0, 0),
5848 BPF_MOV64_IMM(BPF_REG_0, 0),
5851 .fixup_map2 = { 3 },
5853 .errstr = "R1 unbounded memory access",
5854 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5857 "helper access to map: bounds check using <=, good access",
5859 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5861 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5862 BPF_LD_MAP_FD(BPF_REG_1, 0),
5863 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5864 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5865 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5866 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5867 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5868 BPF_MOV64_IMM(BPF_REG_0, 0),
5870 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5871 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5872 BPF_MOV64_IMM(BPF_REG_0, 0),
5875 .fixup_map2 = { 3 },
5877 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5880 "helper access to map: bounds check using <=, bad access",
5882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5884 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5885 BPF_LD_MAP_FD(BPF_REG_1, 0),
5886 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5887 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5888 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5889 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5890 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5891 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5892 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5893 BPF_MOV64_IMM(BPF_REG_0, 0),
5895 BPF_MOV64_IMM(BPF_REG_0, 0),
5898 .fixup_map2 = { 3 },
5900 .errstr = "R1 unbounded memory access",
5901 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5904 "helper access to map: bounds check using s<, good access",
5906 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5908 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5909 BPF_LD_MAP_FD(BPF_REG_1, 0),
5910 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5911 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5913 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5914 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5915 BPF_MOV64_IMM(BPF_REG_0, 0),
5917 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5918 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5919 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5920 BPF_MOV64_IMM(BPF_REG_0, 0),
5923 .fixup_map2 = { 3 },
5925 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5928 "helper access to map: bounds check using s<, good access 2",
5930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5932 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5933 BPF_LD_MAP_FD(BPF_REG_1, 0),
5934 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5937 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5938 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5939 BPF_MOV64_IMM(BPF_REG_0, 0),
5941 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5942 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5943 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5944 BPF_MOV64_IMM(BPF_REG_0, 0),
5947 .fixup_map2 = { 3 },
5949 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5952 "helper access to map: bounds check using s<, bad access",
5954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5956 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5957 BPF_LD_MAP_FD(BPF_REG_1, 0),
5958 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5959 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5960 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5961 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5962 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5963 BPF_MOV64_IMM(BPF_REG_0, 0),
5965 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5966 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5967 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5968 BPF_MOV64_IMM(BPF_REG_0, 0),
5971 .fixup_map2 = { 3 },
5973 .errstr = "R1 min value is negative",
5974 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5977 "helper access to map: bounds check using s<=, good access",
5979 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5981 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5982 BPF_LD_MAP_FD(BPF_REG_1, 0),
5983 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5984 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5985 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5986 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5987 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5988 BPF_MOV64_IMM(BPF_REG_0, 0),
5990 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5991 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5992 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5993 BPF_MOV64_IMM(BPF_REG_0, 0),
5996 .fixup_map2 = { 3 },
5998 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6001 "helper access to map: bounds check using s<=, good access 2",
6003 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6005 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6006 BPF_LD_MAP_FD(BPF_REG_1, 0),
6007 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6008 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6009 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6010 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6011 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6012 BPF_MOV64_IMM(BPF_REG_0, 0),
6014 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6015 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6016 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6017 BPF_MOV64_IMM(BPF_REG_0, 0),
6020 .fixup_map2 = { 3 },
6022 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6025 "helper access to map: bounds check using s<=, bad access",
6027 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6029 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6030 BPF_LD_MAP_FD(BPF_REG_1, 0),
6031 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6032 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6033 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6034 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6035 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6036 BPF_MOV64_IMM(BPF_REG_0, 0),
6038 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6039 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6040 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6041 BPF_MOV64_IMM(BPF_REG_0, 0),
6044 .fixup_map2 = { 3 },
6046 .errstr = "R1 min value is negative",
6047 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6050 "map lookup helper access to map",
6052 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6054 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6055 BPF_LD_MAP_FD(BPF_REG_1, 0),
6056 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6057 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6059 BPF_LD_MAP_FD(BPF_REG_1, 0),
6060 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6063 .fixup_map3 = { 3, 8 },
6065 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6068 "map update helper access to map",
6070 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6072 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6073 BPF_LD_MAP_FD(BPF_REG_1, 0),
6074 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6075 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6076 BPF_MOV64_IMM(BPF_REG_4, 0),
6077 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6079 BPF_LD_MAP_FD(BPF_REG_1, 0),
6080 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6083 .fixup_map3 = { 3, 10 },
6085 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6088 "map update helper access to map: wrong size",
6090 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6091 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6092 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6093 BPF_LD_MAP_FD(BPF_REG_1, 0),
6094 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6095 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6096 BPF_MOV64_IMM(BPF_REG_4, 0),
6097 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6098 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6099 BPF_LD_MAP_FD(BPF_REG_1, 0),
6100 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6103 .fixup_map1 = { 3 },
6104 .fixup_map3 = { 10 },
6106 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6107 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6110 "map helper access to adjusted map (via const imm)",
6112 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6114 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6115 BPF_LD_MAP_FD(BPF_REG_1, 0),
6116 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6117 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6120 offsetof(struct other_val, bar)),
6121 BPF_LD_MAP_FD(BPF_REG_1, 0),
6122 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6125 .fixup_map3 = { 3, 9 },
6127 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6130 "map helper access to adjusted map (via const imm): out-of-bound 1",
6132 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6134 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6135 BPF_LD_MAP_FD(BPF_REG_1, 0),
6136 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6138 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6140 sizeof(struct other_val) - 4),
6141 BPF_LD_MAP_FD(BPF_REG_1, 0),
6142 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6145 .fixup_map3 = { 3, 9 },
6147 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6148 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6151 "map helper access to adjusted map (via const imm): out-of-bound 2",
6153 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6155 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6156 BPF_LD_MAP_FD(BPF_REG_1, 0),
6157 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6158 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6159 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6161 BPF_LD_MAP_FD(BPF_REG_1, 0),
6162 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6165 .fixup_map3 = { 3, 9 },
6167 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6168 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6171 "map helper access to adjusted map (via const reg)",
6173 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6175 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6176 BPF_LD_MAP_FD(BPF_REG_1, 0),
6177 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6178 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6179 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6180 BPF_MOV64_IMM(BPF_REG_3,
6181 offsetof(struct other_val, bar)),
6182 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6183 BPF_LD_MAP_FD(BPF_REG_1, 0),
6184 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6187 .fixup_map3 = { 3, 10 },
6189 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6192 "map helper access to adjusted map (via const reg): out-of-bound 1",
6194 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6196 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6197 BPF_LD_MAP_FD(BPF_REG_1, 0),
6198 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6200 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6201 BPF_MOV64_IMM(BPF_REG_3,
6202 sizeof(struct other_val) - 4),
6203 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6204 BPF_LD_MAP_FD(BPF_REG_1, 0),
6205 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6208 .fixup_map3 = { 3, 10 },
6210 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6211 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6214 "map helper access to adjusted map (via const reg): out-of-bound 2",
6216 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6218 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6219 BPF_LD_MAP_FD(BPF_REG_1, 0),
6220 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6221 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6222 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6223 BPF_MOV64_IMM(BPF_REG_3, -4),
6224 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6225 BPF_LD_MAP_FD(BPF_REG_1, 0),
6226 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6229 .fixup_map3 = { 3, 10 },
6231 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6232 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6235 "map helper access to adjusted map (via variable)",
6237 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6239 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6240 BPF_LD_MAP_FD(BPF_REG_1, 0),
6241 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6243 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6244 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6245 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6246 offsetof(struct other_val, bar), 4),
6247 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6248 BPF_LD_MAP_FD(BPF_REG_1, 0),
6249 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6252 .fixup_map3 = { 3, 11 },
6254 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6257 "map helper access to adjusted map (via variable): no max check",
6259 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6261 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6262 BPF_LD_MAP_FD(BPF_REG_1, 0),
6263 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6265 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6266 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6267 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6268 BPF_LD_MAP_FD(BPF_REG_1, 0),
6269 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6272 .fixup_map3 = { 3, 10 },
6274 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6275 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6278 "map helper access to adjusted map (via variable): wrong max check",
6280 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6282 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6283 BPF_LD_MAP_FD(BPF_REG_1, 0),
6284 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6285 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6287 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6288 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6289 offsetof(struct other_val, bar) + 1, 4),
6290 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6291 BPF_LD_MAP_FD(BPF_REG_1, 0),
6292 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6295 .fixup_map3 = { 3, 11 },
6297 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6298 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6301 "map element value is preserved across register spilling",
6303 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6305 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6306 BPF_LD_MAP_FD(BPF_REG_1, 0),
6307 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6308 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6309 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6312 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6313 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6314 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6317 .fixup_map2 = { 3 },
6318 .errstr_unpriv = "R0 leaks addr",
6320 .result_unpriv = REJECT,
6323 "map element value or null is marked on register spilling",
6325 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6326 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6327 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6328 BPF_LD_MAP_FD(BPF_REG_1, 0),
6329 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6330 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6332 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6333 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6334 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6335 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6338 .fixup_map2 = { 3 },
6339 .errstr_unpriv = "R0 leaks addr",
6341 .result_unpriv = REJECT,
6344 "map element value store of cleared call register",
6346 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6348 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6349 BPF_LD_MAP_FD(BPF_REG_1, 0),
6350 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6351 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6352 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6355 .fixup_map2 = { 3 },
6356 .errstr_unpriv = "R1 !read_ok",
6357 .errstr = "R1 !read_ok",
6359 .result_unpriv = REJECT,
6362 "map element value with unaligned store",
6364 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6366 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6367 BPF_LD_MAP_FD(BPF_REG_1, 0),
6368 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6369 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6370 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6371 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6372 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6373 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6374 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6375 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6376 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6377 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6379 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6380 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6381 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6382 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6384 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6385 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6386 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6389 .fixup_map2 = { 3 },
6390 .errstr_unpriv = "R0 leaks addr",
6392 .result_unpriv = REJECT,
6393 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6396 "map element value with unaligned load",
6398 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6400 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6401 BPF_LD_MAP_FD(BPF_REG_1, 0),
6402 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6403 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6404 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6405 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6407 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6408 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6409 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6410 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6411 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6413 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6414 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6417 .fixup_map2 = { 3 },
6418 .errstr_unpriv = "R0 leaks addr",
6420 .result_unpriv = REJECT,
6421 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6424 "map element value illegal alu op, 1",
6426 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6428 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6429 BPF_LD_MAP_FD(BPF_REG_1, 0),
6430 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6431 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6432 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6433 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6436 .fixup_map2 = { 3 },
6437 .errstr = "R0 bitwise operator &= on pointer",
6441 "map element value illegal alu op, 2",
6443 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6445 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6446 BPF_LD_MAP_FD(BPF_REG_1, 0),
6447 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6448 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6449 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6450 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6453 .fixup_map2 = { 3 },
6454 .errstr = "R0 32-bit pointer arithmetic prohibited",
6458 "map element value illegal alu op, 3",
6460 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6462 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6463 BPF_LD_MAP_FD(BPF_REG_1, 0),
6464 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6465 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6466 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6467 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6470 .fixup_map2 = { 3 },
6471 .errstr = "R0 pointer arithmetic with /= operator",
6475 "map element value illegal alu op, 4",
6477 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6479 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6480 BPF_LD_MAP_FD(BPF_REG_1, 0),
6481 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6483 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6484 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6487 .fixup_map2 = { 3 },
6488 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6489 .errstr = "invalid mem access 'inv'",
6491 .result_unpriv = REJECT,
6494 "map element value illegal alu op, 5",
6496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6498 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6499 BPF_LD_MAP_FD(BPF_REG_1, 0),
6500 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6502 BPF_MOV64_IMM(BPF_REG_3, 4096),
6503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6505 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6506 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6507 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6508 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6511 .fixup_map2 = { 3 },
6512 .errstr = "R0 invalid mem access 'inv'",
6516 "map element value is preserved across register spilling",
6518 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6519 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6520 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6521 BPF_LD_MAP_FD(BPF_REG_1, 0),
6522 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6525 offsetof(struct test_val, foo)),
6526 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6527 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6528 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6529 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6530 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6531 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6534 .fixup_map2 = { 3 },
6535 .errstr_unpriv = "R0 leaks addr",
6537 .result_unpriv = REJECT,
6538 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6541 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6543 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6545 BPF_MOV64_IMM(BPF_REG_0, 0),
6546 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6547 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6548 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6549 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6550 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6551 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6552 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6553 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6554 BPF_MOV64_IMM(BPF_REG_2, 16),
6555 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6556 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6557 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6558 BPF_MOV64_IMM(BPF_REG_4, 0),
6559 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6560 BPF_MOV64_IMM(BPF_REG_3, 0),
6561 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6562 BPF_MOV64_IMM(BPF_REG_0, 0),
6566 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6569 "helper access to variable memory: stack, bitwise AND, zero included",
6571 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6572 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6573 BPF_MOV64_IMM(BPF_REG_2, 16),
6574 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6575 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6576 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6577 BPF_MOV64_IMM(BPF_REG_3, 0),
6578 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6581 .errstr = "invalid indirect read from stack off -64+0 size 64",
6583 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6586 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6588 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6590 BPF_MOV64_IMM(BPF_REG_2, 16),
6591 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6592 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6593 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6594 BPF_MOV64_IMM(BPF_REG_4, 0),
6595 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6596 BPF_MOV64_IMM(BPF_REG_3, 0),
6597 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6598 BPF_MOV64_IMM(BPF_REG_0, 0),
6601 .errstr = "invalid stack type R1 off=-64 access_size=65",
6603 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6606 "helper access to variable memory: stack, JMP, correct bounds",
6608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6610 BPF_MOV64_IMM(BPF_REG_0, 0),
6611 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6612 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6613 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6614 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6615 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6616 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6617 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6618 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6619 BPF_MOV64_IMM(BPF_REG_2, 16),
6620 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6621 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6622 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6623 BPF_MOV64_IMM(BPF_REG_4, 0),
6624 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6625 BPF_MOV64_IMM(BPF_REG_3, 0),
6626 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6627 BPF_MOV64_IMM(BPF_REG_0, 0),
6631 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6634 "helper access to variable memory: stack, JMP (signed), correct bounds",
6636 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6638 BPF_MOV64_IMM(BPF_REG_0, 0),
6639 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6640 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6641 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6642 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6643 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6644 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6645 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6646 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6647 BPF_MOV64_IMM(BPF_REG_2, 16),
6648 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6649 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6650 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6651 BPF_MOV64_IMM(BPF_REG_4, 0),
6652 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6653 BPF_MOV64_IMM(BPF_REG_3, 0),
