2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
46 #include "../../../include/linux/filter.h"
48 #define MAX_INSNS BPF_MAXINSNS
51 #define POINTER_VALUE 0xcafe4all
52 #define TEST_DATA_LEN 64
54 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
55 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
57 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
58 static bool unpriv_disabled = false;
62 struct bpf_insn insns[MAX_INSNS];
63 int fixup_map1[MAX_FIXUPS];
64 int fixup_map2[MAX_FIXUPS];
65 int fixup_map3[MAX_FIXUPS];
66 int fixup_map4[MAX_FIXUPS];
67 int fixup_prog1[MAX_FIXUPS];
68 int fixup_prog2[MAX_FIXUPS];
69 int fixup_map_in_map[MAX_FIXUPS];
70 int fixup_cgroup_storage[MAX_FIXUPS];
72 const char *errstr_unpriv;
78 } result, result_unpriv;
79 enum bpf_prog_type prog_type;
81 __u8 data[TEST_DATA_LEN];
82 void (*fill_helper)(struct bpf_test *self);
85 /* Note we want this to be 64 bit aligned so that the end of our array is
86 * actually the end of the structure.
88 #define MAX_ENTRIES 11
100 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
102 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
104 unsigned int len = BPF_MAXINSNS;
105 struct bpf_insn *insn = self->insns;
108 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
110 for (j = 0; j < PUSH_CNT; j++) {
111 insn[i++] = BPF_LD_ABS(BPF_B, 0);
112 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
114 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
115 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
116 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
117 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
118 BPF_FUNC_skb_vlan_push),
119 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
123 for (j = 0; j < PUSH_CNT; j++) {
124 insn[i++] = BPF_LD_ABS(BPF_B, 0);
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
127 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
128 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
129 BPF_FUNC_skb_vlan_pop),
130 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
136 for (; i < len - 1; i++)
137 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
138 insn[len - 1] = BPF_EXIT_INSN();
141 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
143 struct bpf_insn *insn = self->insns;
144 unsigned int len = BPF_MAXINSNS;
147 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
148 insn[i++] = BPF_LD_ABS(BPF_B, 0);
149 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
152 insn[i++] = BPF_LD_ABS(BPF_B, 1);
153 insn[i] = BPF_EXIT_INSN();
156 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
158 struct bpf_insn *insn = self->insns;
162 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
163 while (i < self->retval) {
164 uint64_t val = bpf_semi_rand_get();
165 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
170 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
172 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
173 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
174 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175 insn[i] = BPF_EXIT_INSN();
177 self->retval = (uint32_t)res;
180 static struct bpf_test tests[] = {
184 BPF_MOV64_IMM(BPF_REG_1, 1),
185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
186 BPF_MOV64_IMM(BPF_REG_2, 3),
187 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
189 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
190 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
197 "DIV32 by 0, zero check 1",
199 BPF_MOV32_IMM(BPF_REG_0, 42),
200 BPF_MOV32_IMM(BPF_REG_1, 0),
201 BPF_MOV32_IMM(BPF_REG_2, 1),
202 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
209 "DIV32 by 0, zero check 2",
211 BPF_MOV32_IMM(BPF_REG_0, 42),
212 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
213 BPF_MOV32_IMM(BPF_REG_2, 1),
214 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
221 "DIV64 by 0, zero check",
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
233 "MOD32 by 0, zero check 1",
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_MOV32_IMM(BPF_REG_1, 0),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
245 "MOD32 by 0, zero check 2",
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
257 "MOD64 by 0, zero check",
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
269 "DIV32 by 0, zero check ok, cls",
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_MOV32_IMM(BPF_REG_1, 2),
273 BPF_MOV32_IMM(BPF_REG_2, 16),
274 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
275 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
278 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
283 "DIV32 by 0, zero check 1, cls",
285 BPF_MOV32_IMM(BPF_REG_1, 0),
286 BPF_MOV32_IMM(BPF_REG_0, 1),
287 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
295 "DIV32 by 0, zero check 2, cls",
297 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
298 BPF_MOV32_IMM(BPF_REG_0, 1),
299 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
307 "DIV64 by 0, zero check, cls",
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "MOD32 by 0, zero check ok, cls",
321 BPF_MOV32_IMM(BPF_REG_0, 42),
322 BPF_MOV32_IMM(BPF_REG_1, 3),
323 BPF_MOV32_IMM(BPF_REG_2, 5),
324 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
325 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
328 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
333 "MOD32 by 0, zero check 1, cls",
335 BPF_MOV32_IMM(BPF_REG_1, 0),
336 BPF_MOV32_IMM(BPF_REG_0, 1),
337 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
345 "MOD32 by 0, zero check 2, cls",
347 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
348 BPF_MOV32_IMM(BPF_REG_0, 1),
349 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357 "MOD64 by 0, zero check 1, cls",
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 2),
361 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
369 "MOD64 by 0, zero check 2, cls",
371 BPF_MOV32_IMM(BPF_REG_1, 0),
372 BPF_MOV32_IMM(BPF_REG_0, -1),
373 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
380 /* Just make sure that JITs used udiv/umod as otherwise we get
381 * an exception from INT_MIN/-1 overflow similarly as with div
385 "DIV32 overflow, check 1",
387 BPF_MOV32_IMM(BPF_REG_1, -1),
388 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
389 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
397 "DIV32 overflow, check 2",
399 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
400 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
403 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
408 "DIV64 overflow, check 1",
410 BPF_MOV64_IMM(BPF_REG_1, -1),
411 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
412 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
415 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
420 "DIV64 overflow, check 2",
422 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
423 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
431 "MOD32 overflow, check 1",
433 BPF_MOV32_IMM(BPF_REG_1, -1),
434 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
435 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
443 "MOD32 overflow, check 2",
445 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
446 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
454 "MOD64 overflow, check 1",
456 BPF_MOV64_IMM(BPF_REG_1, -1),
457 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
458 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
459 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
460 BPF_MOV32_IMM(BPF_REG_0, 0),
461 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
462 BPF_MOV32_IMM(BPF_REG_0, 1),
465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
470 "MOD64 overflow, check 2",
472 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
473 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
474 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
475 BPF_MOV32_IMM(BPF_REG_0, 0),
476 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
477 BPF_MOV32_IMM(BPF_REG_0, 1),
480 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
485 "xor32 zero extend check",
487 BPF_MOV32_IMM(BPF_REG_2, -1),
488 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
489 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
490 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
491 BPF_MOV32_IMM(BPF_REG_0, 2),
492 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
493 BPF_MOV32_IMM(BPF_REG_0, 1),
496 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
504 .errstr = "unknown opcode 00",
512 .errstr = "R0 !read_ok",
521 .errstr = "unreachable",
527 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
528 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
531 .errstr = "unreachable",
537 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
540 .errstr = "jump out of range",
544 "out of range jump2",
546 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
549 .errstr = "jump out of range",
555 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
556 BPF_LD_IMM64(BPF_REG_0, 0),
557 BPF_LD_IMM64(BPF_REG_0, 0),
558 BPF_LD_IMM64(BPF_REG_0, 1),
559 BPF_LD_IMM64(BPF_REG_0, 1),
560 BPF_MOV64_IMM(BPF_REG_0, 2),
563 .errstr = "invalid BPF_LD_IMM insn",
564 .errstr_unpriv = "R1 pointer comparison",
570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
571 BPF_LD_IMM64(BPF_REG_0, 0),
572 BPF_LD_IMM64(BPF_REG_0, 0),
573 BPF_LD_IMM64(BPF_REG_0, 1),
574 BPF_LD_IMM64(BPF_REG_0, 1),
577 .errstr = "invalid BPF_LD_IMM insn",
578 .errstr_unpriv = "R1 pointer comparison",
584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
585 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
586 BPF_LD_IMM64(BPF_REG_0, 0),
587 BPF_LD_IMM64(BPF_REG_0, 0),
588 BPF_LD_IMM64(BPF_REG_0, 1),
589 BPF_LD_IMM64(BPF_REG_0, 1),
592 .errstr = "invalid bpf_ld_imm64 insn",
598 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
601 .errstr = "invalid bpf_ld_imm64 insn",
607 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
609 .errstr = "invalid bpf_ld_imm64 insn",
615 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
616 BPF_RAW_INSN(0, 0, 0, 0, 0),
624 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
625 BPF_RAW_INSN(0, 0, 0, 0, 1),
634 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
635 BPF_RAW_INSN(0, 0, 0, 0, 1),
638 .errstr = "uses reserved fields",
644 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
645 BPF_RAW_INSN(0, 0, 0, 1, 1),
648 .errstr = "invalid bpf_ld_imm64 insn",
654 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
655 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
658 .errstr = "invalid bpf_ld_imm64 insn",
664 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
665 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
668 .errstr = "invalid bpf_ld_imm64 insn",
674 BPF_MOV64_IMM(BPF_REG_1, 0),
675 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
676 BPF_RAW_INSN(0, 0, 0, 0, 1),
679 .errstr = "not pointing to valid bpf_map",
685 BPF_MOV64_IMM(BPF_REG_1, 0),
686 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
687 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690 .errstr = "invalid bpf_ld_imm64 insn",
696 BPF_MOV64_IMM(BPF_REG_0, 1),
697 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
701 .errstr = "unknown opcode c4",
706 BPF_MOV64_IMM(BPF_REG_0, 1),
707 BPF_MOV64_IMM(BPF_REG_1, 5),
708 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
712 .errstr = "unknown opcode cc",
717 BPF_MOV64_IMM(BPF_REG_0, 1),
718 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
726 BPF_MOV64_IMM(BPF_REG_0, 1),
727 BPF_MOV64_IMM(BPF_REG_1, 5),
728 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
736 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
738 .errstr = "not an exit",
744 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
747 .errstr = "back-edge",
753 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
755 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
756 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
759 .errstr = "back-edge",
765 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
767 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
771 .errstr = "back-edge",
775 "read uninitialized register",
777 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
780 .errstr = "R2 !read_ok",
784 "read invalid register",
786 BPF_MOV64_REG(BPF_REG_0, -1),
789 .errstr = "R15 is invalid",
793 "program doesn't init R0 before exit",
795 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
798 .errstr = "R0 !read_ok",
802 "program doesn't init R0 before exit in all branches",
804 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
805 BPF_MOV64_IMM(BPF_REG_0, 1),
806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
809 .errstr = "R0 !read_ok",
810 .errstr_unpriv = "R1 pointer comparison",
814 "stack out of bounds",
816 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
819 .errstr = "invalid stack",
823 "invalid call insn1",
825 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
828 .errstr = "unknown opcode 8d",
832 "invalid call insn2",
834 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
837 .errstr = "BPF_CALL uses reserved",
841 "invalid function call",
843 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
846 .errstr = "invalid func unknown#1234567",
850 "uninitialized stack1",
852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
854 BPF_LD_MAP_FD(BPF_REG_1, 0),
855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
856 BPF_FUNC_map_lookup_elem),
860 .errstr = "invalid indirect read from stack",
864 "uninitialized stack2",
866 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
867 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
870 .errstr = "invalid read from stack",
874 "invalid fp arithmetic",
875 /* If this gets ever changed, make sure JITs can deal with it. */
877 BPF_MOV64_IMM(BPF_REG_0, 0),
878 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
879 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
880 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
883 .errstr = "R1 subtraction from stack pointer",
887 "non-invalid fp arithmetic",
889 BPF_MOV64_IMM(BPF_REG_0, 0),
890 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
896 "invalid argument register",
898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
899 BPF_FUNC_get_cgroup_classid),
900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 BPF_FUNC_get_cgroup_classid),
904 .errstr = "R1 !read_ok",
906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
909 "non-invalid argument register",
911 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
913 BPF_FUNC_get_cgroup_classid),
914 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916 BPF_FUNC_get_cgroup_classid),
920 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
923 "check valid spill/fill",
925 /* spill R1(ctx) into stack */
926 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
927 /* fill it back into R2 */
928 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
929 /* should be able to access R0 = *(R2 + 8) */
930 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
931 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
934 .errstr_unpriv = "R0 leaks addr",
936 .result_unpriv = REJECT,
937 .retval = POINTER_VALUE,
940 "check valid spill/fill, skb mark",
942 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
943 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
944 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
945 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
946 offsetof(struct __sk_buff, mark)),
950 .result_unpriv = ACCEPT,
953 "check corrupted spill/fill",
955 /* spill R1(ctx) into stack */
956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
957 /* mess up with R1 pointer on stack */
958 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
959 /* fill back into R0 should fail */
960 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
963 .errstr_unpriv = "attempt to corrupt spilled",
964 .errstr = "corrupted spill",
968 "invalid src register in STX",
970 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
973 .errstr = "R15 is invalid",
977 "invalid dst register in STX",
979 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
982 .errstr = "R14 is invalid",
986 "invalid dst register in ST",
988 BPF_ST_MEM(BPF_B, 14, -1, -1),
991 .errstr = "R14 is invalid",
995 "invalid src register in LDX",
997 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1000 .errstr = "R12 is invalid",
1004 "invalid dst register in LDX",
1006 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1009 .errstr = "R11 is invalid",
1015 BPF_RAW_INSN(0, 0, 0, 0, 0),
1018 .errstr = "unknown opcode 00",
1024 BPF_RAW_INSN(1, 0, 0, 0, 0),
1027 .errstr = "BPF_LDX uses reserved fields",
1033 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1036 .errstr = "unknown opcode ff",
1042 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1045 .errstr = "unknown opcode ff",
1051 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1054 .errstr = "BPF_ALU uses reserved fields",
1058 "misaligned read from stack",
1060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1064 .errstr = "misaligned stack access",
1068 "invalid map_fd for function call",
1070 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1071 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1073 BPF_LD_MAP_FD(BPF_REG_1, 0),
1074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1075 BPF_FUNC_map_delete_elem),
1078 .errstr = "fd 0 is not pointing to valid bpf_map",
1082 "don't check return value before access",
1084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1089 BPF_FUNC_map_lookup_elem),
1090 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1093 .fixup_map1 = { 3 },
1094 .errstr = "R0 invalid mem access 'map_value_or_null'",
1098 "access memory with incorrect alignment",
1100 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1103 BPF_LD_MAP_FD(BPF_REG_1, 0),
1104 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1105 BPF_FUNC_map_lookup_elem),
1106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1107 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1110 .fixup_map1 = { 3 },
1111 .errstr = "misaligned value access",
1113 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1116 "sometimes access memory with incorrect alignment",
1118 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1119 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1121 BPF_LD_MAP_FD(BPF_REG_1, 0),
1122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1123 BPF_FUNC_map_lookup_elem),
1124 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1130 .fixup_map1 = { 3 },
1131 .errstr = "R0 invalid mem access",
1132 .errstr_unpriv = "R0 leaks addr",
1134 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1140 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1142 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1144 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1146 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1148 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1150 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1152 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1153 BPF_MOV64_IMM(BPF_REG_0, 0),
1156 .errstr_unpriv = "R1 pointer comparison",
1157 .result_unpriv = REJECT,
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1165 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1166 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1169 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1171 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1172 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1175 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1177 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1178 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1180 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1181 BPF_MOV64_IMM(BPF_REG_0, 0),
1184 .errstr_unpriv = "R1 pointer comparison",
1185 .result_unpriv = REJECT,
1191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1193 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1195 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1197 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1203 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1204 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1205 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1207 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1209 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1211 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1212 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1213 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1215 BPF_LD_MAP_FD(BPF_REG_1, 0),
1216 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1217 BPF_FUNC_map_delete_elem),
1220 .fixup_map1 = { 24 },
1221 .errstr_unpriv = "R1 pointer comparison",
1222 .result_unpriv = REJECT,
1229 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 BPF_MOV64_IMM(BPF_REG_0, 0),
1272 .errstr_unpriv = "R1 pointer comparison",
1273 .result_unpriv = REJECT,
1279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1280 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1281 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1282 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1283 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1284 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1285 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1286 BPF_MOV64_IMM(BPF_REG_0, 0),
1287 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1288 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1289 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1290 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1291 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1292 BPF_MOV64_IMM(BPF_REG_0, 0),
1293 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1295 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1296 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1297 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1298 BPF_MOV64_IMM(BPF_REG_0, 0),
1299 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1300 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1301 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1302 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1303 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1304 BPF_MOV64_IMM(BPF_REG_0, 0),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1313 .errstr_unpriv = "R1 pointer comparison",
1314 .result_unpriv = REJECT,
1318 "access skb fields ok",
1320 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1321 offsetof(struct __sk_buff, len)),
1322 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, mark)),
1325 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 offsetof(struct __sk_buff, pkt_type)),
1328 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, queue_mapping)),
1331 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1332 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333 offsetof(struct __sk_buff, protocol)),
1334 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, vlan_present)),
1337 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339 offsetof(struct __sk_buff, vlan_tci)),
1340 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342 offsetof(struct __sk_buff, napi_id)),
1343 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1349 "access skb fields bad1",
1351 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1354 .errstr = "invalid bpf_context access",
1358 "access skb fields bad2",
1360 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1361 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364 BPF_LD_MAP_FD(BPF_REG_1, 0),
1365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366 BPF_FUNC_map_lookup_elem),
1367 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, pkt_type)),
1374 .fixup_map1 = { 4 },
1375 .errstr = "different pointers",
1376 .errstr_unpriv = "R1 pointer comparison",
1380 "access skb fields bad3",
1382 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1383 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384 offsetof(struct __sk_buff, pkt_type)),
1386 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1389 BPF_LD_MAP_FD(BPF_REG_1, 0),
1390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1391 BPF_FUNC_map_lookup_elem),
1392 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1394 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1395 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1397 .fixup_map1 = { 6 },
1398 .errstr = "different pointers",
1399 .errstr_unpriv = "R1 pointer comparison",
1403 "access skb fields bad4",
1405 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1406 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1407 offsetof(struct __sk_buff, len)),
1408 BPF_MOV64_IMM(BPF_REG_0, 0),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1421 .fixup_map1 = { 7 },
1422 .errstr = "different pointers",
1423 .errstr_unpriv = "R1 pointer comparison",
1427 "invalid access __sk_buff family",
1429 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1430 offsetof(struct __sk_buff, family)),
1433 .errstr = "invalid bpf_context access",
1437 "invalid access __sk_buff remote_ip4",
1439 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1440 offsetof(struct __sk_buff, remote_ip4)),
1443 .errstr = "invalid bpf_context access",
1447 "invalid access __sk_buff local_ip4",
1449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1450 offsetof(struct __sk_buff, local_ip4)),
1453 .errstr = "invalid bpf_context access",
1457 "invalid access __sk_buff remote_ip6",
1459 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1460 offsetof(struct __sk_buff, remote_ip6)),
1463 .errstr = "invalid bpf_context access",
1467 "invalid access __sk_buff local_ip6",
1469 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1470 offsetof(struct __sk_buff, local_ip6)),
1473 .errstr = "invalid bpf_context access",
1477 "invalid access __sk_buff remote_port",
1479 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1480 offsetof(struct __sk_buff, remote_port)),
1483 .errstr = "invalid bpf_context access",
1487 "invalid access __sk_buff remote_port",
1489 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490 offsetof(struct __sk_buff, local_port)),
1493 .errstr = "invalid bpf_context access",
1497 "valid access __sk_buff family",
1499 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1500 offsetof(struct __sk_buff, family)),
1504 .prog_type = BPF_PROG_TYPE_SK_SKB,
1507 "valid access __sk_buff remote_ip4",
1509 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1510 offsetof(struct __sk_buff, remote_ip4)),
1514 .prog_type = BPF_PROG_TYPE_SK_SKB,
1517 "valid access __sk_buff local_ip4",
1519 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1520 offsetof(struct __sk_buff, local_ip4)),
1524 .prog_type = BPF_PROG_TYPE_SK_SKB,
1527 "valid access __sk_buff remote_ip6",
1529 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1530 offsetof(struct __sk_buff, remote_ip6[0])),
1531 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 offsetof(struct __sk_buff, remote_ip6[1])),
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip6[2])),
1535 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 offsetof(struct __sk_buff, remote_ip6[3])),
1540 .prog_type = BPF_PROG_TYPE_SK_SKB,
1543 "valid access __sk_buff local_ip6",
1545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1546 offsetof(struct __sk_buff, local_ip6[0])),
1547 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 offsetof(struct __sk_buff, local_ip6[1])),
1549 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 offsetof(struct __sk_buff, local_ip6[2])),
1551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 offsetof(struct __sk_buff, local_ip6[3])),
1556 .prog_type = BPF_PROG_TYPE_SK_SKB,
1559 "valid access __sk_buff remote_port",
1561 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1562 offsetof(struct __sk_buff, remote_port)),
1566 .prog_type = BPF_PROG_TYPE_SK_SKB,
1569 "valid access __sk_buff remote_port",
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_port)),
1576 .prog_type = BPF_PROG_TYPE_SK_SKB,
1579 "invalid access of tc_classid for SK_SKB",
1581 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1582 offsetof(struct __sk_buff, tc_classid)),
1586 .prog_type = BPF_PROG_TYPE_SK_SKB,
1587 .errstr = "invalid bpf_context access",
1590 "invalid access of skb->mark for SK_SKB",
1592 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593 offsetof(struct __sk_buff, mark)),
1597 .prog_type = BPF_PROG_TYPE_SK_SKB,
1598 .errstr = "invalid bpf_context access",
1601 "check skb->mark is not writeable by SK_SKB",
1603 BPF_MOV64_IMM(BPF_REG_0, 0),
1604 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605 offsetof(struct __sk_buff, mark)),
1609 .prog_type = BPF_PROG_TYPE_SK_SKB,
1610 .errstr = "invalid bpf_context access",
1613 "check skb->tc_index is writeable by SK_SKB",
1615 BPF_MOV64_IMM(BPF_REG_0, 0),
1616 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1617 offsetof(struct __sk_buff, tc_index)),
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1624 "check skb->priority is writeable by SK_SKB",
1626 BPF_MOV64_IMM(BPF_REG_0, 0),
1627 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1628 offsetof(struct __sk_buff, priority)),
1632 .prog_type = BPF_PROG_TYPE_SK_SKB,
1635 "direct packet read for SK_SKB",
1637 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1638 offsetof(struct __sk_buff, data)),
1639 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1640 offsetof(struct __sk_buff, data_end)),
1641 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1643 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1644 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1645 BPF_MOV64_IMM(BPF_REG_0, 0),
1649 .prog_type = BPF_PROG_TYPE_SK_SKB,
1652 "direct packet write for SK_SKB",
1654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1655 offsetof(struct __sk_buff, data)),
1656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1657 offsetof(struct __sk_buff, data_end)),
1658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1661 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1662 BPF_MOV64_IMM(BPF_REG_0, 0),
1666 .prog_type = BPF_PROG_TYPE_SK_SKB,
1669 "overlapping checks for direct packet access SK_SKB",
1671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1672 offsetof(struct __sk_buff, data)),
1673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1674 offsetof(struct __sk_buff, data_end)),
1675 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1677 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1680 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1681 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1682 BPF_MOV64_IMM(BPF_REG_0, 0),
1686 .prog_type = BPF_PROG_TYPE_SK_SKB,
1689 "valid access family in SK_MSG",
1691 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1692 offsetof(struct sk_msg_md, family)),
1696 .prog_type = BPF_PROG_TYPE_SK_MSG,
1699 "valid access remote_ip4 in SK_MSG",
1701 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1702 offsetof(struct sk_msg_md, remote_ip4)),
1706 .prog_type = BPF_PROG_TYPE_SK_MSG,
1709 "valid access local_ip4 in SK_MSG",
1711 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1712 offsetof(struct sk_msg_md, local_ip4)),
1716 .prog_type = BPF_PROG_TYPE_SK_MSG,
1719 "valid access remote_port in SK_MSG",
1721 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1722 offsetof(struct sk_msg_md, remote_port)),
1726 .prog_type = BPF_PROG_TYPE_SK_MSG,
1729 "valid access local_port in SK_MSG",
1731 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1732 offsetof(struct sk_msg_md, local_port)),
1736 .prog_type = BPF_PROG_TYPE_SK_MSG,
1739 "valid access remote_ip6 in SK_MSG",
1741 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1742 offsetof(struct sk_msg_md, remote_ip6[0])),
1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct sk_msg_md, remote_ip6[1])),
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_ip6[2])),
1747 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748 offsetof(struct sk_msg_md, remote_ip6[3])),
1752 .prog_type = BPF_PROG_TYPE_SK_SKB,
1755 "valid access local_ip6 in SK_MSG",
1757 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1758 offsetof(struct sk_msg_md, local_ip6[0])),
1759 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760 offsetof(struct sk_msg_md, local_ip6[1])),
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct sk_msg_md, local_ip6[2])),
1763 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764 offsetof(struct sk_msg_md, local_ip6[3])),
1768 .prog_type = BPF_PROG_TYPE_SK_SKB,
1771 "invalid 64B read of family in SK_MSG",
1773 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1774 offsetof(struct sk_msg_md, family)),
1777 .errstr = "invalid bpf_context access",
1779 .prog_type = BPF_PROG_TYPE_SK_MSG,
1782 "invalid read past end of SK_MSG",
1784 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1785 offsetof(struct sk_msg_md, local_port) + 4),
1788 .errstr = "R0 !read_ok",
1790 .prog_type = BPF_PROG_TYPE_SK_MSG,
1793 "invalid read offset in SK_MSG",
1795 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1796 offsetof(struct sk_msg_md, family) + 1),
1799 .errstr = "invalid bpf_context access",
1801 .prog_type = BPF_PROG_TYPE_SK_MSG,
1804 "direct packet read for SK_MSG",
1806 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1807 offsetof(struct sk_msg_md, data)),
1808 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1809 offsetof(struct sk_msg_md, data_end)),
1810 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1812 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1813 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1814 BPF_MOV64_IMM(BPF_REG_0, 0),
1818 .prog_type = BPF_PROG_TYPE_SK_MSG,
1821 "direct packet write for SK_MSG",
1823 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1824 offsetof(struct sk_msg_md, data)),
1825 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1826 offsetof(struct sk_msg_md, data_end)),
1827 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1829 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1830 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1831 BPF_MOV64_IMM(BPF_REG_0, 0),
1835 .prog_type = BPF_PROG_TYPE_SK_MSG,
1838 "overlapping checks for direct packet access SK_MSG",
1840 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1841 offsetof(struct sk_msg_md, data)),
1842 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1843 offsetof(struct sk_msg_md, data_end)),
1844 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1846 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1847 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1849 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1850 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1851 BPF_MOV64_IMM(BPF_REG_0, 0),
1855 .prog_type = BPF_PROG_TYPE_SK_MSG,
1858 "check skb->mark is not writeable by sockets",
1860 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1861 offsetof(struct __sk_buff, mark)),
1864 .errstr = "invalid bpf_context access",
1865 .errstr_unpriv = "R1 leaks addr",
1869 "check skb->tc_index is not writeable by sockets",
1871 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1872 offsetof(struct __sk_buff, tc_index)),
1875 .errstr = "invalid bpf_context access",
1876 .errstr_unpriv = "R1 leaks addr",
1880 "check cb access: byte",
1882 BPF_MOV64_IMM(BPF_REG_0, 0),
1883 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1884 offsetof(struct __sk_buff, cb[0])),
1885 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886 offsetof(struct __sk_buff, cb[0]) + 1),
1887 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888 offsetof(struct __sk_buff, cb[0]) + 2),
1889 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890 offsetof(struct __sk_buff, cb[0]) + 3),
1891 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892 offsetof(struct __sk_buff, cb[1])),
1893 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894 offsetof(struct __sk_buff, cb[1]) + 1),
1895 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896 offsetof(struct __sk_buff, cb[1]) + 2),
1897 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898 offsetof(struct __sk_buff, cb[1]) + 3),
1899 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900 offsetof(struct __sk_buff, cb[2])),
1901 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902 offsetof(struct __sk_buff, cb[2]) + 1),
1903 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904 offsetof(struct __sk_buff, cb[2]) + 2),
1905 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906 offsetof(struct __sk_buff, cb[2]) + 3),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[3])),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[3]) + 1),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[3]) + 2),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[3]) + 3),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[4])),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[4]) + 1),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[4]) + 2),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[4]) + 3),
1923 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1924 offsetof(struct __sk_buff, cb[0])),
1925 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926 offsetof(struct __sk_buff, cb[0]) + 1),
1927 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928 offsetof(struct __sk_buff, cb[0]) + 2),
1929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930 offsetof(struct __sk_buff, cb[0]) + 3),
1931 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932 offsetof(struct __sk_buff, cb[1])),
1933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934 offsetof(struct __sk_buff, cb[1]) + 1),
1935 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936 offsetof(struct __sk_buff, cb[1]) + 2),
1937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938 offsetof(struct __sk_buff, cb[1]) + 3),
1939 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940 offsetof(struct __sk_buff, cb[2])),
1941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942 offsetof(struct __sk_buff, cb[2]) + 1),
1943 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944 offsetof(struct __sk_buff, cb[2]) + 2),
1945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946 offsetof(struct __sk_buff, cb[2]) + 3),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[3])),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[3]) + 1),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[3]) + 2),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[3]) + 3),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[4])),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[4]) + 1),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[4]) + 2),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[4]) + 3),
1968 "__sk_buff->hash, offset 0, byte store not permitted",
1970 BPF_MOV64_IMM(BPF_REG_0, 0),
1971 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1972 offsetof(struct __sk_buff, hash)),
1975 .errstr = "invalid bpf_context access",
1979 "__sk_buff->tc_index, offset 3, byte store not permitted",
1981 BPF_MOV64_IMM(BPF_REG_0, 0),
1982 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1983 offsetof(struct __sk_buff, tc_index) + 3),
1986 .errstr = "invalid bpf_context access",
1990 "check skb->hash byte load permitted",
1992 BPF_MOV64_IMM(BPF_REG_0, 0),
1993 #if __BYTE_ORDER == __LITTLE_ENDIAN
1994 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1995 offsetof(struct __sk_buff, hash)),
1997 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1998 offsetof(struct __sk_buff, hash) + 3),
2005 "check skb->hash byte load not permitted 1",
2007 BPF_MOV64_IMM(BPF_REG_0, 0),
2008 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2009 offsetof(struct __sk_buff, hash) + 1),
2012 .errstr = "invalid bpf_context access",
2016 "check skb->hash byte load not permitted 2",
2018 BPF_MOV64_IMM(BPF_REG_0, 0),
2019 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020 offsetof(struct __sk_buff, hash) + 2),
2023 .errstr = "invalid bpf_context access",
2027 "check skb->hash byte load not permitted 3",
2029 BPF_MOV64_IMM(BPF_REG_0, 0),
2030 #if __BYTE_ORDER == __LITTLE_ENDIAN
2031 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032 offsetof(struct __sk_buff, hash) + 3),
2034 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2035 offsetof(struct __sk_buff, hash)),
2039 .errstr = "invalid bpf_context access",
2043 "check cb access: byte, wrong type",
2045 BPF_MOV64_IMM(BPF_REG_0, 0),
2046 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2047 offsetof(struct __sk_buff, cb[0])),
2050 .errstr = "invalid bpf_context access",
2052 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2055 "check cb access: half",
2057 BPF_MOV64_IMM(BPF_REG_0, 0),
2058 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2059 offsetof(struct __sk_buff, cb[0])),
2060 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2061 offsetof(struct __sk_buff, cb[0]) + 2),
2062 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2063 offsetof(struct __sk_buff, cb[1])),
2064 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2065 offsetof(struct __sk_buff, cb[1]) + 2),
2066 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2067 offsetof(struct __sk_buff, cb[2])),
2068 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2069 offsetof(struct __sk_buff, cb[2]) + 2),
2070 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2071 offsetof(struct __sk_buff, cb[3])),
2072 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2073 offsetof(struct __sk_buff, cb[3]) + 2),
2074 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2075 offsetof(struct __sk_buff, cb[4])),
2076 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2077 offsetof(struct __sk_buff, cb[4]) + 2),
2078 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2079 offsetof(struct __sk_buff, cb[0])),
2080 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2081 offsetof(struct __sk_buff, cb[0]) + 2),
2082 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2083 offsetof(struct __sk_buff, cb[1])),
2084 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2085 offsetof(struct __sk_buff, cb[1]) + 2),
2086 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2087 offsetof(struct __sk_buff, cb[2])),
2088 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2089 offsetof(struct __sk_buff, cb[2]) + 2),
2090 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2091 offsetof(struct __sk_buff, cb[3])),
2092 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2093 offsetof(struct __sk_buff, cb[3]) + 2),
2094 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2095 offsetof(struct __sk_buff, cb[4])),
2096 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2097 offsetof(struct __sk_buff, cb[4]) + 2),
2103 "check cb access: half, unaligned",
2105 BPF_MOV64_IMM(BPF_REG_0, 0),
2106 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2107 offsetof(struct __sk_buff, cb[0]) + 1),
2110 .errstr = "misaligned context access",
2112 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2115 "check __sk_buff->hash, offset 0, half store not permitted",
2117 BPF_MOV64_IMM(BPF_REG_0, 0),
2118 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2119 offsetof(struct __sk_buff, hash)),
2122 .errstr = "invalid bpf_context access",
2126 "check __sk_buff->tc_index, offset 2, half store not permitted",
2128 BPF_MOV64_IMM(BPF_REG_0, 0),
2129 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2130 offsetof(struct __sk_buff, tc_index) + 2),
2133 .errstr = "invalid bpf_context access",
2137 "check skb->hash half load permitted",
2139 BPF_MOV64_IMM(BPF_REG_0, 0),
2140 #if __BYTE_ORDER == __LITTLE_ENDIAN
2141 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2142 offsetof(struct __sk_buff, hash)),
2144 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2145 offsetof(struct __sk_buff, hash) + 2),
2152 "check skb->hash half load not permitted",
2154 BPF_MOV64_IMM(BPF_REG_0, 0),
2155 #if __BYTE_ORDER == __LITTLE_ENDIAN
2156 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2157 offsetof(struct __sk_buff, hash) + 2),
2159 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2160 offsetof(struct __sk_buff, hash)),
2164 .errstr = "invalid bpf_context access",
2168 "check cb access: half, wrong type",
2170 BPF_MOV64_IMM(BPF_REG_0, 0),
2171 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2172 offsetof(struct __sk_buff, cb[0])),
2175 .errstr = "invalid bpf_context access",
2177 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2180 "check cb access: word",
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2183 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2184 offsetof(struct __sk_buff, cb[0])),
2185 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186 offsetof(struct __sk_buff, cb[1])),
2187 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2188 offsetof(struct __sk_buff, cb[2])),
2189 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190 offsetof(struct __sk_buff, cb[3])),
2191 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192 offsetof(struct __sk_buff, cb[4])),
2193 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2194 offsetof(struct __sk_buff, cb[0])),
2195 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2196 offsetof(struct __sk_buff, cb[1])),
2197 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2198 offsetof(struct __sk_buff, cb[2])),
2199 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2200 offsetof(struct __sk_buff, cb[3])),
2201 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2202 offsetof(struct __sk_buff, cb[4])),
2208 "check cb access: word, unaligned 1",
2210 BPF_MOV64_IMM(BPF_REG_0, 0),
