2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
46 #include "../../../include/linux/filter.h"
48 #define MAX_INSNS BPF_MAXINSNS
51 #define POINTER_VALUE 0xcafe4all
52 #define TEST_DATA_LEN 64
54 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
55 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
57 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
58 static bool unpriv_disabled = false;
62 struct bpf_insn insns[MAX_INSNS];
63 int fixup_map1[MAX_FIXUPS];
64 int fixup_map2[MAX_FIXUPS];
65 int fixup_map3[MAX_FIXUPS];
66 int fixup_map4[MAX_FIXUPS];
67 int fixup_prog1[MAX_FIXUPS];
68 int fixup_prog2[MAX_FIXUPS];
69 int fixup_map_in_map[MAX_FIXUPS];
70 int fixup_cgroup_storage[MAX_FIXUPS];
72 const char *errstr_unpriv;
78 } result, result_unpriv;
79 enum bpf_prog_type prog_type;
81 __u8 data[TEST_DATA_LEN];
82 void (*fill_helper)(struct bpf_test *self);
85 /* Note we want this to be 64 bit aligned so that the end of our array is
86 * actually the end of the structure.
88 #define MAX_ENTRIES 11
100 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
102 /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
104 unsigned int len = BPF_MAXINSNS;
105 struct bpf_insn *insn = self->insns;
108 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
110 for (j = 0; j < PUSH_CNT; j++) {
111 insn[i++] = BPF_LD_ABS(BPF_B, 0);
112 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
114 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
115 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
116 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
117 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
118 BPF_FUNC_skb_vlan_push),
119 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
123 for (j = 0; j < PUSH_CNT; j++) {
124 insn[i++] = BPF_LD_ABS(BPF_B, 0);
125 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
127 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
128 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
129 BPF_FUNC_skb_vlan_pop),
130 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
136 for (; i < len - 1; i++)
137 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
138 insn[len - 1] = BPF_EXIT_INSN();
141 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
143 struct bpf_insn *insn = self->insns;
144 unsigned int len = BPF_MAXINSNS;
147 insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
148 insn[i++] = BPF_LD_ABS(BPF_B, 0);
149 insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
152 insn[i++] = BPF_LD_ABS(BPF_B, 1);
153 insn[i] = BPF_EXIT_INSN();
156 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
158 struct bpf_insn *insn = self->insns;
162 insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
163 while (i < self->retval) {
164 uint64_t val = bpf_semi_rand_get();
165 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
170 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
172 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
173 insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
174 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175 insn[i] = BPF_EXIT_INSN();
177 self->retval = (uint32_t)res;
180 static struct bpf_test tests[] = {
184 BPF_MOV64_IMM(BPF_REG_1, 1),
185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
186 BPF_MOV64_IMM(BPF_REG_2, 3),
187 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
189 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
190 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
197 "DIV32 by 0, zero check 1",
199 BPF_MOV32_IMM(BPF_REG_0, 42),
200 BPF_MOV32_IMM(BPF_REG_1, 0),
201 BPF_MOV32_IMM(BPF_REG_2, 1),
202 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
209 "DIV32 by 0, zero check 2",
211 BPF_MOV32_IMM(BPF_REG_0, 42),
212 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
213 BPF_MOV32_IMM(BPF_REG_2, 1),
214 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
221 "DIV64 by 0, zero check",
223 BPF_MOV32_IMM(BPF_REG_0, 42),
224 BPF_MOV32_IMM(BPF_REG_1, 0),
225 BPF_MOV32_IMM(BPF_REG_2, 1),
226 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
233 "MOD32 by 0, zero check 1",
235 BPF_MOV32_IMM(BPF_REG_0, 42),
236 BPF_MOV32_IMM(BPF_REG_1, 0),
237 BPF_MOV32_IMM(BPF_REG_2, 1),
238 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
245 "MOD32 by 0, zero check 2",
247 BPF_MOV32_IMM(BPF_REG_0, 42),
248 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
249 BPF_MOV32_IMM(BPF_REG_2, 1),
250 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
257 "MOD64 by 0, zero check",
259 BPF_MOV32_IMM(BPF_REG_0, 42),
260 BPF_MOV32_IMM(BPF_REG_1, 0),
261 BPF_MOV32_IMM(BPF_REG_2, 1),
262 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
269 "DIV32 by 0, zero check ok, cls",
271 BPF_MOV32_IMM(BPF_REG_0, 42),
272 BPF_MOV32_IMM(BPF_REG_1, 2),
273 BPF_MOV32_IMM(BPF_REG_2, 16),
274 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
275 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
278 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
283 "DIV32 by 0, zero check 1, cls",
285 BPF_MOV32_IMM(BPF_REG_1, 0),
286 BPF_MOV32_IMM(BPF_REG_0, 1),
287 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
295 "DIV32 by 0, zero check 2, cls",
297 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
298 BPF_MOV32_IMM(BPF_REG_0, 1),
299 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
307 "DIV64 by 0, zero check, cls",
309 BPF_MOV32_IMM(BPF_REG_1, 0),
310 BPF_MOV32_IMM(BPF_REG_0, 1),
311 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "MOD32 by 0, zero check ok, cls",
321 BPF_MOV32_IMM(BPF_REG_0, 42),
322 BPF_MOV32_IMM(BPF_REG_1, 3),
323 BPF_MOV32_IMM(BPF_REG_2, 5),
324 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
325 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
328 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
333 "MOD32 by 0, zero check 1, cls",
335 BPF_MOV32_IMM(BPF_REG_1, 0),
336 BPF_MOV32_IMM(BPF_REG_0, 1),
337 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
345 "MOD32 by 0, zero check 2, cls",
347 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
348 BPF_MOV32_IMM(BPF_REG_0, 1),
349 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
352 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357 "MOD64 by 0, zero check 1, cls",
359 BPF_MOV32_IMM(BPF_REG_1, 0),
360 BPF_MOV32_IMM(BPF_REG_0, 2),
361 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
369 "MOD64 by 0, zero check 2, cls",
371 BPF_MOV32_IMM(BPF_REG_1, 0),
372 BPF_MOV32_IMM(BPF_REG_0, -1),
373 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
380 /* Just make sure that JITs used udiv/umod as otherwise we get
381 * an exception from INT_MIN/-1 overflow similarly as with div
385 "DIV32 overflow, check 1",
387 BPF_MOV32_IMM(BPF_REG_1, -1),
388 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
389 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
392 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
397 "DIV32 overflow, check 2",
399 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
400 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
403 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
408 "DIV64 overflow, check 1",
410 BPF_MOV64_IMM(BPF_REG_1, -1),
411 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
412 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
415 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
420 "DIV64 overflow, check 2",
422 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
423 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
431 "MOD32 overflow, check 1",
433 BPF_MOV32_IMM(BPF_REG_1, -1),
434 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
435 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
438 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
443 "MOD32 overflow, check 2",
445 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
446 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
454 "MOD64 overflow, check 1",
456 BPF_MOV64_IMM(BPF_REG_1, -1),
457 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
458 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
459 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
460 BPF_MOV32_IMM(BPF_REG_0, 0),
461 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
462 BPF_MOV32_IMM(BPF_REG_0, 1),
465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
470 "MOD64 overflow, check 2",
472 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
473 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
474 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
475 BPF_MOV32_IMM(BPF_REG_0, 0),
476 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
477 BPF_MOV32_IMM(BPF_REG_0, 1),
480 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
485 "xor32 zero extend check",
487 BPF_MOV32_IMM(BPF_REG_2, -1),
488 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
489 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
490 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
491 BPF_MOV32_IMM(BPF_REG_0, 2),
492 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
493 BPF_MOV32_IMM(BPF_REG_0, 1),
496 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
504 .errstr = "unknown opcode 00",
512 .errstr = "R0 !read_ok",
521 .errstr = "unreachable",
527 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
528 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
531 .errstr = "unreachable",