6654 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6655 BPF_MOV64_IMM(BPF_REG_0, 0),
6659 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6662 "helper access to variable memory: stack, JMP, bounds + offset",
6664 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6666 BPF_MOV64_IMM(BPF_REG_2, 16),
6667 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6668 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6669 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6670 BPF_MOV64_IMM(BPF_REG_4, 0),
6671 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6672 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6673 BPF_MOV64_IMM(BPF_REG_3, 0),
6674 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6675 BPF_MOV64_IMM(BPF_REG_0, 0),
6678 .errstr = "invalid stack type R1 off=-64 access_size=65",
6680 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6683 "helper access to variable memory: stack, JMP, wrong max",
6685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6687 BPF_MOV64_IMM(BPF_REG_2, 16),
6688 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6689 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6690 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6691 BPF_MOV64_IMM(BPF_REG_4, 0),
6692 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6693 BPF_MOV64_IMM(BPF_REG_3, 0),
6694 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6695 BPF_MOV64_IMM(BPF_REG_0, 0),
6698 .errstr = "invalid stack type R1 off=-64 access_size=65",
6700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6703 "helper access to variable memory: stack, JMP, no max check",
6705 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6707 BPF_MOV64_IMM(BPF_REG_2, 16),
6708 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6709 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6710 BPF_MOV64_IMM(BPF_REG_4, 0),
6711 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6712 BPF_MOV64_IMM(BPF_REG_3, 0),
6713 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6714 BPF_MOV64_IMM(BPF_REG_0, 0),
6717 /* because max wasn't checked, signed min is negative */
6718 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6720 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6723 "helper access to variable memory: stack, JMP, no min check",
6725 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6727 BPF_MOV64_IMM(BPF_REG_2, 16),
6728 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6729 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6730 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6731 BPF_MOV64_IMM(BPF_REG_3, 0),
6732 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6733 BPF_MOV64_IMM(BPF_REG_0, 0),
6736 .errstr = "invalid indirect read from stack off -64+0 size 64",
6738 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6741 "helper access to variable memory: stack, JMP (signed), no min check",
6743 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6745 BPF_MOV64_IMM(BPF_REG_2, 16),
6746 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6747 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6748 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6749 BPF_MOV64_IMM(BPF_REG_3, 0),
6750 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6751 BPF_MOV64_IMM(BPF_REG_0, 0),
6754 .errstr = "R2 min value is negative",
6756 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6759 "helper access to variable memory: map, JMP, correct bounds",
6761 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6763 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6764 BPF_LD_MAP_FD(BPF_REG_1, 0),
6765 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6766 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6768 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6769 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6770 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6771 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6772 sizeof(struct test_val), 4),
6773 BPF_MOV64_IMM(BPF_REG_4, 0),
6774 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6775 BPF_MOV64_IMM(BPF_REG_3, 0),
6776 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6777 BPF_MOV64_IMM(BPF_REG_0, 0),
6780 .fixup_map2 = { 3 },
6782 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6785 "helper access to variable memory: map, JMP, wrong max",
6787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6789 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6790 BPF_LD_MAP_FD(BPF_REG_1, 0),
6791 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6793 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6794 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6795 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6796 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6797 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6798 sizeof(struct test_val) + 1, 4),
6799 BPF_MOV64_IMM(BPF_REG_4, 0),
6800 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6801 BPF_MOV64_IMM(BPF_REG_3, 0),
6802 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6803 BPF_MOV64_IMM(BPF_REG_0, 0),
6806 .fixup_map2 = { 3 },
6807 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6809 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6812 "helper access to variable memory: map adjusted, JMP, correct bounds",
6814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6816 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6817 BPF_LD_MAP_FD(BPF_REG_1, 0),
6818 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6820 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6821 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6822 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6823 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6824 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6825 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6826 sizeof(struct test_val) - 20, 4),
6827 BPF_MOV64_IMM(BPF_REG_4, 0),
6828 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6829 BPF_MOV64_IMM(BPF_REG_3, 0),
6830 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6831 BPF_MOV64_IMM(BPF_REG_0, 0),
6834 .fixup_map2 = { 3 },
6836 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6839 "helper access to variable memory: map adjusted, JMP, wrong max",
6841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6843 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6844 BPF_LD_MAP_FD(BPF_REG_1, 0),
6845 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6847 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6849 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6850 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6851 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6852 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6853 sizeof(struct test_val) - 19, 4),
6854 BPF_MOV64_IMM(BPF_REG_4, 0),
6855 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6856 BPF_MOV64_IMM(BPF_REG_3, 0),
6857 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6858 BPF_MOV64_IMM(BPF_REG_0, 0),
6861 .fixup_map2 = { 3 },
6862 .errstr = "R1 min value is outside of the array range",
6864 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6867 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6869 BPF_MOV64_IMM(BPF_REG_1, 0),
6870 BPF_MOV64_IMM(BPF_REG_2, 0),
6871 BPF_MOV64_IMM(BPF_REG_3, 0),
6872 BPF_MOV64_IMM(BPF_REG_4, 0),
6873 BPF_MOV64_IMM(BPF_REG_5, 0),
6874 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6878 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6881 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6883 BPF_MOV64_IMM(BPF_REG_1, 0),
6884 BPF_MOV64_IMM(BPF_REG_2, 1),
6885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6886 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6887 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6888 BPF_MOV64_IMM(BPF_REG_3, 0),
6889 BPF_MOV64_IMM(BPF_REG_4, 0),
6890 BPF_MOV64_IMM(BPF_REG_5, 0),
6891 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6894 .errstr = "R1 type=inv expected=fp",
6896 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6899 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6903 BPF_MOV64_IMM(BPF_REG_2, 0),
6904 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6905 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6906 BPF_MOV64_IMM(BPF_REG_3, 0),
6907 BPF_MOV64_IMM(BPF_REG_4, 0),
6908 BPF_MOV64_IMM(BPF_REG_5, 0),
6909 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6913 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6916 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6918 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6919 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6921 BPF_LD_MAP_FD(BPF_REG_1, 0),
6922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6923 BPF_FUNC_map_lookup_elem),
6924 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6925 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6926 BPF_MOV64_IMM(BPF_REG_2, 0),
6927 BPF_MOV64_IMM(BPF_REG_3, 0),
6928 BPF_MOV64_IMM(BPF_REG_4, 0),
6929 BPF_MOV64_IMM(BPF_REG_5, 0),
6930 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6933 .fixup_map1 = { 3 },
6935 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6938 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6940 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6943 BPF_LD_MAP_FD(BPF_REG_1, 0),
6944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6945 BPF_FUNC_map_lookup_elem),
6946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6947 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6948 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6951 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6952 BPF_MOV64_IMM(BPF_REG_3, 0),
6953 BPF_MOV64_IMM(BPF_REG_4, 0),
6954 BPF_MOV64_IMM(BPF_REG_5, 0),
6955 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6958 .fixup_map1 = { 3 },
6960 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6963 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6965 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6968 BPF_LD_MAP_FD(BPF_REG_1, 0),
6969 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6970 BPF_FUNC_map_lookup_elem),
6971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6973 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6974 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6975 BPF_MOV64_IMM(BPF_REG_3, 0),
6976 BPF_MOV64_IMM(BPF_REG_4, 0),
6977 BPF_MOV64_IMM(BPF_REG_5, 0),
6978 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6981 .fixup_map1 = { 3 },
6983 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6986 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6988 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6989 offsetof(struct __sk_buff, data)),
6990 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6991 offsetof(struct __sk_buff, data_end)),
6992 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6994 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6996 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6997 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6998 BPF_MOV64_IMM(BPF_REG_3, 0),
6999 BPF_MOV64_IMM(BPF_REG_4, 0),
7000 BPF_MOV64_IMM(BPF_REG_5, 0),
7001 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7005 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7006 .retval = 0 /* csum_diff of 64-byte packet */,
7009 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7011 BPF_MOV64_IMM(BPF_REG_1, 0),
7012 BPF_MOV64_IMM(BPF_REG_2, 0),
7013 BPF_MOV64_IMM(BPF_REG_3, 0),
7014 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7017 .errstr = "R1 type=inv expected=fp",
7019 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7022 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7024 BPF_MOV64_IMM(BPF_REG_1, 0),
7025 BPF_MOV64_IMM(BPF_REG_2, 1),
7026 BPF_MOV64_IMM(BPF_REG_3, 0),
7027 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7030 .errstr = "R1 type=inv expected=fp",
7032 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7035 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7037 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7039 BPF_MOV64_IMM(BPF_REG_2, 0),
7040 BPF_MOV64_IMM(BPF_REG_3, 0),
7041 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7045 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7048 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7050 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7051 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7053 BPF_LD_MAP_FD(BPF_REG_1, 0),
7054 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7055 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7056 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7057 BPF_MOV64_IMM(BPF_REG_2, 0),
7058 BPF_MOV64_IMM(BPF_REG_3, 0),
7059 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7062 .fixup_map1 = { 3 },
7064 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7067 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7069 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7070 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7072 BPF_LD_MAP_FD(BPF_REG_1, 0),
7073 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7074 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7075 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7076 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7079 BPF_MOV64_IMM(BPF_REG_3, 0),
7080 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7083 .fixup_map1 = { 3 },
7085 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7088 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7090 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7091 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7093 BPF_LD_MAP_FD(BPF_REG_1, 0),
7094 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7095 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7096 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7097 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7098 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7099 BPF_MOV64_IMM(BPF_REG_3, 0),
7100 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7103 .fixup_map1 = { 3 },
7105 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7108 "helper access to variable memory: 8 bytes leak",
7110 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7112 BPF_MOV64_IMM(BPF_REG_0, 0),
7113 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7114 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7115 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7116 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7117 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7118 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7119 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7120 BPF_MOV64_IMM(BPF_REG_2, 1),
7121 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7122 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7123 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7125 BPF_MOV64_IMM(BPF_REG_3, 0),
7126 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7127 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7130 .errstr = "invalid indirect read from stack off -64+32 size 64",
7132 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7135 "helper access to variable memory: 8 bytes no leak (init memory)",
7137 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7138 BPF_MOV64_IMM(BPF_REG_0, 0),
7139 BPF_MOV64_IMM(BPF_REG_0, 0),
7140 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7141 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7142 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7143 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7144 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7145 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7146 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7147 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7149 BPF_MOV64_IMM(BPF_REG_2, 0),
7150 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7151 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7152 BPF_MOV64_IMM(BPF_REG_3, 0),
7153 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7154 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7158 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7161 "invalid and of negative number",
7163 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7166 BPF_LD_MAP_FD(BPF_REG_1, 0),
7167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7168 BPF_FUNC_map_lookup_elem),
7169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7170 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7171 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7172 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7173 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7174 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7175 offsetof(struct test_val, foo)),
7178 .fixup_map2 = { 3 },
7179 .errstr = "R0 max value is outside of the array range",
7181 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7184 "invalid range check",
7186 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7189 BPF_LD_MAP_FD(BPF_REG_1, 0),
7190 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7191 BPF_FUNC_map_lookup_elem),
7192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7193 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7194 BPF_MOV64_IMM(BPF_REG_9, 1),
7195 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7196 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7197 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7198 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7199 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7200 BPF_MOV32_IMM(BPF_REG_3, 1),
7201 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7202 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7203 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7204 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7205 BPF_MOV64_REG(BPF_REG_0, 0),
7208 .fixup_map2 = { 3 },
7209 .errstr = "R0 max value is outside of the array range",
7211 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7214 "map in map access",
7216 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7217 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7219 BPF_LD_MAP_FD(BPF_REG_1, 0),
7220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7221 BPF_FUNC_map_lookup_elem),
7222 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7223 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7226 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7227 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7228 BPF_FUNC_map_lookup_elem),
7229 BPF_MOV64_IMM(BPF_REG_0, 0),
7232 .fixup_map_in_map = { 3 },
7236 "invalid inner map pointer",
7238 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7239 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7241 BPF_LD_MAP_FD(BPF_REG_1, 0),
7242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7243 BPF_FUNC_map_lookup_elem),
7244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7245 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7246 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7251 BPF_FUNC_map_lookup_elem),
7252 BPF_MOV64_IMM(BPF_REG_0, 0),
7255 .fixup_map_in_map = { 3 },
7256 .errstr = "R1 pointer arithmetic on map_ptr prohibited",
7260 "forgot null checking on the inner map pointer",
7262 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7265 BPF_LD_MAP_FD(BPF_REG_1, 0),
7266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7267 BPF_FUNC_map_lookup_elem),
7268 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7269 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7270 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7271 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7272 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7273 BPF_FUNC_map_lookup_elem),
7274 BPF_MOV64_IMM(BPF_REG_0, 0),
7277 .fixup_map_in_map = { 3 },
7278 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7282 "ld_abs: check calling conv, r1",
7284 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7285 BPF_MOV64_IMM(BPF_REG_1, 0),
7286 BPF_LD_ABS(BPF_W, -0x200000),
7287 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7290 .errstr = "R1 !read_ok",
7294 "ld_abs: check calling conv, r2",
7296 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7297 BPF_MOV64_IMM(BPF_REG_2, 0),
7298 BPF_LD_ABS(BPF_W, -0x200000),
7299 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7302 .errstr = "R2 !read_ok",
7306 "ld_abs: check calling conv, r3",
7308 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7309 BPF_MOV64_IMM(BPF_REG_3, 0),
7310 BPF_LD_ABS(BPF_W, -0x200000),
7311 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7314 .errstr = "R3 !read_ok",
7318 "ld_abs: check calling conv, r4",
7320 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7321 BPF_MOV64_IMM(BPF_REG_4, 0),
7322 BPF_LD_ABS(BPF_W, -0x200000),
7323 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7326 .errstr = "R4 !read_ok",
7330 "ld_abs: check calling conv, r5",
7332 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7333 BPF_MOV64_IMM(BPF_REG_5, 0),
7334 BPF_LD_ABS(BPF_W, -0x200000),
7335 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7338 .errstr = "R5 !read_ok",
7342 "ld_abs: check calling conv, r7",
7344 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7345 BPF_MOV64_IMM(BPF_REG_7, 0),
7346 BPF_LD_ABS(BPF_W, -0x200000),
7347 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7353 "ld_abs: tests on r6 and skb data reload helper",
7355 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7356 BPF_LD_ABS(BPF_B, 0),
7357 BPF_LD_ABS(BPF_H, 0),
7358 BPF_LD_ABS(BPF_W, 0),
7359 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7360 BPF_MOV64_IMM(BPF_REG_6, 0),
7361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7362 BPF_MOV64_IMM(BPF_REG_2, 1),
7363 BPF_MOV64_IMM(BPF_REG_3, 2),
7364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7365 BPF_FUNC_skb_vlan_push),
7366 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7367 BPF_LD_ABS(BPF_B, 0),
7368 BPF_LD_ABS(BPF_H, 0),
7369 BPF_LD_ABS(BPF_W, 0),
7370 BPF_MOV64_IMM(BPF_REG_0, 42),
7373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7375 .retval = 42 /* ultimate return value */,
7378 "ld_ind: check calling conv, r1",
7380 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7381 BPF_MOV64_IMM(BPF_REG_1, 1),
7382 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7383 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7386 .errstr = "R1 !read_ok",
7390 "ld_ind: check calling conv, r2",
7392 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7393 BPF_MOV64_IMM(BPF_REG_2, 1),
7394 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7395 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7398 .errstr = "R2 !read_ok",
7402 "ld_ind: check calling conv, r3",
7404 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7405 BPF_MOV64_IMM(BPF_REG_3, 1),
7406 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7407 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7410 .errstr = "R3 !read_ok",
7414 "ld_ind: check calling conv, r4",
7416 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7417 BPF_MOV64_IMM(BPF_REG_4, 1),
7418 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7419 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7422 .errstr = "R4 !read_ok",
7426 "ld_ind: check calling conv, r5",
7428 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7429 BPF_MOV64_IMM(BPF_REG_5, 1),
7430 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7431 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7434 .errstr = "R5 !read_ok",
7438 "ld_ind: check calling conv, r7",
7440 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7441 BPF_MOV64_IMM(BPF_REG_7, 1),
7442 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7443 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7450 "check bpf_perf_event_data->sample_period byte load permitted",
7452 BPF_MOV64_IMM(BPF_REG_0, 0),
7453 #if __BYTE_ORDER == __LITTLE_ENDIAN
7454 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7455 offsetof(struct bpf_perf_event_data, sample_period)),
7457 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7458 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7463 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7466 "check bpf_perf_event_data->sample_period half load permitted",
7468 BPF_MOV64_IMM(BPF_REG_0, 0),
7469 #if __BYTE_ORDER == __LITTLE_ENDIAN
7470 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7471 offsetof(struct bpf_perf_event_data, sample_period)),
7473 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7474 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7479 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7482 "check bpf_perf_event_data->sample_period word load permitted",
7484 BPF_MOV64_IMM(BPF_REG_0, 0),
7485 #if __BYTE_ORDER == __LITTLE_ENDIAN
7486 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7487 offsetof(struct bpf_perf_event_data, sample_period)),
7489 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7490 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7495 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7498 "check bpf_perf_event_data->sample_period dword load permitted",
7500 BPF_MOV64_IMM(BPF_REG_0, 0),
7501 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7502 offsetof(struct bpf_perf_event_data, sample_period)),
7506 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7509 "check skb->data half load not permitted",
7511 BPF_MOV64_IMM(BPF_REG_0, 0),
7512 #if __BYTE_ORDER == __LITTLE_ENDIAN
7513 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7514 offsetof(struct __sk_buff, data)),
7516 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7517 offsetof(struct __sk_buff, data) + 2),
7522 .errstr = "invalid bpf_context access",
7525 "check skb->tc_classid half load not permitted for lwt prog",
7527 BPF_MOV64_IMM(BPF_REG_0, 0),
7528 #if __BYTE_ORDER == __LITTLE_ENDIAN
7529 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7530 offsetof(struct __sk_buff, tc_classid)),
7532 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7533 offsetof(struct __sk_buff, tc_classid) + 2),
7538 .errstr = "invalid bpf_context access",
7539 .prog_type = BPF_PROG_TYPE_LWT_IN,
7542 "bounds checks mixing signed and unsigned, positive bounds",
7544 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7547 BPF_LD_MAP_FD(BPF_REG_1, 0),
7548 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7549 BPF_FUNC_map_lookup_elem),
7550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7551 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7552 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7553 BPF_MOV64_IMM(BPF_REG_2, 2),