2211 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, cb[0]) + 2),
2215 .errstr = "misaligned context access",
2217 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2220 "check cb access: word, unaligned 2",
2222 BPF_MOV64_IMM(BPF_REG_0, 0),
2223 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2224 offsetof(struct __sk_buff, cb[4]) + 1),
2227 .errstr = "misaligned context access",
2229 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2232 "check cb access: word, unaligned 3",
2234 BPF_MOV64_IMM(BPF_REG_0, 0),
2235 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 offsetof(struct __sk_buff, cb[4]) + 2),
2239 .errstr = "misaligned context access",
2241 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2244 "check cb access: word, unaligned 4",
2246 BPF_MOV64_IMM(BPF_REG_0, 0),
2247 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 offsetof(struct __sk_buff, cb[4]) + 3),
2251 .errstr = "misaligned context access",
2253 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2256 "check cb access: double",
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2260 offsetof(struct __sk_buff, cb[0])),
2261 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2262 offsetof(struct __sk_buff, cb[2])),
2263 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2264 offsetof(struct __sk_buff, cb[0])),
2265 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2266 offsetof(struct __sk_buff, cb[2])),
2272 "check cb access: double, unaligned 1",
2274 BPF_MOV64_IMM(BPF_REG_0, 0),
2275 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2276 offsetof(struct __sk_buff, cb[1])),
2279 .errstr = "misaligned context access",
2281 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2284 "check cb access: double, unaligned 2",
2286 BPF_MOV64_IMM(BPF_REG_0, 0),
2287 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2288 offsetof(struct __sk_buff, cb[3])),
2291 .errstr = "misaligned context access",
2293 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2296 "check cb access: double, oob 1",
2298 BPF_MOV64_IMM(BPF_REG_0, 0),
2299 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 offsetof(struct __sk_buff, cb[4])),
2303 .errstr = "invalid bpf_context access",
2307 "check cb access: double, oob 2",
2309 BPF_MOV64_IMM(BPF_REG_0, 0),
2310 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2311 offsetof(struct __sk_buff, cb[4])),
2314 .errstr = "invalid bpf_context access",
2318 "check __sk_buff->ifindex dw store not permitted",
2320 BPF_MOV64_IMM(BPF_REG_0, 0),
2321 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2322 offsetof(struct __sk_buff, ifindex)),
2325 .errstr = "invalid bpf_context access",
2329 "check __sk_buff->ifindex dw load not permitted",
2331 BPF_MOV64_IMM(BPF_REG_0, 0),
2332 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2333 offsetof(struct __sk_buff, ifindex)),
2336 .errstr = "invalid bpf_context access",
2340 "check cb access: double, wrong type",
2342 BPF_MOV64_IMM(BPF_REG_0, 0),
2343 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2344 offsetof(struct __sk_buff, cb[0])),
2347 .errstr = "invalid bpf_context access",
2349 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2352 "check out of range skb->cb access",
2354 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2355 offsetof(struct __sk_buff, cb[0]) + 256),
2358 .errstr = "invalid bpf_context access",
2359 .errstr_unpriv = "",
2361 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2364 "write skb fields from socket prog",
2366 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2367 offsetof(struct __sk_buff, cb[4])),
2368 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2369 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2370 offsetof(struct __sk_buff, mark)),
2371 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2372 offsetof(struct __sk_buff, tc_index)),
2373 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2374 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2375 offsetof(struct __sk_buff, cb[0])),
2376 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2377 offsetof(struct __sk_buff, cb[2])),
2381 .errstr_unpriv = "R1 leaks addr",
2382 .result_unpriv = REJECT,
2385 "write skb fields from tc_cls_act prog",
2387 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2388 offsetof(struct __sk_buff, cb[0])),
2389 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2390 offsetof(struct __sk_buff, mark)),
2391 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2392 offsetof(struct __sk_buff, tc_index)),
2393 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2394 offsetof(struct __sk_buff, tc_index)),
2395 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2396 offsetof(struct __sk_buff, cb[3])),
2399 .errstr_unpriv = "",
2400 .result_unpriv = REJECT,
2402 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2405 "PTR_TO_STACK store/load",
2407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2409 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2410 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2414 .retval = 0xfaceb00c,
2417 "PTR_TO_STACK store/load - bad alignment on off",
2419 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2421 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2426 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2429 "PTR_TO_STACK store/load - bad alignment on reg",
2431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2438 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2441 "PTR_TO_STACK store/load - out of bounds low",
2443 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2445 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2446 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2450 .errstr = "invalid stack off=-79992 size=8",
2453 "PTR_TO_STACK store/load - out of bounds high",
2455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2457 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2462 .errstr = "invalid stack off=0 size=8",
2465 "unpriv: return pointer",
2467 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2471 .result_unpriv = REJECT,
2472 .errstr_unpriv = "R0 leaks addr",
2473 .retval = POINTER_VALUE,
2476 "unpriv: add const to pointer",
2478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2479 BPF_MOV64_IMM(BPF_REG_0, 0),
2485 "unpriv: add pointer to pointer",
2487 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2488 BPF_MOV64_IMM(BPF_REG_0, 0),
2492 .errstr = "R1 pointer += pointer",
2495 "unpriv: neg pointer",
2497 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2498 BPF_MOV64_IMM(BPF_REG_0, 0),
2502 .result_unpriv = REJECT,
2503 .errstr_unpriv = "R1 pointer arithmetic",
2506 "unpriv: cmp pointer with const",
2508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2509 BPF_MOV64_IMM(BPF_REG_0, 0),
2513 .result_unpriv = REJECT,
2514 .errstr_unpriv = "R1 pointer comparison",
2517 "unpriv: cmp pointer with pointer",
2519 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2520 BPF_MOV64_IMM(BPF_REG_0, 0),
2524 .result_unpriv = REJECT,
2525 .errstr_unpriv = "R10 pointer comparison",
2528 "unpriv: check that printk is disallowed",
2530 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2531 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2533 BPF_MOV64_IMM(BPF_REG_2, 8),
2534 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2535 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2536 BPF_FUNC_trace_printk),
2537 BPF_MOV64_IMM(BPF_REG_0, 0),
2540 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2541 .result_unpriv = REJECT,
2545 "unpriv: pass pointer to helper function",
2547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2550 BPF_LD_MAP_FD(BPF_REG_1, 0),
2551 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2552 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2553 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554 BPF_FUNC_map_update_elem),
2555 BPF_MOV64_IMM(BPF_REG_0, 0),
2558 .fixup_map1 = { 3 },
2559 .errstr_unpriv = "R4 leaks addr",
2560 .result_unpriv = REJECT,
2564 "unpriv: indirectly pass pointer on stack to helper function",
2566 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2569 BPF_LD_MAP_FD(BPF_REG_1, 0),
2570 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2571 BPF_FUNC_map_lookup_elem),
2572 BPF_MOV64_IMM(BPF_REG_0, 0),
2575 .fixup_map1 = { 3 },
2576 .errstr = "invalid indirect read from stack off -8+0 size 8",
2580 "unpriv: mangle pointer on stack 1",
2582 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2583 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2584 BPF_MOV64_IMM(BPF_REG_0, 0),
2587 .errstr_unpriv = "attempt to corrupt spilled",
2588 .result_unpriv = REJECT,
2592 "unpriv: mangle pointer on stack 2",
2594 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2595 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2596 BPF_MOV64_IMM(BPF_REG_0, 0),
2599 .errstr_unpriv = "attempt to corrupt spilled",
2600 .result_unpriv = REJECT,
2604 "unpriv: read pointer from stack in small chunks",
2606 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2608 BPF_MOV64_IMM(BPF_REG_0, 0),
2611 .errstr = "invalid size",
2615 "unpriv: write pointer into ctx",
2617 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2618 BPF_MOV64_IMM(BPF_REG_0, 0),
2621 .errstr_unpriv = "R1 leaks addr",
2622 .result_unpriv = REJECT,
2623 .errstr = "invalid bpf_context access",
2627 "unpriv: spill/fill of ctx",
2629 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2631 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2632 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2633 BPF_MOV64_IMM(BPF_REG_0, 0),
2639 "unpriv: spill/fill of ctx 2",
2641 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2643 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2644 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2646 BPF_FUNC_get_hash_recalc),
2647 BPF_MOV64_IMM(BPF_REG_0, 0),
2651 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2654 "unpriv: spill/fill of ctx 3",
2656 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2658 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2659 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2660 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2662 BPF_FUNC_get_hash_recalc),
2666 .errstr = "R1 type=fp expected=ctx",
2667 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2670 "unpriv: spill/fill of ctx 4",
2672 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2674 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2675 BPF_MOV64_IMM(BPF_REG_0, 1),
2676 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2678 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2679 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2680 BPF_FUNC_get_hash_recalc),
2684 .errstr = "R1 type=inv expected=ctx",
2685 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2688 "unpriv: spill/fill of different pointers stx",
2690 BPF_MOV64_IMM(BPF_REG_3, 42),
2691 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2696 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2697 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2698 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2700 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2701 offsetof(struct __sk_buff, mark)),
2702 BPF_MOV64_IMM(BPF_REG_0, 0),
2706 .errstr = "same insn cannot be used with different pointers",
2707 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2710 "unpriv: spill/fill of different pointers ldx",
2712 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2715 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2716 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2717 -(__s32)offsetof(struct bpf_perf_event_data,
2718 sample_period) - 8),
2719 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2720 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2721 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2722 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2723 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2724 offsetof(struct bpf_perf_event_data,
2726 BPF_MOV64_IMM(BPF_REG_0, 0),
2730 .errstr = "same insn cannot be used with different pointers",
2731 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2734 "unpriv: write pointer into map elem value",
2736 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2737 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2739 BPF_LD_MAP_FD(BPF_REG_1, 0),
2740 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2741 BPF_FUNC_map_lookup_elem),
2742 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2743 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2746 .fixup_map1 = { 3 },
2747 .errstr_unpriv = "R0 leaks addr",
2748 .result_unpriv = REJECT,
2752 "unpriv: partial copy of pointer",
2754 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2755 BPF_MOV64_IMM(BPF_REG_0, 0),
2758 .errstr_unpriv = "R10 partial copy",
2759 .result_unpriv = REJECT,
2763 "unpriv: pass pointer to tail_call",
2765 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2766 BPF_LD_MAP_FD(BPF_REG_2, 0),
2767 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2768 BPF_FUNC_tail_call),
2769 BPF_MOV64_IMM(BPF_REG_0, 0),
2772 .fixup_prog1 = { 1 },
2773 .errstr_unpriv = "R3 leaks addr into helper",
2774 .result_unpriv = REJECT,
2778 "unpriv: cmp map pointer with zero",
2780 BPF_MOV64_IMM(BPF_REG_1, 0),
2781 BPF_LD_MAP_FD(BPF_REG_1, 0),
2782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2783 BPF_MOV64_IMM(BPF_REG_0, 0),
2786 .fixup_map1 = { 1 },
2787 .errstr_unpriv = "R1 pointer comparison",
2788 .result_unpriv = REJECT,
2792 "unpriv: write into frame pointer",
2794 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2795 BPF_MOV64_IMM(BPF_REG_0, 0),
2798 .errstr = "frame pointer is read only",
2802 "unpriv: spill/fill frame pointer",
2804 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2806 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2807 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2808 BPF_MOV64_IMM(BPF_REG_0, 0),
2811 .errstr = "frame pointer is read only",
2815 "unpriv: cmp of frame pointer",
2817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2818 BPF_MOV64_IMM(BPF_REG_0, 0),
2821 .errstr_unpriv = "R10 pointer comparison",
2822 .result_unpriv = REJECT,
2826 "unpriv: adding of fp",
2828 BPF_MOV64_IMM(BPF_REG_0, 0),
2829 BPF_MOV64_IMM(BPF_REG_1, 0),
2830 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2831 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2837 "unpriv: cmp of stack pointer",
2839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2842 BPF_MOV64_IMM(BPF_REG_0, 0),
2845 .errstr_unpriv = "R2 pointer comparison",
2846 .result_unpriv = REJECT,
2850 "runtime/jit: tail_call within bounds, prog once",
2852 BPF_MOV64_IMM(BPF_REG_3, 0),
2853 BPF_LD_MAP_FD(BPF_REG_2, 0),
2854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2855 BPF_FUNC_tail_call),
2856 BPF_MOV64_IMM(BPF_REG_0, 1),
2859 .fixup_prog1 = { 1 },
2864 "runtime/jit: tail_call within bounds, prog loop",
2866 BPF_MOV64_IMM(BPF_REG_3, 1),
2867 BPF_LD_MAP_FD(BPF_REG_2, 0),
2868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2869 BPF_FUNC_tail_call),
2870 BPF_MOV64_IMM(BPF_REG_0, 1),
2873 .fixup_prog1 = { 1 },
2878 "runtime/jit: tail_call within bounds, no prog",
2880 BPF_MOV64_IMM(BPF_REG_3, 2),
2881 BPF_LD_MAP_FD(BPF_REG_2, 0),
2882 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2883 BPF_FUNC_tail_call),
2884 BPF_MOV64_IMM(BPF_REG_0, 1),
2887 .fixup_prog1 = { 1 },
2892 "runtime/jit: tail_call out of bounds",
2894 BPF_MOV64_IMM(BPF_REG_3, 256),
2895 BPF_LD_MAP_FD(BPF_REG_2, 0),
2896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2897 BPF_FUNC_tail_call),
2898 BPF_MOV64_IMM(BPF_REG_0, 2),
2901 .fixup_prog1 = { 1 },
2906 "runtime/jit: pass negative index to tail_call",
2908 BPF_MOV64_IMM(BPF_REG_3, -1),
2909 BPF_LD_MAP_FD(BPF_REG_2, 0),
2910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2911 BPF_FUNC_tail_call),
2912 BPF_MOV64_IMM(BPF_REG_0, 2),
2915 .fixup_prog1 = { 1 },
2920 "runtime/jit: pass > 32bit index to tail_call",
2922 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2923 BPF_LD_MAP_FD(BPF_REG_2, 0),
2924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2925 BPF_FUNC_tail_call),
2926 BPF_MOV64_IMM(BPF_REG_0, 2),
2929 .fixup_prog1 = { 2 },
2934 "stack pointer arithmetic",
2936 BPF_MOV64_IMM(BPF_REG_1, 4),
2937 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2938 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2940 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2942 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2943 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2946 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2947 BPF_MOV64_IMM(BPF_REG_0, 0),
2953 "raw_stack: no skb_load_bytes",
2955 BPF_MOV64_IMM(BPF_REG_2, 4),
2956 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2958 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2959 BPF_MOV64_IMM(BPF_REG_4, 8),
2960 /* Call to skb_load_bytes() omitted. */
2961 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2965 .errstr = "invalid read from stack off -8+0 size 8",
2966 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2969 "raw_stack: skb_load_bytes, negative len",
2971 BPF_MOV64_IMM(BPF_REG_2, 4),
2972 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2973 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2974 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2975 BPF_MOV64_IMM(BPF_REG_4, -8),
2976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2977 BPF_FUNC_skb_load_bytes),
2978 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2982 .errstr = "R4 min value is negative",
2983 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2986 "raw_stack: skb_load_bytes, negative len 2",
2988 BPF_MOV64_IMM(BPF_REG_2, 4),
2989 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2991 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2992 BPF_MOV64_IMM(BPF_REG_4, ~0),
2993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2994 BPF_FUNC_skb_load_bytes),
2995 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2999 .errstr = "R4 min value is negative",
3000 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3003 "raw_stack: skb_load_bytes, zero len",
3005 BPF_MOV64_IMM(BPF_REG_2, 4),
3006 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3008 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3009 BPF_MOV64_IMM(BPF_REG_4, 0),
3010 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3011 BPF_FUNC_skb_load_bytes),
3012 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3016 .errstr = "invalid stack type R3",
3017 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3020 "raw_stack: skb_load_bytes, no init",
3022 BPF_MOV64_IMM(BPF_REG_2, 4),
3023 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3025 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3026 BPF_MOV64_IMM(BPF_REG_4, 8),
3027 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3028 BPF_FUNC_skb_load_bytes),
3029 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3033 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3036 "raw_stack: skb_load_bytes, init",
3038 BPF_MOV64_IMM(BPF_REG_2, 4),
3039 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3041 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3042 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3043 BPF_MOV64_IMM(BPF_REG_4, 8),
3044 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3045 BPF_FUNC_skb_load_bytes),
3046 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3050 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3053 "raw_stack: skb_load_bytes, spilled regs around bounds",
3055 BPF_MOV64_IMM(BPF_REG_2, 4),
3056 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3058 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3059 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3060 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3061 BPF_MOV64_IMM(BPF_REG_4, 8),
3062 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3063 BPF_FUNC_skb_load_bytes),
3064 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3065 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3066 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3067 offsetof(struct __sk_buff, mark)),
3068 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3069 offsetof(struct __sk_buff, priority)),
3070 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3074 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3077 "raw_stack: skb_load_bytes, spilled regs corruption",
3079 BPF_MOV64_IMM(BPF_REG_2, 4),
3080 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3082 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3083 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3084 BPF_MOV64_IMM(BPF_REG_4, 8),
3085 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3086 BPF_FUNC_skb_load_bytes),
3087 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3089 offsetof(struct __sk_buff, mark)),
3093 .errstr = "R0 invalid mem access 'inv'",
3094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3097 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3099 BPF_MOV64_IMM(BPF_REG_2, 4),
3100 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3102 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3103 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3104 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3105 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3106 BPF_MOV64_IMM(BPF_REG_4, 8),
3107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3108 BPF_FUNC_skb_load_bytes),
3109 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3110 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3111 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3112 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3113 offsetof(struct __sk_buff, mark)),
3114 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3115 offsetof(struct __sk_buff, priority)),
3116 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3117 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3118 offsetof(struct __sk_buff, pkt_type)),
3119 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3123 .errstr = "R3 invalid mem access 'inv'",
3124 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3127 "raw_stack: skb_load_bytes, spilled regs + data",
3129 BPF_MOV64_IMM(BPF_REG_2, 4),
3130 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3132 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3133 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3134 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3135 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3136 BPF_MOV64_IMM(BPF_REG_4, 8),
3137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3138 BPF_FUNC_skb_load_bytes),
3139 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3140 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3141 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3142 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3143 offsetof(struct __sk_buff, mark)),
3144 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3145 offsetof(struct __sk_buff, priority)),
3146 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3147 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3151 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3154 "raw_stack: skb_load_bytes, invalid access 1",
3156 BPF_MOV64_IMM(BPF_REG_2, 4),
3157 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3159 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3160 BPF_MOV64_IMM(BPF_REG_4, 8),
3161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3162 BPF_FUNC_skb_load_bytes),
3163 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3167 .errstr = "invalid stack type R3 off=-513 access_size=8",
3168 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3171 "raw_stack: skb_load_bytes, invalid access 2",
3173 BPF_MOV64_IMM(BPF_REG_2, 4),
3174 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3176 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3177 BPF_MOV64_IMM(BPF_REG_4, 8),
3178 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3179 BPF_FUNC_skb_load_bytes),
3180 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3184 .errstr = "invalid stack type R3 off=-1 access_size=8",
3185 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3188 "raw_stack: skb_load_bytes, invalid access 3",
3190 BPF_MOV64_IMM(BPF_REG_2, 4),
3191 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3193 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3194 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3195 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3196 BPF_FUNC_skb_load_bytes),
3197 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3201 .errstr = "R4 min value is negative",
3202 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3205 "raw_stack: skb_load_bytes, invalid access 4",
3207 BPF_MOV64_IMM(BPF_REG_2, 4),
3208 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3210 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3211 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3213 BPF_FUNC_skb_load_bytes),
3214 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3218 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3219 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3222 "raw_stack: skb_load_bytes, invalid access 5",
3224 BPF_MOV64_IMM(BPF_REG_2, 4),
3225 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3227 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3228 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3229 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3230 BPF_FUNC_skb_load_bytes),
3231 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3235 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3236 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3239 "raw_stack: skb_load_bytes, invalid access 6",
3241 BPF_MOV64_IMM(BPF_REG_2, 4),
3242 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3243 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3244 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3245 BPF_MOV64_IMM(BPF_REG_4, 0),
3246 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3247 BPF_FUNC_skb_load_bytes),
3248 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3252 .errstr = "invalid stack type R3 off=-512 access_size=0",
3253 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3256 "raw_stack: skb_load_bytes, large access",
3258 BPF_MOV64_IMM(BPF_REG_2, 4),
3259 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3261 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3262 BPF_MOV64_IMM(BPF_REG_4, 512),
3263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3264 BPF_FUNC_skb_load_bytes),
3265 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3269 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3272 "context stores via ST",
3274 BPF_MOV64_IMM(BPF_REG_0, 0),
3275 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3278 .errstr = "BPF_ST stores into R1 context is not allowed",
3280 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3283 "context stores via XADD",
3285 BPF_MOV64_IMM(BPF_REG_0, 0),
3286 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3287 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3290 .errstr = "BPF_XADD stores into R1 context is not allowed",
3292 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3295 "direct packet access: test1",
3297 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3298 offsetof(struct __sk_buff, data)),
3299 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3300 offsetof(struct __sk_buff, data_end)),
3301 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3303 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3304 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3305 BPF_MOV64_IMM(BPF_REG_0, 0),
3309 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3312 "direct packet access: test2",
3314 BPF_MOV64_IMM(BPF_REG_0, 1),
3315 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3316 offsetof(struct __sk_buff, data_end)),
3317 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3318 offsetof(struct __sk_buff, data)),
3319 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3321 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3322 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3323 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3324 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3325 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3326 offsetof(struct __sk_buff, data)),
3327 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3328 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3329 offsetof(struct __sk_buff, len)),
3330 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3331 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3332 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3335 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3336 offsetof(struct __sk_buff, data_end)),
3337 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3338 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3339 BPF_MOV64_IMM(BPF_REG_0, 0),
3343 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3346 "direct packet access: test3",
3348 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3349 offsetof(struct __sk_buff, data)),
3350 BPF_MOV64_IMM(BPF_REG_0, 0),
3353 .errstr = "invalid bpf_context access off=76",
3355 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3358 "direct packet access: test4 (write)",
3360 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3361 offsetof(struct __sk_buff, data)),
3362 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3363 offsetof(struct __sk_buff, data_end)),
3364 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3365 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3366 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3367 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3368 BPF_MOV64_IMM(BPF_REG_0, 0),
3372 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3375 "direct packet access: test5 (pkt_end >= reg, good access)",
3377 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3378 offsetof(struct __sk_buff, data)),
3379 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3380 offsetof(struct __sk_buff, data_end)),
3381 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3382 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3383 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3384 BPF_MOV64_IMM(BPF_REG_0, 1),
3386 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3387 BPF_MOV64_IMM(BPF_REG_0, 0),
3391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3394 "direct packet access: test6 (pkt_end >= reg, bad access)",
3396 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3397 offsetof(struct __sk_buff, data)),
3398 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3399 offsetof(struct __sk_buff, data_end)),
3400 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3401 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3402 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3403 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3404 BPF_MOV64_IMM(BPF_REG_0, 1),
3406 BPF_MOV64_IMM(BPF_REG_0, 0),
3409 .errstr = "invalid access to packet",
3411 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3414 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3416 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3417 offsetof(struct __sk_buff, data)),
3418 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3419 offsetof(struct __sk_buff, data_end)),
3420 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3422 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3423 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3424 BPF_MOV64_IMM(BPF_REG_0, 1),
3426 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3427 BPF_MOV64_IMM(BPF_REG_0, 0),
3430 .errstr = "invalid access to packet",
3432 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3435 "direct packet access: test8 (double test, variant 1)",
3437 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3438 offsetof(struct __sk_buff, data)),
3439 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3440 offsetof(struct __sk_buff, data_end)),
3441 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3443 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3444 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3446 BPF_MOV64_IMM(BPF_REG_0, 1),
3448 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3449 BPF_MOV64_IMM(BPF_REG_0, 0),
3453 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3456 "direct packet access: test9 (double test, variant 2)",
3458 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3459 offsetof(struct __sk_buff, data)),
3460 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3461 offsetof(struct __sk_buff, data_end)),
3462 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3464 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3465 BPF_MOV64_IMM(BPF_REG_0, 1),
3467 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3468 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3469 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3470 BPF_MOV64_IMM(BPF_REG_0, 0),
3474 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3477 "direct packet access: test10 (write invalid)",
3479 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3480 offsetof(struct __sk_buff, data)),
3481 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3482 offsetof(struct __sk_buff, data_end)),
3483 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3484 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3485 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3486 BPF_MOV64_IMM(BPF_REG_0, 0),
3488 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3489 BPF_MOV64_IMM(BPF_REG_0, 0),
3492 .errstr = "invalid access to packet",
3494 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3497 "direct packet access: test11 (shift, good access)",
3499 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3500 offsetof(struct __sk_buff, data)),
3501 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3502 offsetof(struct __sk_buff, data_end)),
3503 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3505 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3506 BPF_MOV64_IMM(BPF_REG_3, 144),
3507 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3509 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3510 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3511 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3512 BPF_MOV64_IMM(BPF_REG_0, 1),
3514 BPF_MOV64_IMM(BPF_REG_0, 0),
3518 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3522 "direct packet access: test12 (and, good access)",
3524 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3525 offsetof(struct __sk_buff, data)),
3526 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3527 offsetof(struct __sk_buff, data_end)),
3528 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3530 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3531 BPF_MOV64_IMM(BPF_REG_3, 144),
3532 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3534 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3535 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3536 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3537 BPF_MOV64_IMM(BPF_REG_0, 1),
3539 BPF_MOV64_IMM(BPF_REG_0, 0),
3543 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3547 "direct packet access: test13 (branches, good access)",
3549 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3550 offsetof(struct __sk_buff, data)),
3551 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3552 offsetof(struct __sk_buff, data_end)),
3553 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3555 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3556 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3557 offsetof(struct __sk_buff, mark)),
3558 BPF_MOV64_IMM(BPF_REG_4, 1),
3559 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3560 BPF_MOV64_IMM(BPF_REG_3, 14),
3561 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3562 BPF_MOV64_IMM(BPF_REG_3, 24),
3563 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3565 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3566 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3567 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3568 BPF_MOV64_IMM(BPF_REG_0, 1),
3570 BPF_MOV64_IMM(BPF_REG_0, 0),
3574 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3578 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3580 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3581 offsetof(struct __sk_buff, data)),
3582 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3583 offsetof(struct __sk_buff, data_end)),
3584 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3586 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3587 BPF_MOV64_IMM(BPF_REG_5, 12),
3588 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3589 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3590 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3591 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3592 BPF_MOV64_IMM(BPF_REG_0, 1),
3594 BPF_MOV64_IMM(BPF_REG_0, 0),
3598 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3602 "direct packet access: test15 (spill with xadd)",
3604 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3605 offsetof(struct __sk_buff, data)),
3606 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3607 offsetof(struct __sk_buff, data_end)),
3608 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3610 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3611 BPF_MOV64_IMM(BPF_REG_5, 4096),
3612 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3614 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3615 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3616 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3617 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3618 BPF_MOV64_IMM(BPF_REG_0, 0),
3621 .errstr = "R2 invalid mem access 'inv'",
3623 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3626 "direct packet access: test16 (arith on data_end)",
3628 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3629 offsetof(struct __sk_buff, data)),
3630 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3631 offsetof(struct __sk_buff, data_end)),
3632 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3634 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3635 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3636 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3637 BPF_MOV64_IMM(BPF_REG_0, 0),
3640 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3642 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3645 "direct packet access: test17 (pruning, alignment)",
3647 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3648 offsetof(struct __sk_buff, data)),
3649 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3650 offsetof(struct __sk_buff, data_end)),
3651 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3652 offsetof(struct __sk_buff, mark)),
3653 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3655 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3656 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3657 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3658 BPF_MOV64_IMM(BPF_REG_0, 0),
3660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3663 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3665 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3666 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3669 "direct packet access: test18 (imm += pkt_ptr, 1)",
3671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3672 offsetof(struct __sk_buff, data)),
3673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3674 offsetof(struct __sk_buff, data_end)),
3675 BPF_MOV64_IMM(BPF_REG_0, 8),
3676 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3677 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3678 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3679 BPF_MOV64_IMM(BPF_REG_0, 0),
3683 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3686 "direct packet access: test19 (imm += pkt_ptr, 2)",
3688 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3689 offsetof(struct __sk_buff, data)),
3690 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3691 offsetof(struct __sk_buff, data_end)),
3692 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3694 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3695 BPF_MOV64_IMM(BPF_REG_4, 4),
3696 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3697 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3698 BPF_MOV64_IMM(BPF_REG_0, 0),
3702 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3705 "direct packet access: test20 (x += pkt_ptr, 1)",
3707 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3708 offsetof(struct __sk_buff, data)),
3709 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3710 offsetof(struct __sk_buff, data_end)),
3711 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3712 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3713 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3714 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3715 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3716 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3717 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3719 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3720 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3721 BPF_MOV64_IMM(BPF_REG_0, 0),
3724 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3728 "direct packet access: test21 (x += pkt_ptr, 2)",
3730 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3731 offsetof(struct __sk_buff, data)),
3732 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3733 offsetof(struct __sk_buff, data_end)),
3734 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3735 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3736 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3737 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3738 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3739 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3740 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3741 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3742 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3744 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3745 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3746 BPF_MOV64_IMM(BPF_REG_0, 0),
3749 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3753 "direct packet access: test22 (x += pkt_ptr, 3)",
3755 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3756 offsetof(struct __sk_buff, data)),
3757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3758 offsetof(struct __sk_buff, data_end)),
3759 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3761 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3762 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3763 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3764 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3765 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3766 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3767 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3768 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3769 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3770 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3771 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3772 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3773 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3774 BPF_MOV64_IMM(BPF_REG_2, 1),
3775 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3776 BPF_MOV64_IMM(BPF_REG_0, 0),
3779 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3783 "direct packet access: test23 (x += pkt_ptr, 4)",
3785 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3786 offsetof(struct __sk_buff, data)),
3787 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3788 offsetof(struct __sk_buff, data_end)),
3789 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3790 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3791 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3792 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3793 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3794 BPF_MOV64_IMM(BPF_REG_0, 31),
3795 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3796 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3797 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3799 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3800 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3801 BPF_MOV64_IMM(BPF_REG_0, 0),
3804 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3806 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3809 "direct packet access: test24 (x += pkt_ptr, 5)",
3811 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3812 offsetof(struct __sk_buff, data)),
3813 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3814 offsetof(struct __sk_buff, data_end)),
3815 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3816 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3817 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3818 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3819 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3820 BPF_MOV64_IMM(BPF_REG_0, 64),
3821 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3822 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3823 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3825 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3826 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3827 BPF_MOV64_IMM(BPF_REG_0, 0),
3830 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3834 "direct packet access: test25 (marking on <, good access)",