537 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
540 .errstr = "jump out of range",
544 "out of range jump2",
546 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
549 .errstr = "jump out of range",
555 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
556 BPF_LD_IMM64(BPF_REG_0, 0),
557 BPF_LD_IMM64(BPF_REG_0, 0),
558 BPF_LD_IMM64(BPF_REG_0, 1),
559 BPF_LD_IMM64(BPF_REG_0, 1),
560 BPF_MOV64_IMM(BPF_REG_0, 2),
563 .errstr = "invalid BPF_LD_IMM insn",
564 .errstr_unpriv = "R1 pointer comparison",
570 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
571 BPF_LD_IMM64(BPF_REG_0, 0),
572 BPF_LD_IMM64(BPF_REG_0, 0),
573 BPF_LD_IMM64(BPF_REG_0, 1),
574 BPF_LD_IMM64(BPF_REG_0, 1),
577 .errstr = "invalid BPF_LD_IMM insn",
578 .errstr_unpriv = "R1 pointer comparison",
584 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
585 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
586 BPF_LD_IMM64(BPF_REG_0, 0),
587 BPF_LD_IMM64(BPF_REG_0, 0),
588 BPF_LD_IMM64(BPF_REG_0, 1),
589 BPF_LD_IMM64(BPF_REG_0, 1),
592 .errstr = "invalid bpf_ld_imm64 insn",
598 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
601 .errstr = "invalid bpf_ld_imm64 insn",
607 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
609 .errstr = "invalid bpf_ld_imm64 insn",
615 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
616 BPF_RAW_INSN(0, 0, 0, 0, 0),
624 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
625 BPF_RAW_INSN(0, 0, 0, 0, 1),
634 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
635 BPF_RAW_INSN(0, 0, 0, 0, 1),
638 .errstr = "uses reserved fields",
644 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
645 BPF_RAW_INSN(0, 0, 0, 1, 1),
648 .errstr = "invalid bpf_ld_imm64 insn",
654 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
655 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
658 .errstr = "invalid bpf_ld_imm64 insn",
664 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
665 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
668 .errstr = "invalid bpf_ld_imm64 insn",
674 BPF_MOV64_IMM(BPF_REG_1, 0),
675 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
676 BPF_RAW_INSN(0, 0, 0, 0, 1),
679 .errstr = "not pointing to valid bpf_map",
685 BPF_MOV64_IMM(BPF_REG_1, 0),
686 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
687 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690 .errstr = "invalid bpf_ld_imm64 insn",
696 BPF_MOV64_IMM(BPF_REG_0, 1),
697 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
701 .errstr = "unknown opcode c4",
706 BPF_MOV64_IMM(BPF_REG_0, 1),
707 BPF_MOV64_IMM(BPF_REG_1, 5),
708 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
712 .errstr = "unknown opcode cc",
717 BPF_MOV64_IMM(BPF_REG_0, 1),
718 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
726 BPF_MOV64_IMM(BPF_REG_0, 1),
727 BPF_MOV64_IMM(BPF_REG_1, 5),
728 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
736 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
738 .errstr = "not an exit",
744 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
747 .errstr = "back-edge",
753 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
754 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
755 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
756 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
759 .errstr = "back-edge",
765 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
767 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
771 .errstr = "back-edge",
775 "read uninitialized register",
777 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
780 .errstr = "R2 !read_ok",
784 "read invalid register",
786 BPF_MOV64_REG(BPF_REG_0, -1),
789 .errstr = "R15 is invalid",
793 "program doesn't init R0 before exit",
795 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
798 .errstr = "R0 !read_ok",
802 "program doesn't init R0 before exit in all branches",
804 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
805 BPF_MOV64_IMM(BPF_REG_0, 1),
806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
809 .errstr = "R0 !read_ok",
810 .errstr_unpriv = "R1 pointer comparison",
814 "stack out of bounds",
816 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
819 .errstr = "invalid stack",
823 "invalid call insn1",
825 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
828 .errstr = "unknown opcode 8d",
832 "invalid call insn2",
834 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
837 .errstr = "BPF_CALL uses reserved",
841 "invalid function call",
843 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
846 .errstr = "invalid func unknown#1234567",
850 "uninitialized stack1",
852 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
854 BPF_LD_MAP_FD(BPF_REG_1, 0),
855 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
856 BPF_FUNC_map_lookup_elem),
860 .errstr = "invalid indirect read from stack",
864 "uninitialized stack2",
866 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
867 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
870 .errstr = "invalid read from stack",
874 "invalid fp arithmetic",
875 /* If this gets ever changed, make sure JITs can deal with it. */
877 BPF_MOV64_IMM(BPF_REG_0, 0),
878 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
879 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
880 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
883 .errstr = "R1 subtraction from stack pointer",
887 "non-invalid fp arithmetic",
889 BPF_MOV64_IMM(BPF_REG_0, 0),
890 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
896 "invalid argument register",
898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
899 BPF_FUNC_get_cgroup_classid),
900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 BPF_FUNC_get_cgroup_classid),
904 .errstr = "R1 !read_ok",
906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
909 "non-invalid argument register",
911 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
913 BPF_FUNC_get_cgroup_classid),
914 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916 BPF_FUNC_get_cgroup_classid),
920 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
923 "check valid spill/fill",
925 /* spill R1(ctx) into stack */
926 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
927 /* fill it back into R2 */
928 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
929 /* should be able to access R0 = *(R2 + 8) */
930 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
931 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
934 .errstr_unpriv = "R0 leaks addr",
936 .result_unpriv = REJECT,
937 .retval = POINTER_VALUE,
940 "check valid spill/fill, skb mark",
942 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
943 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
944 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
945 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
946 offsetof(struct __sk_buff, mark)),
950 .result_unpriv = ACCEPT,
953 "check corrupted spill/fill",
955 /* spill R1(ctx) into stack */
956 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
957 /* mess up with R1 pointer on stack */
958 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
959 /* fill back into R0 should fail */
960 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
963 .errstr_unpriv = "attempt to corrupt spilled",
964 .errstr = "corrupted spill",
968 "invalid src register in STX",
970 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
973 .errstr = "R15 is invalid",
977 "invalid dst register in STX",
979 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
982 .errstr = "R14 is invalid",
986 "invalid dst register in ST",
988 BPF_ST_MEM(BPF_B, 14, -1, -1),
991 .errstr = "R14 is invalid",
995 "invalid src register in LDX",
997 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1000 .errstr = "R12 is invalid",
1004 "invalid dst register in LDX",
1006 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1009 .errstr = "R11 is invalid",
1015 BPF_RAW_INSN(0, 0, 0, 0, 0),
1018 .errstr = "unknown opcode 00",
1024 BPF_RAW_INSN(1, 0, 0, 0, 0),
1027 .errstr = "BPF_LDX uses reserved fields",
1033 BPF_RAW_INSN(-1, 0, 0, 0, 0),
1036 .errstr = "unknown opcode ff",
1042 BPF_RAW_INSN(-1, -1, -1, -1, -1),
1045 .errstr = "unknown opcode ff",
1051 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1054 .errstr = "BPF_ALU uses reserved fields",
1058 "misaligned read from stack",
1060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1064 .errstr = "misaligned stack access",
1068 "invalid map_fd for function call",
1070 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1071 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1073 BPF_LD_MAP_FD(BPF_REG_1, 0),
1074 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1075 BPF_FUNC_map_delete_elem),
1078 .errstr = "fd 0 is not pointing to valid bpf_map",
1082 "don't check return value before access",
1084 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1089 BPF_FUNC_map_lookup_elem),
1090 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1093 .fixup_map1 = { 3 },
1094 .errstr = "R0 invalid mem access 'map_value_or_null'",
1098 "access memory with incorrect alignment",
1100 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1101 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1103 BPF_LD_MAP_FD(BPF_REG_1, 0),
1104 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1105 BPF_FUNC_map_lookup_elem),