7554 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7555 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7556 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7557 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7558 BPF_MOV64_IMM(BPF_REG_0, 0),
7561 .fixup_map1 = { 3 },
7562 .errstr = "unbounded min value",
7566 "bounds checks mixing signed and unsigned",
7568 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7569 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7571 BPF_LD_MAP_FD(BPF_REG_1, 0),
7572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7573 BPF_FUNC_map_lookup_elem),
7574 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7575 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7576 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7577 BPF_MOV64_IMM(BPF_REG_2, -1),
7578 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7579 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7580 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7581 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7582 BPF_MOV64_IMM(BPF_REG_0, 0),
7585 .fixup_map1 = { 3 },
7586 .errstr = "unbounded min value",
7590 "bounds checks mixing signed and unsigned, variant 2",
7592 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7593 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7595 BPF_LD_MAP_FD(BPF_REG_1, 0),
7596 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7597 BPF_FUNC_map_lookup_elem),
7598 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7599 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7600 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7601 BPF_MOV64_IMM(BPF_REG_2, -1),
7602 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7603 BPF_MOV64_IMM(BPF_REG_8, 0),
7604 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7605 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7606 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7607 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7608 BPF_MOV64_IMM(BPF_REG_0, 0),
7611 .fixup_map1 = { 3 },
7612 .errstr = "unbounded min value",
7616 "bounds checks mixing signed and unsigned, variant 3",
7618 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7619 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7621 BPF_LD_MAP_FD(BPF_REG_1, 0),
7622 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7623 BPF_FUNC_map_lookup_elem),
7624 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7625 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7626 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7627 BPF_MOV64_IMM(BPF_REG_2, -1),
7628 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7629 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7630 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7631 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7632 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7633 BPF_MOV64_IMM(BPF_REG_0, 0),
7636 .fixup_map1 = { 3 },
7637 .errstr = "unbounded min value",
7641 "bounds checks mixing signed and unsigned, variant 4",
7643 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7644 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7646 BPF_LD_MAP_FD(BPF_REG_1, 0),
7647 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7648 BPF_FUNC_map_lookup_elem),
7649 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7650 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7651 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7652 BPF_MOV64_IMM(BPF_REG_2, 1),
7653 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7654 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7655 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7656 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7657 BPF_MOV64_IMM(BPF_REG_0, 0),
7660 .fixup_map1 = { 3 },
7664 "bounds checks mixing signed and unsigned, variant 5",
7666 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7667 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7669 BPF_LD_MAP_FD(BPF_REG_1, 0),
7670 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7671 BPF_FUNC_map_lookup_elem),
7672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7673 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7674 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7675 BPF_MOV64_IMM(BPF_REG_2, -1),
7676 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7677 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7679 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7680 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7681 BPF_MOV64_IMM(BPF_REG_0, 0),
7684 .fixup_map1 = { 3 },
7685 .errstr = "unbounded min value",
7689 "bounds checks mixing signed and unsigned, variant 6",
7691 BPF_MOV64_IMM(BPF_REG_2, 0),
7692 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7694 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7695 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7696 BPF_MOV64_IMM(BPF_REG_6, -1),
7697 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7698 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7700 BPF_MOV64_IMM(BPF_REG_5, 0),
7701 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7702 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7703 BPF_FUNC_skb_load_bytes),
7704 BPF_MOV64_IMM(BPF_REG_0, 0),
7707 .errstr = "R4 min value is negative, either use unsigned",
7711 "bounds checks mixing signed and unsigned, variant 7",
7713 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7714 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7716 BPF_LD_MAP_FD(BPF_REG_1, 0),
7717 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7718 BPF_FUNC_map_lookup_elem),
7719 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7720 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7721 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7722 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7723 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7724 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7725 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7726 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7727 BPF_MOV64_IMM(BPF_REG_0, 0),
7730 .fixup_map1 = { 3 },
7734 "bounds checks mixing signed and unsigned, variant 8",
7736 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7737 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7739 BPF_LD_MAP_FD(BPF_REG_1, 0),
7740 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7741 BPF_FUNC_map_lookup_elem),
7742 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7743 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7744 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7745 BPF_MOV64_IMM(BPF_REG_2, -1),
7746 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7747 BPF_MOV64_IMM(BPF_REG_0, 0),
7749 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7750 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7751 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7752 BPF_MOV64_IMM(BPF_REG_0, 0),
7755 .fixup_map1 = { 3 },
7756 .errstr = "unbounded min value",
7760 "bounds checks mixing signed and unsigned, variant 9",
7762 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7765 BPF_LD_MAP_FD(BPF_REG_1, 0),
7766 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7767 BPF_FUNC_map_lookup_elem),
7768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7769 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7770 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7771 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7772 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7773 BPF_MOV64_IMM(BPF_REG_0, 0),
7775 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7776 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7777 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7778 BPF_MOV64_IMM(BPF_REG_0, 0),
7781 .fixup_map1 = { 3 },
7785 "bounds checks mixing signed and unsigned, variant 10",
7787 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7788 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7790 BPF_LD_MAP_FD(BPF_REG_1, 0),
7791 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7792 BPF_FUNC_map_lookup_elem),
7793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7794 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7795 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7796 BPF_MOV64_IMM(BPF_REG_2, 0),
7797 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7798 BPF_MOV64_IMM(BPF_REG_0, 0),
7800 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7801 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7802 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7803 BPF_MOV64_IMM(BPF_REG_0, 0),
7806 .fixup_map1 = { 3 },
7807 .errstr = "unbounded min value",
7811 "bounds checks mixing signed and unsigned, variant 11",
7813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7816 BPF_LD_MAP_FD(BPF_REG_1, 0),
7817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7818 BPF_FUNC_map_lookup_elem),
7819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7820 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7821 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7822 BPF_MOV64_IMM(BPF_REG_2, -1),
7823 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7825 BPF_MOV64_IMM(BPF_REG_0, 0),
7827 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7828 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7829 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7830 BPF_MOV64_IMM(BPF_REG_0, 0),
7833 .fixup_map1 = { 3 },
7834 .errstr = "unbounded min value",
7838 "bounds checks mixing signed and unsigned, variant 12",
7840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7843 BPF_LD_MAP_FD(BPF_REG_1, 0),
7844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7845 BPF_FUNC_map_lookup_elem),
7846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7847 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7848 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7849 BPF_MOV64_IMM(BPF_REG_2, -6),
7850 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7851 BPF_MOV64_IMM(BPF_REG_0, 0),
7853 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7854 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7855 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7856 BPF_MOV64_IMM(BPF_REG_0, 0),
7859 .fixup_map1 = { 3 },
7860 .errstr = "unbounded min value",
7864 "bounds checks mixing signed and unsigned, variant 13",
7866 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7867 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7869 BPF_LD_MAP_FD(BPF_REG_1, 0),
7870 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7871 BPF_FUNC_map_lookup_elem),
7872 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7873 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7874 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7875 BPF_MOV64_IMM(BPF_REG_2, 2),
7876 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7877 BPF_MOV64_IMM(BPF_REG_7, 1),
7878 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7879 BPF_MOV64_IMM(BPF_REG_0, 0),
7881 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7882 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7883 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7884 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7885 BPF_MOV64_IMM(BPF_REG_0, 0),
7888 .fixup_map1 = { 3 },
7889 .errstr = "unbounded min value",
7893 "bounds checks mixing signed and unsigned, variant 14",
7895 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7896 offsetof(struct __sk_buff, mark)),
7897 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7898 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7900 BPF_LD_MAP_FD(BPF_REG_1, 0),
7901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7902 BPF_FUNC_map_lookup_elem),
7903 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7904 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7905 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7906 BPF_MOV64_IMM(BPF_REG_2, -1),
7907 BPF_MOV64_IMM(BPF_REG_8, 2),
7908 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7909 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7910 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7911 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7912 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7913 BPF_MOV64_IMM(BPF_REG_0, 0),
7915 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7916 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7918 .fixup_map1 = { 4 },
7919 .errstr = "R0 invalid mem access 'inv'",
7923 "bounds checks mixing signed and unsigned, variant 15",
7925 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7928 BPF_LD_MAP_FD(BPF_REG_1, 0),
7929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7930 BPF_FUNC_map_lookup_elem),
7931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7932 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7933 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7934 BPF_MOV64_IMM(BPF_REG_2, -6),
7935 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7936 BPF_MOV64_IMM(BPF_REG_0, 0),
7938 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7939 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7940 BPF_MOV64_IMM(BPF_REG_0, 0),
7942 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7943 BPF_MOV64_IMM(BPF_REG_0, 0),
7946 .fixup_map1 = { 3 },
7947 .errstr = "unbounded min value",
7949 .result_unpriv = REJECT,
7952 "subtraction bounds (map value) variant 1",
7954 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7955 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7956 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7957 BPF_LD_MAP_FD(BPF_REG_1, 0),
7958 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7959 BPF_FUNC_map_lookup_elem),
7960 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7961 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7962 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7963 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7964 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7965 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7966 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7967 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7968 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7970 BPF_MOV64_IMM(BPF_REG_0, 0),
7973 .fixup_map1 = { 3 },
7974 .errstr = "R0 max value is outside of the array range",
7978 "subtraction bounds (map value) variant 2",
7980 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7981 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7983 BPF_LD_MAP_FD(BPF_REG_1, 0),
7984 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7985 BPF_FUNC_map_lookup_elem),
7986 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7987 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7988 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7989 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7990 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7991 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7992 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7993 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7995 BPF_MOV64_IMM(BPF_REG_0, 0),
7998 .fixup_map1 = { 3 },
7999 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
8003 "bounds check based on zero-extended MOV",
8005 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8006 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8008 BPF_LD_MAP_FD(BPF_REG_1, 0),
8009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8010 BPF_FUNC_map_lookup_elem),
8011 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8012 /* r2 = 0x0000'0000'ffff'ffff */
8013 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
8015 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8017 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8018 /* access at offset 0 */
8019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8021 BPF_MOV64_IMM(BPF_REG_0, 0),
8024 .fixup_map1 = { 3 },
8028 "bounds check based on sign-extended MOV. test1",
8030 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8033 BPF_LD_MAP_FD(BPF_REG_1, 0),
8034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8035 BPF_FUNC_map_lookup_elem),
8036 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8037 /* r2 = 0xffff'ffff'ffff'ffff */
8038 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8039 /* r2 = 0xffff'ffff */
8040 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8041 /* r0 = <oob pointer> */
8042 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8043 /* access to OOB pointer */
8044 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8046 BPF_MOV64_IMM(BPF_REG_0, 0),
8049 .fixup_map1 = { 3 },
8050 .errstr = "map_value pointer and 4294967295",
8054 "bounds check based on sign-extended MOV. test2",
8056 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8059 BPF_LD_MAP_FD(BPF_REG_1, 0),
8060 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8061 BPF_FUNC_map_lookup_elem),
8062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8063 /* r2 = 0xffff'ffff'ffff'ffff */
8064 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8065 /* r2 = 0xfff'ffff */
8066 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8067 /* r0 = <oob pointer> */
8068 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8069 /* access to OOB pointer */
8070 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8072 BPF_MOV64_IMM(BPF_REG_0, 0),
8075 .fixup_map1 = { 3 },
8076 .errstr = "R0 min value is outside of the array range",
8080 "bounds check based on reg_off + var_off + insn_off. test1",
8082 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8083 offsetof(struct __sk_buff, mark)),
8084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8087 BPF_LD_MAP_FD(BPF_REG_1, 0),
8088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8089 BPF_FUNC_map_lookup_elem),
8090 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8091 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8093 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8095 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8096 BPF_MOV64_IMM(BPF_REG_0, 0),
8099 .fixup_map1 = { 4 },
8100 .errstr = "value_size=8 off=1073741825",
8102 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8105 "bounds check based on reg_off + var_off + insn_off. test2",
8107 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8108 offsetof(struct __sk_buff, mark)),
8109 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8110 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8112 BPF_LD_MAP_FD(BPF_REG_1, 0),
8113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8114 BPF_FUNC_map_lookup_elem),
8115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8116 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8118 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8120 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8121 BPF_MOV64_IMM(BPF_REG_0, 0),
8124 .fixup_map1 = { 4 },
8125 .errstr = "value 1073741823",
8127 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8130 "bounds check after truncation of non-boundary-crossing range",
8132 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8133 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8135 BPF_LD_MAP_FD(BPF_REG_1, 0),
8136 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8137 BPF_FUNC_map_lookup_elem),
8138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8139 /* r1 = [0x00, 0xff] */
8140 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8141 BPF_MOV64_IMM(BPF_REG_2, 1),
8142 /* r2 = 0x10'0000'0000 */
8143 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8144 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8145 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8146 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8148 /* r1 = [0x00, 0xff] */
8149 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8151 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8153 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8154 /* access at offset 0 */
8155 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8157 BPF_MOV64_IMM(BPF_REG_0, 0),
8160 .fixup_map1 = { 3 },
8164 "bounds check after truncation of boundary-crossing range (1)",
8166 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8167 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8168 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8169 BPF_LD_MAP_FD(BPF_REG_1, 0),
8170 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8171 BPF_FUNC_map_lookup_elem),
8172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8173 /* r1 = [0x00, 0xff] */
8174 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8176 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8178 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8179 * [0x0000'0000, 0x0000'007f]
8181 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8182 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8183 /* r1 = [0x00, 0xff] or
8184 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8186 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8188 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8190 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8191 /* no-op or OOB pointer computation */
8192 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8193 /* potentially OOB access */
8194 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8196 BPF_MOV64_IMM(BPF_REG_0, 0),
8199 .fixup_map1 = { 3 },
8200 /* not actually fully unbounded, but the bound is very high */
8201 .errstr = "R0 unbounded memory access",
8205 "bounds check after truncation of boundary-crossing range (2)",
8207 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8208 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8210 BPF_LD_MAP_FD(BPF_REG_1, 0),
8211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8212 BPF_FUNC_map_lookup_elem),
8213 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8214 /* r1 = [0x00, 0xff] */
8215 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8217 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8218 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8219 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8220 * [0x0000'0000, 0x0000'007f]
8221 * difference to previous test: truncation via MOV32
8224 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8225 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8226 /* r1 = [0x00, 0xff] or
8227 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8229 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8231 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8233 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8234 /* no-op or OOB pointer computation */
8235 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8236 /* potentially OOB access */
8237 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8239 BPF_MOV64_IMM(BPF_REG_0, 0),
8242 .fixup_map1 = { 3 },
8243 /* not actually fully unbounded, but the bound is very high */
8244 .errstr = "R0 unbounded memory access",
8248 "bounds check after wrapping 32-bit addition",
8250 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8253 BPF_LD_MAP_FD(BPF_REG_1, 0),
8254 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8255 BPF_FUNC_map_lookup_elem),
8256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8257 /* r1 = 0x7fff'ffff */
8258 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8259 /* r1 = 0xffff'fffe */
8260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8262 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8264 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8265 /* access at offset 0 */
8266 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8268 BPF_MOV64_IMM(BPF_REG_0, 0),
8271 .fixup_map1 = { 3 },
8275 "bounds check after shift with oversized count operand",
8277 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8278 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8280 BPF_LD_MAP_FD(BPF_REG_1, 0),
8281 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8282 BPF_FUNC_map_lookup_elem),
8283 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8284 BPF_MOV64_IMM(BPF_REG_2, 32),
8285 BPF_MOV64_IMM(BPF_REG_1, 1),
8286 /* r1 = (u32)1 << (u32)32 = ? */
8287 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8288 /* r1 = [0x0000, 0xffff] */
8289 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8290 /* computes unknown pointer, potentially OOB */
8291 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8292 /* potentially OOB access */
8293 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8295 BPF_MOV64_IMM(BPF_REG_0, 0),
8298 .fixup_map1 = { 3 },
8299 .errstr = "R0 max value is outside of the array range",
8303 "bounds check after right shift of maybe-negative number",
8305 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8308 BPF_LD_MAP_FD(BPF_REG_1, 0),
8309 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8310 BPF_FUNC_map_lookup_elem),
8311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8312 /* r1 = [0x00, 0xff] */
8313 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8314 /* r1 = [-0x01, 0xfe] */
8315 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8316 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8317 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8318 /* r1 = 0 or 0xffff'ffff'ffff */
8319 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8320 /* computes unknown pointer, potentially OOB */
8321 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8322 /* potentially OOB access */
8323 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8325 BPF_MOV64_IMM(BPF_REG_0, 0),
8328 .fixup_map1 = { 3 },
8329 .errstr = "R0 unbounded memory access",
8333 "bounds check map access with off+size signed 32bit overflow. test1",
8335 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8338 BPF_LD_MAP_FD(BPF_REG_1, 0),
8339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8340 BPF_FUNC_map_lookup_elem),
8341 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8344 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8348 .fixup_map1 = { 3 },
8349 .errstr = "map_value pointer and 2147483646",
8353 "bounds check map access with off+size signed 32bit overflow. test2",
8355 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8358 BPF_LD_MAP_FD(BPF_REG_1, 0),
8359 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8360 BPF_FUNC_map_lookup_elem),
8361 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8370 .fixup_map1 = { 3 },
8371 .errstr = "pointer offset 1073741822",
8375 "bounds check map access with off+size signed 32bit overflow. test3",
8377 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8378 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8380 BPF_LD_MAP_FD(BPF_REG_1, 0),
8381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8382 BPF_FUNC_map_lookup_elem),