3836 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3837 offsetof(struct __sk_buff, data)),
3838 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3839 offsetof(struct __sk_buff, data_end)),
3840 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3841 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3842 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3843 BPF_MOV64_IMM(BPF_REG_0, 0),
3845 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3846 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3849 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3852 "direct packet access: test26 (marking on <, bad access)",
3854 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3855 offsetof(struct __sk_buff, data)),
3856 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3857 offsetof(struct __sk_buff, data_end)),
3858 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3860 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3861 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3862 BPF_MOV64_IMM(BPF_REG_0, 0),
3864 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3867 .errstr = "invalid access to packet",
3868 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3871 "direct packet access: test27 (marking on <=, good access)",
3873 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3874 offsetof(struct __sk_buff, data)),
3875 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3876 offsetof(struct __sk_buff, data_end)),
3877 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3879 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3880 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3881 BPF_MOV64_IMM(BPF_REG_0, 1),
3885 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3889 "direct packet access: test28 (marking on <=, bad access)",
3891 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3892 offsetof(struct __sk_buff, data)),
3893 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3894 offsetof(struct __sk_buff, data_end)),
3895 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3897 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3898 BPF_MOV64_IMM(BPF_REG_0, 1),
3900 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3901 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3904 .errstr = "invalid access to packet",
3905 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3908 "helper access to packet: test1, valid packet_ptr range",
3910 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3911 offsetof(struct xdp_md, data)),
3912 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3913 offsetof(struct xdp_md, data_end)),
3914 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3916 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3917 BPF_LD_MAP_FD(BPF_REG_1, 0),
3918 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3919 BPF_MOV64_IMM(BPF_REG_4, 0),
3920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3921 BPF_FUNC_map_update_elem),
3922 BPF_MOV64_IMM(BPF_REG_0, 0),
3925 .fixup_map1 = { 5 },
3926 .result_unpriv = ACCEPT,
3928 .prog_type = BPF_PROG_TYPE_XDP,
3931 "helper access to packet: test2, unchecked packet_ptr",
3933 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3934 offsetof(struct xdp_md, data)),
3935 BPF_LD_MAP_FD(BPF_REG_1, 0),
3936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3937 BPF_FUNC_map_lookup_elem),
3938 BPF_MOV64_IMM(BPF_REG_0, 0),
3941 .fixup_map1 = { 1 },
3943 .errstr = "invalid access to packet",
3944 .prog_type = BPF_PROG_TYPE_XDP,
3947 "helper access to packet: test3, variable add",
3949 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3950 offsetof(struct xdp_md, data)),
3951 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3952 offsetof(struct xdp_md, data_end)),
3953 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3955 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3956 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3957 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3958 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3959 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3961 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3962 BPF_LD_MAP_FD(BPF_REG_1, 0),
3963 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3965 BPF_FUNC_map_lookup_elem),
3966 BPF_MOV64_IMM(BPF_REG_0, 0),
3969 .fixup_map1 = { 11 },
3971 .prog_type = BPF_PROG_TYPE_XDP,
3974 "helper access to packet: test4, packet_ptr with bad range",
3976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3977 offsetof(struct xdp_md, data)),
3978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3979 offsetof(struct xdp_md, data_end)),
3980 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3982 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3983 BPF_MOV64_IMM(BPF_REG_0, 0),
3985 BPF_LD_MAP_FD(BPF_REG_1, 0),
3986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3987 BPF_FUNC_map_lookup_elem),
3988 BPF_MOV64_IMM(BPF_REG_0, 0),
3991 .fixup_map1 = { 7 },
3993 .errstr = "invalid access to packet",
3994 .prog_type = BPF_PROG_TYPE_XDP,
3997 "helper access to packet: test5, packet_ptr with too short range",
3999 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4000 offsetof(struct xdp_md, data)),
4001 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4002 offsetof(struct xdp_md, data_end)),
4003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4004 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4006 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4007 BPF_LD_MAP_FD(BPF_REG_1, 0),
4008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4009 BPF_FUNC_map_lookup_elem),
4010 BPF_MOV64_IMM(BPF_REG_0, 0),
4013 .fixup_map1 = { 6 },
4015 .errstr = "invalid access to packet",
4016 .prog_type = BPF_PROG_TYPE_XDP,
4019 "helper access to packet: test6, cls valid packet_ptr range",
4021 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4022 offsetof(struct __sk_buff, data)),
4023 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4024 offsetof(struct __sk_buff, data_end)),
4025 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4026 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4027 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4028 BPF_LD_MAP_FD(BPF_REG_1, 0),
4029 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4030 BPF_MOV64_IMM(BPF_REG_4, 0),
4031 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4032 BPF_FUNC_map_update_elem),
4033 BPF_MOV64_IMM(BPF_REG_0, 0),
4036 .fixup_map1 = { 5 },
4038 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4041 "helper access to packet: test7, cls unchecked packet_ptr",
4043 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4044 offsetof(struct __sk_buff, data)),
4045 BPF_LD_MAP_FD(BPF_REG_1, 0),
4046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4047 BPF_FUNC_map_lookup_elem),
4048 BPF_MOV64_IMM(BPF_REG_0, 0),
4051 .fixup_map1 = { 1 },
4053 .errstr = "invalid access to packet",
4054 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4057 "helper access to packet: test8, cls variable add",
4059 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4060 offsetof(struct __sk_buff, data)),
4061 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4062 offsetof(struct __sk_buff, data_end)),
4063 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4065 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4066 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4067 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4068 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4069 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4070 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4071 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4072 BPF_LD_MAP_FD(BPF_REG_1, 0),
4073 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4075 BPF_FUNC_map_lookup_elem),
4076 BPF_MOV64_IMM(BPF_REG_0, 0),
4079 .fixup_map1 = { 11 },
4081 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4084 "helper access to packet: test9, cls packet_ptr with bad range",
4086 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4087 offsetof(struct __sk_buff, data)),
4088 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4089 offsetof(struct __sk_buff, data_end)),
4090 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4091 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4092 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4093 BPF_MOV64_IMM(BPF_REG_0, 0),
4095 BPF_LD_MAP_FD(BPF_REG_1, 0),
4096 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4097 BPF_FUNC_map_lookup_elem),
4098 BPF_MOV64_IMM(BPF_REG_0, 0),
4101 .fixup_map1 = { 7 },
4103 .errstr = "invalid access to packet",
4104 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4107 "helper access to packet: test10, cls packet_ptr with too short range",
4109 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4110 offsetof(struct __sk_buff, data)),
4111 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4112 offsetof(struct __sk_buff, data_end)),
4113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4114 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4116 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4117 BPF_LD_MAP_FD(BPF_REG_1, 0),
4118 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4119 BPF_FUNC_map_lookup_elem),
4120 BPF_MOV64_IMM(BPF_REG_0, 0),
4123 .fixup_map1 = { 6 },
4125 .errstr = "invalid access to packet",
4126 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4129 "helper access to packet: test11, cls unsuitable helper 1",
4131 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4132 offsetof(struct __sk_buff, data)),
4133 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4134 offsetof(struct __sk_buff, data_end)),
4135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4136 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4137 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4138 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4139 BPF_MOV64_IMM(BPF_REG_2, 0),
4140 BPF_MOV64_IMM(BPF_REG_4, 42),
4141 BPF_MOV64_IMM(BPF_REG_5, 0),
4142 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4143 BPF_FUNC_skb_store_bytes),
4144 BPF_MOV64_IMM(BPF_REG_0, 0),
4148 .errstr = "helper access to the packet",
4149 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4152 "helper access to packet: test12, cls unsuitable helper 2",
4154 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4155 offsetof(struct __sk_buff, data)),
4156 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4157 offsetof(struct __sk_buff, data_end)),
4158 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4160 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4161 BPF_MOV64_IMM(BPF_REG_2, 0),
4162 BPF_MOV64_IMM(BPF_REG_4, 4),
4163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4164 BPF_FUNC_skb_load_bytes),
4165 BPF_MOV64_IMM(BPF_REG_0, 0),
4169 .errstr = "helper access to the packet",
4170 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4173 "helper access to packet: test13, cls helper ok",
4175 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4176 offsetof(struct __sk_buff, data)),
4177 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4178 offsetof(struct __sk_buff, data_end)),
4179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4180 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4182 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4183 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4184 BPF_MOV64_IMM(BPF_REG_2, 4),
4185 BPF_MOV64_IMM(BPF_REG_3, 0),
4186 BPF_MOV64_IMM(BPF_REG_4, 0),
4187 BPF_MOV64_IMM(BPF_REG_5, 0),
4188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4189 BPF_FUNC_csum_diff),
4190 BPF_MOV64_IMM(BPF_REG_0, 0),
4194 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4197 "helper access to packet: test14, cls helper ok sub",
4199 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4200 offsetof(struct __sk_buff, data)),
4201 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4202 offsetof(struct __sk_buff, data_end)),
4203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4206 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4207 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4208 BPF_MOV64_IMM(BPF_REG_2, 4),
4209 BPF_MOV64_IMM(BPF_REG_3, 0),
4210 BPF_MOV64_IMM(BPF_REG_4, 0),
4211 BPF_MOV64_IMM(BPF_REG_5, 0),
4212 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4213 BPF_FUNC_csum_diff),
4214 BPF_MOV64_IMM(BPF_REG_0, 0),
4218 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4221 "helper access to packet: test15, cls helper fail sub",
4223 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4224 offsetof(struct __sk_buff, data)),
4225 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4226 offsetof(struct __sk_buff, data_end)),
4227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4230 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4231 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4232 BPF_MOV64_IMM(BPF_REG_2, 4),
4233 BPF_MOV64_IMM(BPF_REG_3, 0),
4234 BPF_MOV64_IMM(BPF_REG_4, 0),
4235 BPF_MOV64_IMM(BPF_REG_5, 0),
4236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4237 BPF_FUNC_csum_diff),
4238 BPF_MOV64_IMM(BPF_REG_0, 0),
4242 .errstr = "invalid access to packet",
4243 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4246 "helper access to packet: test16, cls helper fail range 1",
4248 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4249 offsetof(struct __sk_buff, data)),
4250 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4251 offsetof(struct __sk_buff, data_end)),
4252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4255 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4256 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4257 BPF_MOV64_IMM(BPF_REG_2, 8),
4258 BPF_MOV64_IMM(BPF_REG_3, 0),
4259 BPF_MOV64_IMM(BPF_REG_4, 0),
4260 BPF_MOV64_IMM(BPF_REG_5, 0),
4261 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4262 BPF_FUNC_csum_diff),
4263 BPF_MOV64_IMM(BPF_REG_0, 0),
4267 .errstr = "invalid access to packet",
4268 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4271 "helper access to packet: test17, cls helper fail range 2",
4273 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4274 offsetof(struct __sk_buff, data)),
4275 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4276 offsetof(struct __sk_buff, data_end)),
4277 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4278 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4279 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4280 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4281 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4282 BPF_MOV64_IMM(BPF_REG_2, -9),
4283 BPF_MOV64_IMM(BPF_REG_3, 0),
4284 BPF_MOV64_IMM(BPF_REG_4, 0),
4285 BPF_MOV64_IMM(BPF_REG_5, 0),
4286 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4287 BPF_FUNC_csum_diff),
4288 BPF_MOV64_IMM(BPF_REG_0, 0),
4292 .errstr = "R2 min value is negative",
4293 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4296 "helper access to packet: test18, cls helper fail range 3",
4298 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4299 offsetof(struct __sk_buff, data)),
4300 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4301 offsetof(struct __sk_buff, data_end)),
4302 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4305 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4307 BPF_MOV64_IMM(BPF_REG_2, ~0),
4308 BPF_MOV64_IMM(BPF_REG_3, 0),
4309 BPF_MOV64_IMM(BPF_REG_4, 0),
4310 BPF_MOV64_IMM(BPF_REG_5, 0),
4311 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4312 BPF_FUNC_csum_diff),
4313 BPF_MOV64_IMM(BPF_REG_0, 0),
4317 .errstr = "R2 min value is negative",
4318 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4321 "helper access to packet: test19, cls helper range zero",
4323 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4324 offsetof(struct __sk_buff, data)),
4325 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4326 offsetof(struct __sk_buff, data_end)),
4327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4328 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4330 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4332 BPF_MOV64_IMM(BPF_REG_2, 0),
4333 BPF_MOV64_IMM(BPF_REG_3, 0),
4334 BPF_MOV64_IMM(BPF_REG_4, 0),
4335 BPF_MOV64_IMM(BPF_REG_5, 0),
4336 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4337 BPF_FUNC_csum_diff),
4338 BPF_MOV64_IMM(BPF_REG_0, 0),
4342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4345 "helper access to packet: test20, pkt end as input",
4347 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4348 offsetof(struct __sk_buff, data)),
4349 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4350 offsetof(struct __sk_buff, data_end)),
4351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4352 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4354 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4356 BPF_MOV64_IMM(BPF_REG_2, 4),
4357 BPF_MOV64_IMM(BPF_REG_3, 0),
4358 BPF_MOV64_IMM(BPF_REG_4, 0),
4359 BPF_MOV64_IMM(BPF_REG_5, 0),
4360 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4361 BPF_FUNC_csum_diff),
4362 BPF_MOV64_IMM(BPF_REG_0, 0),
4366 .errstr = "R1 type=pkt_end expected=fp",
4367 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4370 "helper access to packet: test21, wrong reg",
4372 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4373 offsetof(struct __sk_buff, data)),
4374 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4375 offsetof(struct __sk_buff, data_end)),
4376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4377 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4379 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4380 BPF_MOV64_IMM(BPF_REG_2, 4),
4381 BPF_MOV64_IMM(BPF_REG_3, 0),
4382 BPF_MOV64_IMM(BPF_REG_4, 0),
4383 BPF_MOV64_IMM(BPF_REG_5, 0),
4384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4385 BPF_FUNC_csum_diff),
4386 BPF_MOV64_IMM(BPF_REG_0, 0),
4390 .errstr = "invalid access to packet",
4391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4394 "valid map access into an array with a constant",
4396 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4397 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4399 BPF_LD_MAP_FD(BPF_REG_1, 0),
4400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4401 BPF_FUNC_map_lookup_elem),
4402 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4403 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4404 offsetof(struct test_val, foo)),
4407 .fixup_map2 = { 3 },
4408 .errstr_unpriv = "R0 leaks addr",
4409 .result_unpriv = REJECT,
4413 "valid map access into an array with a register",
4415 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4416 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4418 BPF_LD_MAP_FD(BPF_REG_1, 0),
4419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4420 BPF_FUNC_map_lookup_elem),
4421 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4422 BPF_MOV64_IMM(BPF_REG_1, 4),
4423 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4424 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4425 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4426 offsetof(struct test_val, foo)),
4429 .fixup_map2 = { 3 },
4430 .errstr_unpriv = "R0 leaks addr",
4431 .result_unpriv = REJECT,
4433 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4436 "valid map access into an array with a variable",
4438 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4439 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4441 BPF_LD_MAP_FD(BPF_REG_1, 0),
4442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4443 BPF_FUNC_map_lookup_elem),
4444 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4445 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4446 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4447 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4448 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4449 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4450 offsetof(struct test_val, foo)),
4453 .fixup_map2 = { 3 },
4454 .errstr_unpriv = "R0 leaks addr",
4455 .result_unpriv = REJECT,
4457 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4460 "valid map access into an array with a signed variable",
4462 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4465 BPF_LD_MAP_FD(BPF_REG_1, 0),
4466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467 BPF_FUNC_map_lookup_elem),
4468 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4469 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4470 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4471 BPF_MOV32_IMM(BPF_REG_1, 0),
4472 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4473 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4474 BPF_MOV32_IMM(BPF_REG_1, 0),
4475 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4476 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4477 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4478 offsetof(struct test_val, foo)),
4481 .fixup_map2 = { 3 },
4482 .errstr_unpriv = "R0 leaks addr",
4483 .result_unpriv = REJECT,
4485 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4488 "invalid map access into an array with a constant",
4490 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4491 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4492 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4493 BPF_LD_MAP_FD(BPF_REG_1, 0),
4494 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4495 BPF_FUNC_map_lookup_elem),
4496 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4497 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4498 offsetof(struct test_val, foo)),
4501 .fixup_map2 = { 3 },
4502 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4506 "invalid map access into an array with a register",
4508 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4509 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4510 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4511 BPF_LD_MAP_FD(BPF_REG_1, 0),
4512 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4513 BPF_FUNC_map_lookup_elem),
4514 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4515 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4516 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4517 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4518 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4519 offsetof(struct test_val, foo)),
4522 .fixup_map2 = { 3 },
4523 .errstr = "R0 min value is outside of the array range",
4525 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4528 "invalid map access into an array with a variable",
4530 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4531 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4533 BPF_LD_MAP_FD(BPF_REG_1, 0),
4534 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4535 BPF_FUNC_map_lookup_elem),
4536 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4537 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4538 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4539 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4540 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4541 offsetof(struct test_val, foo)),
4544 .fixup_map2 = { 3 },
4545 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4547 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4550 "invalid map access into an array with no floor check",
4552 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4553 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4554 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4555 BPF_LD_MAP_FD(BPF_REG_1, 0),
4556 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4557 BPF_FUNC_map_lookup_elem),
4558 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4559 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4560 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4561 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4562 BPF_MOV32_IMM(BPF_REG_1, 0),
4563 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4564 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4565 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4566 offsetof(struct test_val, foo)),
4569 .fixup_map2 = { 3 },
4570 .errstr_unpriv = "R0 leaks addr",
4571 .errstr = "R0 unbounded memory access",
4572 .result_unpriv = REJECT,
4574 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4577 "invalid map access into an array with a invalid max check",
4579 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4580 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4582 BPF_LD_MAP_FD(BPF_REG_1, 0),
4583 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4584 BPF_FUNC_map_lookup_elem),
4585 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4586 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4587 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4588 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4589 BPF_MOV32_IMM(BPF_REG_1, 0),
4590 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4591 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4592 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4593 offsetof(struct test_val, foo)),
4596 .fixup_map2 = { 3 },
4597 .errstr_unpriv = "R0 leaks addr",
4598 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4599 .result_unpriv = REJECT,
4601 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4604 "invalid map access into an array with a invalid max check",
4606 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4607 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4609 BPF_LD_MAP_FD(BPF_REG_1, 0),
4610 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4611 BPF_FUNC_map_lookup_elem),
4612 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4613 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4615 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4617 BPF_LD_MAP_FD(BPF_REG_1, 0),
4618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4619 BPF_FUNC_map_lookup_elem),
4620 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4621 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4622 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4623 offsetof(struct test_val, foo)),
4626 .fixup_map2 = { 3, 11 },
4627 .errstr = "R0 pointer += pointer",
4629 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4632 "valid cgroup storage access",
4634 BPF_MOV64_IMM(BPF_REG_2, 0),
4635 BPF_LD_MAP_FD(BPF_REG_1, 0),
4636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4637 BPF_FUNC_get_local_storage),
4638 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4639 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4640 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4643 .fixup_cgroup_storage = { 1 },
4645 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4648 "invalid cgroup storage access 1",
4650 BPF_MOV64_IMM(BPF_REG_2, 0),
4651 BPF_LD_MAP_FD(BPF_REG_1, 0),
4652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4653 BPF_FUNC_get_local_storage),
4654 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4655 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4656 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4659 .fixup_map1 = { 1 },
4661 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4662 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4665 "invalid cgroup storage access 2",
4667 BPF_MOV64_IMM(BPF_REG_2, 0),
4668 BPF_LD_MAP_FD(BPF_REG_1, 1),
4669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4670 BPF_FUNC_get_local_storage),
4671 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4675 .errstr = "fd 1 is not pointing to valid bpf_map",
4676 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4679 "invalid per-cgroup storage access 3",
4681 BPF_MOV64_IMM(BPF_REG_2, 0),
4682 BPF_LD_MAP_FD(BPF_REG_1, 0),
4683 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4684 BPF_FUNC_get_local_storage),
4685 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4687 BPF_MOV64_IMM(BPF_REG_0, 0),
4690 .fixup_cgroup_storage = { 1 },
4692 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
4693 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4696 "invalid cgroup storage access 4",
4698 BPF_MOV64_IMM(BPF_REG_2, 0),
4699 BPF_LD_MAP_FD(BPF_REG_1, 0),
4700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4701 BPF_FUNC_get_local_storage),
4702 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4703 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4707 .fixup_cgroup_storage = { 1 },
4709 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4710 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4713 "invalid cgroup storage access 5",
4715 BPF_MOV64_IMM(BPF_REG_2, 7),
4716 BPF_LD_MAP_FD(BPF_REG_1, 0),
4717 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4718 BPF_FUNC_get_local_storage),
4719 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4720 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4721 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4724 .fixup_cgroup_storage = { 1 },
4726 .errstr = "get_local_storage() doesn't support non-zero flags",
4727 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4730 "invalid cgroup storage access 6",
4732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4733 BPF_LD_MAP_FD(BPF_REG_1, 0),
4734 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4735 BPF_FUNC_get_local_storage),
4736 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4737 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4738 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4741 .fixup_cgroup_storage = { 1 },
4743 .errstr = "get_local_storage() doesn't support non-zero flags",
4744 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4747 "multiple registers share map_lookup_elem result",
4749 BPF_MOV64_IMM(BPF_REG_1, 10),
4750 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4751 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4753 BPF_LD_MAP_FD(BPF_REG_1, 0),
4754 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4755 BPF_FUNC_map_lookup_elem),
4756 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4758 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4761 .fixup_map1 = { 4 },
4763 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4766 "alu ops on ptr_to_map_value_or_null, 1",
4768 BPF_MOV64_IMM(BPF_REG_1, 10),
4769 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4772 BPF_LD_MAP_FD(BPF_REG_1, 0),
4773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4774 BPF_FUNC_map_lookup_elem),
4775 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4776 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4779 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4782 .fixup_map1 = { 4 },
4783 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4785 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4788 "alu ops on ptr_to_map_value_or_null, 2",
4790 BPF_MOV64_IMM(BPF_REG_1, 10),
4791 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4794 BPF_LD_MAP_FD(BPF_REG_1, 0),
4795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4796 BPF_FUNC_map_lookup_elem),
4797 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4798 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4800 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4803 .fixup_map1 = { 4 },
4804 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4806 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4809 "alu ops on ptr_to_map_value_or_null, 3",
4811 BPF_MOV64_IMM(BPF_REG_1, 10),
4812 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4813 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4815 BPF_LD_MAP_FD(BPF_REG_1, 0),
4816 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4817 BPF_FUNC_map_lookup_elem),
4818 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4819 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4820 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4821 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4824 .fixup_map1 = { 4 },
4825 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4827 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4830 "invalid memory access with multiple map_lookup_elem calls",
4832 BPF_MOV64_IMM(BPF_REG_1, 10),
4833 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4834 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4836 BPF_LD_MAP_FD(BPF_REG_1, 0),
4837 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4838 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4839 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4840 BPF_FUNC_map_lookup_elem),
4841 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4842 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4843 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4845 BPF_FUNC_map_lookup_elem),
4846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4847 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4850 .fixup_map1 = { 4 },
4852 .errstr = "R4 !read_ok",
4853 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4856 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4858 BPF_MOV64_IMM(BPF_REG_1, 10),
4859 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4862 BPF_LD_MAP_FD(BPF_REG_1, 0),
4863 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4864 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4865 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4866 BPF_FUNC_map_lookup_elem),
4867 BPF_MOV64_IMM(BPF_REG_2, 10),
4868 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4869 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4872 BPF_FUNC_map_lookup_elem),
4873 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4874 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4875 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4878 .fixup_map1 = { 4 },
4880 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4883 "invalid map access from else condition",
4885 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4886 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4888 BPF_LD_MAP_FD(BPF_REG_1, 0),
4889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4891 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4892 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4894 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4895 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4896 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4899 .fixup_map2 = { 3 },
4900 .errstr = "R0 unbounded memory access",
4902 .errstr_unpriv = "R0 leaks addr",
4903 .result_unpriv = REJECT,
4904 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4907 "constant register |= constant should keep constant type",
4909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4911 BPF_MOV64_IMM(BPF_REG_2, 34),
4912 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4913 BPF_MOV64_IMM(BPF_REG_3, 0),
4914 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4918 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4921 "constant register |= constant should not bypass stack boundary checks",
4923 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4925 BPF_MOV64_IMM(BPF_REG_2, 34),
4926 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4927 BPF_MOV64_IMM(BPF_REG_3, 0),
4928 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4931 .errstr = "invalid stack type R1 off=-48 access_size=58",
4933 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4936 "constant register |= constant register should keep constant type",
4938 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4940 BPF_MOV64_IMM(BPF_REG_2, 34),
4941 BPF_MOV64_IMM(BPF_REG_4, 13),
4942 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4943 BPF_MOV64_IMM(BPF_REG_3, 0),
4944 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4948 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4951 "constant register |= constant register should not bypass stack boundary checks",
4953 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4955 BPF_MOV64_IMM(BPF_REG_2, 34),
4956 BPF_MOV64_IMM(BPF_REG_4, 24),
4957 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4958 BPF_MOV64_IMM(BPF_REG_3, 0),
4959 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4962 .errstr = "invalid stack type R1 off=-48 access_size=58",
4964 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4967 "invalid direct packet write for LWT_IN",
4969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4970 offsetof(struct __sk_buff, data)),
4971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4972 offsetof(struct __sk_buff, data_end)),
4973 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4975 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4976 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4977 BPF_MOV64_IMM(BPF_REG_0, 0),
4980 .errstr = "cannot write into packet",
4982 .prog_type = BPF_PROG_TYPE_LWT_IN,
4985 "invalid direct packet write for LWT_OUT",
4987 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4988 offsetof(struct __sk_buff, data)),
4989 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4990 offsetof(struct __sk_buff, data_end)),
4991 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4993 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4994 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4995 BPF_MOV64_IMM(BPF_REG_0, 0),
4998 .errstr = "cannot write into packet",
5000 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5003 "direct packet write for LWT_XMIT",
5005 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5006 offsetof(struct __sk_buff, data)),
5007 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5008 offsetof(struct __sk_buff, data_end)),
5009 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5011 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5012 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5013 BPF_MOV64_IMM(BPF_REG_0, 0),
5017 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5020 "direct packet read for LWT_IN",
5022 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5023 offsetof(struct __sk_buff, data)),
5024 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5025 offsetof(struct __sk_buff, data_end)),
5026 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5028 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5029 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5030 BPF_MOV64_IMM(BPF_REG_0, 0),
5034 .prog_type = BPF_PROG_TYPE_LWT_IN,
5037 "direct packet read for LWT_OUT",
5039 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5040 offsetof(struct __sk_buff, data)),
5041 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5042 offsetof(struct __sk_buff, data_end)),
5043 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5045 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5046 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5047 BPF_MOV64_IMM(BPF_REG_0, 0),
5051 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5054 "direct packet read for LWT_XMIT",
5056 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5057 offsetof(struct __sk_buff, data)),
5058 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5059 offsetof(struct __sk_buff, data_end)),
5060 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5062 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5063 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5064 BPF_MOV64_IMM(BPF_REG_0, 0),
5068 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5071 "overlapping checks for direct packet access",
5073 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5074 offsetof(struct __sk_buff, data)),
5075 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5076 offsetof(struct __sk_buff, data_end)),
5077 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5079 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5080 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5082 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5083 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5084 BPF_MOV64_IMM(BPF_REG_0, 0),
5088 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5091 "make headroom for LWT_XMIT",
5093 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5094 BPF_MOV64_IMM(BPF_REG_2, 34),
5095 BPF_MOV64_IMM(BPF_REG_3, 0),
5096 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5097 /* split for s390 to succeed */
5098 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5099 BPF_MOV64_IMM(BPF_REG_2, 42),
5100 BPF_MOV64_IMM(BPF_REG_3, 0),
5101 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5102 BPF_MOV64_IMM(BPF_REG_0, 0),
5106 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5109 "invalid access of tc_classid for LWT_IN",
5111 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5112 offsetof(struct __sk_buff, tc_classid)),
5116 .errstr = "invalid bpf_context access",
5119 "invalid access of tc_classid for LWT_OUT",
5121 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5122 offsetof(struct __sk_buff, tc_classid)),
5126 .errstr = "invalid bpf_context access",
5129 "invalid access of tc_classid for LWT_XMIT",
5131 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5132 offsetof(struct __sk_buff, tc_classid)),
5136 .errstr = "invalid bpf_context access",
5139 "leak pointer into ctx 1",
5141 BPF_MOV64_IMM(BPF_REG_0, 0),
5142 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5143 offsetof(struct __sk_buff, cb[0])),
5144 BPF_LD_MAP_FD(BPF_REG_2, 0),
5145 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5146 offsetof(struct __sk_buff, cb[0])),
5149 .fixup_map1 = { 2 },
5150 .errstr_unpriv = "R2 leaks addr into mem",
5151 .result_unpriv = REJECT,
5153 .errstr = "BPF_XADD stores into R1 context is not allowed",
5156 "leak pointer into ctx 2",
5158 BPF_MOV64_IMM(BPF_REG_0, 0),
5159 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5160 offsetof(struct __sk_buff, cb[0])),
5161 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5162 offsetof(struct __sk_buff, cb[0])),
5165 .errstr_unpriv = "R10 leaks addr into mem",
5166 .result_unpriv = REJECT,
5168 .errstr = "BPF_XADD stores into R1 context is not allowed",
5171 "leak pointer into ctx 3",
5173 BPF_MOV64_IMM(BPF_REG_0, 0),
5174 BPF_LD_MAP_FD(BPF_REG_2, 0),
5175 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5176 offsetof(struct __sk_buff, cb[0])),
5179 .fixup_map1 = { 1 },
5180 .errstr_unpriv = "R2 leaks addr into ctx",
5181 .result_unpriv = REJECT,
5185 "leak pointer into map val",
5187 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5188 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5189 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5191 BPF_LD_MAP_FD(BPF_REG_1, 0),
5192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5193 BPF_FUNC_map_lookup_elem),
5194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5195 BPF_MOV64_IMM(BPF_REG_3, 0),
5196 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5197 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5198 BPF_MOV64_IMM(BPF_REG_0, 0),
5201 .fixup_map1 = { 4 },
5202 .errstr_unpriv = "R6 leaks addr into mem",
5203 .result_unpriv = REJECT,
5207 "helper access to map: full range",
5209 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5211 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5212 BPF_LD_MAP_FD(BPF_REG_1, 0),
5213 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5214 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5215 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5216 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5217 BPF_MOV64_IMM(BPF_REG_3, 0),
5218 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5221 .fixup_map2 = { 3 },
5223 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5226 "helper access to map: partial range",
5228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5230 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5231 BPF_LD_MAP_FD(BPF_REG_1, 0),
5232 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5234 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5235 BPF_MOV64_IMM(BPF_REG_2, 8),
5236 BPF_MOV64_IMM(BPF_REG_3, 0),
5237 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5240 .fixup_map2 = { 3 },
5242 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5245 "helper access to map: empty range",
5247 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5249 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5250 BPF_LD_MAP_FD(BPF_REG_1, 0),
5251 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5254 BPF_MOV64_IMM(BPF_REG_2, 0),
5255 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5258 .fixup_map2 = { 3 },
5259 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5261 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5264 "helper access to map: out-of-bound range",
5266 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5268 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5269 BPF_LD_MAP_FD(BPF_REG_1, 0),
5270 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5272 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5273 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5274 BPF_MOV64_IMM(BPF_REG_3, 0),
5275 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5278 .fixup_map2 = { 3 },
5279 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5281 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5284 "helper access to map: negative range",
5286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5288 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5289 BPF_LD_MAP_FD(BPF_REG_1, 0),
5290 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5292 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5293 BPF_MOV64_IMM(BPF_REG_2, -8),
5294 BPF_MOV64_IMM(BPF_REG_3, 0),
5295 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5298 .fixup_map2 = { 3 },
5299 .errstr = "R2 min value is negative",
5301 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5304 "helper access to adjusted map (via const imm): full range",