1106 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1107 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1110 .fixup_map1 = { 3 },
1111 .errstr = "misaligned value access",
1113 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1116 "sometimes access memory with incorrect alignment",
1118 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1119 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1121 BPF_LD_MAP_FD(BPF_REG_1, 0),
1122 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1123 BPF_FUNC_map_lookup_elem),
1124 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1125 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1127 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1130 .fixup_map1 = { 3 },
1131 .errstr = "R0 invalid mem access",
1132 .errstr_unpriv = "R0 leaks addr",
1134 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1140 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1142 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1144 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1146 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1148 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1150 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1152 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1153 BPF_MOV64_IMM(BPF_REG_0, 0),
1156 .errstr_unpriv = "R1 pointer comparison",
1157 .result_unpriv = REJECT,
1163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1165 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1166 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1168 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1169 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1171 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1172 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1174 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1175 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1177 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1178 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1180 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1181 BPF_MOV64_IMM(BPF_REG_0, 0),
1184 .errstr_unpriv = "R1 pointer comparison",
1185 .result_unpriv = REJECT,
1191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1193 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1195 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1196 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1197 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1199 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1200 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1201 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1203 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1204 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1205 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1207 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1209 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1210 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1211 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1212 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1213 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1215 BPF_LD_MAP_FD(BPF_REG_1, 0),
1216 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1217 BPF_FUNC_map_delete_elem),
1220 .fixup_map1 = { 24 },
1221 .errstr_unpriv = "R1 pointer comparison",
1222 .result_unpriv = REJECT,
1229 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1231 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1232 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1234 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1236 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1241 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1244 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1245 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1248 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1252 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1266 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 BPF_MOV64_IMM(BPF_REG_0, 0),
1272 .errstr_unpriv = "R1 pointer comparison",
1273 .result_unpriv = REJECT,
1279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1280 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1281 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1282 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1283 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1284 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1285 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1286 BPF_MOV64_IMM(BPF_REG_0, 0),
1287 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1288 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1289 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1290 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1291 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1292 BPF_MOV64_IMM(BPF_REG_0, 0),
1293 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1295 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1296 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1297 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1298 BPF_MOV64_IMM(BPF_REG_0, 0),
1299 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1300 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1301 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1302 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1303 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1304 BPF_MOV64_IMM(BPF_REG_0, 0),
1305 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 BPF_MOV64_IMM(BPF_REG_0, 0),
1313 .errstr_unpriv = "R1 pointer comparison",
1314 .result_unpriv = REJECT,
1318 "access skb fields ok",
1320 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1321 offsetof(struct __sk_buff, len)),
1322 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1323 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, mark)),
1325 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 offsetof(struct __sk_buff, pkt_type)),
1328 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, queue_mapping)),
1331 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1332 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333 offsetof(struct __sk_buff, protocol)),
1334 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, vlan_present)),
1337 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339 offsetof(struct __sk_buff, vlan_tci)),
1340 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342 offsetof(struct __sk_buff, napi_id)),
1343 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1349 "access skb fields bad1",
1351 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1354 .errstr = "invalid bpf_context access",
1358 "access skb fields bad2",
1360 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1361 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364 BPF_LD_MAP_FD(BPF_REG_1, 0),
1365 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366 BPF_FUNC_map_lookup_elem),
1367 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, pkt_type)),
1374 .fixup_map1 = { 4 },
1375 .errstr = "different pointers",
1376 .errstr_unpriv = "R1 pointer comparison",
1380 "access skb fields bad3",
1382 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1383 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384 offsetof(struct __sk_buff, pkt_type)),
1386 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1387 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1389 BPF_LD_MAP_FD(BPF_REG_1, 0),
1390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1391 BPF_FUNC_map_lookup_elem),
1392 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1394 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1395 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1397 .fixup_map1 = { 6 },
1398 .errstr = "different pointers",
1399 .errstr_unpriv = "R1 pointer comparison",
1403 "access skb fields bad4",
1405 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1406 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1407 offsetof(struct __sk_buff, len)),
1408 BPF_MOV64_IMM(BPF_REG_0, 0),
1410 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 BPF_FUNC_map_lookup_elem),
1416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1418 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1421 .fixup_map1 = { 7 },
1422 .errstr = "different pointers",
1423 .errstr_unpriv = "R1 pointer comparison",
1427 "invalid access __sk_buff family",
1429 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1430 offsetof(struct __sk_buff, family)),
1433 .errstr = "invalid bpf_context access",
1437 "invalid access __sk_buff remote_ip4",
1439 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1440 offsetof(struct __sk_buff, remote_ip4)),
1443 .errstr = "invalid bpf_context access",
1447 "invalid access __sk_buff local_ip4",
1449 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1450 offsetof(struct __sk_buff, local_ip4)),
1453 .errstr = "invalid bpf_context access",
1457 "invalid access __sk_buff remote_ip6",
1459 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1460 offsetof(struct __sk_buff, remote_ip6)),
1463 .errstr = "invalid bpf_context access",
1467 "invalid access __sk_buff local_ip6",
1469 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1470 offsetof(struct __sk_buff, local_ip6)),