8383 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8385 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8386 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8387 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8391 .fixup_map1 = { 3 },
8392 .errstr = "pointer offset -1073741822",
8396 "bounds check map access with off+size signed 32bit overflow. test4",
8398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8401 BPF_LD_MAP_FD(BPF_REG_1, 0),
8402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8403 BPF_FUNC_map_lookup_elem),
8404 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8406 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8407 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8408 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8413 .fixup_map1 = { 3 },
8414 .errstr = "map_value pointer and 1000000000000",
8418 "pointer/scalar confusion in state equality check (way 1)",
8420 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8421 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8423 BPF_LD_MAP_FD(BPF_REG_1, 0),
8424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8425 BPF_FUNC_map_lookup_elem),
8426 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8427 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8429 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8433 .fixup_map1 = { 3 },
8435 .retval = POINTER_VALUE,
8436 .result_unpriv = REJECT,
8437 .errstr_unpriv = "R0 leaks addr as return value"
8440 "pointer/scalar confusion in state equality check (way 2)",
8442 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8443 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8445 BPF_LD_MAP_FD(BPF_REG_1, 0),
8446 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8447 BPF_FUNC_map_lookup_elem),
8448 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8449 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8451 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8454 .fixup_map1 = { 3 },
8456 .retval = POINTER_VALUE,
8457 .result_unpriv = REJECT,
8458 .errstr_unpriv = "R0 leaks addr as return value"
8461 "variable-offset ctx access",
8463 /* Get an unknown value */
8464 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8465 /* Make it small and 4-byte aligned */
8466 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8467 /* add it to skb. We now have either &skb->len or
8468 * &skb->pkt_type, but we don't know which
8470 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8471 /* dereference it */
8472 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8475 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8477 .prog_type = BPF_PROG_TYPE_LWT_IN,
8480 "variable-offset stack access",
8482 /* Fill the top 8 bytes of the stack */
8483 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8484 /* Get an unknown value */
8485 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8486 /* Make it small and 4-byte aligned */
8487 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8488 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8489 /* add it to fp. We now have either fp-4 or fp-8, but
8490 * we don't know which
8492 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8493 /* dereference it */
8494 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8497 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8499 .prog_type = BPF_PROG_TYPE_LWT_IN,
8502 "indirect variable-offset stack access",
8504 /* Fill the top 8 bytes of the stack */
8505 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8506 /* Get an unknown value */
8507 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8508 /* Make it small and 4-byte aligned */
8509 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8510 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8511 /* add it to fp. We now have either fp-4 or fp-8, but
8512 * we don't know which
8514 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8515 /* dereference it indirectly */
8516 BPF_LD_MAP_FD(BPF_REG_1, 0),
8517 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8518 BPF_FUNC_map_lookup_elem),
8519 BPF_MOV64_IMM(BPF_REG_0, 0),
8522 .fixup_map1 = { 5 },
8523 .errstr = "variable stack read R2",
8525 .prog_type = BPF_PROG_TYPE_LWT_IN,
8528 "direct stack access with 32-bit wraparound. test1",
8530 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8533 BPF_MOV32_IMM(BPF_REG_0, 0),
8534 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8537 .errstr = "fp pointer and 2147483647",
8541 "direct stack access with 32-bit wraparound. test2",
8543 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8546 BPF_MOV32_IMM(BPF_REG_0, 0),
8547 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8550 .errstr = "fp pointer and 1073741823",
8554 "direct stack access with 32-bit wraparound. test3",
8556 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8559 BPF_MOV32_IMM(BPF_REG_0, 0),
8560 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8563 .errstr = "fp pointer offset 1073741822",
8567 "liveness pruning and write screening",
8569 /* Get an unknown value */
8570 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8571 /* branch conditions teach us nothing about R2 */
8572 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8573 BPF_MOV64_IMM(BPF_REG_0, 0),
8574 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8575 BPF_MOV64_IMM(BPF_REG_0, 0),
8578 .errstr = "R0 !read_ok",
8580 .prog_type = BPF_PROG_TYPE_LWT_IN,
8583 "varlen_map_value_access pruning",
8585 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8586 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8588 BPF_LD_MAP_FD(BPF_REG_1, 0),
8589 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8590 BPF_FUNC_map_lookup_elem),
8591 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8592 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8593 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8594 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8595 BPF_MOV32_IMM(BPF_REG_1, 0),
8596 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8597 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8598 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8599 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8600 offsetof(struct test_val, foo)),
8603 .fixup_map2 = { 3 },
8604 .errstr_unpriv = "R0 leaks addr",
8605 .errstr = "R0 unbounded memory access",
8606 .result_unpriv = REJECT,
8608 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8611 "invalid 64-bit BPF_END",
8613 BPF_MOV32_IMM(BPF_REG_0, 0),
8615 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
8616 .dst_reg = BPF_REG_0,
8623 .errstr = "unknown opcode d7",
8627 "XDP, using ifindex from netdev",
8629 BPF_MOV64_IMM(BPF_REG_0, 0),
8630 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8631 offsetof(struct xdp_md, ingress_ifindex)),
8632 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8633 BPF_MOV64_IMM(BPF_REG_0, 1),
8637 .prog_type = BPF_PROG_TYPE_XDP,
8641 "meta access, test1",
8643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8644 offsetof(struct xdp_md, data_meta)),
8645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8646 offsetof(struct xdp_md, data)),
8647 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8649 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8650 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8651 BPF_MOV64_IMM(BPF_REG_0, 0),
8655 .prog_type = BPF_PROG_TYPE_XDP,
8658 "meta access, test2",
8660 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8661 offsetof(struct xdp_md, data_meta)),
8662 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8663 offsetof(struct xdp_md, data)),
8664 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8665 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8666 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8668 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8670 BPF_MOV64_IMM(BPF_REG_0, 0),
8674 .errstr = "invalid access to packet, off=-8",
8675 .prog_type = BPF_PROG_TYPE_XDP,
8678 "meta access, test3",
8680 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8681 offsetof(struct xdp_md, data_meta)),
8682 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8683 offsetof(struct xdp_md, data_end)),
8684 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8686 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8687 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8688 BPF_MOV64_IMM(BPF_REG_0, 0),
8692 .errstr = "invalid access to packet",
8693 .prog_type = BPF_PROG_TYPE_XDP,
8696 "meta access, test4",
8698 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8699 offsetof(struct xdp_md, data_meta)),
8700 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8701 offsetof(struct xdp_md, data_end)),
8702 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8703 offsetof(struct xdp_md, data)),
8704 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8706 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8707 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8708 BPF_MOV64_IMM(BPF_REG_0, 0),
8712 .errstr = "invalid access to packet",
8713 .prog_type = BPF_PROG_TYPE_XDP,
8716 "meta access, test5",
8718 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8719 offsetof(struct xdp_md, data_meta)),
8720 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8721 offsetof(struct xdp_md, data)),
8722 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8724 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8725 BPF_MOV64_IMM(BPF_REG_2, -8),
8726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8727 BPF_FUNC_xdp_adjust_meta),
8728 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8729 BPF_MOV64_IMM(BPF_REG_0, 0),
8733 .errstr = "R3 !read_ok",
8734 .prog_type = BPF_PROG_TYPE_XDP,
8737 "meta access, test6",
8739 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8740 offsetof(struct xdp_md, data_meta)),
8741 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8742 offsetof(struct xdp_md, data)),
8743 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8745 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8747 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8748 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8749 BPF_MOV64_IMM(BPF_REG_0, 0),
8753 .errstr = "invalid access to packet",
8754 .prog_type = BPF_PROG_TYPE_XDP,
8757 "meta access, test7",
8759 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8760 offsetof(struct xdp_md, data_meta)),
8761 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8762 offsetof(struct xdp_md, data)),
8763 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8765 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8767 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8768 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8769 BPF_MOV64_IMM(BPF_REG_0, 0),
8773 .prog_type = BPF_PROG_TYPE_XDP,
8776 "meta access, test8",
8778 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8779 offsetof(struct xdp_md, data_meta)),
8780 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8781 offsetof(struct xdp_md, data)),
8782 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8784 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8785 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8786 BPF_MOV64_IMM(BPF_REG_0, 0),
8790 .prog_type = BPF_PROG_TYPE_XDP,
8793 "meta access, test9",
8795 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8796 offsetof(struct xdp_md, data_meta)),
8797 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8798 offsetof(struct xdp_md, data)),
8799 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8802 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8803 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8804 BPF_MOV64_IMM(BPF_REG_0, 0),
8808 .errstr = "invalid access to packet",
8809 .prog_type = BPF_PROG_TYPE_XDP,
8812 "meta access, test10",
8814 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8815 offsetof(struct xdp_md, data_meta)),
8816 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8817 offsetof(struct xdp_md, data)),
8818 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8819 offsetof(struct xdp_md, data_end)),
8820 BPF_MOV64_IMM(BPF_REG_5, 42),
8821 BPF_MOV64_IMM(BPF_REG_6, 24),
8822 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8823 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8824 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8825 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8826 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8827 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8828 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8830 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8831 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8832 BPF_MOV64_IMM(BPF_REG_0, 0),
8836 .errstr = "invalid access to packet",
8837 .prog_type = BPF_PROG_TYPE_XDP,
8840 "meta access, test11",
8842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8843 offsetof(struct xdp_md, data_meta)),
8844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8845 offsetof(struct xdp_md, data)),
8846 BPF_MOV64_IMM(BPF_REG_5, 42),
8847 BPF_MOV64_IMM(BPF_REG_6, 24),
8848 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8849 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8850 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8851 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8852 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8853 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8854 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8856 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8857 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8858 BPF_MOV64_IMM(BPF_REG_0, 0),
8862 .prog_type = BPF_PROG_TYPE_XDP,
8865 "meta access, test12",
8867 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8868 offsetof(struct xdp_md, data_meta)),
8869 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8870 offsetof(struct xdp_md, data)),
8871 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8872 offsetof(struct xdp_md, data_end)),
8873 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8875 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8876 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8877 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8879 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8880 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8881 BPF_MOV64_IMM(BPF_REG_0, 0),
8885 .prog_type = BPF_PROG_TYPE_XDP,
8888 "arithmetic ops make PTR_TO_CTX unusable",
8890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8891 offsetof(struct __sk_buff, data) -
8892 offsetof(struct __sk_buff, mark)),
8893 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8894 offsetof(struct __sk_buff, mark)),
8897 .errstr = "dereference of modified ctx ptr",
8899 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8902 "pkt_end - pkt_start is allowed",
8904 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8905 offsetof(struct __sk_buff, data_end)),
8906 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8907 offsetof(struct __sk_buff, data)),
8908 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8912 .retval = TEST_DATA_LEN,
8913 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8916 "XDP pkt read, pkt_end mangling, bad access 1",
8918 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8919 offsetof(struct xdp_md, data)),
8920 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8921 offsetof(struct xdp_md, data_end)),
8922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8925 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8926 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8927 BPF_MOV64_IMM(BPF_REG_0, 0),
8930 .errstr = "R3 pointer arithmetic on pkt_end",
8932 .prog_type = BPF_PROG_TYPE_XDP,
8935 "XDP pkt read, pkt_end mangling, bad access 2",
8937 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8938 offsetof(struct xdp_md, data)),
8939 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8940 offsetof(struct xdp_md, data_end)),
8941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8943 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8944 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8945 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8946 BPF_MOV64_IMM(BPF_REG_0, 0),
8949 .errstr = "R3 pointer arithmetic on pkt_end",
8951 .prog_type = BPF_PROG_TYPE_XDP,
8954 "XDP pkt read, pkt_data' > pkt_end, good access",
8956 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8957 offsetof(struct xdp_md, data)),
8958 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8959 offsetof(struct xdp_md, data_end)),
8960 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8962 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8963 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8964 BPF_MOV64_IMM(BPF_REG_0, 0),
8968 .prog_type = BPF_PROG_TYPE_XDP,
8971 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8973 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8974 offsetof(struct xdp_md, data)),
8975 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8976 offsetof(struct xdp_md, data_end)),
8977 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8979 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8980 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8981 BPF_MOV64_IMM(BPF_REG_0, 0),
8984 .errstr = "R1 offset is outside of the packet",
8986 .prog_type = BPF_PROG_TYPE_XDP,
8987 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8990 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8992 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8993 offsetof(struct xdp_md, data)),
8994 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8995 offsetof(struct xdp_md, data_end)),
8996 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8998 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8999 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9000 BPF_MOV64_IMM(BPF_REG_0, 0),
9003 .errstr = "R1 offset is outside of the packet",
9005 .prog_type = BPF_PROG_TYPE_XDP,
9008 "XDP pkt read, pkt_end > pkt_data', good access",
9010 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9011 offsetof(struct xdp_md, data)),
9012 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9013 offsetof(struct xdp_md, data_end)),
9014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9016 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9017 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9018 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9019 BPF_MOV64_IMM(BPF_REG_0, 0),
9023 .prog_type = BPF_PROG_TYPE_XDP,
9024 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9027 "XDP pkt read, pkt_end > pkt_data', bad access 1",
9029 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9030 offsetof(struct xdp_md, data)),
9031 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9032 offsetof(struct xdp_md, data_end)),
9033 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9035 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9036 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9037 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9038 BPF_MOV64_IMM(BPF_REG_0, 0),
9041 .errstr = "R1 offset is outside of the packet",
9043 .prog_type = BPF_PROG_TYPE_XDP,
9046 "XDP pkt read, pkt_end > pkt_data', bad access 2",
9048 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9049 offsetof(struct xdp_md, data)),
9050 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9051 offsetof(struct xdp_md, data_end)),
9052 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9053 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9054 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9055 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9056 BPF_MOV64_IMM(BPF_REG_0, 0),
9059 .errstr = "R1 offset is outside of the packet",
9061 .prog_type = BPF_PROG_TYPE_XDP,
9064 "XDP pkt read, pkt_data' < pkt_end, good access",
9066 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9067 offsetof(struct xdp_md, data)),
9068 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9069 offsetof(struct xdp_md, data_end)),
9070 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9072 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9073 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9074 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9075 BPF_MOV64_IMM(BPF_REG_0, 0),
9079 .prog_type = BPF_PROG_TYPE_XDP,
9080 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9083 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
9085 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9086 offsetof(struct xdp_md, data)),
9087 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9088 offsetof(struct xdp_md, data_end)),
9089 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9091 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9092 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9093 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9094 BPF_MOV64_IMM(BPF_REG_0, 0),
9097 .errstr = "R1 offset is outside of the packet",
9099 .prog_type = BPF_PROG_TYPE_XDP,
9102 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9104 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9105 offsetof(struct xdp_md, data)),
9106 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9107 offsetof(struct xdp_md, data_end)),
9108 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9110 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9111 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9112 BPF_MOV64_IMM(BPF_REG_0, 0),
9115 .errstr = "R1 offset is outside of the packet",
9117 .prog_type = BPF_PROG_TYPE_XDP,
9120 "XDP pkt read, pkt_end < pkt_data', good access",
9122 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9123 offsetof(struct xdp_md, data)),
9124 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9125 offsetof(struct xdp_md, data_end)),
9126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9128 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9129 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9130 BPF_MOV64_IMM(BPF_REG_0, 0),
9134 .prog_type = BPF_PROG_TYPE_XDP,
9137 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9139 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9140 offsetof(struct xdp_md, data)),
9141 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9142 offsetof(struct xdp_md, data_end)),
9143 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9145 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9146 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9147 BPF_MOV64_IMM(BPF_REG_0, 0),
9150 .errstr = "R1 offset is outside of the packet",
9152 .prog_type = BPF_PROG_TYPE_XDP,
9153 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9156 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9158 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9159 offsetof(struct xdp_md, data)),
9160 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9161 offsetof(struct xdp_md, data_end)),
9162 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9164 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9165 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9166 BPF_MOV64_IMM(BPF_REG_0, 0),
9169 .errstr = "R1 offset is outside of the packet",
9171 .prog_type = BPF_PROG_TYPE_XDP,
9174 "XDP pkt read, pkt_data' >= pkt_end, good access",
9176 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9177 offsetof(struct xdp_md, data)),
9178 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9179 offsetof(struct xdp_md, data_end)),
9180 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9182 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9183 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9184 BPF_MOV64_IMM(BPF_REG_0, 0),
9188 .prog_type = BPF_PROG_TYPE_XDP,
9189 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9192 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9194 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9195 offsetof(struct xdp_md, data)),
9196 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9197 offsetof(struct xdp_md, data_end)),
9198 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9199 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9200 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9201 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9202 BPF_MOV64_IMM(BPF_REG_0, 0),
9205 .errstr = "R1 offset is outside of the packet",
9207 .prog_type = BPF_PROG_TYPE_XDP,
9210 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9212 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9213 offsetof(struct xdp_md, data)),
9214 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9215 offsetof(struct xdp_md, data_end)),
9216 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9218 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9219 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9220 BPF_MOV64_IMM(BPF_REG_0, 0),
9223 .errstr = "R1 offset is outside of the packet",
9225 .prog_type = BPF_PROG_TYPE_XDP,
9226 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9229 "XDP pkt read, pkt_end >= pkt_data', good access",
9231 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9232 offsetof(struct xdp_md, data)),
9233 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9234 offsetof(struct xdp_md, data_end)),
9235 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9237 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9238 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9239 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9240 BPF_MOV64_IMM(BPF_REG_0, 0),
9244 .prog_type = BPF_PROG_TYPE_XDP,
9247 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9249 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9250 offsetof(struct xdp_md, data)),
9251 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9252 offsetof(struct xdp_md, data_end)),
9253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9255 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9256 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9257 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9258 BPF_MOV64_IMM(BPF_REG_0, 0),
9261 .errstr = "R1 offset is outside of the packet",
9263 .prog_type = BPF_PROG_TYPE_XDP,
9264 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9267 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9269 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9270 offsetof(struct xdp_md, data)),
9271 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9272 offsetof(struct xdp_md, data_end)),
9273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9275 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9276 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9277 BPF_MOV64_IMM(BPF_REG_0, 0),
9280 .errstr = "R1 offset is outside of the packet",
9282 .prog_type = BPF_PROG_TYPE_XDP,
9285 "XDP pkt read, pkt_data' <= pkt_end, good access",
9287 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9288 offsetof(struct xdp_md, data)),