5306 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5308 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5309 BPF_LD_MAP_FD(BPF_REG_1, 0),
5310 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5311 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5312 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5314 offsetof(struct test_val, foo)),
5315 BPF_MOV64_IMM(BPF_REG_2,
5316 sizeof(struct test_val) -
5317 offsetof(struct test_val, foo)),
5318 BPF_MOV64_IMM(BPF_REG_3, 0),
5319 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5322 .fixup_map2 = { 3 },
5324 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5327 "helper access to adjusted map (via const imm): partial range",
5329 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5331 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5332 BPF_LD_MAP_FD(BPF_REG_1, 0),
5333 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5334 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5337 offsetof(struct test_val, foo)),
5338 BPF_MOV64_IMM(BPF_REG_2, 8),
5339 BPF_MOV64_IMM(BPF_REG_3, 0),
5340 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5343 .fixup_map2 = { 3 },
5345 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5348 "helper access to adjusted map (via const imm): empty range",
5350 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5352 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5353 BPF_LD_MAP_FD(BPF_REG_1, 0),
5354 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5355 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5356 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5358 offsetof(struct test_val, foo)),
5359 BPF_MOV64_IMM(BPF_REG_2, 0),
5360 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5363 .fixup_map2 = { 3 },
5364 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5366 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5369 "helper access to adjusted map (via const imm): out-of-bound range",
5371 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5372 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5373 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5374 BPF_LD_MAP_FD(BPF_REG_1, 0),
5375 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5376 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5377 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5379 offsetof(struct test_val, foo)),
5380 BPF_MOV64_IMM(BPF_REG_2,
5381 sizeof(struct test_val) -
5382 offsetof(struct test_val, foo) + 8),
5383 BPF_MOV64_IMM(BPF_REG_3, 0),
5384 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5387 .fixup_map2 = { 3 },
5388 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5390 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5393 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5397 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5398 BPF_LD_MAP_FD(BPF_REG_1, 0),
5399 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5400 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5401 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5403 offsetof(struct test_val, foo)),
5404 BPF_MOV64_IMM(BPF_REG_2, -8),
5405 BPF_MOV64_IMM(BPF_REG_3, 0),
5406 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5409 .fixup_map2 = { 3 },
5410 .errstr = "R2 min value is negative",
5412 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5415 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5417 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5418 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5419 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5420 BPF_LD_MAP_FD(BPF_REG_1, 0),
5421 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5422 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5423 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5425 offsetof(struct test_val, foo)),
5426 BPF_MOV64_IMM(BPF_REG_2, -1),
5427 BPF_MOV64_IMM(BPF_REG_3, 0),
5428 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5431 .fixup_map2 = { 3 },
5432 .errstr = "R2 min value is negative",
5434 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5437 "helper access to adjusted map (via const reg): full range",
5439 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5441 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5442 BPF_LD_MAP_FD(BPF_REG_1, 0),
5443 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5444 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5445 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5446 BPF_MOV64_IMM(BPF_REG_3,
5447 offsetof(struct test_val, foo)),
5448 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5449 BPF_MOV64_IMM(BPF_REG_2,
5450 sizeof(struct test_val) -
5451 offsetof(struct test_val, foo)),
5452 BPF_MOV64_IMM(BPF_REG_3, 0),
5453 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5456 .fixup_map2 = { 3 },
5458 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5461 "helper access to adjusted map (via const reg): partial range",
5463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5465 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5466 BPF_LD_MAP_FD(BPF_REG_1, 0),
5467 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5468 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5469 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5470 BPF_MOV64_IMM(BPF_REG_3,
5471 offsetof(struct test_val, foo)),
5472 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5473 BPF_MOV64_IMM(BPF_REG_2, 8),
5474 BPF_MOV64_IMM(BPF_REG_3, 0),
5475 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5478 .fixup_map2 = { 3 },
5480 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5483 "helper access to adjusted map (via const reg): empty range",
5485 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5486 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5487 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5488 BPF_LD_MAP_FD(BPF_REG_1, 0),
5489 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5490 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5491 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5492 BPF_MOV64_IMM(BPF_REG_3, 0),
5493 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5494 BPF_MOV64_IMM(BPF_REG_2, 0),
5495 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5498 .fixup_map2 = { 3 },
5499 .errstr = "R1 min value is outside of the array range",
5501 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5504 "helper access to adjusted map (via const reg): out-of-bound range",
5506 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5508 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5509 BPF_LD_MAP_FD(BPF_REG_1, 0),
5510 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5511 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5513 BPF_MOV64_IMM(BPF_REG_3,
5514 offsetof(struct test_val, foo)),
5515 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5516 BPF_MOV64_IMM(BPF_REG_2,
5517 sizeof(struct test_val) -
5518 offsetof(struct test_val, foo) + 8),
5519 BPF_MOV64_IMM(BPF_REG_3, 0),
5520 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5523 .fixup_map2 = { 3 },
5524 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5526 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5529 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5531 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5533 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5534 BPF_LD_MAP_FD(BPF_REG_1, 0),
5535 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5536 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5537 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5538 BPF_MOV64_IMM(BPF_REG_3,
5539 offsetof(struct test_val, foo)),
5540 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5541 BPF_MOV64_IMM(BPF_REG_2, -8),
5542 BPF_MOV64_IMM(BPF_REG_3, 0),
5543 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5546 .fixup_map2 = { 3 },
5547 .errstr = "R2 min value is negative",
5549 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5552 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5556 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5557 BPF_LD_MAP_FD(BPF_REG_1, 0),
5558 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5561 BPF_MOV64_IMM(BPF_REG_3,
5562 offsetof(struct test_val, foo)),
5563 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5564 BPF_MOV64_IMM(BPF_REG_2, -1),
5565 BPF_MOV64_IMM(BPF_REG_3, 0),
5566 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5569 .fixup_map2 = { 3 },
5570 .errstr = "R2 min value is negative",
5572 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5575 "helper access to adjusted map (via variable): full range",
5577 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5579 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5580 BPF_LD_MAP_FD(BPF_REG_1, 0),
5581 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5582 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5583 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5585 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5586 offsetof(struct test_val, foo), 4),
5587 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5588 BPF_MOV64_IMM(BPF_REG_2,
5589 sizeof(struct test_val) -
5590 offsetof(struct test_val, foo)),
5591 BPF_MOV64_IMM(BPF_REG_3, 0),
5592 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5595 .fixup_map2 = { 3 },
5597 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5600 "helper access to adjusted map (via variable): partial range",
5602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5604 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5605 BPF_LD_MAP_FD(BPF_REG_1, 0),
5606 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5609 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5610 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5611 offsetof(struct test_val, foo), 4),
5612 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5613 BPF_MOV64_IMM(BPF_REG_2, 8),
5614 BPF_MOV64_IMM(BPF_REG_3, 0),
5615 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5618 .fixup_map2 = { 3 },
5620 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5623 "helper access to adjusted map (via variable): empty range",
5625 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5627 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5628 BPF_LD_MAP_FD(BPF_REG_1, 0),
5629 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5630 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5631 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5632 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5633 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5634 offsetof(struct test_val, foo), 3),
5635 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5636 BPF_MOV64_IMM(BPF_REG_2, 0),
5637 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5640 .fixup_map2 = { 3 },
5641 .errstr = "R1 min value is outside of the array range",
5643 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5646 "helper access to adjusted map (via variable): no max check",
5648 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5650 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5651 BPF_LD_MAP_FD(BPF_REG_1, 0),
5652 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5655 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5656 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5657 BPF_MOV64_IMM(BPF_REG_2, 1),
5658 BPF_MOV64_IMM(BPF_REG_3, 0),
5659 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5662 .fixup_map2 = { 3 },
5663 .errstr = "R1 unbounded memory access",
5665 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5668 "helper access to adjusted map (via variable): wrong max check",
5670 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5672 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5673 BPF_LD_MAP_FD(BPF_REG_1, 0),
5674 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5676 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5677 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5678 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5679 offsetof(struct test_val, foo), 4),
5680 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5681 BPF_MOV64_IMM(BPF_REG_2,
5682 sizeof(struct test_val) -
5683 offsetof(struct test_val, foo) + 1),
5684 BPF_MOV64_IMM(BPF_REG_3, 0),
5685 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5688 .fixup_map2 = { 3 },
5689 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5691 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5694 "helper access to map: bounds check using <, good access",
5696 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5697 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5698 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5699 BPF_LD_MAP_FD(BPF_REG_1, 0),
5700 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5701 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5702 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5703 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5704 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5705 BPF_MOV64_IMM(BPF_REG_0, 0),
5707 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5708 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5709 BPF_MOV64_IMM(BPF_REG_0, 0),
5712 .fixup_map2 = { 3 },
5714 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5717 "helper access to map: bounds check using <, bad access",
5719 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5721 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5722 BPF_LD_MAP_FD(BPF_REG_1, 0),
5723 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5725 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5726 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5727 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5728 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5729 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5730 BPF_MOV64_IMM(BPF_REG_0, 0),
5732 BPF_MOV64_IMM(BPF_REG_0, 0),
5735 .fixup_map2 = { 3 },
5737 .errstr = "R1 unbounded memory access",
5738 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5741 "helper access to map: bounds check using <=, good access",
5743 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5745 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5746 BPF_LD_MAP_FD(BPF_REG_1, 0),
5747 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5749 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5750 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5751 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5752 BPF_MOV64_IMM(BPF_REG_0, 0),
5754 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5755 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5756 BPF_MOV64_IMM(BPF_REG_0, 0),
5759 .fixup_map2 = { 3 },
5761 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5764 "helper access to map: bounds check using <=, bad access",
5766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5768 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5769 BPF_LD_MAP_FD(BPF_REG_1, 0),
5770 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5772 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5773 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5774 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5775 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5776 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5777 BPF_MOV64_IMM(BPF_REG_0, 0),
5779 BPF_MOV64_IMM(BPF_REG_0, 0),
5782 .fixup_map2 = { 3 },
5784 .errstr = "R1 unbounded memory access",
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5788 "helper access to map: bounds check using s<, good access",
5790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5792 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5793 BPF_LD_MAP_FD(BPF_REG_1, 0),
5794 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5796 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5797 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5798 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5799 BPF_MOV64_IMM(BPF_REG_0, 0),
5801 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5802 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5803 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5804 BPF_MOV64_IMM(BPF_REG_0, 0),
5807 .fixup_map2 = { 3 },
5809 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5812 "helper access to map: bounds check using s<, good access 2",
5814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5816 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5817 BPF_LD_MAP_FD(BPF_REG_1, 0),
5818 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5820 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5821 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5822 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5823 BPF_MOV64_IMM(BPF_REG_0, 0),
5825 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5826 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5827 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5828 BPF_MOV64_IMM(BPF_REG_0, 0),
5831 .fixup_map2 = { 3 },
5833 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5836 "helper access to map: bounds check using s<, bad access",
5838 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5839 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5840 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5841 BPF_LD_MAP_FD(BPF_REG_1, 0),
5842 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5844 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5845 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5846 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5847 BPF_MOV64_IMM(BPF_REG_0, 0),
5849 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5850 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5851 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5852 BPF_MOV64_IMM(BPF_REG_0, 0),
5855 .fixup_map2 = { 3 },
5857 .errstr = "R1 min value is negative",
5858 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5861 "helper access to map: bounds check using s<=, good access",
5863 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5864 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5865 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5866 BPF_LD_MAP_FD(BPF_REG_1, 0),
5867 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5868 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5869 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5870 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5871 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5872 BPF_MOV64_IMM(BPF_REG_0, 0),
5874 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5875 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5876 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5877 BPF_MOV64_IMM(BPF_REG_0, 0),
5880 .fixup_map2 = { 3 },
5882 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5885 "helper access to map: bounds check using s<=, good access 2",
5887 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5889 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5890 BPF_LD_MAP_FD(BPF_REG_1, 0),
5891 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5892 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5893 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5894 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5895 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5896 BPF_MOV64_IMM(BPF_REG_0, 0),
5898 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5899 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5900 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5901 BPF_MOV64_IMM(BPF_REG_0, 0),
5904 .fixup_map2 = { 3 },
5906 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5909 "helper access to map: bounds check using s<=, bad access",
5911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5913 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5914 BPF_LD_MAP_FD(BPF_REG_1, 0),
5915 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5916 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5918 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5919 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5920 BPF_MOV64_IMM(BPF_REG_0, 0),
5922 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5923 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5924 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5925 BPF_MOV64_IMM(BPF_REG_0, 0),
5928 .fixup_map2 = { 3 },
5930 .errstr = "R1 min value is negative",
5931 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5934 "map lookup helper access to map",
5936 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5938 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5939 BPF_LD_MAP_FD(BPF_REG_1, 0),
5940 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5941 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5943 BPF_LD_MAP_FD(BPF_REG_1, 0),
5944 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5947 .fixup_map3 = { 3, 8 },
5949 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5952 "map update helper access to map",
5954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5956 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5957 BPF_LD_MAP_FD(BPF_REG_1, 0),
5958 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5959 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5960 BPF_MOV64_IMM(BPF_REG_4, 0),
5961 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5962 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5963 BPF_LD_MAP_FD(BPF_REG_1, 0),
5964 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5967 .fixup_map3 = { 3, 10 },
5969 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5972 "map update helper access to map: wrong size",
5974 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5976 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5977 BPF_LD_MAP_FD(BPF_REG_1, 0),
5978 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5979 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5980 BPF_MOV64_IMM(BPF_REG_4, 0),
5981 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5983 BPF_LD_MAP_FD(BPF_REG_1, 0),
5984 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5987 .fixup_map1 = { 3 },
5988 .fixup_map3 = { 10 },
5990 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
5991 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5994 "map helper access to adjusted map (via const imm)",
5996 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5998 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5999 BPF_LD_MAP_FD(BPF_REG_1, 0),
6000 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6001 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6002 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6004 offsetof(struct other_val, bar)),
6005 BPF_LD_MAP_FD(BPF_REG_1, 0),
6006 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6009 .fixup_map3 = { 3, 9 },
6011 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6014 "map helper access to adjusted map (via const imm): out-of-bound 1",
6016 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6018 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6019 BPF_LD_MAP_FD(BPF_REG_1, 0),
6020 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6021 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6022 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6024 sizeof(struct other_val) - 4),
6025 BPF_LD_MAP_FD(BPF_REG_1, 0),
6026 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6029 .fixup_map3 = { 3, 9 },
6031 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6032 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6035 "map helper access to adjusted map (via const imm): out-of-bound 2",
6037 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6039 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6040 BPF_LD_MAP_FD(BPF_REG_1, 0),
6041 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6042 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6043 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6045 BPF_LD_MAP_FD(BPF_REG_1, 0),
6046 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6049 .fixup_map3 = { 3, 9 },
6051 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6052 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6055 "map helper access to adjusted map (via const reg)",
6057 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6059 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6060 BPF_LD_MAP_FD(BPF_REG_1, 0),
6061 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6063 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6064 BPF_MOV64_IMM(BPF_REG_3,
6065 offsetof(struct other_val, bar)),
6066 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6067 BPF_LD_MAP_FD(BPF_REG_1, 0),
6068 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6071 .fixup_map3 = { 3, 10 },
6073 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6076 "map helper access to adjusted map (via const reg): out-of-bound 1",
6078 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081 BPF_LD_MAP_FD(BPF_REG_1, 0),
6082 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6084 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6085 BPF_MOV64_IMM(BPF_REG_3,
6086 sizeof(struct other_val) - 4),
6087 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6088 BPF_LD_MAP_FD(BPF_REG_1, 0),
6089 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6092 .fixup_map3 = { 3, 10 },
6094 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6095 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6098 "map helper access to adjusted map (via const reg): out-of-bound 2",
6100 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6102 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6103 BPF_LD_MAP_FD(BPF_REG_1, 0),
6104 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6105 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6106 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6107 BPF_MOV64_IMM(BPF_REG_3, -4),
6108 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6109 BPF_LD_MAP_FD(BPF_REG_1, 0),
6110 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6113 .fixup_map3 = { 3, 10 },
6115 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6116 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6119 "map helper access to adjusted map (via variable)",
6121 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6123 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6124 BPF_LD_MAP_FD(BPF_REG_1, 0),
6125 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6126 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6127 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6128 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6129 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6130 offsetof(struct other_val, bar), 4),
6131 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6132 BPF_LD_MAP_FD(BPF_REG_1, 0),
6133 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6136 .fixup_map3 = { 3, 11 },
6138 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6141 "map helper access to adjusted map (via variable): no max check",
6143 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6145 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6146 BPF_LD_MAP_FD(BPF_REG_1, 0),
6147 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6149 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6150 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6151 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6152 BPF_LD_MAP_FD(BPF_REG_1, 0),
6153 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6156 .fixup_map3 = { 3, 10 },
6158 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6159 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6162 "map helper access to adjusted map (via variable): wrong max check",
6164 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6166 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6167 BPF_LD_MAP_FD(BPF_REG_1, 0),
6168 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6170 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6171 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6172 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6173 offsetof(struct other_val, bar) + 1, 4),
6174 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6175 BPF_LD_MAP_FD(BPF_REG_1, 0),
6176 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6179 .fixup_map3 = { 3, 11 },
6181 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6182 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6185 "map element value is preserved across register spilling",
6187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6189 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6190 BPF_LD_MAP_FD(BPF_REG_1, 0),
6191 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6193 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6194 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6196 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6197 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6198 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6201 .fixup_map2 = { 3 },
6202 .errstr_unpriv = "R0 leaks addr",
6204 .result_unpriv = REJECT,
6207 "map element value or null is marked on register spilling",
6209 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6211 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6212 BPF_LD_MAP_FD(BPF_REG_1, 0),
6213 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6216 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6217 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6218 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6219 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6222 .fixup_map2 = { 3 },
6223 .errstr_unpriv = "R0 leaks addr",
6225 .result_unpriv = REJECT,
6228 "map element value store of cleared call register",
6230 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6232 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6233 BPF_LD_MAP_FD(BPF_REG_1, 0),
6234 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6236 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6239 .fixup_map2 = { 3 },
6240 .errstr_unpriv = "R1 !read_ok",
6241 .errstr = "R1 !read_ok",
6243 .result_unpriv = REJECT,
6246 "map element value with unaligned store",
6248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6250 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6251 BPF_LD_MAP_FD(BPF_REG_1, 0),
6252 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6254 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6255 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6256 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6257 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6258 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6259 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6260 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6261 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6263 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6264 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6265 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6266 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6268 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6269 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6270 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6273 .fixup_map2 = { 3 },
6274 .errstr_unpriv = "R0 leaks addr",
6276 .result_unpriv = REJECT,
6277 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6280 "map element value with unaligned load",
6282 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6284 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6285 BPF_LD_MAP_FD(BPF_REG_1, 0),
6286 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6287 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6288 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6289 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6290 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6291 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6292 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6293 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6294 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6295 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6296 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6297 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6298 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6301 .fixup_map2 = { 3 },
6302 .errstr_unpriv = "R0 leaks addr",
6304 .result_unpriv = REJECT,
6305 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6308 "map element value illegal alu op, 1",
6310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6312 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6313 BPF_LD_MAP_FD(BPF_REG_1, 0),
6314 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6316 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6317 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6320 .fixup_map2 = { 3 },
6321 .errstr = "R0 bitwise operator &= on pointer",
6325 "map element value illegal alu op, 2",
6327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6329 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6330 BPF_LD_MAP_FD(BPF_REG_1, 0),
6331 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6333 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6334 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6337 .fixup_map2 = { 3 },
6338 .errstr = "R0 32-bit pointer arithmetic prohibited",
6342 "map element value illegal alu op, 3",
6344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6346 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6347 BPF_LD_MAP_FD(BPF_REG_1, 0),
6348 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6349 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6350 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6351 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6354 .fixup_map2 = { 3 },
6355 .errstr = "R0 pointer arithmetic with /= operator",
6359 "map element value illegal alu op, 4",
6361 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6363 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6364 BPF_LD_MAP_FD(BPF_REG_1, 0),
6365 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6366 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6367 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6368 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6371 .fixup_map2 = { 3 },
6372 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6373 .errstr = "invalid mem access 'inv'",
6375 .result_unpriv = REJECT,
6378 "map element value illegal alu op, 5",
6380 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6382 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6383 BPF_LD_MAP_FD(BPF_REG_1, 0),
6384 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6385 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6386 BPF_MOV64_IMM(BPF_REG_3, 4096),
6387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6389 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6390 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6391 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6392 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6395 .fixup_map2 = { 3 },
6396 .errstr = "R0 invalid mem access 'inv'",
6400 "map element value is preserved across register spilling",
6402 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6404 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6405 BPF_LD_MAP_FD(BPF_REG_1, 0),
6406 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6407 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6409 offsetof(struct test_val, foo)),
6410 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6413 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6414 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6415 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6418 .fixup_map2 = { 3 },
6419 .errstr_unpriv = "R0 leaks addr",
6421 .result_unpriv = REJECT,
6422 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6425 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6429 BPF_MOV64_IMM(BPF_REG_0, 0),
6430 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6431 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6432 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6433 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6435 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6436 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6437 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6438 BPF_MOV64_IMM(BPF_REG_2, 16),
6439 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6440 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6441 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6442 BPF_MOV64_IMM(BPF_REG_4, 0),
6443 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6444 BPF_MOV64_IMM(BPF_REG_3, 0),
6445 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6446 BPF_MOV64_IMM(BPF_REG_0, 0),
6450 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6453 "helper access to variable memory: stack, bitwise AND, zero included",
6455 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6457 BPF_MOV64_IMM(BPF_REG_2, 16),
6458 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6459 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6460 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6461 BPF_MOV64_IMM(BPF_REG_3, 0),
6462 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6465 .errstr = "invalid indirect read from stack off -64+0 size 64",
6467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6470 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6474 BPF_MOV64_IMM(BPF_REG_2, 16),
6475 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6476 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6477 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6478 BPF_MOV64_IMM(BPF_REG_4, 0),
6479 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6480 BPF_MOV64_IMM(BPF_REG_3, 0),
6481 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6482 BPF_MOV64_IMM(BPF_REG_0, 0),
6485 .errstr = "invalid stack type R1 off=-64 access_size=65",
6487 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6490 "helper access to variable memory: stack, JMP, correct bounds",
6492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6494 BPF_MOV64_IMM(BPF_REG_0, 0),
6495 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6496 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6497 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6498 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6500 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6501 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6502 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6503 BPF_MOV64_IMM(BPF_REG_2, 16),
6504 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6505 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6506 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6507 BPF_MOV64_IMM(BPF_REG_4, 0),
6508 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6509 BPF_MOV64_IMM(BPF_REG_3, 0),
6510 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6511 BPF_MOV64_IMM(BPF_REG_0, 0),
6515 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6518 "helper access to variable memory: stack, JMP (signed), correct bounds",
6520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6522 BPF_MOV64_IMM(BPF_REG_0, 0),
6523 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6524 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6525 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6526 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6527 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6528 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6529 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6530 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6531 BPF_MOV64_IMM(BPF_REG_2, 16),
6532 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6533 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6534 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6535 BPF_MOV64_IMM(BPF_REG_4, 0),
6536 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6537 BPF_MOV64_IMM(BPF_REG_3, 0),
6538 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6539 BPF_MOV64_IMM(BPF_REG_0, 0),
6543 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6546 "helper access to variable memory: stack, JMP, bounds + offset",
6548 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6550 BPF_MOV64_IMM(BPF_REG_2, 16),
6551 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6552 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6553 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6554 BPF_MOV64_IMM(BPF_REG_4, 0),
6555 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6557 BPF_MOV64_IMM(BPF_REG_3, 0),
6558 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6559 BPF_MOV64_IMM(BPF_REG_0, 0),
6562 .errstr = "invalid stack type R1 off=-64 access_size=65",
6564 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6567 "helper access to variable memory: stack, JMP, wrong max",
6569 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6571 BPF_MOV64_IMM(BPF_REG_2, 16),
6572 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6573 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6574 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6575 BPF_MOV64_IMM(BPF_REG_4, 0),
6576 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6577 BPF_MOV64_IMM(BPF_REG_3, 0),
6578 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6579 BPF_MOV64_IMM(BPF_REG_0, 0),
6582 .errstr = "invalid stack type R1 off=-64 access_size=65",
6584 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6587 "helper access to variable memory: stack, JMP, no max check",
6589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6591 BPF_MOV64_IMM(BPF_REG_2, 16),
6592 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6593 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6594 BPF_MOV64_IMM(BPF_REG_4, 0),
6595 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6596 BPF_MOV64_IMM(BPF_REG_3, 0),
6597 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6598 BPF_MOV64_IMM(BPF_REG_0, 0),
6601 /* because max wasn't checked, signed min is negative */
6602 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6604 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6607 "helper access to variable memory: stack, JMP, no min check",
6609 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6611 BPF_MOV64_IMM(BPF_REG_2, 16),
6612 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6613 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6614 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6615 BPF_MOV64_IMM(BPF_REG_3, 0),
6616 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6617 BPF_MOV64_IMM(BPF_REG_0, 0),
6620 .errstr = "invalid indirect read from stack off -64+0 size 64",
6622 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6625 "helper access to variable memory: stack, JMP (signed), no min check",
6627 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6629 BPF_MOV64_IMM(BPF_REG_2, 16),
6630 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6631 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6632 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6633 BPF_MOV64_IMM(BPF_REG_3, 0),
6634 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6635 BPF_MOV64_IMM(BPF_REG_0, 0),
6638 .errstr = "R2 min value is negative",
6640 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6643 "helper access to variable memory: map, JMP, correct bounds",
6645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6647 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6648 BPF_LD_MAP_FD(BPF_REG_1, 0),
6649 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6651 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6652 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6653 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6654 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6655 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6656 sizeof(struct test_val), 4),
6657 BPF_MOV64_IMM(BPF_REG_4, 0),
6658 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6659 BPF_MOV64_IMM(BPF_REG_3, 0),
6660 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6661 BPF_MOV64_IMM(BPF_REG_0, 0),
6664 .fixup_map2 = { 3 },
6666 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6669 "helper access to variable memory: map, JMP, wrong max",
6671 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6672 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6673 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6674 BPF_LD_MAP_FD(BPF_REG_1, 0),
6675 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6676 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6677 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6678 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6679 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6680 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6681 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6682 sizeof(struct test_val) + 1, 4),
6683 BPF_MOV64_IMM(BPF_REG_4, 0),
6684 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6685 BPF_MOV64_IMM(BPF_REG_3, 0),
6686 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6687 BPF_MOV64_IMM(BPF_REG_0, 0),
6690 .fixup_map2 = { 3 },
6691 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6693 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6696 "helper access to variable memory: map adjusted, JMP, correct bounds",
6698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6700 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6701 BPF_LD_MAP_FD(BPF_REG_1, 0),
6702 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6703 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6706 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6707 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6708 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6709 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6710 sizeof(struct test_val) - 20, 4),