1473 .errstr = "invalid bpf_context access",
1477 "invalid access __sk_buff remote_port",
1479 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1480 offsetof(struct __sk_buff, remote_port)),
1483 .errstr = "invalid bpf_context access",
1487 "invalid access __sk_buff remote_port",
1489 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490 offsetof(struct __sk_buff, local_port)),
1493 .errstr = "invalid bpf_context access",
1497 "valid access __sk_buff family",
1499 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1500 offsetof(struct __sk_buff, family)),
1504 .prog_type = BPF_PROG_TYPE_SK_SKB,
1507 "valid access __sk_buff remote_ip4",
1509 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1510 offsetof(struct __sk_buff, remote_ip4)),
1514 .prog_type = BPF_PROG_TYPE_SK_SKB,
1517 "valid access __sk_buff local_ip4",
1519 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1520 offsetof(struct __sk_buff, local_ip4)),
1524 .prog_type = BPF_PROG_TYPE_SK_SKB,
1527 "valid access __sk_buff remote_ip6",
1529 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1530 offsetof(struct __sk_buff, remote_ip6[0])),
1531 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 offsetof(struct __sk_buff, remote_ip6[1])),
1533 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, remote_ip6[2])),
1535 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 offsetof(struct __sk_buff, remote_ip6[3])),
1540 .prog_type = BPF_PROG_TYPE_SK_SKB,
1543 "valid access __sk_buff local_ip6",
1545 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1546 offsetof(struct __sk_buff, local_ip6[0])),
1547 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 offsetof(struct __sk_buff, local_ip6[1])),
1549 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 offsetof(struct __sk_buff, local_ip6[2])),
1551 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 offsetof(struct __sk_buff, local_ip6[3])),
1556 .prog_type = BPF_PROG_TYPE_SK_SKB,
1559 "valid access __sk_buff remote_port",
1561 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1562 offsetof(struct __sk_buff, remote_port)),
1566 .prog_type = BPF_PROG_TYPE_SK_SKB,
1569 "valid access __sk_buff remote_port",
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, local_port)),
1576 .prog_type = BPF_PROG_TYPE_SK_SKB,
1579 "invalid access of tc_classid for SK_SKB",
1581 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1582 offsetof(struct __sk_buff, tc_classid)),
1586 .prog_type = BPF_PROG_TYPE_SK_SKB,
1587 .errstr = "invalid bpf_context access",
1590 "invalid access of skb->mark for SK_SKB",
1592 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593 offsetof(struct __sk_buff, mark)),
1597 .prog_type = BPF_PROG_TYPE_SK_SKB,
1598 .errstr = "invalid bpf_context access",
1601 "check skb->mark is not writeable by SK_SKB",
1603 BPF_MOV64_IMM(BPF_REG_0, 0),
1604 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605 offsetof(struct __sk_buff, mark)),
1609 .prog_type = BPF_PROG_TYPE_SK_SKB,
1610 .errstr = "invalid bpf_context access",
1613 "check skb->tc_index is writeable by SK_SKB",
1615 BPF_MOV64_IMM(BPF_REG_0, 0),
1616 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1617 offsetof(struct __sk_buff, tc_index)),
1621 .prog_type = BPF_PROG_TYPE_SK_SKB,
1624 "check skb->priority is writeable by SK_SKB",
1626 BPF_MOV64_IMM(BPF_REG_0, 0),
1627 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1628 offsetof(struct __sk_buff, priority)),
1632 .prog_type = BPF_PROG_TYPE_SK_SKB,
1635 "direct packet read for SK_SKB",
1637 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1638 offsetof(struct __sk_buff, data)),
1639 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1640 offsetof(struct __sk_buff, data_end)),
1641 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1643 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1644 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1645 BPF_MOV64_IMM(BPF_REG_0, 0),
1649 .prog_type = BPF_PROG_TYPE_SK_SKB,
1652 "direct packet write for SK_SKB",
1654 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1655 offsetof(struct __sk_buff, data)),
1656 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1657 offsetof(struct __sk_buff, data_end)),
1658 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1660 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1661 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1662 BPF_MOV64_IMM(BPF_REG_0, 0),
1666 .prog_type = BPF_PROG_TYPE_SK_SKB,
1669 "overlapping checks for direct packet access SK_SKB",
1671 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1672 offsetof(struct __sk_buff, data)),
1673 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1674 offsetof(struct __sk_buff, data_end)),
1675 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1677 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1678 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1680 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1681 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1682 BPF_MOV64_IMM(BPF_REG_0, 0),
1686 .prog_type = BPF_PROG_TYPE_SK_SKB,
1689 "valid access family in SK_MSG",
1691 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1692 offsetof(struct sk_msg_md, family)),
1696 .prog_type = BPF_PROG_TYPE_SK_MSG,
1699 "valid access remote_ip4 in SK_MSG",
1701 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1702 offsetof(struct sk_msg_md, remote_ip4)),
1706 .prog_type = BPF_PROG_TYPE_SK_MSG,
1709 "valid access local_ip4 in SK_MSG",
1711 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1712 offsetof(struct sk_msg_md, local_ip4)),
1716 .prog_type = BPF_PROG_TYPE_SK_MSG,
1719 "valid access remote_port in SK_MSG",
1721 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1722 offsetof(struct sk_msg_md, remote_port)),
1726 .prog_type = BPF_PROG_TYPE_SK_MSG,
1729 "valid access local_port in SK_MSG",
1731 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1732 offsetof(struct sk_msg_md, local_port)),
1736 .prog_type = BPF_PROG_TYPE_SK_MSG,
1739 "valid access remote_ip6 in SK_MSG",
1741 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1742 offsetof(struct sk_msg_md, remote_ip6[0])),
1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct sk_msg_md, remote_ip6[1])),
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct sk_msg_md, remote_ip6[2])),
1747 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748 offsetof(struct sk_msg_md, remote_ip6[3])),
1752 .prog_type = BPF_PROG_TYPE_SK_SKB,
1755 "valid access local_ip6 in SK_MSG",
1757 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1758 offsetof(struct sk_msg_md, local_ip6[0])),
1759 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760 offsetof(struct sk_msg_md, local_ip6[1])),
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct sk_msg_md, local_ip6[2])),
1763 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764 offsetof(struct sk_msg_md, local_ip6[3])),
1768 .prog_type = BPF_PROG_TYPE_SK_SKB,
1771 "invalid 64B read of family in SK_MSG",
1773 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1774 offsetof(struct sk_msg_md, family)),
1777 .errstr = "invalid bpf_context access",
1779 .prog_type = BPF_PROG_TYPE_SK_MSG,
1782 "invalid read past end of SK_MSG",
1784 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1785 offsetof(struct sk_msg_md, local_port) + 4),
1788 .errstr = "R0 !read_ok",
1790 .prog_type = BPF_PROG_TYPE_SK_MSG,
1793 "invalid read offset in SK_MSG",
1795 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1796 offsetof(struct sk_msg_md, family) + 1),
1799 .errstr = "invalid bpf_context access",
1801 .prog_type = BPF_PROG_TYPE_SK_MSG,
1804 "direct packet read for SK_MSG",
1806 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1807 offsetof(struct sk_msg_md, data)),
1808 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1809 offsetof(struct sk_msg_md, data_end)),
1810 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1812 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1813 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1814 BPF_MOV64_IMM(BPF_REG_0, 0),
1818 .prog_type = BPF_PROG_TYPE_SK_MSG,
1821 "direct packet write for SK_MSG",
1823 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1824 offsetof(struct sk_msg_md, data)),
1825 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1826 offsetof(struct sk_msg_md, data_end)),
1827 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1829 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1830 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1831 BPF_MOV64_IMM(BPF_REG_0, 0),
1835 .prog_type = BPF_PROG_TYPE_SK_MSG,
1838 "overlapping checks for direct packet access SK_MSG",
1840 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1841 offsetof(struct sk_msg_md, data)),
1842 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1843 offsetof(struct sk_msg_md, data_end)),
1844 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1846 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1847 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1849 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1850 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1851 BPF_MOV64_IMM(BPF_REG_0, 0),
1855 .prog_type = BPF_PROG_TYPE_SK_MSG,
1858 "check skb->mark is not writeable by sockets",
1860 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1861 offsetof(struct __sk_buff, mark)),