9289 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9290 offsetof(struct xdp_md, data_end)),
9291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9292 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9293 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9294 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9295 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9296 BPF_MOV64_IMM(BPF_REG_0, 0),
9300 .prog_type = BPF_PROG_TYPE_XDP,
9303 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9305 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9306 offsetof(struct xdp_md, data)),
9307 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9308 offsetof(struct xdp_md, data_end)),
9309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9311 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9312 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9313 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9314 BPF_MOV64_IMM(BPF_REG_0, 0),
9317 .errstr = "R1 offset is outside of the packet",
9319 .prog_type = BPF_PROG_TYPE_XDP,
9320 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9323 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9325 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9326 offsetof(struct xdp_md, data)),
9327 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9328 offsetof(struct xdp_md, data_end)),
9329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9331 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9332 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9333 BPF_MOV64_IMM(BPF_REG_0, 0),
9336 .errstr = "R1 offset is outside of the packet",
9338 .prog_type = BPF_PROG_TYPE_XDP,
9341 "XDP pkt read, pkt_end <= pkt_data', good access",
9343 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9344 offsetof(struct xdp_md, data)),
9345 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9346 offsetof(struct xdp_md, data_end)),
9347 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9349 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9351 BPF_MOV64_IMM(BPF_REG_0, 0),
9355 .prog_type = BPF_PROG_TYPE_XDP,
9356 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9359 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
9361 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9362 offsetof(struct xdp_md, data)),
9363 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9364 offsetof(struct xdp_md, data_end)),
9365 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9367 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9368 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9369 BPF_MOV64_IMM(BPF_REG_0, 0),
9372 .errstr = "R1 offset is outside of the packet",
9374 .prog_type = BPF_PROG_TYPE_XDP,
9377 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9379 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9380 offsetof(struct xdp_md, data)),
9381 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9382 offsetof(struct xdp_md, data_end)),
9383 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9385 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9386 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9387 BPF_MOV64_IMM(BPF_REG_0, 0),
9390 .errstr = "R1 offset is outside of the packet",
9392 .prog_type = BPF_PROG_TYPE_XDP,
9393 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9396 "XDP pkt read, pkt_meta' > pkt_data, good access",
9398 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9399 offsetof(struct xdp_md, data_meta)),
9400 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9401 offsetof(struct xdp_md, data)),
9402 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9404 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9405 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9406 BPF_MOV64_IMM(BPF_REG_0, 0),
9410 .prog_type = BPF_PROG_TYPE_XDP,
9413 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9415 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9416 offsetof(struct xdp_md, data_meta)),
9417 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9418 offsetof(struct xdp_md, data)),
9419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9421 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9423 BPF_MOV64_IMM(BPF_REG_0, 0),
9426 .errstr = "R1 offset is outside of the packet",
9428 .prog_type = BPF_PROG_TYPE_XDP,
9429 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9432 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9435 offsetof(struct xdp_md, data_meta)),
9436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9437 offsetof(struct xdp_md, data)),
9438 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9440 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9441 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9442 BPF_MOV64_IMM(BPF_REG_0, 0),
9445 .errstr = "R1 offset is outside of the packet",
9447 .prog_type = BPF_PROG_TYPE_XDP,
9450 "XDP pkt read, pkt_data > pkt_meta', good access",
9452 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9453 offsetof(struct xdp_md, data_meta)),
9454 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9455 offsetof(struct xdp_md, data)),
9456 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9457 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9458 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9459 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9460 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9461 BPF_MOV64_IMM(BPF_REG_0, 0),
9465 .prog_type = BPF_PROG_TYPE_XDP,
9466 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9469 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9471 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9472 offsetof(struct xdp_md, data_meta)),
9473 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9474 offsetof(struct xdp_md, data)),
9475 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9477 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9478 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9479 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9480 BPF_MOV64_IMM(BPF_REG_0, 0),
9483 .errstr = "R1 offset is outside of the packet",
9485 .prog_type = BPF_PROG_TYPE_XDP,
9488 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9490 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9491 offsetof(struct xdp_md, data_meta)),
9492 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9493 offsetof(struct xdp_md, data)),
9494 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9495 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9496 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9497 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9498 BPF_MOV64_IMM(BPF_REG_0, 0),
9501 .errstr = "R1 offset is outside of the packet",
9503 .prog_type = BPF_PROG_TYPE_XDP,
9506 "XDP pkt read, pkt_meta' < pkt_data, good access",
9508 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9509 offsetof(struct xdp_md, data_meta)),
9510 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9511 offsetof(struct xdp_md, data)),
9512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9514 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9515 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9516 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9517 BPF_MOV64_IMM(BPF_REG_0, 0),
9521 .prog_type = BPF_PROG_TYPE_XDP,
9522 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9525 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9528 offsetof(struct xdp_md, data_meta)),
9529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9530 offsetof(struct xdp_md, data)),
9531 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9533 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9534 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9535 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9536 BPF_MOV64_IMM(BPF_REG_0, 0),
9539 .errstr = "R1 offset is outside of the packet",
9541 .prog_type = BPF_PROG_TYPE_XDP,
9544 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9546 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9547 offsetof(struct xdp_md, data_meta)),
9548 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9549 offsetof(struct xdp_md, data)),
9550 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9552 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9553 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9554 BPF_MOV64_IMM(BPF_REG_0, 0),
9557 .errstr = "R1 offset is outside of the packet",
9559 .prog_type = BPF_PROG_TYPE_XDP,
9562 "XDP pkt read, pkt_data < pkt_meta', good access",
9564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9565 offsetof(struct xdp_md, data_meta)),
9566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9567 offsetof(struct xdp_md, data)),
9568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9570 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9571 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9572 BPF_MOV64_IMM(BPF_REG_0, 0),
9576 .prog_type = BPF_PROG_TYPE_XDP,
9579 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9581 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9582 offsetof(struct xdp_md, data_meta)),
9583 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9584 offsetof(struct xdp_md, data)),
9585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9587 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9588 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9589 BPF_MOV64_IMM(BPF_REG_0, 0),
9592 .errstr = "R1 offset is outside of the packet",
9594 .prog_type = BPF_PROG_TYPE_XDP,
9595 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9598 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
9600 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9601 offsetof(struct xdp_md, data_meta)),
9602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9603 offsetof(struct xdp_md, data)),
9604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9606 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9607 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9608 BPF_MOV64_IMM(BPF_REG_0, 0),
9611 .errstr = "R1 offset is outside of the packet",
9613 .prog_type = BPF_PROG_TYPE_XDP,
9616 "XDP pkt read, pkt_meta' >= pkt_data, good access",
9618 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9619 offsetof(struct xdp_md, data_meta)),
9620 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9621 offsetof(struct xdp_md, data)),
9622 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9624 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9625 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9626 BPF_MOV64_IMM(BPF_REG_0, 0),
9630 .prog_type = BPF_PROG_TYPE_XDP,
9631 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9634 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9636 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9637 offsetof(struct xdp_md, data_meta)),
9638 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9639 offsetof(struct xdp_md, data)),
9640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9642 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9643 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9644 BPF_MOV64_IMM(BPF_REG_0, 0),
9647 .errstr = "R1 offset is outside of the packet",
9649 .prog_type = BPF_PROG_TYPE_XDP,
9652 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9655 offsetof(struct xdp_md, data_meta)),
9656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9657 offsetof(struct xdp_md, data)),
9658 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9660 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9661 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9662 BPF_MOV64_IMM(BPF_REG_0, 0),
9665 .errstr = "R1 offset is outside of the packet",
9667 .prog_type = BPF_PROG_TYPE_XDP,
9668 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9671 "XDP pkt read, pkt_data >= pkt_meta', good access",
9673 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9674 offsetof(struct xdp_md, data_meta)),
9675 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9676 offsetof(struct xdp_md, data)),
9677 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9679 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9680 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9681 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9682 BPF_MOV64_IMM(BPF_REG_0, 0),
9686 .prog_type = BPF_PROG_TYPE_XDP,
9689 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9691 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9692 offsetof(struct xdp_md, data_meta)),
9693 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9694 offsetof(struct xdp_md, data)),
9695 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9697 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9698 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9699 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9700 BPF_MOV64_IMM(BPF_REG_0, 0),
9703 .errstr = "R1 offset is outside of the packet",
9705 .prog_type = BPF_PROG_TYPE_XDP,
9706 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9709 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9711 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9712 offsetof(struct xdp_md, data_meta)),
9713 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9714 offsetof(struct xdp_md, data)),
9715 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9717 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9718 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9719 BPF_MOV64_IMM(BPF_REG_0, 0),
9722 .errstr = "R1 offset is outside of the packet",
9724 .prog_type = BPF_PROG_TYPE_XDP,
9727 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9729 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9730 offsetof(struct xdp_md, data_meta)),
9731 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9732 offsetof(struct xdp_md, data)),
9733 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9735 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9736 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9737 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9738 BPF_MOV64_IMM(BPF_REG_0, 0),
9742 .prog_type = BPF_PROG_TYPE_XDP,
9745 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9747 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9748 offsetof(struct xdp_md, data_meta)),
9749 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9750 offsetof(struct xdp_md, data)),
9751 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9753 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9754 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9755 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9756 BPF_MOV64_IMM(BPF_REG_0, 0),
9759 .errstr = "R1 offset is outside of the packet",
9761 .prog_type = BPF_PROG_TYPE_XDP,
9762 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9765 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9767 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9768 offsetof(struct xdp_md, data_meta)),
9769 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9770 offsetof(struct xdp_md, data)),
9771 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9773 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9774 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9775 BPF_MOV64_IMM(BPF_REG_0, 0),
9778 .errstr = "R1 offset is outside of the packet",
9780 .prog_type = BPF_PROG_TYPE_XDP,
9783 "XDP pkt read, pkt_data <= pkt_meta', good access",
9785 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9786 offsetof(struct xdp_md, data_meta)),
9787 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9788 offsetof(struct xdp_md, data)),
9789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9790 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9791 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9792 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9793 BPF_MOV64_IMM(BPF_REG_0, 0),
9797 .prog_type = BPF_PROG_TYPE_XDP,
9798 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9801 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9803 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9804 offsetof(struct xdp_md, data_meta)),
9805 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9806 offsetof(struct xdp_md, data)),
9807 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9809 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9810 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9811 BPF_MOV64_IMM(BPF_REG_0, 0),
9814 .errstr = "R1 offset is outside of the packet",
9816 .prog_type = BPF_PROG_TYPE_XDP,
9819 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9821 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9822 offsetof(struct xdp_md, data_meta)),
9823 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9824 offsetof(struct xdp_md, data)),
9825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9827 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9828 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9829 BPF_MOV64_IMM(BPF_REG_0, 0),
9832 .errstr = "R1 offset is outside of the packet",
9834 .prog_type = BPF_PROG_TYPE_XDP,
9835 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9838 "check deducing bounds from const, 1",
9840 BPF_MOV64_IMM(BPF_REG_0, 1),
9841 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9842 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9846 .errstr = "R0 tried to subtract pointer from scalar",
9849 "check deducing bounds from const, 2",
9851 BPF_MOV64_IMM(BPF_REG_0, 1),
9852 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9854 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9856 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9863 "check deducing bounds from const, 3",
9865 BPF_MOV64_IMM(BPF_REG_0, 0),
9866 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9867 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9871 .errstr = "R0 tried to subtract pointer from scalar",
9874 "check deducing bounds from const, 4",
9876 BPF_MOV64_IMM(BPF_REG_0, 0),
9877 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9879 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9881 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9887 "check deducing bounds from const, 5",
9889 BPF_MOV64_IMM(BPF_REG_0, 0),
9890 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9891 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9895 .errstr = "R0 tried to subtract pointer from scalar",
9898 "check deducing bounds from const, 6",
9900 BPF_MOV64_IMM(BPF_REG_0, 0),
9901 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9903 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9907 .errstr = "R0 tried to subtract pointer from scalar",
9910 "check deducing bounds from const, 7",
9912 BPF_MOV64_IMM(BPF_REG_0, ~0),
9913 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9914 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9915 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9916 offsetof(struct __sk_buff, mark)),
9920 .errstr = "dereference of modified ctx ptr",
9923 "check deducing bounds from const, 8",
9925 BPF_MOV64_IMM(BPF_REG_0, ~0),
9926 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9927 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9928 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9929 offsetof(struct __sk_buff, mark)),
9933 .errstr = "dereference of modified ctx ptr",
9936 "check deducing bounds from const, 9",
9938 BPF_MOV64_IMM(BPF_REG_0, 0),
9939 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9940 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9944 .errstr = "R0 tried to subtract pointer from scalar",
9947 "check deducing bounds from const, 10",
9949 BPF_MOV64_IMM(BPF_REG_0, 0),
9950 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9951 /* Marks reg as unknown. */
9952 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9953 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9957 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9960 "bpf_exit with invalid return code. test1",
9962 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9965 .errstr = "R0 has value (0x0; 0xffffffff)",
9967 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9970 "bpf_exit with invalid return code. test2",
9972 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9973 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9977 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9980 "bpf_exit with invalid return code. test3",
9982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9983 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9986 .errstr = "R0 has value (0x0; 0x3)",
9988 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9991 "bpf_exit with invalid return code. test4",
9993 BPF_MOV64_IMM(BPF_REG_0, 1),
9997 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10000 "bpf_exit with invalid return code. test5",
10002 BPF_MOV64_IMM(BPF_REG_0, 2),
10005 .errstr = "R0 has value (0x2; 0x0)",
10007 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10010 "bpf_exit with invalid return code. test6",
10012 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10015 .errstr = "R0 is not a known value (ctx)",
10017 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10020 "bpf_exit with invalid return code. test7",
10022 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10023 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
10024 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
10027 .errstr = "R0 has unknown scalar value",
10029 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10032 "calls: basic sanity",
10034 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10035 BPF_MOV64_IMM(BPF_REG_0, 1),
10037 BPF_MOV64_IMM(BPF_REG_0, 2),
10040 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10044 "calls: not on unpriviledged",
10046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10047 BPF_MOV64_IMM(BPF_REG_0, 1),
10049 BPF_MOV64_IMM(BPF_REG_0, 2),
10052 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10053 .result_unpriv = REJECT,
10058 "calls: div by 0 in subprog",
10060 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10061 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10063 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10064 offsetof(struct __sk_buff, data_end)),
10065 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10067 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10068 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10069 BPF_MOV64_IMM(BPF_REG_0, 1),
10071 BPF_MOV32_IMM(BPF_REG_2, 0),
10072 BPF_MOV32_IMM(BPF_REG_3, 1),
10073 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10074 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10075 offsetof(struct __sk_buff, data)),
10078 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10083 "calls: multiple ret types in subprog 1",
10085 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10087 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10088 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10089 offsetof(struct __sk_buff, data_end)),
10090 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10091 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10092 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10093 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10094 BPF_MOV64_IMM(BPF_REG_0, 1),
10096 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10097 offsetof(struct __sk_buff, data)),
10098 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10099 BPF_MOV32_IMM(BPF_REG_0, 42),
10102 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10104 .errstr = "R0 invalid mem access 'inv'",
10107 "calls: multiple ret types in subprog 2",
10109 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10110 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10111 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10112 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10113 offsetof(struct __sk_buff, data_end)),
10114 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10116 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10117 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10118 BPF_MOV64_IMM(BPF_REG_0, 1),
10120 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10121 offsetof(struct __sk_buff, data)),
10122 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10123 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10124 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10127 BPF_LD_MAP_FD(BPF_REG_1, 0),
10128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10129 BPF_FUNC_map_lookup_elem),
10130 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10131 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10132 offsetof(struct __sk_buff, data)),
10133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10136 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10137 .fixup_map1 = { 16 },
10139 .errstr = "R0 min value is outside of the array range",
10142 "calls: overlapping caller/callee",
10144 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10145 BPF_MOV64_IMM(BPF_REG_0, 1),
10148 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10149 .errstr = "last insn is not an exit or jmp",
10153 "calls: wrong recursive calls",
10155 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10156 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10157 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10158 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10159 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10160 BPF_MOV64_IMM(BPF_REG_0, 1),
10163 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10164 .errstr = "jump out of range",
10168 "calls: wrong src reg",
10170 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10171 BPF_MOV64_IMM(BPF_REG_0, 1),
10174 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10175 .errstr = "BPF_CALL uses reserved fields",
10179 "calls: wrong off value",
10181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10182 BPF_MOV64_IMM(BPF_REG_0, 1),
10184 BPF_MOV64_IMM(BPF_REG_0, 2),
10187 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10188 .errstr = "BPF_CALL uses reserved fields",
10192 "calls: jump back loop",
10194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10195 BPF_MOV64_IMM(BPF_REG_0, 1),
10198 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10199 .errstr = "back-edge from insn 0 to 0",
10203 "calls: conditional call",
10205 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10206 offsetof(struct __sk_buff, mark)),
10207 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10209 BPF_MOV64_IMM(BPF_REG_0, 1),
10211 BPF_MOV64_IMM(BPF_REG_0, 2),
10214 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10215 .errstr = "jump out of range",
10219 "calls: conditional call 2",
10221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10222 offsetof(struct __sk_buff, mark)),