6711 BPF_MOV64_IMM(BPF_REG_4, 0),
6712 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6713 BPF_MOV64_IMM(BPF_REG_3, 0),
6714 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6715 BPF_MOV64_IMM(BPF_REG_0, 0),
6718 .fixup_map2 = { 3 },
6720 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6723 "helper access to variable memory: map adjusted, JMP, wrong max",
6725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6727 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6728 BPF_LD_MAP_FD(BPF_REG_1, 0),
6729 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6730 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6731 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6733 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6734 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6735 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6736 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6737 sizeof(struct test_val) - 19, 4),
6738 BPF_MOV64_IMM(BPF_REG_4, 0),
6739 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6740 BPF_MOV64_IMM(BPF_REG_3, 0),
6741 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6742 BPF_MOV64_IMM(BPF_REG_0, 0),
6745 .fixup_map2 = { 3 },
6746 .errstr = "R1 min value is outside of the array range",
6748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6751 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6753 BPF_MOV64_IMM(BPF_REG_1, 0),
6754 BPF_MOV64_IMM(BPF_REG_2, 0),
6755 BPF_MOV64_IMM(BPF_REG_3, 0),
6756 BPF_MOV64_IMM(BPF_REG_4, 0),
6757 BPF_MOV64_IMM(BPF_REG_5, 0),
6758 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6765 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6767 BPF_MOV64_IMM(BPF_REG_1, 0),
6768 BPF_MOV64_IMM(BPF_REG_2, 1),
6769 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6770 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6771 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6772 BPF_MOV64_IMM(BPF_REG_3, 0),
6773 BPF_MOV64_IMM(BPF_REG_4, 0),
6774 BPF_MOV64_IMM(BPF_REG_5, 0),
6775 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6778 .errstr = "R1 type=inv expected=fp",
6780 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6783 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6785 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6787 BPF_MOV64_IMM(BPF_REG_2, 0),
6788 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6789 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6790 BPF_MOV64_IMM(BPF_REG_3, 0),
6791 BPF_MOV64_IMM(BPF_REG_4, 0),
6792 BPF_MOV64_IMM(BPF_REG_5, 0),
6793 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6797 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6800 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6802 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6803 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6805 BPF_LD_MAP_FD(BPF_REG_1, 0),
6806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6807 BPF_FUNC_map_lookup_elem),
6808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6809 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6810 BPF_MOV64_IMM(BPF_REG_2, 0),
6811 BPF_MOV64_IMM(BPF_REG_3, 0),
6812 BPF_MOV64_IMM(BPF_REG_4, 0),
6813 BPF_MOV64_IMM(BPF_REG_5, 0),
6814 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6817 .fixup_map1 = { 3 },
6819 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6822 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6824 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6825 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6827 BPF_LD_MAP_FD(BPF_REG_1, 0),
6828 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6829 BPF_FUNC_map_lookup_elem),
6830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6831 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6832 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6833 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6834 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6835 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6836 BPF_MOV64_IMM(BPF_REG_3, 0),
6837 BPF_MOV64_IMM(BPF_REG_4, 0),
6838 BPF_MOV64_IMM(BPF_REG_5, 0),
6839 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6842 .fixup_map1 = { 3 },
6844 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6847 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6849 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6850 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6852 BPF_LD_MAP_FD(BPF_REG_1, 0),
6853 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6854 BPF_FUNC_map_lookup_elem),
6855 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6856 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6857 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6858 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6859 BPF_MOV64_IMM(BPF_REG_3, 0),
6860 BPF_MOV64_IMM(BPF_REG_4, 0),
6861 BPF_MOV64_IMM(BPF_REG_5, 0),
6862 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6865 .fixup_map1 = { 3 },
6867 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6870 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6872 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6873 offsetof(struct __sk_buff, data)),
6874 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6875 offsetof(struct __sk_buff, data_end)),
6876 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6878 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6880 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6881 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6882 BPF_MOV64_IMM(BPF_REG_3, 0),
6883 BPF_MOV64_IMM(BPF_REG_4, 0),
6884 BPF_MOV64_IMM(BPF_REG_5, 0),
6885 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6889 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6890 .retval = 0 /* csum_diff of 64-byte packet */,
6893 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6895 BPF_MOV64_IMM(BPF_REG_1, 0),
6896 BPF_MOV64_IMM(BPF_REG_2, 0),
6897 BPF_MOV64_IMM(BPF_REG_3, 0),
6898 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6901 .errstr = "R1 type=inv expected=fp",
6903 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6906 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6908 BPF_MOV64_IMM(BPF_REG_1, 0),
6909 BPF_MOV64_IMM(BPF_REG_2, 1),
6910 BPF_MOV64_IMM(BPF_REG_3, 0),
6911 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6914 .errstr = "R1 type=inv expected=fp",
6916 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6919 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6921 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6923 BPF_MOV64_IMM(BPF_REG_2, 0),
6924 BPF_MOV64_IMM(BPF_REG_3, 0),
6925 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6929 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6932 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6934 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6935 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6936 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6937 BPF_LD_MAP_FD(BPF_REG_1, 0),
6938 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6939 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6940 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6941 BPF_MOV64_IMM(BPF_REG_2, 0),
6942 BPF_MOV64_IMM(BPF_REG_3, 0),
6943 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6946 .fixup_map1 = { 3 },
6948 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6951 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6953 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6956 BPF_LD_MAP_FD(BPF_REG_1, 0),
6957 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6959 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6960 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6961 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6963 BPF_MOV64_IMM(BPF_REG_3, 0),
6964 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6967 .fixup_map1 = { 3 },
6969 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6972 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6974 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6975 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6977 BPF_LD_MAP_FD(BPF_REG_1, 0),
6978 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6979 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6980 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6981 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6982 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6983 BPF_MOV64_IMM(BPF_REG_3, 0),
6984 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6987 .fixup_map1 = { 3 },
6989 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6992 "helper access to variable memory: 8 bytes leak",
6994 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6996 BPF_MOV64_IMM(BPF_REG_0, 0),
6997 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6998 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6999 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7001 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7002 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7003 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7004 BPF_MOV64_IMM(BPF_REG_2, 1),
7005 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7006 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7007 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7009 BPF_MOV64_IMM(BPF_REG_3, 0),
7010 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7011 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7014 .errstr = "invalid indirect read from stack off -64+32 size 64",
7016 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7019 "helper access to variable memory: 8 bytes no leak (init memory)",
7021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7022 BPF_MOV64_IMM(BPF_REG_0, 0),
7023 BPF_MOV64_IMM(BPF_REG_0, 0),
7024 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7025 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7026 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7027 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7028 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7029 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7030 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7031 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7033 BPF_MOV64_IMM(BPF_REG_2, 0),
7034 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7036 BPF_MOV64_IMM(BPF_REG_3, 0),
7037 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7038 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7042 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7045 "invalid and of negative number",
7047 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7048 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7050 BPF_LD_MAP_FD(BPF_REG_1, 0),
7051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7052 BPF_FUNC_map_lookup_elem),
7053 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7054 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7055 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7056 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7057 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7058 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7059 offsetof(struct test_val, foo)),
7062 .fixup_map2 = { 3 },
7063 .errstr = "R0 max value is outside of the array range",
7065 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7068 "invalid range check",
7070 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7071 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7073 BPF_LD_MAP_FD(BPF_REG_1, 0),
7074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7075 BPF_FUNC_map_lookup_elem),
7076 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7077 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7078 BPF_MOV64_IMM(BPF_REG_9, 1),
7079 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7080 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7081 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7082 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7083 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7084 BPF_MOV32_IMM(BPF_REG_3, 1),
7085 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7086 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7087 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7088 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7089 BPF_MOV64_REG(BPF_REG_0, 0),
7092 .fixup_map2 = { 3 },
7093 .errstr = "R0 max value is outside of the array range",
7095 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7098 "map in map access",
7100 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7103 BPF_LD_MAP_FD(BPF_REG_1, 0),
7104 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7105 BPF_FUNC_map_lookup_elem),
7106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7107 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7110 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7111 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7112 BPF_FUNC_map_lookup_elem),
7113 BPF_MOV64_IMM(BPF_REG_0, 0),
7116 .fixup_map_in_map = { 3 },
7120 "invalid inner map pointer",
7122 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7123 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7125 BPF_LD_MAP_FD(BPF_REG_1, 0),
7126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7127 BPF_FUNC_map_lookup_elem),
7128 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7129 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7135 BPF_FUNC_map_lookup_elem),
7136 BPF_MOV64_IMM(BPF_REG_0, 0),
7139 .fixup_map_in_map = { 3 },
7140 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
7144 "forgot null checking on the inner map pointer",
7146 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7147 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7149 BPF_LD_MAP_FD(BPF_REG_1, 0),
7150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7151 BPF_FUNC_map_lookup_elem),
7152 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7153 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7156 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7157 BPF_FUNC_map_lookup_elem),
7158 BPF_MOV64_IMM(BPF_REG_0, 0),
7161 .fixup_map_in_map = { 3 },
7162 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7166 "ld_abs: check calling conv, r1",
7168 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7169 BPF_MOV64_IMM(BPF_REG_1, 0),
7170 BPF_LD_ABS(BPF_W, -0x200000),
7171 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7174 .errstr = "R1 !read_ok",
7178 "ld_abs: check calling conv, r2",
7180 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7181 BPF_MOV64_IMM(BPF_REG_2, 0),
7182 BPF_LD_ABS(BPF_W, -0x200000),
7183 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7186 .errstr = "R2 !read_ok",
7190 "ld_abs: check calling conv, r3",
7192 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7193 BPF_MOV64_IMM(BPF_REG_3, 0),
7194 BPF_LD_ABS(BPF_W, -0x200000),
7195 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7198 .errstr = "R3 !read_ok",
7202 "ld_abs: check calling conv, r4",
7204 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7205 BPF_MOV64_IMM(BPF_REG_4, 0),
7206 BPF_LD_ABS(BPF_W, -0x200000),
7207 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7210 .errstr = "R4 !read_ok",
7214 "ld_abs: check calling conv, r5",
7216 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7217 BPF_MOV64_IMM(BPF_REG_5, 0),
7218 BPF_LD_ABS(BPF_W, -0x200000),
7219 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7222 .errstr = "R5 !read_ok",
7226 "ld_abs: check calling conv, r7",
7228 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7229 BPF_MOV64_IMM(BPF_REG_7, 0),
7230 BPF_LD_ABS(BPF_W, -0x200000),
7231 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7237 "ld_abs: tests on r6 and skb data reload helper",
7239 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7240 BPF_LD_ABS(BPF_B, 0),
7241 BPF_LD_ABS(BPF_H, 0),
7242 BPF_LD_ABS(BPF_W, 0),
7243 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7244 BPF_MOV64_IMM(BPF_REG_6, 0),
7245 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7246 BPF_MOV64_IMM(BPF_REG_2, 1),
7247 BPF_MOV64_IMM(BPF_REG_3, 2),
7248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7249 BPF_FUNC_skb_vlan_push),
7250 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7251 BPF_LD_ABS(BPF_B, 0),
7252 BPF_LD_ABS(BPF_H, 0),
7253 BPF_LD_ABS(BPF_W, 0),
7254 BPF_MOV64_IMM(BPF_REG_0, 42),
7257 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7259 .retval = 42 /* ultimate return value */,
7262 "ld_ind: check calling conv, r1",
7264 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7265 BPF_MOV64_IMM(BPF_REG_1, 1),
7266 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7267 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7270 .errstr = "R1 !read_ok",
7274 "ld_ind: check calling conv, r2",
7276 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7277 BPF_MOV64_IMM(BPF_REG_2, 1),
7278 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7279 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7282 .errstr = "R2 !read_ok",
7286 "ld_ind: check calling conv, r3",
7288 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7289 BPF_MOV64_IMM(BPF_REG_3, 1),
7290 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7291 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7294 .errstr = "R3 !read_ok",
7298 "ld_ind: check calling conv, r4",
7300 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7301 BPF_MOV64_IMM(BPF_REG_4, 1),
7302 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7303 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7306 .errstr = "R4 !read_ok",
7310 "ld_ind: check calling conv, r5",
7312 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7313 BPF_MOV64_IMM(BPF_REG_5, 1),
7314 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7315 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7318 .errstr = "R5 !read_ok",
7322 "ld_ind: check calling conv, r7",
7324 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7325 BPF_MOV64_IMM(BPF_REG_7, 1),
7326 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7327 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7334 "check bpf_perf_event_data->sample_period byte load permitted",
7336 BPF_MOV64_IMM(BPF_REG_0, 0),
7337 #if __BYTE_ORDER == __LITTLE_ENDIAN
7338 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7339 offsetof(struct bpf_perf_event_data, sample_period)),
7341 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7342 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7347 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7350 "check bpf_perf_event_data->sample_period half load permitted",
7352 BPF_MOV64_IMM(BPF_REG_0, 0),
7353 #if __BYTE_ORDER == __LITTLE_ENDIAN
7354 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7355 offsetof(struct bpf_perf_event_data, sample_period)),
7357 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7358 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7363 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7366 "check bpf_perf_event_data->sample_period word load permitted",
7368 BPF_MOV64_IMM(BPF_REG_0, 0),
7369 #if __BYTE_ORDER == __LITTLE_ENDIAN
7370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7371 offsetof(struct bpf_perf_event_data, sample_period)),
7373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7374 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7379 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7382 "check bpf_perf_event_data->sample_period dword load permitted",
7384 BPF_MOV64_IMM(BPF_REG_0, 0),
7385 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7386 offsetof(struct bpf_perf_event_data, sample_period)),
7390 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7393 "check skb->data half load not permitted",
7395 BPF_MOV64_IMM(BPF_REG_0, 0),
7396 #if __BYTE_ORDER == __LITTLE_ENDIAN
7397 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7398 offsetof(struct __sk_buff, data)),
7400 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7401 offsetof(struct __sk_buff, data) + 2),
7406 .errstr = "invalid bpf_context access",
7409 "check skb->tc_classid half load not permitted for lwt prog",
7411 BPF_MOV64_IMM(BPF_REG_0, 0),
7412 #if __BYTE_ORDER == __LITTLE_ENDIAN
7413 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7414 offsetof(struct __sk_buff, tc_classid)),
7416 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7417 offsetof(struct __sk_buff, tc_classid) + 2),
7422 .errstr = "invalid bpf_context access",
7423 .prog_type = BPF_PROG_TYPE_LWT_IN,
7426 "bounds checks mixing signed and unsigned, positive bounds",
7428 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7429 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7431 BPF_LD_MAP_FD(BPF_REG_1, 0),
7432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7433 BPF_FUNC_map_lookup_elem),
7434 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7435 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7436 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7437 BPF_MOV64_IMM(BPF_REG_2, 2),
7438 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7439 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7440 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7441 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7442 BPF_MOV64_IMM(BPF_REG_0, 0),
7445 .fixup_map1 = { 3 },
7446 .errstr = "unbounded min value",
7450 "bounds checks mixing signed and unsigned",
7452 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7453 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7455 BPF_LD_MAP_FD(BPF_REG_1, 0),
7456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7457 BPF_FUNC_map_lookup_elem),
7458 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7459 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7460 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7461 BPF_MOV64_IMM(BPF_REG_2, -1),
7462 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7463 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7464 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7465 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7466 BPF_MOV64_IMM(BPF_REG_0, 0),
7469 .fixup_map1 = { 3 },
7470 .errstr = "unbounded min value",
7474 "bounds checks mixing signed and unsigned, variant 2",
7476 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7477 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7479 BPF_LD_MAP_FD(BPF_REG_1, 0),
7480 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7481 BPF_FUNC_map_lookup_elem),
7482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7483 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7484 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7485 BPF_MOV64_IMM(BPF_REG_2, -1),
7486 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7487 BPF_MOV64_IMM(BPF_REG_8, 0),
7488 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7489 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7490 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7491 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7492 BPF_MOV64_IMM(BPF_REG_0, 0),
7495 .fixup_map1 = { 3 },
7496 .errstr = "unbounded min value",
7500 "bounds checks mixing signed and unsigned, variant 3",
7502 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7503 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7504 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7505 BPF_LD_MAP_FD(BPF_REG_1, 0),
7506 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7507 BPF_FUNC_map_lookup_elem),
7508 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7509 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7510 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7511 BPF_MOV64_IMM(BPF_REG_2, -1),
7512 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7513 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7514 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7515 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7516 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7517 BPF_MOV64_IMM(BPF_REG_0, 0),
7520 .fixup_map1 = { 3 },
7521 .errstr = "unbounded min value",
7525 "bounds checks mixing signed and unsigned, variant 4",
7527 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7530 BPF_LD_MAP_FD(BPF_REG_1, 0),
7531 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7532 BPF_FUNC_map_lookup_elem),
7533 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7534 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7535 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7536 BPF_MOV64_IMM(BPF_REG_2, 1),
7537 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7538 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7539 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7540 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7541 BPF_MOV64_IMM(BPF_REG_0, 0),
7544 .fixup_map1 = { 3 },
7548 "bounds checks mixing signed and unsigned, variant 5",
7550 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7551 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7553 BPF_LD_MAP_FD(BPF_REG_1, 0),
7554 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7555 BPF_FUNC_map_lookup_elem),
7556 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7557 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7558 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7559 BPF_MOV64_IMM(BPF_REG_2, -1),
7560 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7561 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7563 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7564 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7565 BPF_MOV64_IMM(BPF_REG_0, 0),
7568 .fixup_map1 = { 3 },
7569 .errstr = "unbounded min value",
7573 "bounds checks mixing signed and unsigned, variant 6",
7575 BPF_MOV64_IMM(BPF_REG_2, 0),
7576 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7577 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7578 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7579 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7580 BPF_MOV64_IMM(BPF_REG_6, -1),
7581 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7582 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7584 BPF_MOV64_IMM(BPF_REG_5, 0),
7585 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7586 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7587 BPF_FUNC_skb_load_bytes),
7588 BPF_MOV64_IMM(BPF_REG_0, 0),
7591 .errstr = "R4 min value is negative, either use unsigned",
7595 "bounds checks mixing signed and unsigned, variant 7",
7597 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7598 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7600 BPF_LD_MAP_FD(BPF_REG_1, 0),
7601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7602 BPF_FUNC_map_lookup_elem),
7603 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7604 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7605 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7606 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7607 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7608 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7609 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7610 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7611 BPF_MOV64_IMM(BPF_REG_0, 0),
7614 .fixup_map1 = { 3 },
7618 "bounds checks mixing signed and unsigned, variant 8",
7620 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7621 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7622 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7623 BPF_LD_MAP_FD(BPF_REG_1, 0),
7624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7625 BPF_FUNC_map_lookup_elem),
7626 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7627 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7628 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7629 BPF_MOV64_IMM(BPF_REG_2, -1),
7630 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7631 BPF_MOV64_IMM(BPF_REG_0, 0),
7633 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7634 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7635 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7636 BPF_MOV64_IMM(BPF_REG_0, 0),
7639 .fixup_map1 = { 3 },
7640 .errstr = "unbounded min value",
7644 "bounds checks mixing signed and unsigned, variant 9",
7646 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7647 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7649 BPF_LD_MAP_FD(BPF_REG_1, 0),
7650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7651 BPF_FUNC_map_lookup_elem),
7652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7653 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7654 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7655 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7656 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7657 BPF_MOV64_IMM(BPF_REG_0, 0),
7659 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7660 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7661 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7662 BPF_MOV64_IMM(BPF_REG_0, 0),
7665 .fixup_map1 = { 3 },
7669 "bounds checks mixing signed and unsigned, variant 10",
7671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7674 BPF_LD_MAP_FD(BPF_REG_1, 0),
7675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7676 BPF_FUNC_map_lookup_elem),
7677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7678 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7679 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7680 BPF_MOV64_IMM(BPF_REG_2, 0),
7681 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7682 BPF_MOV64_IMM(BPF_REG_0, 0),
7684 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7685 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7686 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7687 BPF_MOV64_IMM(BPF_REG_0, 0),
7690 .fixup_map1 = { 3 },
7691 .errstr = "unbounded min value",
7695 "bounds checks mixing signed and unsigned, variant 11",
7697 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7698 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7700 BPF_LD_MAP_FD(BPF_REG_1, 0),
7701 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7702 BPF_FUNC_map_lookup_elem),
7703 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7704 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7705 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7706 BPF_MOV64_IMM(BPF_REG_2, -1),
7707 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7709 BPF_MOV64_IMM(BPF_REG_0, 0),
7711 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7712 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7713 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7714 BPF_MOV64_IMM(BPF_REG_0, 0),
7717 .fixup_map1 = { 3 },
7718 .errstr = "unbounded min value",
7722 "bounds checks mixing signed and unsigned, variant 12",
7724 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7725 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7727 BPF_LD_MAP_FD(BPF_REG_1, 0),
7728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7729 BPF_FUNC_map_lookup_elem),
7730 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7731 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7732 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7733 BPF_MOV64_IMM(BPF_REG_2, -6),
7734 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7735 BPF_MOV64_IMM(BPF_REG_0, 0),
7737 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7738 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7739 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7740 BPF_MOV64_IMM(BPF_REG_0, 0),
7743 .fixup_map1 = { 3 },
7744 .errstr = "unbounded min value",
7748 "bounds checks mixing signed and unsigned, variant 13",
7750 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7751 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7752 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7753 BPF_LD_MAP_FD(BPF_REG_1, 0),
7754 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7755 BPF_FUNC_map_lookup_elem),
7756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7757 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7758 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7759 BPF_MOV64_IMM(BPF_REG_2, 2),
7760 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7761 BPF_MOV64_IMM(BPF_REG_7, 1),
7762 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7763 BPF_MOV64_IMM(BPF_REG_0, 0),
7765 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7766 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7767 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7768 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7769 BPF_MOV64_IMM(BPF_REG_0, 0),
7772 .fixup_map1 = { 3 },
7773 .errstr = "unbounded min value",
7777 "bounds checks mixing signed and unsigned, variant 14",
7779 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7780 offsetof(struct __sk_buff, mark)),
7781 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7782 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7784 BPF_LD_MAP_FD(BPF_REG_1, 0),
7785 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7786 BPF_FUNC_map_lookup_elem),
7787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7788 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7789 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7790 BPF_MOV64_IMM(BPF_REG_2, -1),
7791 BPF_MOV64_IMM(BPF_REG_8, 2),
7792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7793 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7794 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7795 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7796 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7797 BPF_MOV64_IMM(BPF_REG_0, 0),
7799 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7800 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7802 .fixup_map1 = { 4 },
7803 .errstr = "R0 invalid mem access 'inv'",
7807 "bounds checks mixing signed and unsigned, variant 15",
7809 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7810 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7812 BPF_LD_MAP_FD(BPF_REG_1, 0),
7813 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7814 BPF_FUNC_map_lookup_elem),
7815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7817 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7818 BPF_MOV64_IMM(BPF_REG_2, -6),
7819 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7820 BPF_MOV64_IMM(BPF_REG_0, 0),
7822 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7823 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7824 BPF_MOV64_IMM(BPF_REG_0, 0),
7826 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7827 BPF_MOV64_IMM(BPF_REG_0, 0),
7830 .fixup_map1 = { 3 },
7831 .errstr = "unbounded min value",
7833 .result_unpriv = REJECT,
7836 "subtraction bounds (map value) variant 1",
7838 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7841 BPF_LD_MAP_FD(BPF_REG_1, 0),
7842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7843 BPF_FUNC_map_lookup_elem),
7844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7845 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7846 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7847 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7848 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7849 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7850 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7851 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7852 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7854 BPF_MOV64_IMM(BPF_REG_0, 0),
7857 .fixup_map1 = { 3 },
7858 .errstr = "R0 max value is outside of the array range",
7862 "subtraction bounds (map value) variant 2",
7864 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7865 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7867 BPF_LD_MAP_FD(BPF_REG_1, 0),
7868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7869 BPF_FUNC_map_lookup_elem),
7870 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7871 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7872 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7873 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7874 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7875 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7876 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7877 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7879 BPF_MOV64_IMM(BPF_REG_0, 0),
7882 .fixup_map1 = { 3 },
7883 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7887 "bounds check based on zero-extended MOV",
7889 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7890 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7892 BPF_LD_MAP_FD(BPF_REG_1, 0),
7893 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7894 BPF_FUNC_map_lookup_elem),
7895 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7896 /* r2 = 0x0000'0000'ffff'ffff */
7897 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7899 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7901 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7902 /* access at offset 0 */
7903 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7905 BPF_MOV64_IMM(BPF_REG_0, 0),
7908 .fixup_map1 = { 3 },
7912 "bounds check based on sign-extended MOV. test1",
7914 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7915 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7917 BPF_LD_MAP_FD(BPF_REG_1, 0),
7918 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7919 BPF_FUNC_map_lookup_elem),
7920 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7921 /* r2 = 0xffff'ffff'ffff'ffff */
7922 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7923 /* r2 = 0xffff'ffff */
7924 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7925 /* r0 = <oob pointer> */
7926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7927 /* access to OOB pointer */
7928 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7930 BPF_MOV64_IMM(BPF_REG_0, 0),
7933 .fixup_map1 = { 3 },
7934 .errstr = "map_value pointer and 4294967295",
7938 "bounds check based on sign-extended MOV. test2",
7940 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7941 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7943 BPF_LD_MAP_FD(BPF_REG_1, 0),
7944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7945 BPF_FUNC_map_lookup_elem),
7946 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7947 /* r2 = 0xffff'ffff'ffff'ffff */
7948 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7949 /* r2 = 0xfff'ffff */
7950 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7951 /* r0 = <oob pointer> */
7952 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7953 /* access to OOB pointer */
7954 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7956 BPF_MOV64_IMM(BPF_REG_0, 0),
7959 .fixup_map1 = { 3 },
7960 .errstr = "R0 min value is outside of the array range",
7964 "bounds check based on reg_off + var_off + insn_off. test1",
7966 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7967 offsetof(struct __sk_buff, mark)),
7968 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7971 BPF_LD_MAP_FD(BPF_REG_1, 0),
7972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7973 BPF_FUNC_map_lookup_elem),
7974 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7975 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7977 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7979 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7980 BPF_MOV64_IMM(BPF_REG_0, 0),
7983 .fixup_map1 = { 4 },
7984 .errstr = "value_size=8 off=1073741825",
7986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7989 "bounds check based on reg_off + var_off + insn_off. test2",
7991 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7992 offsetof(struct __sk_buff, mark)),
7993 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7994 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7996 BPF_LD_MAP_FD(BPF_REG_1, 0),
7997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7998 BPF_FUNC_map_lookup_elem),
7999 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8000 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8001 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8002 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8004 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8005 BPF_MOV64_IMM(BPF_REG_0, 0),
8008 .fixup_map1 = { 4 },
8009 .errstr = "value 1073741823",
8011 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8014 "bounds check after truncation of non-boundary-crossing range",
8016 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8017 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8018 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8019 BPF_LD_MAP_FD(BPF_REG_1, 0),
8020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8021 BPF_FUNC_map_lookup_elem),
8022 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8023 /* r1 = [0x00, 0xff] */
8024 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8025 BPF_MOV64_IMM(BPF_REG_2, 1),
8026 /* r2 = 0x10'0000'0000 */
8027 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8028 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8029 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8030 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8032 /* r1 = [0x00, 0xff] */
8033 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8035 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8037 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8038 /* access at offset 0 */
8039 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8041 BPF_MOV64_IMM(BPF_REG_0, 0),
8044 .fixup_map1 = { 3 },
8048 "bounds check after truncation of boundary-crossing range (1)",
8050 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8051 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8053 BPF_LD_MAP_FD(BPF_REG_1, 0),
8054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8055 BPF_FUNC_map_lookup_elem),
8056 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8057 /* r1 = [0x00, 0xff] */
8058 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8060 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8062 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8063 * [0x0000'0000, 0x0000'007f]
8065 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8066 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8067 /* r1 = [0x00, 0xff] or
8068 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8070 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8072 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8074 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8075 /* no-op or OOB pointer computation */
8076 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8077 /* potentially OOB access */
8078 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8080 BPF_MOV64_IMM(BPF_REG_0, 0),
8083 .fixup_map1 = { 3 },
8084 /* not actually fully unbounded, but the bound is very high */
8085 .errstr = "R0 unbounded memory access",
8089 "bounds check after truncation of boundary-crossing range (2)",
8091 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8092 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8094 BPF_LD_MAP_FD(BPF_REG_1, 0),
8095 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8096 BPF_FUNC_map_lookup_elem),
8097 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8098 /* r1 = [0x00, 0xff] */
8099 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8100 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8101 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8103 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8104 * [0x0000'0000, 0x0000'007f]
8105 * difference to previous test: truncation via MOV32
8108 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8109 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8110 /* r1 = [0x00, 0xff] or
8111 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8113 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8115 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8117 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8118 /* no-op or OOB pointer computation */
8119 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8120 /* potentially OOB access */
8121 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8123 BPF_MOV64_IMM(BPF_REG_0, 0),
8126 .fixup_map1 = { 3 },
8127 /* not actually fully unbounded, but the bound is very high */
8128 .errstr = "R0 unbounded memory access",
8132 "bounds check after wrapping 32-bit addition",
8134 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8135 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8137 BPF_LD_MAP_FD(BPF_REG_1, 0),
8138 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8139 BPF_FUNC_map_lookup_elem),
8140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8141 /* r1 = 0x7fff'ffff */
8142 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8143 /* r1 = 0xffff'fffe */
8144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8146 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8148 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8149 /* access at offset 0 */
8150 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8152 BPF_MOV64_IMM(BPF_REG_0, 0),
8155 .fixup_map1 = { 3 },
8159 "bounds check after shift with oversized count operand",
8161 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8164 BPF_LD_MAP_FD(BPF_REG_1, 0),
8165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8166 BPF_FUNC_map_lookup_elem),
8167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8168 BPF_MOV64_IMM(BPF_REG_2, 32),
8169 BPF_MOV64_IMM(BPF_REG_1, 1),
8170 /* r1 = (u32)1 << (u32)32 = ? */
8171 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8172 /* r1 = [0x0000, 0xffff] */
8173 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8174 /* computes unknown pointer, potentially OOB */