1864 .errstr = "invalid bpf_context access",
1865 .errstr_unpriv = "R1 leaks addr",
1869 "check skb->tc_index is not writeable by sockets",
1871 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1872 offsetof(struct __sk_buff, tc_index)),
1875 .errstr = "invalid bpf_context access",
1876 .errstr_unpriv = "R1 leaks addr",
1880 "check cb access: byte",
1882 BPF_MOV64_IMM(BPF_REG_0, 0),
1883 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1884 offsetof(struct __sk_buff, cb[0])),
1885 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886 offsetof(struct __sk_buff, cb[0]) + 1),
1887 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888 offsetof(struct __sk_buff, cb[0]) + 2),
1889 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890 offsetof(struct __sk_buff, cb[0]) + 3),
1891 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892 offsetof(struct __sk_buff, cb[1])),
1893 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894 offsetof(struct __sk_buff, cb[1]) + 1),
1895 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896 offsetof(struct __sk_buff, cb[1]) + 2),
1897 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898 offsetof(struct __sk_buff, cb[1]) + 3),
1899 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900 offsetof(struct __sk_buff, cb[2])),
1901 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902 offsetof(struct __sk_buff, cb[2]) + 1),
1903 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904 offsetof(struct __sk_buff, cb[2]) + 2),
1905 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906 offsetof(struct __sk_buff, cb[2]) + 3),
1907 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 offsetof(struct __sk_buff, cb[3])),
1909 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 offsetof(struct __sk_buff, cb[3]) + 1),
1911 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 offsetof(struct __sk_buff, cb[3]) + 2),
1913 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[3]) + 3),
1915 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 offsetof(struct __sk_buff, cb[4])),
1917 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 offsetof(struct __sk_buff, cb[4]) + 1),
1919 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 offsetof(struct __sk_buff, cb[4]) + 2),
1921 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 offsetof(struct __sk_buff, cb[4]) + 3),
1923 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1924 offsetof(struct __sk_buff, cb[0])),
1925 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926 offsetof(struct __sk_buff, cb[0]) + 1),
1927 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928 offsetof(struct __sk_buff, cb[0]) + 2),
1929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930 offsetof(struct __sk_buff, cb[0]) + 3),
1931 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932 offsetof(struct __sk_buff, cb[1])),
1933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934 offsetof(struct __sk_buff, cb[1]) + 1),
1935 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936 offsetof(struct __sk_buff, cb[1]) + 2),
1937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938 offsetof(struct __sk_buff, cb[1]) + 3),
1939 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940 offsetof(struct __sk_buff, cb[2])),
1941 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942 offsetof(struct __sk_buff, cb[2]) + 1),
1943 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944 offsetof(struct __sk_buff, cb[2]) + 2),
1945 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946 offsetof(struct __sk_buff, cb[2]) + 3),
1947 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 offsetof(struct __sk_buff, cb[3])),
1949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 offsetof(struct __sk_buff, cb[3]) + 1),
1951 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 offsetof(struct __sk_buff, cb[3]) + 2),
1953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 offsetof(struct __sk_buff, cb[3]) + 3),
1955 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 offsetof(struct __sk_buff, cb[4])),
1957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 offsetof(struct __sk_buff, cb[4]) + 1),
1959 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 offsetof(struct __sk_buff, cb[4]) + 2),
1961 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 offsetof(struct __sk_buff, cb[4]) + 3),
1968 "__sk_buff->hash, offset 0, byte store not permitted",
1970 BPF_MOV64_IMM(BPF_REG_0, 0),
1971 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1972 offsetof(struct __sk_buff, hash)),
1975 .errstr = "invalid bpf_context access",
1979 "__sk_buff->tc_index, offset 3, byte store not permitted",
1981 BPF_MOV64_IMM(BPF_REG_0, 0),
1982 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1983 offsetof(struct __sk_buff, tc_index) + 3),
1986 .errstr = "invalid bpf_context access",
1990 "check skb->hash byte load permitted",
1992 BPF_MOV64_IMM(BPF_REG_0, 0),
1993 #if __BYTE_ORDER == __LITTLE_ENDIAN
1994 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1995 offsetof(struct __sk_buff, hash)),
1997 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1998 offsetof(struct __sk_buff, hash) + 3),
2005 "check skb->hash byte load permitted 1",
2007 BPF_MOV64_IMM(BPF_REG_0, 0),
2008 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2009 offsetof(struct __sk_buff, hash) + 1),
2015 "check skb->hash byte load permitted 2",
2017 BPF_MOV64_IMM(BPF_REG_0, 0),
2018 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2019 offsetof(struct __sk_buff, hash) + 2),
2025 "check skb->hash byte load permitted 3",
2027 BPF_MOV64_IMM(BPF_REG_0, 0),
2028 #if __BYTE_ORDER == __LITTLE_ENDIAN
2029 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2030 offsetof(struct __sk_buff, hash) + 3),
2032 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033 offsetof(struct __sk_buff, hash)),
2040 "check cb access: byte, wrong type",
2042 BPF_MOV64_IMM(BPF_REG_0, 0),
2043 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2044 offsetof(struct __sk_buff, cb[0])),
2047 .errstr = "invalid bpf_context access",
2049 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2052 "check cb access: half",
2054 BPF_MOV64_IMM(BPF_REG_0, 0),
2055 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2056 offsetof(struct __sk_buff, cb[0])),
2057 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2058 offsetof(struct __sk_buff, cb[0]) + 2),
2059 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2060 offsetof(struct __sk_buff, cb[1])),
2061 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2062 offsetof(struct __sk_buff, cb[1]) + 2),
2063 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2064 offsetof(struct __sk_buff, cb[2])),
2065 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2066 offsetof(struct __sk_buff, cb[2]) + 2),
2067 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2068 offsetof(struct __sk_buff, cb[3])),
2069 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2070 offsetof(struct __sk_buff, cb[3]) + 2),
2071 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2072 offsetof(struct __sk_buff, cb[4])),
2073 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2074 offsetof(struct __sk_buff, cb[4]) + 2),
2075 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2076 offsetof(struct __sk_buff, cb[0])),
2077 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2078 offsetof(struct __sk_buff, cb[0]) + 2),
2079 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2080 offsetof(struct __sk_buff, cb[1])),
2081 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2082 offsetof(struct __sk_buff, cb[1]) + 2),
2083 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2084 offsetof(struct __sk_buff, cb[2])),
2085 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2086 offsetof(struct __sk_buff, cb[2]) + 2),
2087 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2088 offsetof(struct __sk_buff, cb[3])),
2089 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2090 offsetof(struct __sk_buff, cb[3]) + 2),
2091 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2092 offsetof(struct __sk_buff, cb[4])),
2093 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2094 offsetof(struct __sk_buff, cb[4]) + 2),
2100 "check cb access: half, unaligned",
2102 BPF_MOV64_IMM(BPF_REG_0, 0),
2103 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2104 offsetof(struct __sk_buff, cb[0]) + 1),
2107 .errstr = "misaligned context access",
2109 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2112 "check __sk_buff->hash, offset 0, half store not permitted",
2114 BPF_MOV64_IMM(BPF_REG_0, 0),
2115 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2116 offsetof(struct __sk_buff, hash)),
2119 .errstr = "invalid bpf_context access",
2123 "check __sk_buff->tc_index, offset 2, half store not permitted",
2125 BPF_MOV64_IMM(BPF_REG_0, 0),
2126 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2127 offsetof(struct __sk_buff, tc_index) + 2),
2130 .errstr = "invalid bpf_context access",
2134 "check skb->hash half load permitted",
2136 BPF_MOV64_IMM(BPF_REG_0, 0),
2137 #if __BYTE_ORDER == __LITTLE_ENDIAN
2138 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2139 offsetof(struct __sk_buff, hash)),
2141 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2142 offsetof(struct __sk_buff, hash) + 2),