10223 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10225 BPF_MOV64_IMM(BPF_REG_0, 1),
10227 BPF_MOV64_IMM(BPF_REG_0, 2),
10229 BPF_MOV64_IMM(BPF_REG_0, 3),
10232 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10236 "calls: conditional call 3",
10238 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10239 offsetof(struct __sk_buff, mark)),
10240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10241 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10242 BPF_MOV64_IMM(BPF_REG_0, 1),
10244 BPF_MOV64_IMM(BPF_REG_0, 1),
10245 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10246 BPF_MOV64_IMM(BPF_REG_0, 3),
10247 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10249 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10250 .errstr = "back-edge from insn",
10254 "calls: conditional call 4",
10256 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10257 offsetof(struct __sk_buff, mark)),
10258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10259 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10260 BPF_MOV64_IMM(BPF_REG_0, 1),
10262 BPF_MOV64_IMM(BPF_REG_0, 1),
10263 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10264 BPF_MOV64_IMM(BPF_REG_0, 3),
10267 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10271 "calls: conditional call 5",
10273 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10274 offsetof(struct __sk_buff, mark)),
10275 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10277 BPF_MOV64_IMM(BPF_REG_0, 1),
10279 BPF_MOV64_IMM(BPF_REG_0, 1),
10280 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10281 BPF_MOV64_IMM(BPF_REG_0, 3),
10284 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10285 .errstr = "back-edge from insn",
10289 "calls: conditional call 6",
10291 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10294 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10295 offsetof(struct __sk_buff, mark)),
10298 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10299 .errstr = "back-edge from insn",
10303 "calls: using r0 returned by callee",
10305 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10307 BPF_MOV64_IMM(BPF_REG_0, 2),
10310 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10314 "calls: using uninit r0 from callee",
10316 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10320 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10321 .errstr = "!read_ok",
10325 "calls: callee is using r1",
10327 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10330 offsetof(struct __sk_buff, len)),
10333 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10335 .retval = TEST_DATA_LEN,
10338 "calls: callee using args1",
10340 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10342 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10345 .errstr_unpriv = "allowed for root only",
10346 .result_unpriv = REJECT,
10348 .retval = POINTER_VALUE,
10351 "calls: callee using wrong args2",
10353 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10355 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10358 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10359 .errstr = "R2 !read_ok",
10363 "calls: callee using two args",
10365 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10366 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10367 offsetof(struct __sk_buff, len)),
10368 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10369 offsetof(struct __sk_buff, len)),
10370 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10372 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10373 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10376 .errstr_unpriv = "allowed for root only",
10377 .result_unpriv = REJECT,
10379 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10382 "calls: callee changing pkt pointers",
10384 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10385 offsetof(struct xdp_md, data)),
10386 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10387 offsetof(struct xdp_md, data_end)),
10388 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10390 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10392 /* clear_all_pkt_pointers() has to walk all frames
10393 * to make sure that pkt pointers in the caller
10394 * are cleared when callee is calling a helper that
10395 * adjusts packet size
10397 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10398 BPF_MOV32_IMM(BPF_REG_0, 0),
10400 BPF_MOV64_IMM(BPF_REG_2, 0),
10401 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10402 BPF_FUNC_xdp_adjust_head),
10406 .errstr = "R6 invalid mem access 'inv'",
10407 .prog_type = BPF_PROG_TYPE_XDP,
10410 "calls: two calls with args",
10412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10414 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10416 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10418 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10419 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10420 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10422 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10423 offsetof(struct __sk_buff, len)),
10426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10428 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10431 "calls: calls with stack arith",
10433 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10441 BPF_MOV64_IMM(BPF_REG_0, 42),
10442 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10445 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10450 "calls: calls with misaligned stack access",
10452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10460 BPF_MOV64_IMM(BPF_REG_0, 42),
10461 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10465 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10466 .errstr = "misaligned stack access",
10470 "calls: calls control flow, jump test",
10472 BPF_MOV64_IMM(BPF_REG_0, 42),
10473 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10474 BPF_MOV64_IMM(BPF_REG_0, 43),
10475 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10476 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10479 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10484 "calls: calls control flow, jump test 2",
10486 BPF_MOV64_IMM(BPF_REG_0, 42),
10487 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10488 BPF_MOV64_IMM(BPF_REG_0, 43),
10489 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10490 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10493 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10494 .errstr = "jump out of range from insn 1 to 4",
10498 "calls: two calls with bad jump",
10500 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10502 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10503 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10504 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10507 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10508 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10510 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10511 offsetof(struct __sk_buff, len)),
10512 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10515 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10516 .errstr = "jump out of range from insn 11 to 9",
10520 "calls: recursive call. test1",
10522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10527 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10528 .errstr = "back-edge",
10532 "calls: recursive call. test2",
10534 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10539 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10540 .errstr = "back-edge",
10544 "calls: unreachable code",
10546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10548 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10550 BPF_MOV64_IMM(BPF_REG_0, 0),
10552 BPF_MOV64_IMM(BPF_REG_0, 0),
10555 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10556 .errstr = "unreachable insn 6",
10560 "calls: invalid call",
10562 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10564 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10567 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10568 .errstr = "invalid destination",
10572 "calls: invalid call 2",
10574 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10576 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10579 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10580 .errstr = "invalid destination",
10584 "calls: jumping across function bodies. test1",
10586 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10587 BPF_MOV64_IMM(BPF_REG_0, 0),
10589 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10592 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10593 .errstr = "jump out of range",
10597 "calls: jumping across function bodies. test2",
10599 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10600 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10601 BPF_MOV64_IMM(BPF_REG_0, 0),
10605 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10606 .errstr = "jump out of range",
10610 "calls: call without exit",
10612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10614 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10616 BPF_MOV64_IMM(BPF_REG_0, 0),
10617 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10619 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10620 .errstr = "not an exit",
10624 "calls: call into middle of ld_imm64",
10626 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10627 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10628 BPF_MOV64_IMM(BPF_REG_0, 0),
10630 BPF_LD_IMM64(BPF_REG_0, 0),
10633 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10634 .errstr = "last insn",
10638 "calls: call into middle of other call",
10640 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10641 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10642 BPF_MOV64_IMM(BPF_REG_0, 0),
10644 BPF_MOV64_IMM(BPF_REG_0, 0),
10645 BPF_MOV64_IMM(BPF_REG_0, 0),
10648 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10649 .errstr = "last insn",
10653 "calls: ld_abs with changing ctx data in callee",
10655 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10656 BPF_LD_ABS(BPF_B, 0),
10657 BPF_LD_ABS(BPF_H, 0),
10658 BPF_LD_ABS(BPF_W, 0),
10659 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10660 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10661 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10662 BPF_LD_ABS(BPF_B, 0),
10663 BPF_LD_ABS(BPF_H, 0),
10664 BPF_LD_ABS(BPF_W, 0),
10666 BPF_MOV64_IMM(BPF_REG_2, 1),
10667 BPF_MOV64_IMM(BPF_REG_3, 2),
10668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10669 BPF_FUNC_skb_vlan_push),
10672 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10673 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10677 "calls: two calls with bad fallthrough",
10679 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10681 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10682 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10683 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10684 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10685 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10686 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10687 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10688 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10689 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10690 offsetof(struct __sk_buff, len)),
10693 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10694 .errstr = "not an exit",
10698 "calls: two calls with stack read",
10700 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10701 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10705 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10706 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10707 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10708 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10709 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10710 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10711 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10713 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10716 .prog_type = BPF_PROG_TYPE_XDP,
10720 "calls: two calls with stack write",
10723 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10724 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10726 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10729 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10733 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10734 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10736 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10737 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10738 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10739 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10740 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10741 /* write into stack frame of main prog */
10742 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10746 /* read from stack frame of main prog */
10747 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10750 .prog_type = BPF_PROG_TYPE_XDP,
10754 "calls: stack overflow using two frames (pre-call access)",
10757 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10758 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10762 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10763 BPF_MOV64_IMM(BPF_REG_0, 0),
10766 .prog_type = BPF_PROG_TYPE_XDP,
10767 .errstr = "combined stack size",
10771 "calls: stack overflow using two frames (post-call access)",
10774 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10775 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10779 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10780 BPF_MOV64_IMM(BPF_REG_0, 0),
10783 .prog_type = BPF_PROG_TYPE_XDP,
10784 .errstr = "combined stack size",
10788 "calls: stack depth check using three frames. test1",
10791 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10792 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10793 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10794 BPF_MOV64_IMM(BPF_REG_0, 0),
10797 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10800 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10801 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10804 .prog_type = BPF_PROG_TYPE_XDP,
10805 /* stack_main=32, stack_A=256, stack_B=64
10806 * and max(main+A, main+A+B) < 512
10811 "calls: stack depth check using three frames. test2",
10814 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10815 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10816 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10817 BPF_MOV64_IMM(BPF_REG_0, 0),
10820 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10823 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10824 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10827 .prog_type = BPF_PROG_TYPE_XDP,
10828 /* stack_main=32, stack_A=64, stack_B=256
10829 * and max(main+A, main+A+B) < 512
10834 "calls: stack depth check using three frames. test3",
10837 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10838 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10839 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10840 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10841 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10842 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10843 BPF_MOV64_IMM(BPF_REG_0, 0),
10846 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10848 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10849 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10851 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10852 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10853 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10856 .prog_type = BPF_PROG_TYPE_XDP,
10857 /* stack_main=64, stack_A=224, stack_B=256
10858 * and max(main+A, main+A+B) > 512
10860 .errstr = "combined stack",
10864 "calls: stack depth check using three frames. test4",
10865 /* void main(void) {
10870 * void func1(int alloc_or_recurse) {
10871 * if (alloc_or_recurse) {
10872 * frame_pointer[-300] = 1;
10874 * func2(alloc_or_recurse);
10877 * void func2(int alloc_or_recurse) {
10878 * if (alloc_or_recurse) {
10879 * frame_pointer[-300] = 1;
10885 BPF_MOV64_IMM(BPF_REG_1, 0),
10886 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10887 BPF_MOV64_IMM(BPF_REG_1, 1),
10888 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10889 BPF_MOV64_IMM(BPF_REG_1, 1),
10890 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10891 BPF_MOV64_IMM(BPF_REG_0, 0),
10894 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10895 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10897 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10901 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10904 .prog_type = BPF_PROG_TYPE_XDP,
10906 .errstr = "combined stack",
10909 "calls: stack depth check using three frames. test5",
10912 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10915 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10918 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10921 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10924 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10927 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10930 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10933 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10936 BPF_MOV64_IMM(BPF_REG_0, 0),
10939 .prog_type = BPF_PROG_TYPE_XDP,
10940 .errstr = "call stack",
10944 "calls: spill into caller stack frame",
10946 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10949 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10951 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10952 BPF_MOV64_IMM(BPF_REG_0, 0),
10955 .prog_type = BPF_PROG_TYPE_XDP,
10956 .errstr = "cannot spill",
10960 "calls: write into caller stack frame",
10962 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10964 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10965 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10966 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10968 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10969 BPF_MOV64_IMM(BPF_REG_0, 0),
10972 .prog_type = BPF_PROG_TYPE_XDP,
10977 "calls: write into callee stack frame",
10979 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10980 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10982 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10986 .prog_type = BPF_PROG_TYPE_XDP,
10987 .errstr = "cannot return stack pointer",
10991 "calls: two calls with stack write and void return",
10994 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10997 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11000 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11004 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11005 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11006 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11012 /* write into stack frame of main prog */
11013 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
11014 BPF_EXIT_INSN(), /* void return */
11016 .prog_type = BPF_PROG_TYPE_XDP,
11020 "calls: ambiguous return value",
11022 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11023 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11024 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11026 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11029 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11030 BPF_MOV64_IMM(BPF_REG_0, 0),
11033 .errstr_unpriv = "allowed for root only",
11034 .result_unpriv = REJECT,
11035 .errstr = "R0 !read_ok",
11039 "calls: two calls that return map_value",
11042 /* pass fp-16, fp-8 into a function */
11043 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11045 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11047 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11049 /* fetch map_value_ptr from the stack of this function */
11050 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11051 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11052 /* write into map value */
11053 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11054 /* fetch secound map_value_ptr from the stack */
11055 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11056 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11057 /* write into map value */
11058 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11059 BPF_MOV64_IMM(BPF_REG_0, 0),
11063 /* call 3rd function twice */
11064 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11065 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11066 /* first time with fp-8 */
11067 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11068 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11069 /* second time with fp-16 */
11070 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11074 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11075 /* lookup from map */
11076 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11077 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11079 BPF_LD_MAP_FD(BPF_REG_1, 0),
11080 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11081 BPF_FUNC_map_lookup_elem),
11082 /* write map_value_ptr into stack frame of main prog */
11083 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11084 BPF_MOV64_IMM(BPF_REG_0, 0),
11085 BPF_EXIT_INSN(), /* return 0 */
11087 .prog_type = BPF_PROG_TYPE_XDP,
11088 .fixup_map1 = { 23 },
11092 "calls: two calls that return map_value with bool condition",
11095 /* pass fp-16, fp-8 into a function */
11096 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11098 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11099 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11100 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11101 BPF_MOV64_IMM(BPF_REG_0, 0),
11105 /* call 3rd function twice */
11106 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11107 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11108 /* first time with fp-8 */
11109 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11110 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11111 /* fetch map_value_ptr from the stack of this function */
11112 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11113 /* write into map value */
11114 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11115 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11116 /* second time with fp-16 */
11117 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11118 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11119 /* fetch secound map_value_ptr from the stack */
11120 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11121 /* write into map value */
11122 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11126 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11127 /* lookup from map */
11128 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11129 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11131 BPF_LD_MAP_FD(BPF_REG_1, 0),
11132 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11133 BPF_FUNC_map_lookup_elem),
11134 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11135 BPF_MOV64_IMM(BPF_REG_0, 0),
11136 BPF_EXIT_INSN(), /* return 0 */
11137 /* write map_value_ptr into stack frame of main prog */
11138 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11139 BPF_MOV64_IMM(BPF_REG_0, 1),
11140 BPF_EXIT_INSN(), /* return 1 */
11142 .prog_type = BPF_PROG_TYPE_XDP,
11143 .fixup_map1 = { 23 },
11147 "calls: two calls that return map_value with incorrect bool check",
11150 /* pass fp-16, fp-8 into a function */
11151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11153 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11156 BPF_MOV64_IMM(BPF_REG_0, 0),
11160 /* call 3rd function twice */
11161 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11162 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11163 /* first time with fp-8 */
11164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11165 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11166 /* fetch map_value_ptr from the stack of this function */
11167 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11168 /* write into map value */
11169 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11171 /* second time with fp-16 */
11172 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11173 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11174 /* fetch secound map_value_ptr from the stack */
11175 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11176 /* write into map value */
11177 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11181 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11182 /* lookup from map */
11183 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11186 BPF_LD_MAP_FD(BPF_REG_1, 0),
11187 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11188 BPF_FUNC_map_lookup_elem),
11189 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11190 BPF_MOV64_IMM(BPF_REG_0, 0),
11191 BPF_EXIT_INSN(), /* return 0 */
11192 /* write map_value_ptr into stack frame of main prog */
11193 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11194 BPF_MOV64_IMM(BPF_REG_0, 1),
11195 BPF_EXIT_INSN(), /* return 1 */
11197 .prog_type = BPF_PROG_TYPE_XDP,
11198 .fixup_map1 = { 23 },
11200 .errstr = "invalid read from stack off -16+0 size 8",
11203 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11206 /* pass fp-16, fp-8 into a function */
11207 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11209 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11212 BPF_MOV64_IMM(BPF_REG_0, 0),
11216 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11217 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11218 /* 1st lookup from map */
11219 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11220 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11222 BPF_LD_MAP_FD(BPF_REG_1, 0),
11223 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11224 BPF_FUNC_map_lookup_elem),
11225 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11226 BPF_MOV64_IMM(BPF_REG_8, 0),
11227 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11228 /* write map_value_ptr into stack frame of main prog at fp-8 */
11229 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11230 BPF_MOV64_IMM(BPF_REG_8, 1),
11232 /* 2nd lookup from map */
11233 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11235 BPF_LD_MAP_FD(BPF_REG_1, 0),
11236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11237 BPF_FUNC_map_lookup_elem),
11238 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11239 BPF_MOV64_IMM(BPF_REG_9, 0),
11240 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11241 /* write map_value_ptr into stack frame of main prog at fp-16 */