8175 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8176 /* potentially OOB access */
8177 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8179 BPF_MOV64_IMM(BPF_REG_0, 0),
8182 .fixup_map1 = { 3 },
8183 .errstr = "R0 max value is outside of the array range",
8187 "bounds check after right shift of maybe-negative number",
8189 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8190 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8191 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8192 BPF_LD_MAP_FD(BPF_REG_1, 0),
8193 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8194 BPF_FUNC_map_lookup_elem),
8195 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8196 /* r1 = [0x00, 0xff] */
8197 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8198 /* r1 = [-0x01, 0xfe] */
8199 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8200 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8201 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8202 /* r1 = 0 or 0xffff'ffff'ffff */
8203 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8204 /* computes unknown pointer, potentially OOB */
8205 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8206 /* potentially OOB access */
8207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8209 BPF_MOV64_IMM(BPF_REG_0, 0),
8212 .fixup_map1 = { 3 },
8213 .errstr = "R0 unbounded memory access",
8217 "bounds check map access with off+size signed 32bit overflow. test1",
8219 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8220 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8222 BPF_LD_MAP_FD(BPF_REG_1, 0),
8223 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8224 BPF_FUNC_map_lookup_elem),
8225 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8227 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8228 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8232 .fixup_map1 = { 3 },
8233 .errstr = "map_value pointer and 2147483646",
8237 "bounds check map access with off+size signed 32bit overflow. test2",
8239 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8240 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8242 BPF_LD_MAP_FD(BPF_REG_1, 0),
8243 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8244 BPF_FUNC_map_lookup_elem),
8245 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8250 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8254 .fixup_map1 = { 3 },
8255 .errstr = "pointer offset 1073741822",
8259 "bounds check map access with off+size signed 32bit overflow. test3",
8261 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8262 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8264 BPF_LD_MAP_FD(BPF_REG_1, 0),
8265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8266 BPF_FUNC_map_lookup_elem),
8267 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8269 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8270 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8271 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8275 .fixup_map1 = { 3 },
8276 .errstr = "pointer offset -1073741822",
8280 "bounds check map access with off+size signed 32bit overflow. test4",
8282 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8283 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8285 BPF_LD_MAP_FD(BPF_REG_1, 0),
8286 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8287 BPF_FUNC_map_lookup_elem),
8288 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8290 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8291 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8292 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8293 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8297 .fixup_map1 = { 3 },
8298 .errstr = "map_value pointer and 1000000000000",
8302 "pointer/scalar confusion in state equality check (way 1)",
8304 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8305 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8307 BPF_LD_MAP_FD(BPF_REG_1, 0),
8308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8309 BPF_FUNC_map_lookup_elem),
8310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8311 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8313 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8317 .fixup_map1 = { 3 },
8319 .retval = POINTER_VALUE,
8320 .result_unpriv = REJECT,
8321 .errstr_unpriv = "R0 leaks addr as return value"
8324 "pointer/scalar confusion in state equality check (way 2)",
8326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8329 BPF_LD_MAP_FD(BPF_REG_1, 0),
8330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8331 BPF_FUNC_map_lookup_elem),
8332 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8333 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8335 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8338 .fixup_map1 = { 3 },
8340 .retval = POINTER_VALUE,
8341 .result_unpriv = REJECT,
8342 .errstr_unpriv = "R0 leaks addr as return value"
8345 "variable-offset ctx access",
8347 /* Get an unknown value */
8348 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8349 /* Make it small and 4-byte aligned */
8350 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8351 /* add it to skb. We now have either &skb->len or
8352 * &skb->pkt_type, but we don't know which
8354 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8355 /* dereference it */
8356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8359 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8361 .prog_type = BPF_PROG_TYPE_LWT_IN,
8364 "variable-offset stack access",
8366 /* Fill the top 8 bytes of the stack */
8367 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8368 /* Get an unknown value */
8369 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8370 /* Make it small and 4-byte aligned */
8371 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8372 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8373 /* add it to fp. We now have either fp-4 or fp-8, but
8374 * we don't know which
8376 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8377 /* dereference it */
8378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8381 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8383 .prog_type = BPF_PROG_TYPE_LWT_IN,
8386 "indirect variable-offset stack access",
8388 /* Fill the top 8 bytes of the stack */
8389 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8390 /* Get an unknown value */
8391 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8392 /* Make it small and 4-byte aligned */
8393 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8394 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8395 /* add it to fp. We now have either fp-4 or fp-8, but
8396 * we don't know which
8398 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8399 /* dereference it indirectly */
8400 BPF_LD_MAP_FD(BPF_REG_1, 0),
8401 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8402 BPF_FUNC_map_lookup_elem),
8403 BPF_MOV64_IMM(BPF_REG_0, 0),
8406 .fixup_map1 = { 5 },
8407 .errstr = "variable stack read R2",
8409 .prog_type = BPF_PROG_TYPE_LWT_IN,
8412 "direct stack access with 32-bit wraparound. test1",
8414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8416 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8417 BPF_MOV32_IMM(BPF_REG_0, 0),
8418 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8421 .errstr = "fp pointer and 2147483647",
8425 "direct stack access with 32-bit wraparound. test2",
8427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8430 BPF_MOV32_IMM(BPF_REG_0, 0),
8431 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8434 .errstr = "fp pointer and 1073741823",
8438 "direct stack access with 32-bit wraparound. test3",
8440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8443 BPF_MOV32_IMM(BPF_REG_0, 0),
8444 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8447 .errstr = "fp pointer offset 1073741822",
8451 "liveness pruning and write screening",
8453 /* Get an unknown value */
8454 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8455 /* branch conditions teach us nothing about R2 */
8456 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8457 BPF_MOV64_IMM(BPF_REG_0, 0),
8458 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8459 BPF_MOV64_IMM(BPF_REG_0, 0),
8462 .errstr = "R0 !read_ok",
8464 .prog_type = BPF_PROG_TYPE_LWT_IN,
8467 "varlen_map_value_access pruning",
8469 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8470 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8471 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8472 BPF_LD_MAP_FD(BPF_REG_1, 0),
8473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8474 BPF_FUNC_map_lookup_elem),
8475 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8476 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8477 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8478 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8479 BPF_MOV32_IMM(BPF_REG_1, 0),
8480 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8481 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8482 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8483 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8484 offsetof(struct test_val, foo)),
8487 .fixup_map2 = { 3 },
8488 .errstr_unpriv = "R0 leaks addr",
8489 .errstr = "R0 unbounded memory access",
8490 .result_unpriv = REJECT,
8492 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8495 "invalid 64-bit BPF_END",
8497 BPF_MOV32_IMM(BPF_REG_0, 0),
8499 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
8500 .dst_reg = BPF_REG_0,
8507 .errstr = "unknown opcode d7",
8511 "XDP, using ifindex from netdev",
8513 BPF_MOV64_IMM(BPF_REG_0, 0),
8514 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8515 offsetof(struct xdp_md, ingress_ifindex)),
8516 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8517 BPF_MOV64_IMM(BPF_REG_0, 1),
8521 .prog_type = BPF_PROG_TYPE_XDP,
8525 "meta access, test1",
8527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8528 offsetof(struct xdp_md, data_meta)),
8529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8530 offsetof(struct xdp_md, data)),
8531 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8533 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8534 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8535 BPF_MOV64_IMM(BPF_REG_0, 0),
8539 .prog_type = BPF_PROG_TYPE_XDP,
8542 "meta access, test2",
8544 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8545 offsetof(struct xdp_md, data_meta)),
8546 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8547 offsetof(struct xdp_md, data)),
8548 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8549 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8550 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8552 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8553 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8554 BPF_MOV64_IMM(BPF_REG_0, 0),
8558 .errstr = "invalid access to packet, off=-8",
8559 .prog_type = BPF_PROG_TYPE_XDP,
8562 "meta access, test3",
8564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8565 offsetof(struct xdp_md, data_meta)),
8566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8567 offsetof(struct xdp_md, data_end)),
8568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8572 BPF_MOV64_IMM(BPF_REG_0, 0),
8576 .errstr = "invalid access to packet",
8577 .prog_type = BPF_PROG_TYPE_XDP,
8580 "meta access, test4",
8582 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8583 offsetof(struct xdp_md, data_meta)),
8584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8585 offsetof(struct xdp_md, data_end)),
8586 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8587 offsetof(struct xdp_md, data)),
8588 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8590 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8591 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8592 BPF_MOV64_IMM(BPF_REG_0, 0),
8596 .errstr = "invalid access to packet",
8597 .prog_type = BPF_PROG_TYPE_XDP,
8600 "meta access, test5",
8602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8603 offsetof(struct xdp_md, data_meta)),
8604 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8605 offsetof(struct xdp_md, data)),
8606 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8608 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8609 BPF_MOV64_IMM(BPF_REG_2, -8),
8610 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8611 BPF_FUNC_xdp_adjust_meta),
8612 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8613 BPF_MOV64_IMM(BPF_REG_0, 0),
8617 .errstr = "R3 !read_ok",
8618 .prog_type = BPF_PROG_TYPE_XDP,
8621 "meta access, test6",
8623 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8624 offsetof(struct xdp_md, data_meta)),
8625 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8626 offsetof(struct xdp_md, data)),
8627 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8629 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8631 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8632 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8633 BPF_MOV64_IMM(BPF_REG_0, 0),
8637 .errstr = "invalid access to packet",
8638 .prog_type = BPF_PROG_TYPE_XDP,
8641 "meta access, test7",
8643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8644 offsetof(struct xdp_md, data_meta)),
8645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8646 offsetof(struct xdp_md, data)),
8647 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8649 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8651 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8652 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8653 BPF_MOV64_IMM(BPF_REG_0, 0),
8657 .prog_type = BPF_PROG_TYPE_XDP,
8660 "meta access, test8",
8662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8663 offsetof(struct xdp_md, data_meta)),
8664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8665 offsetof(struct xdp_md, data)),
8666 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8668 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8670 BPF_MOV64_IMM(BPF_REG_0, 0),
8674 .prog_type = BPF_PROG_TYPE_XDP,
8677 "meta access, test9",
8679 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8680 offsetof(struct xdp_md, data_meta)),
8681 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8682 offsetof(struct xdp_md, data)),
8683 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8686 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8687 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8688 BPF_MOV64_IMM(BPF_REG_0, 0),
8692 .errstr = "invalid access to packet",
8693 .prog_type = BPF_PROG_TYPE_XDP,
8696 "meta access, test10",
8698 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8699 offsetof(struct xdp_md, data_meta)),
8700 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8701 offsetof(struct xdp_md, data)),
8702 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8703 offsetof(struct xdp_md, data_end)),
8704 BPF_MOV64_IMM(BPF_REG_5, 42),
8705 BPF_MOV64_IMM(BPF_REG_6, 24),
8706 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8707 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8708 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8709 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8710 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8711 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8712 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8714 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8715 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8716 BPF_MOV64_IMM(BPF_REG_0, 0),
8720 .errstr = "invalid access to packet",
8721 .prog_type = BPF_PROG_TYPE_XDP,
8724 "meta access, test11",
8726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8727 offsetof(struct xdp_md, data_meta)),
8728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8729 offsetof(struct xdp_md, data)),
8730 BPF_MOV64_IMM(BPF_REG_5, 42),
8731 BPF_MOV64_IMM(BPF_REG_6, 24),
8732 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8733 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8734 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8735 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8736 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8737 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8738 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8740 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8741 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8742 BPF_MOV64_IMM(BPF_REG_0, 0),
8746 .prog_type = BPF_PROG_TYPE_XDP,
8749 "meta access, test12",
8751 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8752 offsetof(struct xdp_md, data_meta)),
8753 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8754 offsetof(struct xdp_md, data)),
8755 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8756 offsetof(struct xdp_md, data_end)),
8757 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8759 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8760 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8761 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8763 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8764 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8765 BPF_MOV64_IMM(BPF_REG_0, 0),
8769 .prog_type = BPF_PROG_TYPE_XDP,
8772 "arithmetic ops make PTR_TO_CTX unusable",
8774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8775 offsetof(struct __sk_buff, data) -
8776 offsetof(struct __sk_buff, mark)),
8777 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8778 offsetof(struct __sk_buff, mark)),
8781 .errstr = "dereference of modified ctx ptr",
8783 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8786 "pkt_end - pkt_start is allowed",
8788 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8789 offsetof(struct __sk_buff, data_end)),
8790 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8791 offsetof(struct __sk_buff, data)),
8792 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8796 .retval = TEST_DATA_LEN,
8797 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8800 "XDP pkt read, pkt_end mangling, bad access 1",
8802 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8803 offsetof(struct xdp_md, data)),
8804 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8805 offsetof(struct xdp_md, data_end)),
8806 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8807 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8809 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8810 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8811 BPF_MOV64_IMM(BPF_REG_0, 0),
8814 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8816 .prog_type = BPF_PROG_TYPE_XDP,
8819 "XDP pkt read, pkt_end mangling, bad access 2",
8821 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8822 offsetof(struct xdp_md, data)),
8823 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8824 offsetof(struct xdp_md, data_end)),
8825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8827 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8828 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8829 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8830 BPF_MOV64_IMM(BPF_REG_0, 0),
8833 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8835 .prog_type = BPF_PROG_TYPE_XDP,
8838 "XDP pkt read, pkt_data' > pkt_end, good access",
8840 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8841 offsetof(struct xdp_md, data)),
8842 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8843 offsetof(struct xdp_md, data_end)),
8844 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8846 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8847 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8848 BPF_MOV64_IMM(BPF_REG_0, 0),
8852 .prog_type = BPF_PROG_TYPE_XDP,
8855 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8857 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8858 offsetof(struct xdp_md, data)),
8859 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8860 offsetof(struct xdp_md, data_end)),
8861 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8863 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8864 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8865 BPF_MOV64_IMM(BPF_REG_0, 0),
8868 .errstr = "R1 offset is outside of the packet",
8870 .prog_type = BPF_PROG_TYPE_XDP,
8871 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8874 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8876 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8877 offsetof(struct xdp_md, data)),
8878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8879 offsetof(struct xdp_md, data_end)),
8880 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8882 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8883 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8884 BPF_MOV64_IMM(BPF_REG_0, 0),
8887 .errstr = "R1 offset is outside of the packet",
8889 .prog_type = BPF_PROG_TYPE_XDP,
8892 "XDP pkt read, pkt_end > pkt_data', good access",
8894 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8895 offsetof(struct xdp_md, data)),
8896 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8897 offsetof(struct xdp_md, data_end)),
8898 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8900 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8901 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8902 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8903 BPF_MOV64_IMM(BPF_REG_0, 0),
8907 .prog_type = BPF_PROG_TYPE_XDP,
8908 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8911 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8913 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8914 offsetof(struct xdp_md, data)),
8915 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8916 offsetof(struct xdp_md, data_end)),
8917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8919 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8920 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8921 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8922 BPF_MOV64_IMM(BPF_REG_0, 0),
8925 .errstr = "R1 offset is outside of the packet",
8927 .prog_type = BPF_PROG_TYPE_XDP,
8930 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8932 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8933 offsetof(struct xdp_md, data)),
8934 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8935 offsetof(struct xdp_md, data_end)),
8936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8937 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8938 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8939 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8940 BPF_MOV64_IMM(BPF_REG_0, 0),
8943 .errstr = "R1 offset is outside of the packet",
8945 .prog_type = BPF_PROG_TYPE_XDP,
8948 "XDP pkt read, pkt_data' < pkt_end, good access",
8950 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8951 offsetof(struct xdp_md, data)),
8952 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8953 offsetof(struct xdp_md, data_end)),
8954 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8956 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8957 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8958 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8959 BPF_MOV64_IMM(BPF_REG_0, 0),
8963 .prog_type = BPF_PROG_TYPE_XDP,
8964 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8967 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8970 offsetof(struct xdp_md, data)),
8971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8972 offsetof(struct xdp_md, data_end)),
8973 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8974 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8975 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8976 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8977 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8978 BPF_MOV64_IMM(BPF_REG_0, 0),
8981 .errstr = "R1 offset is outside of the packet",
8983 .prog_type = BPF_PROG_TYPE_XDP,
8986 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
8988 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8989 offsetof(struct xdp_md, data)),
8990 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8991 offsetof(struct xdp_md, data_end)),
8992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8994 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8995 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8996 BPF_MOV64_IMM(BPF_REG_0, 0),
8999 .errstr = "R1 offset is outside of the packet",
9001 .prog_type = BPF_PROG_TYPE_XDP,
9004 "XDP pkt read, pkt_end < pkt_data', good access",
9006 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9007 offsetof(struct xdp_md, data)),
9008 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9009 offsetof(struct xdp_md, data_end)),
9010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9012 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9013 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9014 BPF_MOV64_IMM(BPF_REG_0, 0),
9018 .prog_type = BPF_PROG_TYPE_XDP,
9021 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9023 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9024 offsetof(struct xdp_md, data)),
9025 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9026 offsetof(struct xdp_md, data_end)),
9027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9029 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9030 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9031 BPF_MOV64_IMM(BPF_REG_0, 0),
9034 .errstr = "R1 offset is outside of the packet",
9036 .prog_type = BPF_PROG_TYPE_XDP,
9037 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9040 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9042 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9043 offsetof(struct xdp_md, data)),
9044 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9045 offsetof(struct xdp_md, data_end)),
9046 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9048 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9049 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9050 BPF_MOV64_IMM(BPF_REG_0, 0),
9053 .errstr = "R1 offset is outside of the packet",
9055 .prog_type = BPF_PROG_TYPE_XDP,
9058 "XDP pkt read, pkt_data' >= pkt_end, good access",
9060 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9061 offsetof(struct xdp_md, data)),
9062 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9063 offsetof(struct xdp_md, data_end)),
9064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9066 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9067 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9068 BPF_MOV64_IMM(BPF_REG_0, 0),
9072 .prog_type = BPF_PROG_TYPE_XDP,
9073 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9076 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9078 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9079 offsetof(struct xdp_md, data)),
9080 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9081 offsetof(struct xdp_md, data_end)),
9082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9084 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9085 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9086 BPF_MOV64_IMM(BPF_REG_0, 0),
9089 .errstr = "R1 offset is outside of the packet",
9091 .prog_type = BPF_PROG_TYPE_XDP,
9094 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9096 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9097 offsetof(struct xdp_md, data)),
9098 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9099 offsetof(struct xdp_md, data_end)),
9100 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9102 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9103 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9104 BPF_MOV64_IMM(BPF_REG_0, 0),
9107 .errstr = "R1 offset is outside of the packet",
9109 .prog_type = BPF_PROG_TYPE_XDP,
9110 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9113 "XDP pkt read, pkt_end >= pkt_data', good access",
9115 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9116 offsetof(struct xdp_md, data)),
9117 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9118 offsetof(struct xdp_md, data_end)),
9119 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9121 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9122 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9123 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9124 BPF_MOV64_IMM(BPF_REG_0, 0),
9128 .prog_type = BPF_PROG_TYPE_XDP,
9131 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9133 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9134 offsetof(struct xdp_md, data)),
9135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9136 offsetof(struct xdp_md, data_end)),
9137 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9139 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9140 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9141 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9142 BPF_MOV64_IMM(BPF_REG_0, 0),
9145 .errstr = "R1 offset is outside of the packet",
9147 .prog_type = BPF_PROG_TYPE_XDP,
9148 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9151 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9153 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9154 offsetof(struct xdp_md, data)),
9155 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9156 offsetof(struct xdp_md, data_end)),
9157 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9159 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9160 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9161 BPF_MOV64_IMM(BPF_REG_0, 0),
9164 .errstr = "R1 offset is outside of the packet",
9166 .prog_type = BPF_PROG_TYPE_XDP,
9169 "XDP pkt read, pkt_data' <= pkt_end, good access",
9171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9172 offsetof(struct xdp_md, data)),
9173 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9174 offsetof(struct xdp_md, data_end)),
9175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9177 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9178 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9179 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9180 BPF_MOV64_IMM(BPF_REG_0, 0),
9184 .prog_type = BPF_PROG_TYPE_XDP,
9187 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9189 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9190 offsetof(struct xdp_md, data)),
9191 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9192 offsetof(struct xdp_md, data_end)),
9193 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9195 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9196 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9197 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9198 BPF_MOV64_IMM(BPF_REG_0, 0),
9201 .errstr = "R1 offset is outside of the packet",
9203 .prog_type = BPF_PROG_TYPE_XDP,
9204 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9207 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9209 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9210 offsetof(struct xdp_md, data)),
9211 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9212 offsetof(struct xdp_md, data_end)),
9213 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9215 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9216 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9217 BPF_MOV64_IMM(BPF_REG_0, 0),
9220 .errstr = "R1 offset is outside of the packet",
9222 .prog_type = BPF_PROG_TYPE_XDP,
9225 "XDP pkt read, pkt_end <= pkt_data', good access",
9227 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9228 offsetof(struct xdp_md, data)),
9229 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9230 offsetof(struct xdp_md, data_end)),
9231 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9233 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9234 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9235 BPF_MOV64_IMM(BPF_REG_0, 0),
9239 .prog_type = BPF_PROG_TYPE_XDP,
9240 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9243 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
9245 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9246 offsetof(struct xdp_md, data)),
9247 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9248 offsetof(struct xdp_md, data_end)),
9249 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9251 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9252 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9253 BPF_MOV64_IMM(BPF_REG_0, 0),
9256 .errstr = "R1 offset is outside of the packet",
9258 .prog_type = BPF_PROG_TYPE_XDP,
9261 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9263 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9264 offsetof(struct xdp_md, data)),
9265 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9266 offsetof(struct xdp_md, data_end)),
9267 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9268 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9269 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9270 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9271 BPF_MOV64_IMM(BPF_REG_0, 0),
9274 .errstr = "R1 offset is outside of the packet",
9276 .prog_type = BPF_PROG_TYPE_XDP,
9277 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9280 "XDP pkt read, pkt_meta' > pkt_data, good access",
9282 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9283 offsetof(struct xdp_md, data_meta)),
9284 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9285 offsetof(struct xdp_md, data)),
9286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9288 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9290 BPF_MOV64_IMM(BPF_REG_0, 0),
9294 .prog_type = BPF_PROG_TYPE_XDP,
9297 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9299 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9300 offsetof(struct xdp_md, data_meta)),
9301 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9302 offsetof(struct xdp_md, data)),
9303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9304 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9305 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9306 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9307 BPF_MOV64_IMM(BPF_REG_0, 0),
9310 .errstr = "R1 offset is outside of the packet",
9312 .prog_type = BPF_PROG_TYPE_XDP,
9313 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9316 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9318 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9319 offsetof(struct xdp_md, data_meta)),
9320 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9321 offsetof(struct xdp_md, data)),
9322 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9324 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9325 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9326 BPF_MOV64_IMM(BPF_REG_0, 0),
9329 .errstr = "R1 offset is outside of the packet",
9331 .prog_type = BPF_PROG_TYPE_XDP,
9334 "XDP pkt read, pkt_data > pkt_meta', good access",
9336 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9337 offsetof(struct xdp_md, data_meta)),
9338 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9339 offsetof(struct xdp_md, data)),
9340 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9342 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9343 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9344 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9345 BPF_MOV64_IMM(BPF_REG_0, 0),
9349 .prog_type = BPF_PROG_TYPE_XDP,
9350 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9353 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9355 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9356 offsetof(struct xdp_md, data_meta)),
9357 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9358 offsetof(struct xdp_md, data)),
9359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9361 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9362 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9363 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9364 BPF_MOV64_IMM(BPF_REG_0, 0),
9367 .errstr = "R1 offset is outside of the packet",
9369 .prog_type = BPF_PROG_TYPE_XDP,
9372 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9374 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9375 offsetof(struct xdp_md, data_meta)),
9376 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9377 offsetof(struct xdp_md, data)),
9378 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9380 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9381 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9382 BPF_MOV64_IMM(BPF_REG_0, 0),
9385 .errstr = "R1 offset is outside of the packet",
9387 .prog_type = BPF_PROG_TYPE_XDP,
9390 "XDP pkt read, pkt_meta' < pkt_data, good access",
9392 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9393 offsetof(struct xdp_md, data_meta)),
9394 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9395 offsetof(struct xdp_md, data)),
9396 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9397 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9398 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9399 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9400 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9401 BPF_MOV64_IMM(BPF_REG_0, 0),
9405 .prog_type = BPF_PROG_TYPE_XDP,
9406 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9409 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9411 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9412 offsetof(struct xdp_md, data_meta)),
9413 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9414 offsetof(struct xdp_md, data)),
9415 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9416 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9417 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9418 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9419 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9420 BPF_MOV64_IMM(BPF_REG_0, 0),
9423 .errstr = "R1 offset is outside of the packet",
9425 .prog_type = BPF_PROG_TYPE_XDP,
9428 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9430 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9431 offsetof(struct xdp_md, data_meta)),
9432 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9433 offsetof(struct xdp_md, data)),
9434 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9436 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9437 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9438 BPF_MOV64_IMM(BPF_REG_0, 0),
9441 .errstr = "R1 offset is outside of the packet",
9443 .prog_type = BPF_PROG_TYPE_XDP,
9446 "XDP pkt read, pkt_data < pkt_meta', good access",
9448 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9449 offsetof(struct xdp_md, data_meta)),
9450 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9451 offsetof(struct xdp_md, data)),
9452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9454 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9455 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9456 BPF_MOV64_IMM(BPF_REG_0, 0),
9460 .prog_type = BPF_PROG_TYPE_XDP,
9463 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9465 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9466 offsetof(struct xdp_md, data_meta)),
9467 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9468 offsetof(struct xdp_md, data)),
9469 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9470 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9471 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9472 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9473 BPF_MOV64_IMM(BPF_REG_0, 0),
9476 .errstr = "R1 offset is outside of the packet",
9478 .prog_type = BPF_PROG_TYPE_XDP,
9479 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9482 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
9484 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9485 offsetof(struct xdp_md, data_meta)),
9486 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9487 offsetof(struct xdp_md, data)),
9488 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9490 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9491 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9492 BPF_MOV64_IMM(BPF_REG_0, 0),
9495 .errstr = "R1 offset is outside of the packet",
9497 .prog_type = BPF_PROG_TYPE_XDP,
9500 "XDP pkt read, pkt_meta' >= pkt_data, good access",
9502 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9503 offsetof(struct xdp_md, data_meta)),
9504 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9505 offsetof(struct xdp_md, data)),
9506 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9508 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9509 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9510 BPF_MOV64_IMM(BPF_REG_0, 0),
9514 .prog_type = BPF_PROG_TYPE_XDP,
9515 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9518 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9520 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9521 offsetof(struct xdp_md, data_meta)),
9522 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9523 offsetof(struct xdp_md, data)),
9524 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9525 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9526 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9527 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9528 BPF_MOV64_IMM(BPF_REG_0, 0),
9531 .errstr = "R1 offset is outside of the packet",
9533 .prog_type = BPF_PROG_TYPE_XDP,
9536 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9538 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9539 offsetof(struct xdp_md, data_meta)),
9540 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9541 offsetof(struct xdp_md, data)),
9542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9544 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9546 BPF_MOV64_IMM(BPF_REG_0, 0),
9549 .errstr = "R1 offset is outside of the packet",
9551 .prog_type = BPF_PROG_TYPE_XDP,
9552 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9555 "XDP pkt read, pkt_data >= pkt_meta', good access",
9557 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9558 offsetof(struct xdp_md, data_meta)),
9559 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9560 offsetof(struct xdp_md, data)),
9561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9563 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9564 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9565 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9566 BPF_MOV64_IMM(BPF_REG_0, 0),
9570 .prog_type = BPF_PROG_TYPE_XDP,
9573 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9575 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9576 offsetof(struct xdp_md, data_meta)),
9577 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9578 offsetof(struct xdp_md, data)),
9579 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9581 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9582 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9583 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9584 BPF_MOV64_IMM(BPF_REG_0, 0),
9587 .errstr = "R1 offset is outside of the packet",
9589 .prog_type = BPF_PROG_TYPE_XDP,
9590 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9593 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9595 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9596 offsetof(struct xdp_md, data_meta)),
9597 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9598 offsetof(struct xdp_md, data)),
9599 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9601 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9602 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9603 BPF_MOV64_IMM(BPF_REG_0, 0),
9606 .errstr = "R1 offset is outside of the packet",
9608 .prog_type = BPF_PROG_TYPE_XDP,
9611 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9613 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9614 offsetof(struct xdp_md, data_meta)),
9615 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9616 offsetof(struct xdp_md, data)),
9617 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9619 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9620 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9621 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9622 BPF_MOV64_IMM(BPF_REG_0, 0),
9626 .prog_type = BPF_PROG_TYPE_XDP,
9629 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9631 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9632 offsetof(struct xdp_md, data_meta)),
9633 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9634 offsetof(struct xdp_md, data)),
9635 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9636 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9637 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9638 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9639 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9640 BPF_MOV64_IMM(BPF_REG_0, 0),
9643 .errstr = "R1 offset is outside of the packet",
9645 .prog_type = BPF_PROG_TYPE_XDP,
9646 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9649 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9651 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9652 offsetof(struct xdp_md, data_meta)),
9653 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9654 offsetof(struct xdp_md, data)),
9655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9656 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9657 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9658 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9659 BPF_MOV64_IMM(BPF_REG_0, 0),
9662 .errstr = "R1 offset is outside of the packet",
9664 .prog_type = BPF_PROG_TYPE_XDP,
9667 "XDP pkt read, pkt_data <= pkt_meta', good access",
9669 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9670 offsetof(struct xdp_md, data_meta)),
9671 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9672 offsetof(struct xdp_md, data)),