2149 "check skb->hash half load permitted 2",
2151 BPF_MOV64_IMM(BPF_REG_0, 0),
2152 #if __BYTE_ORDER == __LITTLE_ENDIAN
2153 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2154 offsetof(struct __sk_buff, hash) + 2),
2156 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2157 offsetof(struct __sk_buff, hash)),
2164 "check skb->hash half load not permitted, unaligned 1",
2166 BPF_MOV64_IMM(BPF_REG_0, 0),
2167 #if __BYTE_ORDER == __LITTLE_ENDIAN
2168 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2169 offsetof(struct __sk_buff, hash) + 1),
2171 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2172 offsetof(struct __sk_buff, hash) + 3),
2176 .errstr = "invalid bpf_context access",
2180 "check skb->hash half load not permitted, unaligned 3",
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2183 #if __BYTE_ORDER == __LITTLE_ENDIAN
2184 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2185 offsetof(struct __sk_buff, hash) + 3),
2187 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2188 offsetof(struct __sk_buff, hash) + 1),
2192 .errstr = "invalid bpf_context access",
2196 "check cb access: half, wrong type",
2198 BPF_MOV64_IMM(BPF_REG_0, 0),
2199 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2200 offsetof(struct __sk_buff, cb[0])),
2203 .errstr = "invalid bpf_context access",
2205 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2208 "check cb access: word",
2210 BPF_MOV64_IMM(BPF_REG_0, 0),
2211 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 offsetof(struct __sk_buff, cb[0])),
2213 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 offsetof(struct __sk_buff, cb[1])),
2215 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2216 offsetof(struct __sk_buff, cb[2])),
2217 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2218 offsetof(struct __sk_buff, cb[3])),
2219 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2220 offsetof(struct __sk_buff, cb[4])),
2221 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2222 offsetof(struct __sk_buff, cb[0])),
2223 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2224 offsetof(struct __sk_buff, cb[1])),
2225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2226 offsetof(struct __sk_buff, cb[2])),
2227 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2228 offsetof(struct __sk_buff, cb[3])),
2229 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2230 offsetof(struct __sk_buff, cb[4])),
2236 "check cb access: word, unaligned 1",
2238 BPF_MOV64_IMM(BPF_REG_0, 0),
2239 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2240 offsetof(struct __sk_buff, cb[0]) + 2),
2243 .errstr = "misaligned context access",
2245 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2248 "check cb access: word, unaligned 2",
2250 BPF_MOV64_IMM(BPF_REG_0, 0),
2251 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2252 offsetof(struct __sk_buff, cb[4]) + 1),
2255 .errstr = "misaligned context access",
2257 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2260 "check cb access: word, unaligned 3",
2262 BPF_MOV64_IMM(BPF_REG_0, 0),
2263 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2264 offsetof(struct __sk_buff, cb[4]) + 2),
2267 .errstr = "misaligned context access",
2269 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2272 "check cb access: word, unaligned 4",
2274 BPF_MOV64_IMM(BPF_REG_0, 0),
2275 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2276 offsetof(struct __sk_buff, cb[4]) + 3),
2279 .errstr = "misaligned context access",
2281 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2284 "check cb access: double",
2286 BPF_MOV64_IMM(BPF_REG_0, 0),
2287 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2288 offsetof(struct __sk_buff, cb[0])),
2289 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2290 offsetof(struct __sk_buff, cb[2])),
2291 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2292 offsetof(struct __sk_buff, cb[0])),
2293 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2294 offsetof(struct __sk_buff, cb[2])),
2300 "check cb access: double, unaligned 1",
2302 BPF_MOV64_IMM(BPF_REG_0, 0),
2303 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2304 offsetof(struct __sk_buff, cb[1])),
2307 .errstr = "misaligned context access",
2309 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2312 "check cb access: double, unaligned 2",
2314 BPF_MOV64_IMM(BPF_REG_0, 0),
2315 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2316 offsetof(struct __sk_buff, cb[3])),
2319 .errstr = "misaligned context access",
2321 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2324 "check cb access: double, oob 1",
2326 BPF_MOV64_IMM(BPF_REG_0, 0),
2327 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2328 offsetof(struct __sk_buff, cb[4])),
2331 .errstr = "invalid bpf_context access",
2335 "check cb access: double, oob 2",
2337 BPF_MOV64_IMM(BPF_REG_0, 0),
2338 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2339 offsetof(struct __sk_buff, cb[4])),
2342 .errstr = "invalid bpf_context access",
2346 "check __sk_buff->ifindex dw store not permitted",
2348 BPF_MOV64_IMM(BPF_REG_0, 0),
2349 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2350 offsetof(struct __sk_buff, ifindex)),
2353 .errstr = "invalid bpf_context access",
2357 "check __sk_buff->ifindex dw load not permitted",
2359 BPF_MOV64_IMM(BPF_REG_0, 0),
2360 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2361 offsetof(struct __sk_buff, ifindex)),
2364 .errstr = "invalid bpf_context access",
2368 "check cb access: double, wrong type",
2370 BPF_MOV64_IMM(BPF_REG_0, 0),
2371 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2372 offsetof(struct __sk_buff, cb[0])),
2375 .errstr = "invalid bpf_context access",
2377 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2380 "check out of range skb->cb access",
2382 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2383 offsetof(struct __sk_buff, cb[0]) + 256),
2386 .errstr = "invalid bpf_context access",
2387 .errstr_unpriv = "",
2389 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2392 "write skb fields from socket prog",
2394 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2395 offsetof(struct __sk_buff, cb[4])),
2396 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2397 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2398 offsetof(struct __sk_buff, mark)),
2399 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2400 offsetof(struct __sk_buff, tc_index)),
2401 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2402 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2403 offsetof(struct __sk_buff, cb[0])),
2404 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2405 offsetof(struct __sk_buff, cb[2])),
2409 .errstr_unpriv = "R1 leaks addr",
2410 .result_unpriv = REJECT,
2413 "write skb fields from tc_cls_act prog",
2415 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2416 offsetof(struct __sk_buff, cb[0])),
2417 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2418 offsetof(struct __sk_buff, mark)),
2419 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2420 offsetof(struct __sk_buff, tc_index)),
2421 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2422 offsetof(struct __sk_buff, tc_index)),
2423 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2424 offsetof(struct __sk_buff, cb[3])),
2427 .errstr_unpriv = "",
2428 .result_unpriv = REJECT,
2430 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2433 "PTR_TO_STACK store/load",
2435 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2436 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2437 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2438 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2442 .retval = 0xfaceb00c,
2445 "PTR_TO_STACK store/load - bad alignment on off",
2447 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2449 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2450 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2454 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2457 "PTR_TO_STACK store/load - bad alignment on reg",
2459 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2461 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2462 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2466 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2469 "PTR_TO_STACK store/load - out of bounds low",
2471 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2472 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2473 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2474 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2478 .errstr = "invalid stack off=-79992 size=8",
2479 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2482 "PTR_TO_STACK store/load - out of bounds high",
2484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2486 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2491 .errstr = "invalid stack off=0 size=8",
2494 "unpriv: return pointer",
2496 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2500 .result_unpriv = REJECT,
2501 .errstr_unpriv = "R0 leaks addr",
2502 .retval = POINTER_VALUE,
2505 "unpriv: add const to pointer",
2507 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2508 BPF_MOV64_IMM(BPF_REG_0, 0),
2514 "unpriv: add pointer to pointer",
2516 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2517 BPF_MOV64_IMM(BPF_REG_0, 0),