11242 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11243 BPF_MOV64_IMM(BPF_REG_9, 1),
11245 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11246 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11247 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11248 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11249 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11254 /* if arg2 == 1 do *arg1 = 0 */
11255 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11256 /* fetch map_value_ptr from the stack of this function */
11257 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11258 /* write into map value */
11259 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11261 /* if arg4 == 1 do *arg3 = 0 */
11262 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11263 /* fetch map_value_ptr from the stack of this function */
11264 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11265 /* write into map value */
11266 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11269 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11270 .fixup_map1 = { 12, 22 },
11272 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11275 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11278 /* pass fp-16, fp-8 into a function */
11279 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11281 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11284 BPF_MOV64_IMM(BPF_REG_0, 0),
11288 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11289 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11290 /* 1st lookup from map */
11291 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11292 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11294 BPF_LD_MAP_FD(BPF_REG_1, 0),
11295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11296 BPF_FUNC_map_lookup_elem),
11297 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11298 BPF_MOV64_IMM(BPF_REG_8, 0),
11299 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11300 /* write map_value_ptr into stack frame of main prog at fp-8 */
11301 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11302 BPF_MOV64_IMM(BPF_REG_8, 1),
11304 /* 2nd lookup from map */
11305 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11307 BPF_LD_MAP_FD(BPF_REG_1, 0),
11308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11309 BPF_FUNC_map_lookup_elem),
11310 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11311 BPF_MOV64_IMM(BPF_REG_9, 0),
11312 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11313 /* write map_value_ptr into stack frame of main prog at fp-16 */
11314 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11315 BPF_MOV64_IMM(BPF_REG_9, 1),
11317 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11320 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11321 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11326 /* if arg2 == 1 do *arg1 = 0 */
11327 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11328 /* fetch map_value_ptr from the stack of this function */
11329 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11330 /* write into map value */
11331 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11333 /* if arg4 == 1 do *arg3 = 0 */
11334 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11335 /* fetch map_value_ptr from the stack of this function */
11336 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11337 /* write into map value */
11338 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11341 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11342 .fixup_map1 = { 12, 22 },
11346 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11349 /* pass fp-16, fp-8 into a function */
11350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11352 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11354 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11355 BPF_MOV64_IMM(BPF_REG_0, 0),
11359 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11360 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11361 /* 1st lookup from map */
11362 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11365 BPF_LD_MAP_FD(BPF_REG_1, 0),
11366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11367 BPF_FUNC_map_lookup_elem),
11368 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11369 BPF_MOV64_IMM(BPF_REG_8, 0),
11370 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11371 /* write map_value_ptr into stack frame of main prog at fp-8 */
11372 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11373 BPF_MOV64_IMM(BPF_REG_8, 1),
11375 /* 2nd lookup from map */
11376 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11378 BPF_LD_MAP_FD(BPF_REG_1, 0),
11379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11380 BPF_FUNC_map_lookup_elem),
11381 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11382 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11383 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11384 /* write map_value_ptr into stack frame of main prog at fp-16 */
11385 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11386 BPF_MOV64_IMM(BPF_REG_9, 1),
11388 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11390 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11391 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11392 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11393 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11394 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11397 /* if arg2 == 1 do *arg1 = 0 */
11398 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11399 /* fetch map_value_ptr from the stack of this function */
11400 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11401 /* write into map value */
11402 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11404 /* if arg4 == 1 do *arg3 = 0 */
11405 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11406 /* fetch map_value_ptr from the stack of this function */
11407 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11408 /* write into map value */
11409 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11410 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11412 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11413 .fixup_map1 = { 12, 22 },
11415 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11418 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11421 /* pass fp-16, fp-8 into a function */
11422 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11424 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11426 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11427 BPF_MOV64_IMM(BPF_REG_0, 0),
11431 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11432 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11433 /* 1st lookup from map */
11434 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11435 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11437 BPF_LD_MAP_FD(BPF_REG_1, 0),
11438 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11439 BPF_FUNC_map_lookup_elem),
11440 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11441 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11442 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11443 BPF_MOV64_IMM(BPF_REG_8, 0),
11444 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11445 BPF_MOV64_IMM(BPF_REG_8, 1),
11447 /* 2nd lookup from map */
11448 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11449 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11450 BPF_LD_MAP_FD(BPF_REG_1, 0),
11451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11452 BPF_FUNC_map_lookup_elem),
11453 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11454 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11455 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11456 BPF_MOV64_IMM(BPF_REG_9, 0),
11457 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11458 BPF_MOV64_IMM(BPF_REG_9, 1),
11460 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11461 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11462 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11463 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11464 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11465 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11469 /* if arg2 == 1 do *arg1 = 0 */
11470 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11471 /* fetch map_value_ptr from the stack of this function */
11472 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11473 /* write into map value */
11474 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11476 /* if arg4 == 1 do *arg3 = 0 */
11477 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11478 /* fetch map_value_ptr from the stack of this function */
11479 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11480 /* write into map value */
11481 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11484 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11485 .fixup_map1 = { 12, 22 },
11489 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11492 /* pass fp-16, fp-8 into a function */
11493 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11495 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11498 BPF_MOV64_IMM(BPF_REG_0, 0),
11502 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11503 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11504 /* 1st lookup from map */
11505 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11508 BPF_LD_MAP_FD(BPF_REG_1, 0),
11509 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11510 BPF_FUNC_map_lookup_elem),
11511 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11512 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11513 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11514 BPF_MOV64_IMM(BPF_REG_8, 0),
11515 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11516 BPF_MOV64_IMM(BPF_REG_8, 1),
11518 /* 2nd lookup from map */
11519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11521 BPF_LD_MAP_FD(BPF_REG_1, 0),
11522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11523 BPF_FUNC_map_lookup_elem),
11524 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11525 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11526 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11527 BPF_MOV64_IMM(BPF_REG_9, 0),
11528 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11529 BPF_MOV64_IMM(BPF_REG_9, 1),
11531 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11534 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11535 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11540 /* if arg2 == 1 do *arg1 = 0 */
11541 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11542 /* fetch map_value_ptr from the stack of this function */
11543 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11544 /* write into map value */
11545 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11547 /* if arg4 == 0 do *arg3 = 0 */
11548 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11549 /* fetch map_value_ptr from the stack of this function */
11550 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11551 /* write into map value */
11552 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11555 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11556 .fixup_map1 = { 12, 22 },
11558 .errstr = "R0 invalid mem access 'inv'",
11561 "calls: pkt_ptr spill into caller stack",
11563 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11569 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11570 offsetof(struct __sk_buff, data)),
11571 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11572 offsetof(struct __sk_buff, data_end)),
11573 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11574 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11575 /* spill unchecked pkt_ptr into stack of caller */
11576 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11577 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11578 /* now the pkt range is verified, read pkt_ptr from stack */
11579 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11580 /* write 4 bytes into packet */
11581 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11585 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11586 .retval = POINTER_VALUE,
11589 "calls: pkt_ptr spill into caller stack 2",
11591 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11594 /* Marking is still kept, but not in all cases safe. */
11595 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11596 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11600 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11601 offsetof(struct __sk_buff, data)),
11602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11603 offsetof(struct __sk_buff, data_end)),
11604 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11606 /* spill unchecked pkt_ptr into stack of caller */
11607 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11608 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11609 /* now the pkt range is verified, read pkt_ptr from stack */
11610 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11611 /* write 4 bytes into packet */
11612 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11615 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11616 .errstr = "invalid access to packet",
11620 "calls: pkt_ptr spill into caller stack 3",
11622 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11625 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11626 /* Marking is still kept and safe here. */
11627 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11628 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11632 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11633 offsetof(struct __sk_buff, data)),
11634 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11635 offsetof(struct __sk_buff, data_end)),
11636 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11638 /* spill unchecked pkt_ptr into stack of caller */
11639 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11640 BPF_MOV64_IMM(BPF_REG_5, 0),
11641 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11642 BPF_MOV64_IMM(BPF_REG_5, 1),
11643 /* now the pkt range is verified, read pkt_ptr from stack */
11644 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11645 /* write 4 bytes into packet */
11646 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11647 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11650 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11655 "calls: pkt_ptr spill into caller stack 4",
11657 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11659 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11660 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11661 /* Check marking propagated. */
11662 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11663 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11667 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11668 offsetof(struct __sk_buff, data)),
11669 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11670 offsetof(struct __sk_buff, data_end)),
11671 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11672 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11673 /* spill unchecked pkt_ptr into stack of caller */
11674 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11675 BPF_MOV64_IMM(BPF_REG_5, 0),
11676 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11677 BPF_MOV64_IMM(BPF_REG_5, 1),
11678 /* don't read back pkt_ptr from stack here */
11679 /* write 4 bytes into packet */
11680 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11681 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11684 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11689 "calls: pkt_ptr spill into caller stack 5",
11691 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11693 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11694 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11695 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11696 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11700 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11701 offsetof(struct __sk_buff, data)),
11702 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11703 offsetof(struct __sk_buff, data_end)),
11704 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11706 BPF_MOV64_IMM(BPF_REG_5, 0),
11707 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11708 /* spill checked pkt_ptr into stack of caller */
11709 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11710 BPF_MOV64_IMM(BPF_REG_5, 1),
11711 /* don't read back pkt_ptr from stack here */
11712 /* write 4 bytes into packet */
11713 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11714 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11717 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11718 .errstr = "same insn cannot be used with different",
11722 "calls: pkt_ptr spill into caller stack 6",
11724 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11725 offsetof(struct __sk_buff, data_end)),
11726 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11728 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11729 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11730 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11731 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11735 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11736 offsetof(struct __sk_buff, data)),
11737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11738 offsetof(struct __sk_buff, data_end)),
11739 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11741 BPF_MOV64_IMM(BPF_REG_5, 0),
11742 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11743 /* spill checked pkt_ptr into stack of caller */
11744 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11745 BPF_MOV64_IMM(BPF_REG_5, 1),
11746 /* don't read back pkt_ptr from stack here */
11747 /* write 4 bytes into packet */
11748 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11749 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11752 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11753 .errstr = "R4 invalid mem access",
11757 "calls: pkt_ptr spill into caller stack 7",
11759 BPF_MOV64_IMM(BPF_REG_2, 0),
11760 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11762 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11763 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11764 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11770 offsetof(struct __sk_buff, data)),
11771 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11772 offsetof(struct __sk_buff, data_end)),
11773 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11775 BPF_MOV64_IMM(BPF_REG_5, 0),
11776 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11777 /* spill checked pkt_ptr into stack of caller */
11778 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11779 BPF_MOV64_IMM(BPF_REG_5, 1),
11780 /* don't read back pkt_ptr from stack here */
11781 /* write 4 bytes into packet */
11782 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11783 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11786 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11787 .errstr = "R4 invalid mem access",
11791 "calls: pkt_ptr spill into caller stack 8",
11793 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11794 offsetof(struct __sk_buff, data)),
11795 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11796 offsetof(struct __sk_buff, data_end)),
11797 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11799 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11801 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11803 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11805 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11806 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11810 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11811 offsetof(struct __sk_buff, data)),
11812 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11813 offsetof(struct __sk_buff, data_end)),
11814 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11816 BPF_MOV64_IMM(BPF_REG_5, 0),
11817 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11818 /* spill checked pkt_ptr into stack of caller */
11819 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11820 BPF_MOV64_IMM(BPF_REG_5, 1),
11821 /* don't read back pkt_ptr from stack here */
11822 /* write 4 bytes into packet */
11823 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11824 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11827 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11831 "calls: pkt_ptr spill into caller stack 9",
11833 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11834 offsetof(struct __sk_buff, data)),
11835 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11836 offsetof(struct __sk_buff, data_end)),
11837 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11839 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11841 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11843 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11845 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11846 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11850 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11851 offsetof(struct __sk_buff, data)),
11852 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11853 offsetof(struct __sk_buff, data_end)),
11854 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11856 BPF_MOV64_IMM(BPF_REG_5, 0),
11857 /* spill unchecked pkt_ptr into stack of caller */
11858 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11859 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11860 BPF_MOV64_IMM(BPF_REG_5, 1),
11861 /* don't read back pkt_ptr from stack here */
11862 /* write 4 bytes into packet */
11863 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11864 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11867 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11868 .errstr = "invalid access to packet",
11872 "calls: caller stack init to zero or map_value_or_null",
11874 BPF_MOV64_IMM(BPF_REG_0, 0),
11875 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11878 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11879 /* fetch map_value_or_null or const_zero from stack */
11880 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11882 /* store into map_value */
11883 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11887 /* if (ctx == 0) return; */
11888 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11889 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11890 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11891 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11893 BPF_LD_MAP_FD(BPF_REG_1, 0),
11894 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11896 BPF_FUNC_map_lookup_elem),
11897 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11898 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11901 .fixup_map1 = { 13 },
11903 .prog_type = BPF_PROG_TYPE_XDP,
11906 "calls: stack init to zero and pruning",
11908 /* first make allocated_stack 16 byte */
11909 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11910 /* now fork the execution such that the false branch
11911 * of JGT insn will be verified second and it skisp zero
11912 * init of fp-8 stack slot. If stack liveness marking
11913 * is missing live_read marks from call map_lookup
11914 * processing then pruning will incorrectly assume
11915 * that fp-8 stack slot was unused in the fall-through
11916 * branch and will accept the program incorrectly
11918 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11919 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11920 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11923 BPF_LD_MAP_FD(BPF_REG_1, 0),
11924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11925 BPF_FUNC_map_lookup_elem),
11928 .fixup_map2 = { 6 },
11929 .errstr = "invalid indirect read from stack off -8+0 size 8",
11931 .prog_type = BPF_PROG_TYPE_XDP,
11934 "calls: two calls returning different map pointers for lookup (hash, array)",
11937 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11939 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11942 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11946 BPF_FUNC_map_lookup_elem),
11947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11948 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11949 offsetof(struct test_val, foo)),
11950 BPF_MOV64_IMM(BPF_REG_0, 1),
11953 BPF_LD_MAP_FD(BPF_REG_0, 0),
11956 BPF_LD_MAP_FD(BPF_REG_0, 0),
11959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11960 .fixup_map2 = { 13 },
11961 .fixup_map4 = { 16 },
11966 "calls: two calls returning different map pointers for lookup (hash, map in map)",
11969 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11971 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11973 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11974 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11978 BPF_FUNC_map_lookup_elem),
11979 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11980 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11981 offsetof(struct test_val, foo)),
11982 BPF_MOV64_IMM(BPF_REG_0, 1),
11985 BPF_LD_MAP_FD(BPF_REG_0, 0),
11988 BPF_LD_MAP_FD(BPF_REG_0, 0),
11991 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11992 .fixup_map_in_map = { 16 },
11993 .fixup_map4 = { 13 },
11995 .errstr = "R0 invalid mem access 'map_ptr'",
11998 "cond: two branches returning different map pointers for lookup (tail, tail)",
12000 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12001 offsetof(struct __sk_buff, mark)),
12002 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
12003 BPF_LD_MAP_FD(BPF_REG_2, 0),
12004 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12005 BPF_LD_MAP_FD(BPF_REG_2, 0),
12006 BPF_MOV64_IMM(BPF_REG_3, 7),
12007 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12008 BPF_FUNC_tail_call),
12009 BPF_MOV64_IMM(BPF_REG_0, 1),
12012 .fixup_prog1 = { 5 },
12013 .fixup_prog2 = { 2 },
12014 .result_unpriv = REJECT,
12015 .errstr_unpriv = "tail_call abusing map_ptr",
12020 "cond: two branches returning same map pointers for lookup (tail, tail)",
12022 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12023 offsetof(struct __sk_buff, mark)),
12024 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
12025 BPF_LD_MAP_FD(BPF_REG_2, 0),
12026 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12027 BPF_LD_MAP_FD(BPF_REG_2, 0),
12028 BPF_MOV64_IMM(BPF_REG_3, 7),
12029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12030 BPF_FUNC_tail_call),
12031 BPF_MOV64_IMM(BPF_REG_0, 1),
12034 .fixup_prog2 = { 2, 5 },
12035 .result_unpriv = ACCEPT,
12040 "search pruning: all branches should be verified (nop operation)",