9673 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9674 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9675 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9676 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9677 BPF_MOV64_IMM(BPF_REG_0, 0),
9681 .prog_type = BPF_PROG_TYPE_XDP,
9682 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9685 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9687 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9688 offsetof(struct xdp_md, data_meta)),
9689 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9690 offsetof(struct xdp_md, data)),
9691 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9692 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9693 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9694 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9695 BPF_MOV64_IMM(BPF_REG_0, 0),
9698 .errstr = "R1 offset is outside of the packet",
9700 .prog_type = BPF_PROG_TYPE_XDP,
9703 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9705 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9706 offsetof(struct xdp_md, data_meta)),
9707 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9708 offsetof(struct xdp_md, data)),
9709 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9710 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9711 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9712 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9713 BPF_MOV64_IMM(BPF_REG_0, 0),
9716 .errstr = "R1 offset is outside of the packet",
9718 .prog_type = BPF_PROG_TYPE_XDP,
9719 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9722 "check deducing bounds from const, 1",
9724 BPF_MOV64_IMM(BPF_REG_0, 1),
9725 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9726 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9730 .errstr = "R0 tried to subtract pointer from scalar",
9733 "check deducing bounds from const, 2",
9735 BPF_MOV64_IMM(BPF_REG_0, 1),
9736 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9738 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9740 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9747 "check deducing bounds from const, 3",
9749 BPF_MOV64_IMM(BPF_REG_0, 0),
9750 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9751 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9755 .errstr = "R0 tried to subtract pointer from scalar",
9758 "check deducing bounds from const, 4",
9760 BPF_MOV64_IMM(BPF_REG_0, 0),
9761 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9763 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9765 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9771 "check deducing bounds from const, 5",
9773 BPF_MOV64_IMM(BPF_REG_0, 0),
9774 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9775 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9779 .errstr = "R0 tried to subtract pointer from scalar",
9782 "check deducing bounds from const, 6",
9784 BPF_MOV64_IMM(BPF_REG_0, 0),
9785 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9787 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9791 .errstr = "R0 tried to subtract pointer from scalar",
9794 "check deducing bounds from const, 7",
9796 BPF_MOV64_IMM(BPF_REG_0, ~0),
9797 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9798 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9799 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9800 offsetof(struct __sk_buff, mark)),
9804 .errstr = "dereference of modified ctx ptr",
9807 "check deducing bounds from const, 8",
9809 BPF_MOV64_IMM(BPF_REG_0, ~0),
9810 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9811 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9812 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9813 offsetof(struct __sk_buff, mark)),
9817 .errstr = "dereference of modified ctx ptr",
9820 "check deducing bounds from const, 9",
9822 BPF_MOV64_IMM(BPF_REG_0, 0),
9823 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9824 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9828 .errstr = "R0 tried to subtract pointer from scalar",
9831 "check deducing bounds from const, 10",
9833 BPF_MOV64_IMM(BPF_REG_0, 0),
9834 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9835 /* Marks reg as unknown. */
9836 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9837 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9841 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9844 "bpf_exit with invalid return code. test1",
9846 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9849 .errstr = "R0 has value (0x0; 0xffffffff)",
9851 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9854 "bpf_exit with invalid return code. test2",
9856 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9857 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9861 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9864 "bpf_exit with invalid return code. test3",
9866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9867 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9870 .errstr = "R0 has value (0x0; 0x3)",
9872 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9875 "bpf_exit with invalid return code. test4",
9877 BPF_MOV64_IMM(BPF_REG_0, 1),
9881 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9884 "bpf_exit with invalid return code. test5",
9886 BPF_MOV64_IMM(BPF_REG_0, 2),
9889 .errstr = "R0 has value (0x2; 0x0)",
9891 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9894 "bpf_exit with invalid return code. test6",
9896 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9899 .errstr = "R0 is not a known value (ctx)",
9901 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9904 "bpf_exit with invalid return code. test7",
9906 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9907 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9908 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9911 .errstr = "R0 has unknown scalar value",
9913 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9916 "calls: basic sanity",
9918 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9919 BPF_MOV64_IMM(BPF_REG_0, 1),
9921 BPF_MOV64_IMM(BPF_REG_0, 2),
9924 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9928 "calls: not on unpriviledged",
9930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9931 BPF_MOV64_IMM(BPF_REG_0, 1),
9933 BPF_MOV64_IMM(BPF_REG_0, 2),
9936 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9937 .result_unpriv = REJECT,
9942 "calls: div by 0 in subprog",
9944 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9946 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9947 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9948 offsetof(struct __sk_buff, data_end)),
9949 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9951 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9952 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9953 BPF_MOV64_IMM(BPF_REG_0, 1),
9955 BPF_MOV32_IMM(BPF_REG_2, 0),
9956 BPF_MOV32_IMM(BPF_REG_3, 1),
9957 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9958 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9959 offsetof(struct __sk_buff, data)),
9962 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9967 "calls: multiple ret types in subprog 1",
9969 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9972 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9973 offsetof(struct __sk_buff, data_end)),
9974 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9976 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9977 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9978 BPF_MOV64_IMM(BPF_REG_0, 1),
9980 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9981 offsetof(struct __sk_buff, data)),
9982 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9983 BPF_MOV32_IMM(BPF_REG_0, 42),
9986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9988 .errstr = "R0 invalid mem access 'inv'",
9991 "calls: multiple ret types in subprog 2",
9993 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9996 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9997 offsetof(struct __sk_buff, data_end)),
9998 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10000 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10001 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10002 BPF_MOV64_IMM(BPF_REG_0, 1),
10004 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10005 offsetof(struct __sk_buff, data)),
10006 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10007 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10008 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10009 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10011 BPF_LD_MAP_FD(BPF_REG_1, 0),
10012 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10013 BPF_FUNC_map_lookup_elem),
10014 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10015 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10016 offsetof(struct __sk_buff, data)),
10017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10020 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10021 .fixup_map1 = { 16 },
10023 .errstr = "R0 min value is outside of the array range",
10026 "calls: overlapping caller/callee",
10028 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10029 BPF_MOV64_IMM(BPF_REG_0, 1),
10032 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10033 .errstr = "last insn is not an exit or jmp",
10037 "calls: wrong recursive calls",
10039 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10040 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10041 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10043 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10044 BPF_MOV64_IMM(BPF_REG_0, 1),
10047 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10048 .errstr = "jump out of range",
10052 "calls: wrong src reg",
10054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10055 BPF_MOV64_IMM(BPF_REG_0, 1),
10058 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10059 .errstr = "BPF_CALL uses reserved fields",
10063 "calls: wrong off value",
10065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10066 BPF_MOV64_IMM(BPF_REG_0, 1),
10068 BPF_MOV64_IMM(BPF_REG_0, 2),
10071 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10072 .errstr = "BPF_CALL uses reserved fields",
10076 "calls: jump back loop",
10078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10079 BPF_MOV64_IMM(BPF_REG_0, 1),
10082 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10083 .errstr = "back-edge from insn 0 to 0",
10087 "calls: conditional call",
10089 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10090 offsetof(struct __sk_buff, mark)),
10091 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10092 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10093 BPF_MOV64_IMM(BPF_REG_0, 1),
10095 BPF_MOV64_IMM(BPF_REG_0, 2),
10098 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10099 .errstr = "jump out of range",
10103 "calls: conditional call 2",
10105 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10106 offsetof(struct __sk_buff, mark)),
10107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10109 BPF_MOV64_IMM(BPF_REG_0, 1),
10111 BPF_MOV64_IMM(BPF_REG_0, 2),
10113 BPF_MOV64_IMM(BPF_REG_0, 3),
10116 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10120 "calls: conditional call 3",
10122 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10123 offsetof(struct __sk_buff, mark)),
10124 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10125 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10126 BPF_MOV64_IMM(BPF_REG_0, 1),
10128 BPF_MOV64_IMM(BPF_REG_0, 1),
10129 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10130 BPF_MOV64_IMM(BPF_REG_0, 3),
10131 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10133 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10134 .errstr = "back-edge from insn",
10138 "calls: conditional call 4",
10140 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10141 offsetof(struct __sk_buff, mark)),
10142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10144 BPF_MOV64_IMM(BPF_REG_0, 1),
10146 BPF_MOV64_IMM(BPF_REG_0, 1),
10147 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10148 BPF_MOV64_IMM(BPF_REG_0, 3),
10151 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10155 "calls: conditional call 5",
10157 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10158 offsetof(struct __sk_buff, mark)),
10159 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10160 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10161 BPF_MOV64_IMM(BPF_REG_0, 1),
10163 BPF_MOV64_IMM(BPF_REG_0, 1),
10164 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10165 BPF_MOV64_IMM(BPF_REG_0, 3),
10168 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10169 .errstr = "back-edge from insn",
10173 "calls: conditional call 6",
10175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10178 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10179 offsetof(struct __sk_buff, mark)),
10182 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10183 .errstr = "back-edge from insn",
10187 "calls: using r0 returned by callee",
10189 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10191 BPF_MOV64_IMM(BPF_REG_0, 2),
10194 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10198 "calls: using uninit r0 from callee",
10200 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10204 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10205 .errstr = "!read_ok",
10209 "calls: callee is using r1",
10211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10213 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10214 offsetof(struct __sk_buff, len)),
10217 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10219 .retval = TEST_DATA_LEN,
10222 "calls: callee using args1",
10224 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10226 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10229 .errstr_unpriv = "allowed for root only",
10230 .result_unpriv = REJECT,
10232 .retval = POINTER_VALUE,
10235 "calls: callee using wrong args2",
10237 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10239 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10242 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10243 .errstr = "R2 !read_ok",
10247 "calls: callee using two args",
10249 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10250 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10251 offsetof(struct __sk_buff, len)),
10252 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10253 offsetof(struct __sk_buff, len)),
10254 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10256 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10257 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10260 .errstr_unpriv = "allowed for root only",
10261 .result_unpriv = REJECT,
10263 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10266 "calls: callee changing pkt pointers",
10268 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10269 offsetof(struct xdp_md, data)),
10270 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10271 offsetof(struct xdp_md, data_end)),
10272 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10273 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10274 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10275 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10276 /* clear_all_pkt_pointers() has to walk all frames
10277 * to make sure that pkt pointers in the caller
10278 * are cleared when callee is calling a helper that
10279 * adjusts packet size
10281 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10282 BPF_MOV32_IMM(BPF_REG_0, 0),
10284 BPF_MOV64_IMM(BPF_REG_2, 0),
10285 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10286 BPF_FUNC_xdp_adjust_head),
10290 .errstr = "R6 invalid mem access 'inv'",
10291 .prog_type = BPF_PROG_TYPE_XDP,
10294 "calls: two calls with args",
10296 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10298 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10300 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10301 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10303 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10304 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10306 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10307 offsetof(struct __sk_buff, len)),
10310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10312 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10315 "calls: calls with stack arith",
10317 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10325 BPF_MOV64_IMM(BPF_REG_0, 42),
10326 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10329 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10334 "calls: calls with misaligned stack access",
10336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10341 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10344 BPF_MOV64_IMM(BPF_REG_0, 42),
10345 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10348 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10349 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10350 .errstr = "misaligned stack access",
10354 "calls: calls control flow, jump test",
10356 BPF_MOV64_IMM(BPF_REG_0, 42),
10357 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10358 BPF_MOV64_IMM(BPF_REG_0, 43),
10359 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10360 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10363 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10368 "calls: calls control flow, jump test 2",
10370 BPF_MOV64_IMM(BPF_REG_0, 42),
10371 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10372 BPF_MOV64_IMM(BPF_REG_0, 43),
10373 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10374 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10377 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10378 .errstr = "jump out of range from insn 1 to 4",
10382 "calls: two calls with bad jump",
10384 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10386 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10388 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10391 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10392 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10395 offsetof(struct __sk_buff, len)),
10396 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10399 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10400 .errstr = "jump out of range from insn 11 to 9",
10404 "calls: recursive call. test1",
10406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10408 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10411 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10412 .errstr = "back-edge",
10416 "calls: recursive call. test2",
10418 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10420 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10423 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10424 .errstr = "back-edge",
10428 "calls: unreachable code",
10430 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10434 BPF_MOV64_IMM(BPF_REG_0, 0),
10436 BPF_MOV64_IMM(BPF_REG_0, 0),
10439 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10440 .errstr = "unreachable insn 6",
10444 "calls: invalid call",
10446 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10448 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10451 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10452 .errstr = "invalid destination",
10456 "calls: invalid call 2",
10458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10460 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10463 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10464 .errstr = "invalid destination",
10468 "calls: jumping across function bodies. test1",
10470 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10471 BPF_MOV64_IMM(BPF_REG_0, 0),
10473 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10476 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10477 .errstr = "jump out of range",
10481 "calls: jumping across function bodies. test2",
10483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10484 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10485 BPF_MOV64_IMM(BPF_REG_0, 0),
10489 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10490 .errstr = "jump out of range",
10494 "calls: call without exit",
10496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10498 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10500 BPF_MOV64_IMM(BPF_REG_0, 0),
10501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10503 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10504 .errstr = "not an exit",
10508 "calls: call into middle of ld_imm64",
10510 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10511 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10512 BPF_MOV64_IMM(BPF_REG_0, 0),
10514 BPF_LD_IMM64(BPF_REG_0, 0),
10517 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10518 .errstr = "last insn",
10522 "calls: call into middle of other call",
10524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10525 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10526 BPF_MOV64_IMM(BPF_REG_0, 0),
10528 BPF_MOV64_IMM(BPF_REG_0, 0),
10529 BPF_MOV64_IMM(BPF_REG_0, 0),
10532 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10533 .errstr = "last insn",
10537 "calls: ld_abs with changing ctx data in callee",
10539 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10540 BPF_LD_ABS(BPF_B, 0),
10541 BPF_LD_ABS(BPF_H, 0),
10542 BPF_LD_ABS(BPF_W, 0),
10543 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10544 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10545 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10546 BPF_LD_ABS(BPF_B, 0),
10547 BPF_LD_ABS(BPF_H, 0),
10548 BPF_LD_ABS(BPF_W, 0),
10550 BPF_MOV64_IMM(BPF_REG_2, 1),
10551 BPF_MOV64_IMM(BPF_REG_3, 2),
10552 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10553 BPF_FUNC_skb_vlan_push),
10556 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10557 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10561 "calls: two calls with bad fallthrough",
10563 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10565 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10566 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10567 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10568 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10569 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10570 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10571 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10572 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10574 offsetof(struct __sk_buff, len)),
10577 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10578 .errstr = "not an exit",
10582 "calls: two calls with stack read",
10584 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10585 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10587 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10589 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10591 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10594 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10595 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10597 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10600 .prog_type = BPF_PROG_TYPE_XDP,
10604 "calls: two calls with stack write",
10607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10610 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10613 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10617 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10618 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10620 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10621 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10622 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10623 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10624 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10625 /* write into stack frame of main prog */
10626 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10630 /* read from stack frame of main prog */
10631 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10634 .prog_type = BPF_PROG_TYPE_XDP,
10638 "calls: stack overflow using two frames (pre-call access)",
10641 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10642 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10646 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10647 BPF_MOV64_IMM(BPF_REG_0, 0),
10650 .prog_type = BPF_PROG_TYPE_XDP,
10651 .errstr = "combined stack size",
10655 "calls: stack overflow using two frames (post-call access)",
10658 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10659 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10663 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10664 BPF_MOV64_IMM(BPF_REG_0, 0),
10667 .prog_type = BPF_PROG_TYPE_XDP,
10668 .errstr = "combined stack size",
10672 "calls: stack depth check using three frames. test1",
10675 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10676 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10677 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10678 BPF_MOV64_IMM(BPF_REG_0, 0),
10681 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10684 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10685 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10688 .prog_type = BPF_PROG_TYPE_XDP,
10689 /* stack_main=32, stack_A=256, stack_B=64
10690 * and max(main+A, main+A+B) < 512
10695 "calls: stack depth check using three frames. test2",
10698 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10699 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10700 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10701 BPF_MOV64_IMM(BPF_REG_0, 0),
10704 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10707 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10708 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10711 .prog_type = BPF_PROG_TYPE_XDP,
10712 /* stack_main=32, stack_A=64, stack_B=256
10713 * and max(main+A, main+A+B) < 512
10718 "calls: stack depth check using three frames. test3",
10721 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10722 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10723 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10724 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10725 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10726 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10727 BPF_MOV64_IMM(BPF_REG_0, 0),
10730 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10732 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10733 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10735 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10736 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10737 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10740 .prog_type = BPF_PROG_TYPE_XDP,
10741 /* stack_main=64, stack_A=224, stack_B=256
10742 * and max(main+A, main+A+B) > 512
10744 .errstr = "combined stack",
10748 "calls: stack depth check using three frames. test4",
10749 /* void main(void) {
10754 * void func1(int alloc_or_recurse) {
10755 * if (alloc_or_recurse) {
10756 * frame_pointer[-300] = 1;
10758 * func2(alloc_or_recurse);
10761 * void func2(int alloc_or_recurse) {
10762 * if (alloc_or_recurse) {
10763 * frame_pointer[-300] = 1;
10769 BPF_MOV64_IMM(BPF_REG_1, 0),
10770 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10771 BPF_MOV64_IMM(BPF_REG_1, 1),
10772 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10773 BPF_MOV64_IMM(BPF_REG_1, 1),
10774 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10775 BPF_MOV64_IMM(BPF_REG_0, 0),
10778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10779 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10781 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10785 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10788 .prog_type = BPF_PROG_TYPE_XDP,
10790 .errstr = "combined stack",
10793 "calls: stack depth check using three frames. test5",
10796 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10799 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10802 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10805 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10808 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10811 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10814 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10817 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10820 BPF_MOV64_IMM(BPF_REG_0, 0),
10823 .prog_type = BPF_PROG_TYPE_XDP,
10824 .errstr = "call stack",
10828 "calls: spill into caller stack frame",
10830 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10833 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10835 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10836 BPF_MOV64_IMM(BPF_REG_0, 0),
10839 .prog_type = BPF_PROG_TYPE_XDP,
10840 .errstr = "cannot spill",
10844 "calls: write into caller stack frame",
10846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10848 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10849 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10850 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10852 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10853 BPF_MOV64_IMM(BPF_REG_0, 0),
10856 .prog_type = BPF_PROG_TYPE_XDP,
10861 "calls: write into callee stack frame",
10863 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10864 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10866 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10867 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10870 .prog_type = BPF_PROG_TYPE_XDP,
10871 .errstr = "cannot return stack pointer",
10875 "calls: two calls with stack write and void return",
10878 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10881 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10884 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10888 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10889 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10890 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10891 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10892 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10896 /* write into stack frame of main prog */
10897 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10898 BPF_EXIT_INSN(), /* void return */
10900 .prog_type = BPF_PROG_TYPE_XDP,
10904 "calls: ambiguous return value",
10906 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10907 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10908 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10911 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10913 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10914 BPF_MOV64_IMM(BPF_REG_0, 0),
10917 .errstr_unpriv = "allowed for root only",
10918 .result_unpriv = REJECT,
10919 .errstr = "R0 !read_ok",
10923 "calls: two calls that return map_value",
10926 /* pass fp-16, fp-8 into a function */
10927 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10933 /* fetch map_value_ptr from the stack of this function */
10934 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10936 /* write into map value */
10937 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10938 /* fetch secound map_value_ptr from the stack */
10939 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10941 /* write into map value */
10942 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10943 BPF_MOV64_IMM(BPF_REG_0, 0),
10947 /* call 3rd function twice */
10948 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10949 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10950 /* first time with fp-8 */
10951 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10952 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10953 /* second time with fp-16 */
10954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10958 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10959 /* lookup from map */
10960 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10963 BPF_LD_MAP_FD(BPF_REG_1, 0),
10964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10965 BPF_FUNC_map_lookup_elem),
10966 /* write map_value_ptr into stack frame of main prog */
10967 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10968 BPF_MOV64_IMM(BPF_REG_0, 0),
10969 BPF_EXIT_INSN(), /* return 0 */
10971 .prog_type = BPF_PROG_TYPE_XDP,
10972 .fixup_map1 = { 23 },
10976 "calls: two calls that return map_value with bool condition",
10979 /* pass fp-16, fp-8 into a function */
10980 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10984 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10985 BPF_MOV64_IMM(BPF_REG_0, 0),
10989 /* call 3rd function twice */
10990 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10991 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10992 /* first time with fp-8 */
10993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10994 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10995 /* fetch map_value_ptr from the stack of this function */
10996 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10997 /* write into map value */
10998 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10999 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11000 /* second time with fp-16 */
11001 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11002 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11003 /* fetch secound map_value_ptr from the stack */
11004 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11005 /* write into map value */
11006 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11010 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11011 /* lookup from map */
11012 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11015 BPF_LD_MAP_FD(BPF_REG_1, 0),
11016 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11017 BPF_FUNC_map_lookup_elem),
11018 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11019 BPF_MOV64_IMM(BPF_REG_0, 0),
11020 BPF_EXIT_INSN(), /* return 0 */
11021 /* write map_value_ptr into stack frame of main prog */
11022 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11023 BPF_MOV64_IMM(BPF_REG_0, 1),
11024 BPF_EXIT_INSN(), /* return 1 */
11026 .prog_type = BPF_PROG_TYPE_XDP,
11027 .fixup_map1 = { 23 },
11031 "calls: two calls that return map_value with incorrect bool check",
11034 /* pass fp-16, fp-8 into a function */
11035 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11036 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11037 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11040 BPF_MOV64_IMM(BPF_REG_0, 0),
11044 /* call 3rd function twice */
11045 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11046 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11047 /* first time with fp-8 */
11048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11049 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11050 /* fetch map_value_ptr from the stack of this function */
11051 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11052 /* write into map value */
11053 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11054 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11055 /* second time with fp-16 */
11056 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11057 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11058 /* fetch secound map_value_ptr from the stack */
11059 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11060 /* write into map value */
11061 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11065 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11066 /* lookup from map */
11067 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11068 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11070 BPF_LD_MAP_FD(BPF_REG_1, 0),
11071 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11072 BPF_FUNC_map_lookup_elem),
11073 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11074 BPF_MOV64_IMM(BPF_REG_0, 0),
11075 BPF_EXIT_INSN(), /* return 0 */
11076 /* write map_value_ptr into stack frame of main prog */
11077 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11078 BPF_MOV64_IMM(BPF_REG_0, 1),
11079 BPF_EXIT_INSN(), /* return 1 */
11081 .prog_type = BPF_PROG_TYPE_XDP,
11082 .fixup_map1 = { 23 },
11084 .errstr = "invalid read from stack off -16+0 size 8",
11087 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11090 /* pass fp-16, fp-8 into a function */
11091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11093 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11095 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11096 BPF_MOV64_IMM(BPF_REG_0, 0),
11100 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11101 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11102 /* 1st lookup from map */
11103 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11104 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11106 BPF_LD_MAP_FD(BPF_REG_1, 0),
11107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11108 BPF_FUNC_map_lookup_elem),
11109 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11110 BPF_MOV64_IMM(BPF_REG_8, 0),
11111 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11112 /* write map_value_ptr into stack frame of main prog at fp-8 */
11113 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11114 BPF_MOV64_IMM(BPF_REG_8, 1),
11116 /* 2nd lookup from map */
11117 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11119 BPF_LD_MAP_FD(BPF_REG_1, 0),
11120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11121 BPF_FUNC_map_lookup_elem),
11122 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11123 BPF_MOV64_IMM(BPF_REG_9, 0),
11124 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11125 /* write map_value_ptr into stack frame of main prog at fp-16 */
11126 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11127 BPF_MOV64_IMM(BPF_REG_9, 1),
11129 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11131 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11132 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11133 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11138 /* if arg2 == 1 do *arg1 = 0 */
11139 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11140 /* fetch map_value_ptr from the stack of this function */
11141 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11142 /* write into map value */
11143 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11145 /* if arg4 == 1 do *arg3 = 0 */
11146 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11147 /* fetch map_value_ptr from the stack of this function */
11148 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11149 /* write into map value */
11150 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11153 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11154 .fixup_map1 = { 12, 22 },
11156 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11159 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11162 /* pass fp-16, fp-8 into a function */
11163 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11168 BPF_MOV64_IMM(BPF_REG_0, 0),
11172 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11173 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11174 /* 1st lookup from map */
11175 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11176 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11178 BPF_LD_MAP_FD(BPF_REG_1, 0),
11179 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11180 BPF_FUNC_map_lookup_elem),
11181 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11182 BPF_MOV64_IMM(BPF_REG_8, 0),
11183 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11184 /* write map_value_ptr into stack frame of main prog at fp-8 */
11185 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11186 BPF_MOV64_IMM(BPF_REG_8, 1),
11188 /* 2nd lookup from map */
11189 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11191 BPF_LD_MAP_FD(BPF_REG_1, 0),
11192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11193 BPF_FUNC_map_lookup_elem),
11194 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11195 BPF_MOV64_IMM(BPF_REG_9, 0),
11196 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11197 /* write map_value_ptr into stack frame of main prog at fp-16 */
11198 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11199 BPF_MOV64_IMM(BPF_REG_9, 1),
11201 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11202 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11204 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11205 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11210 /* if arg2 == 1 do *arg1 = 0 */
11211 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11212 /* fetch map_value_ptr from the stack of this function */
11213 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11214 /* write into map value */
11215 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11217 /* if arg4 == 1 do *arg3 = 0 */
11218 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11219 /* fetch map_value_ptr from the stack of this function */
11220 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11221 /* write into map value */
11222 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11226 .fixup_map1 = { 12, 22 },
11230 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11233 /* pass fp-16, fp-8 into a function */
11234 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11236 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11237 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11238 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11239 BPF_MOV64_IMM(BPF_REG_0, 0),
11243 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11244 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11245 /* 1st lookup from map */
11246 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11247 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11249 BPF_LD_MAP_FD(BPF_REG_1, 0),
11250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11251 BPF_FUNC_map_lookup_elem),
11252 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11253 BPF_MOV64_IMM(BPF_REG_8, 0),
11254 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11255 /* write map_value_ptr into stack frame of main prog at fp-8 */
11256 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11257 BPF_MOV64_IMM(BPF_REG_8, 1),
11259 /* 2nd lookup from map */
11260 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11262 BPF_LD_MAP_FD(BPF_REG_1, 0),
11263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11264 BPF_FUNC_map_lookup_elem),
11265 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11266 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11267 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11268 /* write map_value_ptr into stack frame of main prog at fp-16 */
11269 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11270 BPF_MOV64_IMM(BPF_REG_9, 1),
11272 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11274 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11275 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11276 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11277 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11278 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11281 /* if arg2 == 1 do *arg1 = 0 */
11282 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11283 /* fetch map_value_ptr from the stack of this function */
11284 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11285 /* write into map value */
11286 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11288 /* if arg4 == 1 do *arg3 = 0 */
11289 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11290 /* fetch map_value_ptr from the stack of this function */
11291 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11292 /* write into map value */
11293 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11294 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11296 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11297 .fixup_map1 = { 12, 22 },
11299 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11302 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11305 /* pass fp-16, fp-8 into a function */
11306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11310 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11311 BPF_MOV64_IMM(BPF_REG_0, 0),
11315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11316 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11317 /* 1st lookup from map */
11318 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11321 BPF_LD_MAP_FD(BPF_REG_1, 0),
11322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11323 BPF_FUNC_map_lookup_elem),
11324 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11325 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11326 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11327 BPF_MOV64_IMM(BPF_REG_8, 0),
11328 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11329 BPF_MOV64_IMM(BPF_REG_8, 1),
11331 /* 2nd lookup from map */
11332 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11334 BPF_LD_MAP_FD(BPF_REG_1, 0),
11335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11336 BPF_FUNC_map_lookup_elem),
11337 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11338 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11339 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11340 BPF_MOV64_IMM(BPF_REG_9, 0),
11341 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11342 BPF_MOV64_IMM(BPF_REG_9, 1),
11344 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11345 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11346 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11347 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11348 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11349 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11353 /* if arg2 == 1 do *arg1 = 0 */