2521 .errstr = "R1 pointer += pointer",
2524 "unpriv: neg pointer",
2526 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2527 BPF_MOV64_IMM(BPF_REG_0, 0),
2531 .result_unpriv = REJECT,
2532 .errstr_unpriv = "R1 pointer arithmetic",
2535 "unpriv: cmp pointer with const",
2537 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2538 BPF_MOV64_IMM(BPF_REG_0, 0),
2542 .result_unpriv = REJECT,
2543 .errstr_unpriv = "R1 pointer comparison",
2546 "unpriv: cmp pointer with pointer",
2548 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2549 BPF_MOV64_IMM(BPF_REG_0, 0),
2553 .result_unpriv = REJECT,
2554 .errstr_unpriv = "R10 pointer comparison",
2557 "unpriv: check that printk is disallowed",
2559 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2562 BPF_MOV64_IMM(BPF_REG_2, 8),
2563 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2564 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2565 BPF_FUNC_trace_printk),
2566 BPF_MOV64_IMM(BPF_REG_0, 0),
2569 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2570 .result_unpriv = REJECT,
2574 "unpriv: pass pointer to helper function",
2576 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2577 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2579 BPF_LD_MAP_FD(BPF_REG_1, 0),
2580 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2581 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2583 BPF_FUNC_map_update_elem),
2584 BPF_MOV64_IMM(BPF_REG_0, 0),
2587 .fixup_map1 = { 3 },
2588 .errstr_unpriv = "R4 leaks addr",
2589 .result_unpriv = REJECT,
2593 "unpriv: indirectly pass pointer on stack to helper function",
2595 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2596 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2597 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2598 BPF_LD_MAP_FD(BPF_REG_1, 0),
2599 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2600 BPF_FUNC_map_lookup_elem),
2601 BPF_MOV64_IMM(BPF_REG_0, 0),
2604 .fixup_map1 = { 3 },
2605 .errstr = "invalid indirect read from stack off -8+0 size 8",
2609 "unpriv: mangle pointer on stack 1",
2611 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2612 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2613 BPF_MOV64_IMM(BPF_REG_0, 0),
2616 .errstr_unpriv = "attempt to corrupt spilled",
2617 .result_unpriv = REJECT,
2621 "unpriv: mangle pointer on stack 2",
2623 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2624 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2625 BPF_MOV64_IMM(BPF_REG_0, 0),
2628 .errstr_unpriv = "attempt to corrupt spilled",
2629 .result_unpriv = REJECT,
2633 "unpriv: read pointer from stack in small chunks",
2635 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2636 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2637 BPF_MOV64_IMM(BPF_REG_0, 0),
2640 .errstr = "invalid size",
2644 "unpriv: write pointer into ctx",
2646 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2647 BPF_MOV64_IMM(BPF_REG_0, 0),
2650 .errstr_unpriv = "R1 leaks addr",
2651 .result_unpriv = REJECT,
2652 .errstr = "invalid bpf_context access",
2656 "unpriv: spill/fill of ctx",
2658 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2660 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2661 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2662 BPF_MOV64_IMM(BPF_REG_0, 0),
2668 "unpriv: spill/fill of ctx 2",
2670 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2672 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2673 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2674 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2675 BPF_FUNC_get_hash_recalc),
2676 BPF_MOV64_IMM(BPF_REG_0, 0),
2680 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2683 "unpriv: spill/fill of ctx 3",
2685 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2687 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2688 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2689 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2690 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2691 BPF_FUNC_get_hash_recalc),
2695 .errstr = "R1 type=fp expected=ctx",
2696 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2699 "unpriv: spill/fill of ctx 4",
2701 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2703 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2704 BPF_MOV64_IMM(BPF_REG_0, 1),
2705 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2707 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2708 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2709 BPF_FUNC_get_hash_recalc),
2713 .errstr = "R1 type=inv expected=ctx",
2714 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2717 "unpriv: spill/fill of different pointers stx",
2719 BPF_MOV64_IMM(BPF_REG_3, 42),
2720 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2722 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2725 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2726 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2727 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2728 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2729 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2730 offsetof(struct __sk_buff, mark)),
2731 BPF_MOV64_IMM(BPF_REG_0, 0),
2735 .errstr = "same insn cannot be used with different pointers",
2736 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2739 "unpriv: spill/fill of different pointers ldx",
2741 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2743 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2744 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2746 -(__s32)offsetof(struct bpf_perf_event_data,
2747 sample_period) - 8),
2748 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2749 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2750 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2751 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2752 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2753 offsetof(struct bpf_perf_event_data,
2755 BPF_MOV64_IMM(BPF_REG_0, 0),
2759 .errstr = "same insn cannot be used with different pointers",
2760 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2763 "unpriv: write pointer into map elem value",
2765 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2766 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2768 BPF_LD_MAP_FD(BPF_REG_1, 0),
2769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2770 BPF_FUNC_map_lookup_elem),
2771 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2772 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2775 .fixup_map1 = { 3 },
2776 .errstr_unpriv = "R0 leaks addr",
2777 .result_unpriv = REJECT,
2781 "alu32: mov u32 const",
2783 BPF_MOV32_IMM(BPF_REG_7, 0),
2784 BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
2785 BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
2786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2787 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
2794 "unpriv: partial copy of pointer",
2796 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2797 BPF_MOV64_IMM(BPF_REG_0, 0),
2800 .errstr_unpriv = "R10 partial copy",
2801 .result_unpriv = REJECT,
2805 "unpriv: pass pointer to tail_call",
2807 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2808 BPF_LD_MAP_FD(BPF_REG_2, 0),
2809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2810 BPF_FUNC_tail_call),
2811 BPF_MOV64_IMM(BPF_REG_0, 0),
2814 .fixup_prog1 = { 1 },
2815 .errstr_unpriv = "R3 leaks addr into helper",
2816 .result_unpriv = REJECT,
2820 "unpriv: cmp map pointer with zero",
2822 BPF_MOV64_IMM(BPF_REG_1, 0),
2823 BPF_LD_MAP_FD(BPF_REG_1, 0),
2824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2825 BPF_MOV64_IMM(BPF_REG_0, 0),
2828 .fixup_map1 = { 1 },
2829 .errstr_unpriv = "R1 pointer comparison",
2830 .result_unpriv = REJECT,
2834 "unpriv: write into frame pointer",
2836 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2837 BPF_MOV64_IMM(BPF_REG_0, 0),
2840 .errstr = "frame pointer is read only",
2844 "unpriv: spill/fill frame pointer",
2846 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2848 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2849 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2850 BPF_MOV64_IMM(BPF_REG_0, 0),
2853 .errstr = "frame pointer is read only",
2857 "unpriv: cmp of frame pointer",
2859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2860 BPF_MOV64_IMM(BPF_REG_0, 0),
2863 .errstr_unpriv = "R10 pointer comparison",
2864 .result_unpriv = REJECT,
2868 "unpriv: adding of fp, reg",
2870 BPF_MOV64_IMM(BPF_REG_0, 0),
2871 BPF_MOV64_IMM(BPF_REG_1, 0),
2872 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2873 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2876 .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
2877 .result_unpriv = REJECT,
2881 "unpriv: adding of fp, imm",
2883 BPF_MOV64_IMM(BPF_REG_0, 0),
2884 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2885 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
2886 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2889 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2890 .result_unpriv = REJECT,
2894 "unpriv: cmp of stack pointer",
2896 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2899 BPF_MOV64_IMM(BPF_REG_0, 0),
2902 .errstr_unpriv = "R2 pointer comparison",
2903 .result_unpriv = REJECT,