12042 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12044 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12045 BPF_LD_MAP_FD(BPF_REG_1, 0),
12046 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12047 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12048 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12049 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12050 BPF_MOV64_IMM(BPF_REG_4, 0),
12052 BPF_MOV64_IMM(BPF_REG_4, 1),
12053 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12054 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12055 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12056 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12057 BPF_MOV64_IMM(BPF_REG_6, 0),
12058 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12061 .fixup_map1 = { 3 },
12062 .errstr = "R6 invalid mem access 'inv'",
12064 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12067 "search pruning: all branches should be verified (invalid stack access)",
12069 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12071 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12072 BPF_LD_MAP_FD(BPF_REG_1, 0),
12073 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12074 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12075 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12076 BPF_MOV64_IMM(BPF_REG_4, 0),
12077 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12078 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12080 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12081 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12082 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12085 .fixup_map1 = { 3 },
12086 .errstr = "invalid read from stack off -16+0 size 8",
12088 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12091 "jit: lsh, rsh, arsh by 1",
12093 BPF_MOV64_IMM(BPF_REG_0, 1),
12094 BPF_MOV64_IMM(BPF_REG_1, 0xff),
12095 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12096 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12097 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12099 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12100 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12101 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12103 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12104 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12106 BPF_MOV64_IMM(BPF_REG_0, 2),
12113 "jit: mov32 for ldimm64, 1",
12115 BPF_MOV64_IMM(BPF_REG_0, 2),
12116 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12117 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12118 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12119 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12120 BPF_MOV64_IMM(BPF_REG_0, 1),
12127 "jit: mov32 for ldimm64, 2",
12129 BPF_MOV64_IMM(BPF_REG_0, 1),
12130 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12131 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12132 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12133 BPF_MOV64_IMM(BPF_REG_0, 2),
12140 "jit: various mul tests",
12142 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12143 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12144 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12145 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12146 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12147 BPF_MOV64_IMM(BPF_REG_0, 1),
12149 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12150 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12151 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12152 BPF_MOV64_IMM(BPF_REG_0, 1),
12154 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12155 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12156 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12157 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12158 BPF_MOV64_IMM(BPF_REG_0, 1),
12160 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12161 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12162 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12163 BPF_MOV64_IMM(BPF_REG_0, 1),
12165 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12166 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12167 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12168 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12169 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12170 BPF_MOV64_IMM(BPF_REG_0, 1),
12172 BPF_MOV64_IMM(BPF_REG_0, 2),
12179 "xadd/w check unaligned stack",
12181 BPF_MOV64_IMM(BPF_REG_0, 1),
12182 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12183 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12184 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12188 .errstr = "misaligned stack access off",
12189 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12192 "xadd/w check unaligned map",
12194 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12195 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12196 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12197 BPF_LD_MAP_FD(BPF_REG_1, 0),
12198 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12199 BPF_FUNC_map_lookup_elem),
12200 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12202 BPF_MOV64_IMM(BPF_REG_1, 1),
12203 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12204 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12207 .fixup_map1 = { 3 },
12209 .errstr = "misaligned value access off",
12210 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12213 "xadd/w check unaligned pkt",
12215 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12216 offsetof(struct xdp_md, data)),
12217 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12218 offsetof(struct xdp_md, data_end)),
12219 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12221 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12222 BPF_MOV64_IMM(BPF_REG_0, 99),
12223 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12224 BPF_MOV64_IMM(BPF_REG_0, 1),
12225 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12226 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12227 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12228 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12229 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12233 .errstr = "BPF_XADD stores into R2 ctx",
12234 .prog_type = BPF_PROG_TYPE_XDP,
12237 "xadd/w check whether src/dst got mangled, 1",
12239 BPF_MOV64_IMM(BPF_REG_0, 1),
12240 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12241 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12242 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12243 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12244 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12245 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12246 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12247 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12249 BPF_MOV64_IMM(BPF_REG_0, 42),
12253 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12257 "xadd/w check whether src/dst got mangled, 2",
12259 BPF_MOV64_IMM(BPF_REG_0, 1),
12260 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12261 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12262 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12263 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12264 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12265 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12266 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12267 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12269 BPF_MOV64_IMM(BPF_REG_0, 42),
12273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12277 "bpf_get_stack return R0 within range",
12279 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12280 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12281 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12282 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12283 BPF_LD_MAP_FD(BPF_REG_1, 0),
12284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12285 BPF_FUNC_map_lookup_elem),
12286 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12287 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12288 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12289 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12291 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12292 BPF_MOV64_IMM(BPF_REG_4, 256),
12293 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12294 BPF_MOV64_IMM(BPF_REG_1, 0),
12295 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12296 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12297 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12298 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12299 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12300 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12301 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12303 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12304 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12305 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12306 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12308 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12309 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12310 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12311 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12312 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12313 BPF_MOV64_IMM(BPF_REG_4, 0),
12314 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12317 .fixup_map2 = { 4 },
12319 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12322 "ld_abs: invalid op 1",
12324 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12325 BPF_LD_ABS(BPF_DW, 0),
12328 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12330 .errstr = "unknown opcode",
12333 "ld_abs: invalid op 2",
12335 BPF_MOV32_IMM(BPF_REG_0, 256),
12336 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12337 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12342 .errstr = "unknown opcode",
12345 "ld_abs: nmap reduced",
12347 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12348 BPF_LD_ABS(BPF_H, 12),
12349 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12350 BPF_LD_ABS(BPF_H, 12),
12351 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12352 BPF_MOV32_IMM(BPF_REG_0, 18),
12353 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12354 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12355 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12356 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12357 BPF_MOV32_IMM(BPF_REG_0, 280971478),
12358 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12359 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12360 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12361 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12362 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12363 BPF_LD_ABS(BPF_H, 12),
12364 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12365 BPF_MOV32_IMM(BPF_REG_0, 22),
12366 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12367 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12368 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12369 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12370 BPF_MOV32_IMM(BPF_REG_0, 17366),
12371 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12372 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12374 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12375 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12376 BPF_MOV32_IMM(BPF_REG_0, 256),
12378 BPF_MOV32_IMM(BPF_REG_0, 0),
12382 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12383 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12384 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12386 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12391 "ld_abs: div + abs, test 1",
12393 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12394 BPF_LD_ABS(BPF_B, 3),
12395 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12396 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12397 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12398 BPF_LD_ABS(BPF_B, 4),
12399 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12400 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12404 10, 20, 30, 40, 50,
12406 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12411 "ld_abs: div + abs, test 2",
12413 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12414 BPF_LD_ABS(BPF_B, 3),
12415 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12416 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12417 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12418 BPF_LD_ABS(BPF_B, 128),
12419 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12420 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12424 10, 20, 30, 40, 50,
12426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12431 "ld_abs: div + abs, test 3",
12433 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12434 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12435 BPF_LD_ABS(BPF_B, 3),
12436 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12440 10, 20, 30, 40, 50,
12442 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12447 "ld_abs: div + abs, test 4",
12449 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12450 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12451 BPF_LD_ABS(BPF_B, 256),
12452 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12456 10, 20, 30, 40, 50,
12458 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12463 "ld_abs: vlan + abs, test 1",
12468 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12469 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12474 "ld_abs: vlan + abs, test 2",
12476 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12477 BPF_LD_ABS(BPF_B, 0),
12478 BPF_LD_ABS(BPF_H, 0),
12479 BPF_LD_ABS(BPF_W, 0),
12480 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12481 BPF_MOV64_IMM(BPF_REG_6, 0),
12482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12483 BPF_MOV64_IMM(BPF_REG_2, 1),
12484 BPF_MOV64_IMM(BPF_REG_3, 2),
12485 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12486 BPF_FUNC_skb_vlan_push),
12487 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12488 BPF_LD_ABS(BPF_B, 0),
12489 BPF_LD_ABS(BPF_H, 0),
12490 BPF_LD_ABS(BPF_W, 0),
12491 BPF_MOV64_IMM(BPF_REG_0, 42),
12497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12502 "ld_abs: jump around ld_abs",
12507 .fill_helper = bpf_fill_jump_around_ld_abs,
12508 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12513 "ld_dw: xor semi-random 64 bit imms, test 1",
12516 .fill_helper = bpf_fill_rand_ld_dw,
12517 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12522 "ld_dw: xor semi-random 64 bit imms, test 2",
12525 .fill_helper = bpf_fill_rand_ld_dw,
12526 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12531 "ld_dw: xor semi-random 64 bit imms, test 3",
12534 .fill_helper = bpf_fill_rand_ld_dw,
12535 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12540 "ld_dw: xor semi-random 64 bit imms, test 4",
12543 .fill_helper = bpf_fill_rand_ld_dw,
12544 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12549 "pass unmodified ctx pointer to helper",
12551 BPF_MOV64_IMM(BPF_REG_2, 0),
12552 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12553 BPF_FUNC_csum_update),
12554 BPF_MOV64_IMM(BPF_REG_0, 0),
12557 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12561 "pass modified ctx pointer to helper, 1",
12563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12564 BPF_MOV64_IMM(BPF_REG_2, 0),
12565 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12566 BPF_FUNC_csum_update),
12567 BPF_MOV64_IMM(BPF_REG_0, 0),
12570 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12572 .errstr = "dereference of modified ctx ptr",
12575 "pass modified ctx pointer to helper, 2",
12577 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12579 BPF_FUNC_get_socket_cookie),
12580 BPF_MOV64_IMM(BPF_REG_0, 0),
12583 .result_unpriv = REJECT,
12585 .errstr_unpriv = "dereference of modified ctx ptr",
12586 .errstr = "dereference of modified ctx ptr",
12589 "pass modified ctx pointer to helper, 3",
12591 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12592 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12593 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12594 BPF_MOV64_IMM(BPF_REG_2, 0),
12595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12596 BPF_FUNC_csum_update),
12597 BPF_MOV64_IMM(BPF_REG_0, 0),
12600 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12602 .errstr = "variable ctx access var_off=(0x0; 0x4)",
12605 "mov64 src == dst",
12607 BPF_MOV64_IMM(BPF_REG_2, 0),
12608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
12609 // Check bounds are OK
12610 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12611 BPF_MOV64_IMM(BPF_REG_0, 0),
12614 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12618 "mov64 src != dst",
12620 BPF_MOV64_IMM(BPF_REG_3, 0),
12621 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
12622 // Check bounds are OK
12623 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12624 BPF_MOV64_IMM(BPF_REG_0, 0),
12627 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12632 static int probe_filter_length(const struct bpf_insn *fp)
12636 for (len = MAX_INSNS - 1; len > 0; --len)
12637 if (fp[len].code != 0 || fp[len].imm != 0)
12642 static int create_map(uint32_t type, uint32_t size_key,
12643 uint32_t size_value, uint32_t max_elem)
12647 fd = bpf_create_map(type, size_key, size_value, max_elem,
12648 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12650 printf("Failed to create hash map '%s'!\n", strerror(errno));
12655 static int create_prog_dummy1(enum bpf_map_type prog_type)
12657 struct bpf_insn prog[] = {
12658 BPF_MOV64_IMM(BPF_REG_0, 42),
12662 return bpf_load_program(prog_type, prog,
12663 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12666 static int create_prog_dummy2(enum bpf_map_type prog_type, int mfd, int idx)
12668 struct bpf_insn prog[] = {
12669 BPF_MOV64_IMM(BPF_REG_3, idx),
12670 BPF_LD_MAP_FD(BPF_REG_2, mfd),
12671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12672 BPF_FUNC_tail_call),
12673 BPF_MOV64_IMM(BPF_REG_0, 41),
12677 return bpf_load_program(prog_type, prog,
12678 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12681 static int create_prog_array(enum bpf_map_type prog_type, uint32_t max_elem,
12685 int mfd, p1fd, p2fd;
12687 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12688 sizeof(int), max_elem, 0);
12690 printf("Failed to create prog array '%s'!\n", strerror(errno));
12694 p1fd = create_prog_dummy1(prog_type);
12695 p2fd = create_prog_dummy2(prog_type, mfd, p2key);
12696 if (p1fd < 0 || p2fd < 0)
12698 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12700 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12713 static int create_map_in_map(void)
12715 int inner_map_fd, outer_map_fd;
12717 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12718 sizeof(int), 1, 0);
12719 if (inner_map_fd < 0) {
12720 printf("Failed to create array '%s'!\n", strerror(errno));
12721 return inner_map_fd;
12724 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12725 sizeof(int), inner_map_fd, 1, 0);
12726 if (outer_map_fd < 0)
12727 printf("Failed to create array of maps '%s'!\n",
12730 close(inner_map_fd);
12732 return outer_map_fd;
12735 static int create_cgroup_storage(bool percpu)
12737 enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
12738 BPF_MAP_TYPE_CGROUP_STORAGE;
12741 fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
12742 TEST_DATA_LEN, 0, 0);
12744 printf("Failed to create cgroup storage '%s'!\n",
12750 static char bpf_vlog[UINT_MAX >> 8];
12752 static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
12753 struct bpf_insn *prog, int *map_fds)
12755 int *fixup_map1 = test->fixup_map1;
12756 int *fixup_map2 = test->fixup_map2;
12757 int *fixup_map3 = test->fixup_map3;
12758 int *fixup_map4 = test->fixup_map4;
12759 int *fixup_prog1 = test->fixup_prog1;
12760 int *fixup_prog2 = test->fixup_prog2;
12761 int *fixup_map_in_map = test->fixup_map_in_map;
12762 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
12763 int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
12765 if (test->fill_helper)
12766 test->fill_helper(test);
12768 /* Allocating HTs with 1 elem is fine here, since we only test
12769 * for verifier and not do a runtime lookup, so the only thing
12770 * that really matters is value size in this case.
12773 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12774 sizeof(long long), 1);
12776 prog[*fixup_map1].imm = map_fds[0];
12778 } while (*fixup_map1);
12782 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12783 sizeof(struct test_val), 1);
12785 prog[*fixup_map2].imm = map_fds[1];
12787 } while (*fixup_map2);
12791 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12792 sizeof(struct other_val), 1);
12794 prog[*fixup_map3].imm = map_fds[2];
12796 } while (*fixup_map3);
12800 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12801 sizeof(struct test_val), 1);
12803 prog[*fixup_map4].imm = map_fds[3];
12805 } while (*fixup_map4);
12808 if (*fixup_prog1) {
12809 map_fds[4] = create_prog_array(prog_type, 4, 0);
12811 prog[*fixup_prog1].imm = map_fds[4];
12813 } while (*fixup_prog1);
12816 if (*fixup_prog2) {
12817 map_fds[5] = create_prog_array(prog_type, 8, 7);
12819 prog[*fixup_prog2].imm = map_fds[5];
12821 } while (*fixup_prog2);
12824 if (*fixup_map_in_map) {
12825 map_fds[6] = create_map_in_map();
12827 prog[*fixup_map_in_map].imm = map_fds[6];
12828 fixup_map_in_map++;
12829 } while (*fixup_map_in_map);
12832 if (*fixup_cgroup_storage) {
12833 map_fds[7] = create_cgroup_storage(false);
12835 prog[*fixup_cgroup_storage].imm = map_fds[7];
12836 fixup_cgroup_storage++;
12837 } while (*fixup_cgroup_storage);
12840 if (*fixup_percpu_cgroup_storage) {
12841 map_fds[8] = create_cgroup_storage(true);
12843 prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
12844 fixup_percpu_cgroup_storage++;
12845 } while (*fixup_percpu_cgroup_storage);
12849 static void do_test_single(struct bpf_test *test, bool unpriv,
12850 int *passes, int *errors)
12852 int fd_prog, expected_ret, reject_from_alignment;
12853 int prog_len, prog_type = test->prog_type;
12854 struct bpf_insn *prog = test->insns;
12855 int map_fds[MAX_NR_MAPS];
12856 const char *expected_err;
12860 for (i = 0; i < MAX_NR_MAPS; i++)
12864 prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
12865 do_test_fixup(test, prog_type, prog, map_fds);
12866 prog_len = probe_filter_length(prog);
12868 fd_prog = bpf_verify_program(prog_type, prog, prog_len,
12869 test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12870 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12872 expected_ret = unpriv && test->result_unpriv != UNDEF ?
12873 test->result_unpriv : test->result;
12874 expected_err = unpriv && test->errstr_unpriv ?
12875 test->errstr_unpriv : test->errstr;
12877 reject_from_alignment = fd_prog < 0 &&
12878 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12879 strstr(bpf_vlog, "Unknown alignment.");
12880 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12881 if (reject_from_alignment) {
12882 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12887 if (expected_ret == ACCEPT) {
12888 if (fd_prog < 0 && !reject_from_alignment) {
12889 printf("FAIL\nFailed to load prog '%s'!\n",
12894 if (fd_prog >= 0) {
12895 printf("FAIL\nUnexpected success to load!\n");
12898 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12899 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12900 expected_err, bpf_vlog);
12905 if (fd_prog >= 0) {
12906 __u8 tmp[TEST_DATA_LEN << 2];
12907 __u32 size_tmp = sizeof(tmp);
12909 err = bpf_prog_test_run(fd_prog, 1, test->data,
12910 sizeof(test->data), tmp, &size_tmp,
12912 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12913 printf("Unexpected bpf_prog_test_run error\n");
12916 if (!err && retval != test->retval &&
12917 test->retval != POINTER_VALUE) {
12918 printf("FAIL retval %d != %d\n", retval, test->retval);
12923 printf("OK%s\n", reject_from_alignment ?
12924 " (NOTE: reject due to unknown alignment)" : "");
12927 for (i = 0; i < MAX_NR_MAPS; i++)
12933 printf("%s", bpf_vlog);
12937 static bool is_admin(void)
12940 cap_flag_value_t sysadmin = CAP_CLEAR;
12941 const cap_value_t cap_val = CAP_SYS_ADMIN;
12943 #ifdef CAP_IS_SUPPORTED
12944 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12945 perror("cap_get_flag");
12949 caps = cap_get_proc();
12951 perror("cap_get_proc");
12954 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12955 perror("cap_get_flag");
12956 if (cap_free(caps))
12957 perror("cap_free");
12958 return (sysadmin == CAP_SET);
12961 static int set_admin(bool admin)
12964 const cap_value_t cap_val = CAP_SYS_ADMIN;
12967 caps = cap_get_proc();
12969 perror("cap_get_proc");
12972 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12973 admin ? CAP_SET : CAP_CLEAR)) {
12974 perror("cap_set_flag");
12977 if (cap_set_proc(caps)) {
12978 perror("cap_set_proc");
12983 if (cap_free(caps))
12984 perror("cap_free");
12988 static void get_unpriv_disabled()
12993 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12995 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12996 unpriv_disabled = true;
12999 if (fgets(buf, 2, fd) == buf && atoi(buf))
13000 unpriv_disabled = true;
13004 static int do_test(bool unpriv, unsigned int from, unsigned int to)
13006 int i, passes = 0, errors = 0, skips = 0;
13008 for (i = from; i < to; i++) {
13009 struct bpf_test *test = &tests[i];
13011 /* Program types that are not supported by non-root we
13014 if (!test->prog_type && unpriv_disabled) {
13015 printf("#%d/u %s SKIP\n", i, test->descr);
13017 } else if (!test->prog_type) {
13020 printf("#%d/u %s ", i, test->descr);
13021 do_test_single(test, true, &passes, &errors);
13027 printf("#%d/p %s SKIP\n", i, test->descr);
13030 printf("#%d/p %s ", i, test->descr);
13031 do_test_single(test, false, &passes, &errors);
13035 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
13037 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
13040 int main(int argc, char **argv)
13042 unsigned int from = 0, to = ARRAY_SIZE(tests);
13043 bool unpriv = !is_admin();
13046 unsigned int l = atoi(argv[argc - 2]);
13047 unsigned int u = atoi(argv[argc - 1]);
13049 if (l < to && u < to) {
13053 } else if (argc == 2) {
13054 unsigned int t = atoi(argv[argc - 1]);
13062 get_unpriv_disabled();
13063 if (unpriv && unpriv_disabled) {
13064 printf("Cannot run as unprivileged user with sysctl %s.\n",
13066 return EXIT_FAILURE;
13069 bpf_semi_rand_init();
13070 return do_test(unpriv, from, to);
OSDN Git Service