11354 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11355 /* fetch map_value_ptr from the stack of this function */
11356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11357 /* write into map value */
11358 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11360 /* if arg4 == 1 do *arg3 = 0 */
11361 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11362 /* fetch map_value_ptr from the stack of this function */
11363 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11364 /* write into map value */
11365 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11368 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11369 .fixup_map1 = { 12, 22 },
11373 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11376 /* pass fp-16, fp-8 into a function */
11377 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11379 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11380 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11382 BPF_MOV64_IMM(BPF_REG_0, 0),
11386 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11387 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11388 /* 1st lookup from map */
11389 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11390 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11392 BPF_LD_MAP_FD(BPF_REG_1, 0),
11393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11394 BPF_FUNC_map_lookup_elem),
11395 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11396 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11397 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11398 BPF_MOV64_IMM(BPF_REG_8, 0),
11399 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11400 BPF_MOV64_IMM(BPF_REG_8, 1),
11402 /* 2nd lookup from map */
11403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11405 BPF_LD_MAP_FD(BPF_REG_1, 0),
11406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11407 BPF_FUNC_map_lookup_elem),
11408 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11409 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11410 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11411 BPF_MOV64_IMM(BPF_REG_9, 0),
11412 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11413 BPF_MOV64_IMM(BPF_REG_9, 1),
11415 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11416 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11417 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11418 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11419 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11420 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11424 /* if arg2 == 1 do *arg1 = 0 */
11425 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11426 /* fetch map_value_ptr from the stack of this function */
11427 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11428 /* write into map value */
11429 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11431 /* if arg4 == 0 do *arg3 = 0 */
11432 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11433 /* fetch map_value_ptr from the stack of this function */
11434 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11435 /* write into map value */
11436 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11439 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11440 .fixup_map1 = { 12, 22 },
11442 .errstr = "R0 invalid mem access 'inv'",
11445 "calls: pkt_ptr spill into caller stack",
11447 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11454 offsetof(struct __sk_buff, data)),
11455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11456 offsetof(struct __sk_buff, data_end)),
11457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11459 /* spill unchecked pkt_ptr into stack of caller */
11460 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11461 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11462 /* now the pkt range is verified, read pkt_ptr from stack */
11463 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11464 /* write 4 bytes into packet */
11465 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11469 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11470 .retval = POINTER_VALUE,
11473 "calls: pkt_ptr spill into caller stack 2",
11475 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11477 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11478 /* Marking is still kept, but not in all cases safe. */
11479 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11480 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11484 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11485 offsetof(struct __sk_buff, data)),
11486 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11487 offsetof(struct __sk_buff, data_end)),
11488 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11490 /* spill unchecked pkt_ptr into stack of caller */
11491 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11492 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11493 /* now the pkt range is verified, read pkt_ptr from stack */
11494 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11495 /* write 4 bytes into packet */
11496 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11499 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11500 .errstr = "invalid access to packet",
11504 "calls: pkt_ptr spill into caller stack 3",
11506 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11508 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11510 /* Marking is still kept and safe here. */
11511 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11512 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11516 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11517 offsetof(struct __sk_buff, data)),
11518 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11519 offsetof(struct __sk_buff, data_end)),
11520 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11522 /* spill unchecked pkt_ptr into stack of caller */
11523 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11524 BPF_MOV64_IMM(BPF_REG_5, 0),
11525 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11526 BPF_MOV64_IMM(BPF_REG_5, 1),
11527 /* now the pkt range is verified, read pkt_ptr from stack */
11528 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11529 /* write 4 bytes into packet */
11530 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11531 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11534 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11539 "calls: pkt_ptr spill into caller stack 4",
11541 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11544 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11545 /* Check marking propagated. */
11546 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11547 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11551 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11552 offsetof(struct __sk_buff, data)),
11553 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11554 offsetof(struct __sk_buff, data_end)),
11555 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11557 /* spill unchecked pkt_ptr into stack of caller */
11558 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11559 BPF_MOV64_IMM(BPF_REG_5, 0),
11560 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11561 BPF_MOV64_IMM(BPF_REG_5, 1),
11562 /* don't read back pkt_ptr from stack here */
11563 /* write 4 bytes into packet */
11564 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11565 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11573 "calls: pkt_ptr spill into caller stack 5",
11575 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11576 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11577 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11579 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11580 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11584 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11585 offsetof(struct __sk_buff, data)),
11586 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11587 offsetof(struct __sk_buff, data_end)),
11588 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11590 BPF_MOV64_IMM(BPF_REG_5, 0),
11591 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11592 /* spill checked pkt_ptr into stack of caller */
11593 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11594 BPF_MOV64_IMM(BPF_REG_5, 1),
11595 /* don't read back pkt_ptr from stack here */
11596 /* write 4 bytes into packet */
11597 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11601 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11602 .errstr = "same insn cannot be used with different",
11606 "calls: pkt_ptr spill into caller stack 6",
11608 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11609 offsetof(struct __sk_buff, data_end)),
11610 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11612 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11613 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11614 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11615 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11619 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11620 offsetof(struct __sk_buff, data)),
11621 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11622 offsetof(struct __sk_buff, data_end)),
11623 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11625 BPF_MOV64_IMM(BPF_REG_5, 0),
11626 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11627 /* spill checked pkt_ptr into stack of caller */
11628 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11629 BPF_MOV64_IMM(BPF_REG_5, 1),
11630 /* don't read back pkt_ptr from stack here */
11631 /* write 4 bytes into packet */
11632 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11633 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11636 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11637 .errstr = "R4 invalid mem access",
11641 "calls: pkt_ptr spill into caller stack 7",
11643 BPF_MOV64_IMM(BPF_REG_2, 0),
11644 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11646 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11647 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11648 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11649 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11653 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11654 offsetof(struct __sk_buff, data)),
11655 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11656 offsetof(struct __sk_buff, data_end)),
11657 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11658 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11659 BPF_MOV64_IMM(BPF_REG_5, 0),
11660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11661 /* spill checked pkt_ptr into stack of caller */
11662 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11663 BPF_MOV64_IMM(BPF_REG_5, 1),
11664 /* don't read back pkt_ptr from stack here */
11665 /* write 4 bytes into packet */
11666 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11667 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11670 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11671 .errstr = "R4 invalid mem access",
11675 "calls: pkt_ptr spill into caller stack 8",
11677 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11678 offsetof(struct __sk_buff, data)),
11679 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11680 offsetof(struct __sk_buff, data_end)),
11681 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11683 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11685 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11687 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11689 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11690 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11694 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11695 offsetof(struct __sk_buff, data)),
11696 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11697 offsetof(struct __sk_buff, data_end)),
11698 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11700 BPF_MOV64_IMM(BPF_REG_5, 0),
11701 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11702 /* spill checked pkt_ptr into stack of caller */
11703 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11704 BPF_MOV64_IMM(BPF_REG_5, 1),
11705 /* don't read back pkt_ptr from stack here */
11706 /* write 4 bytes into packet */
11707 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11708 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11711 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11715 "calls: pkt_ptr spill into caller stack 9",
11717 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11718 offsetof(struct __sk_buff, data)),
11719 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11720 offsetof(struct __sk_buff, data_end)),
11721 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11722 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11723 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11725 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11726 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11727 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11729 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11730 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11734 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11735 offsetof(struct __sk_buff, data)),
11736 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11737 offsetof(struct __sk_buff, data_end)),
11738 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11740 BPF_MOV64_IMM(BPF_REG_5, 0),
11741 /* spill unchecked pkt_ptr into stack of caller */
11742 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11743 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11744 BPF_MOV64_IMM(BPF_REG_5, 1),
11745 /* don't read back pkt_ptr from stack here */
11746 /* write 4 bytes into packet */
11747 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11748 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11751 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11752 .errstr = "invalid access to packet",
11756 "calls: caller stack init to zero or map_value_or_null",
11758 BPF_MOV64_IMM(BPF_REG_0, 0),
11759 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11760 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11763 /* fetch map_value_or_null or const_zero from stack */
11764 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11765 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11766 /* store into map_value */
11767 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11771 /* if (ctx == 0) return; */
11772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11773 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11774 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11775 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11776 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11777 BPF_LD_MAP_FD(BPF_REG_1, 0),
11778 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11779 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11780 BPF_FUNC_map_lookup_elem),
11781 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11782 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11785 .fixup_map1 = { 13 },
11787 .prog_type = BPF_PROG_TYPE_XDP,
11790 "calls: stack init to zero and pruning",
11792 /* first make allocated_stack 16 byte */
11793 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11794 /* now fork the execution such that the false branch
11795 * of JGT insn will be verified second and it skisp zero
11796 * init of fp-8 stack slot. If stack liveness marking
11797 * is missing live_read marks from call map_lookup
11798 * processing then pruning will incorrectly assume
11799 * that fp-8 stack slot was unused in the fall-through
11800 * branch and will accept the program incorrectly
11802 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11803 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11804 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11805 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11807 BPF_LD_MAP_FD(BPF_REG_1, 0),
11808 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11809 BPF_FUNC_map_lookup_elem),
11812 .fixup_map2 = { 6 },
11813 .errstr = "invalid indirect read from stack off -8+0 size 8",
11815 .prog_type = BPF_PROG_TYPE_XDP,
11818 "calls: two calls returning different map pointers for lookup (hash, array)",
11821 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11823 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11825 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11826 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11827 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11829 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11830 BPF_FUNC_map_lookup_elem),
11831 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11832 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11833 offsetof(struct test_val, foo)),
11834 BPF_MOV64_IMM(BPF_REG_0, 1),
11837 BPF_LD_MAP_FD(BPF_REG_0, 0),
11840 BPF_LD_MAP_FD(BPF_REG_0, 0),
11843 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11844 .fixup_map2 = { 13 },
11845 .fixup_map4 = { 16 },
11850 "calls: two calls returning different map pointers for lookup (hash, map in map)",
11853 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11855 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11857 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11858 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11859 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11861 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11862 BPF_FUNC_map_lookup_elem),
11863 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11864 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11865 offsetof(struct test_val, foo)),
11866 BPF_MOV64_IMM(BPF_REG_0, 1),
11869 BPF_LD_MAP_FD(BPF_REG_0, 0),
11872 BPF_LD_MAP_FD(BPF_REG_0, 0),
11875 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11876 .fixup_map_in_map = { 16 },
11877 .fixup_map4 = { 13 },
11879 .errstr = "R0 invalid mem access 'map_ptr'",
11882 "cond: two branches returning different map pointers for lookup (tail, tail)",
11884 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11885 offsetof(struct __sk_buff, mark)),
11886 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11887 BPF_LD_MAP_FD(BPF_REG_2, 0),
11888 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11889 BPF_LD_MAP_FD(BPF_REG_2, 0),
11890 BPF_MOV64_IMM(BPF_REG_3, 7),
11891 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11892 BPF_FUNC_tail_call),
11893 BPF_MOV64_IMM(BPF_REG_0, 1),
11896 .fixup_prog1 = { 5 },
11897 .fixup_prog2 = { 2 },
11898 .result_unpriv = REJECT,
11899 .errstr_unpriv = "tail_call abusing map_ptr",
11904 "cond: two branches returning same map pointers for lookup (tail, tail)",
11906 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11907 offsetof(struct __sk_buff, mark)),
11908 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11909 BPF_LD_MAP_FD(BPF_REG_2, 0),
11910 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11911 BPF_LD_MAP_FD(BPF_REG_2, 0),
11912 BPF_MOV64_IMM(BPF_REG_3, 7),
11913 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11914 BPF_FUNC_tail_call),
11915 BPF_MOV64_IMM(BPF_REG_0, 1),
11918 .fixup_prog2 = { 2, 5 },
11919 .result_unpriv = ACCEPT,
11924 "search pruning: all branches should be verified (nop operation)",
11926 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11928 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11929 BPF_LD_MAP_FD(BPF_REG_1, 0),
11930 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11932 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11933 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11934 BPF_MOV64_IMM(BPF_REG_4, 0),
11936 BPF_MOV64_IMM(BPF_REG_4, 1),
11937 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11938 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11939 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11940 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11941 BPF_MOV64_IMM(BPF_REG_6, 0),
11942 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11945 .fixup_map1 = { 3 },
11946 .errstr = "R6 invalid mem access 'inv'",
11948 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11951 "search pruning: all branches should be verified (invalid stack access)",
11953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11955 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11956 BPF_LD_MAP_FD(BPF_REG_1, 0),
11957 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11959 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11960 BPF_MOV64_IMM(BPF_REG_4, 0),
11961 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11962 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11964 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11965 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11966 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11969 .fixup_map1 = { 3 },
11970 .errstr = "invalid read from stack off -16+0 size 8",
11972 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11975 "jit: lsh, rsh, arsh by 1",
11977 BPF_MOV64_IMM(BPF_REG_0, 1),
11978 BPF_MOV64_IMM(BPF_REG_1, 0xff),
11979 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11980 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11981 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11983 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11984 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11985 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11987 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11990 BPF_MOV64_IMM(BPF_REG_0, 2),
11997 "jit: mov32 for ldimm64, 1",
11999 BPF_MOV64_IMM(BPF_REG_0, 2),
12000 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12001 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12002 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12003 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12004 BPF_MOV64_IMM(BPF_REG_0, 1),
12011 "jit: mov32 for ldimm64, 2",
12013 BPF_MOV64_IMM(BPF_REG_0, 1),
12014 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12015 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12016 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12017 BPF_MOV64_IMM(BPF_REG_0, 2),
12024 "jit: various mul tests",
12026 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12027 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12028 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12029 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12030 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12031 BPF_MOV64_IMM(BPF_REG_0, 1),
12033 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12034 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12035 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12036 BPF_MOV64_IMM(BPF_REG_0, 1),
12038 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12039 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12040 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12041 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12042 BPF_MOV64_IMM(BPF_REG_0, 1),
12044 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12045 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12046 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12047 BPF_MOV64_IMM(BPF_REG_0, 1),
12049 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12050 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12051 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12052 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12053 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12054 BPF_MOV64_IMM(BPF_REG_0, 1),
12056 BPF_MOV64_IMM(BPF_REG_0, 2),
12063 "xadd/w check unaligned stack",
12065 BPF_MOV64_IMM(BPF_REG_0, 1),
12066 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12067 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12068 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12072 .errstr = "misaligned stack access off",
12073 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12076 "xadd/w check unaligned map",
12078 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12081 BPF_LD_MAP_FD(BPF_REG_1, 0),
12082 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12083 BPF_FUNC_map_lookup_elem),
12084 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12086 BPF_MOV64_IMM(BPF_REG_1, 1),
12087 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12091 .fixup_map1 = { 3 },
12093 .errstr = "misaligned value access off",
12094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12097 "xadd/w check unaligned pkt",
12099 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12100 offsetof(struct xdp_md, data)),
12101 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12102 offsetof(struct xdp_md, data_end)),
12103 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12105 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12106 BPF_MOV64_IMM(BPF_REG_0, 99),
12107 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12108 BPF_MOV64_IMM(BPF_REG_0, 1),
12109 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12110 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12111 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12112 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12113 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12117 .errstr = "BPF_XADD stores into R2 packet",
12118 .prog_type = BPF_PROG_TYPE_XDP,
12121 "xadd/w check whether src/dst got mangled, 1",
12123 BPF_MOV64_IMM(BPF_REG_0, 1),
12124 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12125 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12126 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12127 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12128 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12129 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12130 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12131 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12133 BPF_MOV64_IMM(BPF_REG_0, 42),
12137 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12141 "xadd/w check whether src/dst got mangled, 2",
12143 BPF_MOV64_IMM(BPF_REG_0, 1),
12144 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12145 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12146 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12147 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12148 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12149 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12150 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12151 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12153 BPF_MOV64_IMM(BPF_REG_0, 42),
12157 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12161 "bpf_get_stack return R0 within range",
12163 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12164 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12167 BPF_LD_MAP_FD(BPF_REG_1, 0),
12168 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12169 BPF_FUNC_map_lookup_elem),
12170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12171 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12172 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12174 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12175 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12176 BPF_MOV64_IMM(BPF_REG_4, 256),
12177 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12178 BPF_MOV64_IMM(BPF_REG_1, 0),
12179 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12180 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12181 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12182 BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12183 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12185 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12186 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12187 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12188 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12189 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12190 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12192 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12193 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12194 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12195 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12196 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12197 BPF_MOV64_IMM(BPF_REG_4, 0),
12198 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12201 .fixup_map2 = { 4 },
12203 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12206 "ld_abs: invalid op 1",
12208 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12209 BPF_LD_ABS(BPF_DW, 0),
12212 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12214 .errstr = "unknown opcode",
12217 "ld_abs: invalid op 2",
12219 BPF_MOV32_IMM(BPF_REG_0, 256),
12220 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12221 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12224 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12226 .errstr = "unknown opcode",
12229 "ld_abs: nmap reduced",
12231 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12232 BPF_LD_ABS(BPF_H, 12),
12233 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12234 BPF_LD_ABS(BPF_H, 12),
12235 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12236 BPF_MOV32_IMM(BPF_REG_0, 18),
12237 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12238 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12239 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12240 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12241 BPF_MOV32_IMM(BPF_REG_0, 280971478),
12242 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12243 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12244 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12245 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12246 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12247 BPF_LD_ABS(BPF_H, 12),
12248 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12249 BPF_MOV32_IMM(BPF_REG_0, 22),
12250 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12251 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12252 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12253 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12254 BPF_MOV32_IMM(BPF_REG_0, 17366),
12255 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12256 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12257 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12258 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12259 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12260 BPF_MOV32_IMM(BPF_REG_0, 256),
12262 BPF_MOV32_IMM(BPF_REG_0, 0),
12266 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12267 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12268 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12270 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12275 "ld_abs: div + abs, test 1",
12277 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12278 BPF_LD_ABS(BPF_B, 3),
12279 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12280 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12281 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12282 BPF_LD_ABS(BPF_B, 4),
12283 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12284 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12288 10, 20, 30, 40, 50,
12290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12295 "ld_abs: div + abs, test 2",
12297 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12298 BPF_LD_ABS(BPF_B, 3),
12299 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12300 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12301 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12302 BPF_LD_ABS(BPF_B, 128),
12303 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12304 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12308 10, 20, 30, 40, 50,
12310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12315 "ld_abs: div + abs, test 3",
12317 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12318 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12319 BPF_LD_ABS(BPF_B, 3),
12320 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12324 10, 20, 30, 40, 50,
12326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12331 "ld_abs: div + abs, test 4",
12333 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12334 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12335 BPF_LD_ABS(BPF_B, 256),
12336 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12340 10, 20, 30, 40, 50,
12342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12347 "ld_abs: vlan + abs, test 1",
12352 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12353 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12358 "ld_abs: vlan + abs, test 2",
12360 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12361 BPF_LD_ABS(BPF_B, 0),
12362 BPF_LD_ABS(BPF_H, 0),
12363 BPF_LD_ABS(BPF_W, 0),
12364 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12365 BPF_MOV64_IMM(BPF_REG_6, 0),
12366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12367 BPF_MOV64_IMM(BPF_REG_2, 1),
12368 BPF_MOV64_IMM(BPF_REG_3, 2),
12369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12370 BPF_FUNC_skb_vlan_push),
12371 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12372 BPF_LD_ABS(BPF_B, 0),
12373 BPF_LD_ABS(BPF_H, 0),
12374 BPF_LD_ABS(BPF_W, 0),
12375 BPF_MOV64_IMM(BPF_REG_0, 42),
12381 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12386 "ld_abs: jump around ld_abs",
12391 .fill_helper = bpf_fill_jump_around_ld_abs,
12392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12397 "ld_dw: xor semi-random 64 bit imms, test 1",
12400 .fill_helper = bpf_fill_rand_ld_dw,
12401 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12406 "ld_dw: xor semi-random 64 bit imms, test 2",
12409 .fill_helper = bpf_fill_rand_ld_dw,
12410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12415 "ld_dw: xor semi-random 64 bit imms, test 3",
12418 .fill_helper = bpf_fill_rand_ld_dw,
12419 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12424 "ld_dw: xor semi-random 64 bit imms, test 4",
12427 .fill_helper = bpf_fill_rand_ld_dw,
12428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12433 "pass unmodified ctx pointer to helper",
12435 BPF_MOV64_IMM(BPF_REG_2, 0),
12436 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12437 BPF_FUNC_csum_update),
12438 BPF_MOV64_IMM(BPF_REG_0, 0),
12441 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12445 "pass modified ctx pointer to helper, 1",
12447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12448 BPF_MOV64_IMM(BPF_REG_2, 0),
12449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12450 BPF_FUNC_csum_update),
12451 BPF_MOV64_IMM(BPF_REG_0, 0),
12454 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12456 .errstr = "dereference of modified ctx ptr",
12459 "pass modified ctx pointer to helper, 2",
12461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12463 BPF_FUNC_get_socket_cookie),
12464 BPF_MOV64_IMM(BPF_REG_0, 0),
12467 .result_unpriv = REJECT,
12469 .errstr_unpriv = "dereference of modified ctx ptr",
12470 .errstr = "dereference of modified ctx ptr",
12473 "pass modified ctx pointer to helper, 3",
12475 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12476 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12477 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12478 BPF_MOV64_IMM(BPF_REG_2, 0),
12479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12480 BPF_FUNC_csum_update),
12481 BPF_MOV64_IMM(BPF_REG_0, 0),
12484 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12486 .errstr = "variable ctx access var_off=(0x0; 0x4)",
12489 "mov64 src == dst",
12491 BPF_MOV64_IMM(BPF_REG_2, 0),
12492 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
12493 // Check bounds are OK
12494 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12495 BPF_MOV64_IMM(BPF_REG_0, 0),
12498 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12502 "mov64 src != dst",
12504 BPF_MOV64_IMM(BPF_REG_3, 0),
12505 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
12506 // Check bounds are OK
12507 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12508 BPF_MOV64_IMM(BPF_REG_0, 0),
12511 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12515 "calls: ctx read at start of subprog",
12517 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12518 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12519 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
12520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12521 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12524 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
12525 BPF_MOV64_IMM(BPF_REG_0, 0),
12528 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
12529 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
12530 .result_unpriv = REJECT,
12535 static int probe_filter_length(const struct bpf_insn *fp)
12539 for (len = MAX_INSNS - 1; len > 0; --len)
12540 if (fp[len].code != 0 || fp[len].imm != 0)
12545 static int create_map(uint32_t type, uint32_t size_key,
12546 uint32_t size_value, uint32_t max_elem)
12550 fd = bpf_create_map(type, size_key, size_value, max_elem,
12551 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12553 printf("Failed to create hash map '%s'!\n", strerror(errno));
12558 static int create_prog_dummy1(void)
12560 struct bpf_insn prog[] = {
12561 BPF_MOV64_IMM(BPF_REG_0, 42),
12565 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12566 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12569 static int create_prog_dummy2(int mfd, int idx)
12571 struct bpf_insn prog[] = {
12572 BPF_MOV64_IMM(BPF_REG_3, idx),
12573 BPF_LD_MAP_FD(BPF_REG_2, mfd),
12574 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12575 BPF_FUNC_tail_call),
12576 BPF_MOV64_IMM(BPF_REG_0, 41),
12580 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12581 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12584 static int create_prog_array(uint32_t max_elem, int p1key)
12587 int mfd, p1fd, p2fd;
12589 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12590 sizeof(int), max_elem, 0);
12592 printf("Failed to create prog array '%s'!\n", strerror(errno));
12596 p1fd = create_prog_dummy1();
12597 p2fd = create_prog_dummy2(mfd, p2key);
12598 if (p1fd < 0 || p2fd < 0)
12600 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12602 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12615 static int create_map_in_map(void)
12617 int inner_map_fd, outer_map_fd;
12619 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12620 sizeof(int), 1, 0);
12621 if (inner_map_fd < 0) {
12622 printf("Failed to create array '%s'!\n", strerror(errno));
12623 return inner_map_fd;
12626 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12627 sizeof(int), inner_map_fd, 1, 0);
12628 if (outer_map_fd < 0)
12629 printf("Failed to create array of maps '%s'!\n",
12632 close(inner_map_fd);
12634 return outer_map_fd;
12637 static int create_cgroup_storage(void)
12641 fd = bpf_create_map(BPF_MAP_TYPE_CGROUP_STORAGE,
12642 sizeof(struct bpf_cgroup_storage_key),
12643 TEST_DATA_LEN, 0, 0);
12645 printf("Failed to create array '%s'!\n", strerror(errno));
12650 static char bpf_vlog[UINT_MAX >> 8];
12652 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12655 int *fixup_map1 = test->fixup_map1;
12656 int *fixup_map2 = test->fixup_map2;
12657 int *fixup_map3 = test->fixup_map3;
12658 int *fixup_map4 = test->fixup_map4;
12659 int *fixup_prog1 = test->fixup_prog1;
12660 int *fixup_prog2 = test->fixup_prog2;
12661 int *fixup_map_in_map = test->fixup_map_in_map;
12662 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
12664 if (test->fill_helper)
12665 test->fill_helper(test);
12667 /* Allocating HTs with 1 elem is fine here, since we only test
12668 * for verifier and not do a runtime lookup, so the only thing
12669 * that really matters is value size in this case.
12672 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12673 sizeof(long long), 1);
12675 prog[*fixup_map1].imm = map_fds[0];
12677 } while (*fixup_map1);
12681 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12682 sizeof(struct test_val), 1);
12684 prog[*fixup_map2].imm = map_fds[1];
12686 } while (*fixup_map2);
12690 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12691 sizeof(struct other_val), 1);
12693 prog[*fixup_map3].imm = map_fds[2];
12695 } while (*fixup_map3);
12699 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12700 sizeof(struct test_val), 1);
12702 prog[*fixup_map4].imm = map_fds[3];
12704 } while (*fixup_map4);
12707 if (*fixup_prog1) {
12708 map_fds[4] = create_prog_array(4, 0);
12710 prog[*fixup_prog1].imm = map_fds[4];
12712 } while (*fixup_prog1);
12715 if (*fixup_prog2) {
12716 map_fds[5] = create_prog_array(8, 7);
12718 prog[*fixup_prog2].imm = map_fds[5];
12720 } while (*fixup_prog2);
12723 if (*fixup_map_in_map) {
12724 map_fds[6] = create_map_in_map();
12726 prog[*fixup_map_in_map].imm = map_fds[6];
12727 fixup_map_in_map++;
12728 } while (*fixup_map_in_map);
12731 if (*fixup_cgroup_storage) {
12732 map_fds[7] = create_cgroup_storage();
12734 prog[*fixup_cgroup_storage].imm = map_fds[7];
12735 fixup_cgroup_storage++;
12736 } while (*fixup_cgroup_storage);
12740 static void do_test_single(struct bpf_test *test, bool unpriv,
12741 int *passes, int *errors)
12743 int fd_prog, expected_ret, reject_from_alignment;
12744 int prog_len, prog_type = test->prog_type;
12745 struct bpf_insn *prog = test->insns;
12746 int map_fds[MAX_NR_MAPS];
12747 const char *expected_err;
12751 for (i = 0; i < MAX_NR_MAPS; i++)
12754 do_test_fixup(test, prog, map_fds);
12755 prog_len = probe_filter_length(prog);
12757 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12758 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12759 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12761 expected_ret = unpriv && test->result_unpriv != UNDEF ?
12762 test->result_unpriv : test->result;
12763 expected_err = unpriv && test->errstr_unpriv ?
12764 test->errstr_unpriv : test->errstr;
12766 reject_from_alignment = fd_prog < 0 &&
12767 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12768 strstr(bpf_vlog, "Unknown alignment.");
12769 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12770 if (reject_from_alignment) {
12771 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12776 if (expected_ret == ACCEPT) {
12777 if (fd_prog < 0 && !reject_from_alignment) {
12778 printf("FAIL\nFailed to load prog '%s'!\n",
12783 if (fd_prog >= 0) {
12784 printf("FAIL\nUnexpected success to load!\n");
12787 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12788 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12789 expected_err, bpf_vlog);
12794 if (fd_prog >= 0) {
12795 __u8 tmp[TEST_DATA_LEN << 2];
12796 __u32 size_tmp = sizeof(tmp);
12798 err = bpf_prog_test_run(fd_prog, 1, test->data,
12799 sizeof(test->data), tmp, &size_tmp,
12801 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12802 printf("Unexpected bpf_prog_test_run error\n");
12805 if (!err && retval != test->retval &&
12806 test->retval != POINTER_VALUE) {
12807 printf("FAIL retval %d != %d\n", retval, test->retval);
12812 printf("OK%s\n", reject_from_alignment ?
12813 " (NOTE: reject due to unknown alignment)" : "");
12816 for (i = 0; i < MAX_NR_MAPS; i++)
12822 printf("%s", bpf_vlog);
12826 static bool is_admin(void)
12829 cap_flag_value_t sysadmin = CAP_CLEAR;
12830 const cap_value_t cap_val = CAP_SYS_ADMIN;
12832 #ifdef CAP_IS_SUPPORTED
12833 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12834 perror("cap_get_flag");
12838 caps = cap_get_proc();
12840 perror("cap_get_proc");
12843 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12844 perror("cap_get_flag");
12845 if (cap_free(caps))
12846 perror("cap_free");
12847 return (sysadmin == CAP_SET);
12850 static int set_admin(bool admin)
12853 const cap_value_t cap_val = CAP_SYS_ADMIN;
12856 caps = cap_get_proc();
12858 perror("cap_get_proc");
12861 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12862 admin ? CAP_SET : CAP_CLEAR)) {
12863 perror("cap_set_flag");
12866 if (cap_set_proc(caps)) {
12867 perror("cap_set_proc");
12872 if (cap_free(caps))
12873 perror("cap_free");
12877 static void get_unpriv_disabled()
12882 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12884 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12885 unpriv_disabled = true;
12888 if (fgets(buf, 2, fd) == buf && atoi(buf))
12889 unpriv_disabled = true;
12893 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12895 int i, passes = 0, errors = 0, skips = 0;
12897 for (i = from; i < to; i++) {
12898 struct bpf_test *test = &tests[i];
12900 /* Program types that are not supported by non-root we
12903 if (!test->prog_type && unpriv_disabled) {
12904 printf("#%d/u %s SKIP\n", i, test->descr);
12906 } else if (!test->prog_type) {
12909 printf("#%d/u %s ", i, test->descr);
12910 do_test_single(test, true, &passes, &errors);
12916 printf("#%d/p %s SKIP\n", i, test->descr);
12919 printf("#%d/p %s ", i, test->descr);
12920 do_test_single(test, false, &passes, &errors);
12924 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12926 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12929 int main(int argc, char **argv)
12931 unsigned int from = 0, to = ARRAY_SIZE(tests);
12932 bool unpriv = !is_admin();
12935 unsigned int l = atoi(argv[argc - 2]);
12936 unsigned int u = atoi(argv[argc - 1]);
12938 if (l < to && u < to) {
12942 } else if (argc == 2) {
12943 unsigned int t = atoi(argv[argc - 1]);
12951 get_unpriv_disabled();
12952 if (unpriv && unpriv_disabled) {
12953 printf("Cannot run as unprivileged user with sysctl %s.\n",
12955 return EXIT_FAILURE;
12958 bpf_semi_rand_init();
12959 return do_test(unpriv, from, to);
OSDN Git Service