2907 "runtime/jit: tail_call within bounds, prog once",
2909 BPF_MOV64_IMM(BPF_REG_3, 0),
2910 BPF_LD_MAP_FD(BPF_REG_2, 0),
2911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2912 BPF_FUNC_tail_call),
2913 BPF_MOV64_IMM(BPF_REG_0, 1),
2916 .fixup_prog1 = { 1 },
2921 "runtime/jit: tail_call within bounds, prog loop",
2923 BPF_MOV64_IMM(BPF_REG_3, 1),
2924 BPF_LD_MAP_FD(BPF_REG_2, 0),
2925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2926 BPF_FUNC_tail_call),
2927 BPF_MOV64_IMM(BPF_REG_0, 1),
2930 .fixup_prog1 = { 1 },
2935 "runtime/jit: tail_call within bounds, no prog",
2937 BPF_MOV64_IMM(BPF_REG_3, 2),
2938 BPF_LD_MAP_FD(BPF_REG_2, 0),
2939 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2940 BPF_FUNC_tail_call),
2941 BPF_MOV64_IMM(BPF_REG_0, 1),
2944 .fixup_prog1 = { 1 },
2949 "runtime/jit: tail_call out of bounds",
2951 BPF_MOV64_IMM(BPF_REG_3, 256),
2952 BPF_LD_MAP_FD(BPF_REG_2, 0),
2953 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2954 BPF_FUNC_tail_call),
2955 BPF_MOV64_IMM(BPF_REG_0, 2),
2958 .fixup_prog1 = { 1 },
2963 "runtime/jit: pass negative index to tail_call",
2965 BPF_MOV64_IMM(BPF_REG_3, -1),
2966 BPF_LD_MAP_FD(BPF_REG_2, 0),
2967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2968 BPF_FUNC_tail_call),
2969 BPF_MOV64_IMM(BPF_REG_0, 2),
2972 .fixup_prog1 = { 1 },
2977 "runtime/jit: pass > 32bit index to tail_call",
2979 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2980 BPF_LD_MAP_FD(BPF_REG_2, 0),
2981 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2982 BPF_FUNC_tail_call),
2983 BPF_MOV64_IMM(BPF_REG_0, 2),
2986 .fixup_prog1 = { 2 },
2991 "stack pointer arithmetic",
2993 BPF_MOV64_IMM(BPF_REG_1, 4),
2994 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2995 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2998 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2999 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3000 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3001 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3003 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3004 BPF_MOV64_IMM(BPF_REG_0, 0),
3010 "raw_stack: no skb_load_bytes",
3012 BPF_MOV64_IMM(BPF_REG_2, 4),
3013 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3015 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3016 BPF_MOV64_IMM(BPF_REG_4, 8),
3017 /* Call to skb_load_bytes() omitted. */
3018 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3022 .errstr = "invalid read from stack off -8+0 size 8",
3023 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3026 "raw_stack: skb_load_bytes, negative len",
3028 BPF_MOV64_IMM(BPF_REG_2, 4),
3029 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3031 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3032 BPF_MOV64_IMM(BPF_REG_4, -8),
3033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3034 BPF_FUNC_skb_load_bytes),
3035 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3039 .errstr = "R4 min value is negative",
3040 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3043 "raw_stack: skb_load_bytes, negative len 2",
3045 BPF_MOV64_IMM(BPF_REG_2, 4),
3046 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3048 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3049 BPF_MOV64_IMM(BPF_REG_4, ~0),
3050 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3051 BPF_FUNC_skb_load_bytes),
3052 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3056 .errstr = "R4 min value is negative",
3057 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3060 "raw_stack: skb_load_bytes, zero len",
3062 BPF_MOV64_IMM(BPF_REG_2, 4),
3063 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3064 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3065 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3066 BPF_MOV64_IMM(BPF_REG_4, 0),
3067 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3068 BPF_FUNC_skb_load_bytes),
3069 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3073 .errstr = "invalid stack type R3",
3074 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3077 "raw_stack: skb_load_bytes, no init",
3079 BPF_MOV64_IMM(BPF_REG_2, 4),
3080 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3081 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3082 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3083 BPF_MOV64_IMM(BPF_REG_4, 8),
3084 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3085 BPF_FUNC_skb_load_bytes),
3086 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3090 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3093 "raw_stack: skb_load_bytes, init",
3095 BPF_MOV64_IMM(BPF_REG_2, 4),
3096 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3098 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3099 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3100 BPF_MOV64_IMM(BPF_REG_4, 8),
3101 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3102 BPF_FUNC_skb_load_bytes),
3103 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3107 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3110 "raw_stack: skb_load_bytes, spilled regs around bounds",
3112 BPF_MOV64_IMM(BPF_REG_2, 4),
3113 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3115 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3116 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3117 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3118 BPF_MOV64_IMM(BPF_REG_4, 8),
3119 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3120 BPF_FUNC_skb_load_bytes),
3121 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3122 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3123 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3124 offsetof(struct __sk_buff, mark)),
3125 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3126 offsetof(struct __sk_buff, priority)),
3127 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3131 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3134 "raw_stack: skb_load_bytes, spilled regs corruption",
3136 BPF_MOV64_IMM(BPF_REG_2, 4),
3137 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3139 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3140 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3141 BPF_MOV64_IMM(BPF_REG_4, 8),
3142 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3143 BPF_FUNC_skb_load_bytes),
3144 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3145 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3146 offsetof(struct __sk_buff, mark)),
3150 .errstr = "R0 invalid mem access 'inv'",
3151 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3154 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3156 BPF_MOV64_IMM(BPF_REG_2, 4),
3157 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3159 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3160 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3161 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3162 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3163 BPF_MOV64_IMM(BPF_REG_4, 8),
3164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3165 BPF_FUNC_skb_load_bytes),
3166 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3167 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3168 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3169 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3170 offsetof(struct __sk_buff, mark)),
3171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3172 offsetof(struct __sk_buff, priority)),
3173 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3174 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3175 offsetof(struct __sk_buff, pkt_type)),
3176 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3180 .errstr = "R3 invalid mem access 'inv'",
3181 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3184 "raw_stack: skb_load_bytes, spilled regs + data",
3186 BPF_MOV64_IMM(BPF_REG_2, 4),
3187 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3189 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3190 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3191 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
3192 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3193 BPF_MOV64_IMM(BPF_REG_4, 8),
3194 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3195 BPF_FUNC_skb_load_bytes),
3196 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3197 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
3198 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
3199 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3200 offsetof(struct __sk_buff, mark)),
3201 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3202 offsetof(struct __sk_buff, priority)),
3203 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3204 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3208 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3211 "raw_stack: skb_load_bytes, invalid access 1",
3213 BPF_MOV64_IMM(BPF_REG_2, 4),
3214 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3216 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3217 BPF_MOV64_IMM(BPF_REG_4, 8),
3218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3219 BPF_FUNC_skb_load_bytes),
3220 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3224 .errstr = "invalid stack type R3 off=-513 access_size=8",
3225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3228 "raw_stack: skb_load_bytes, invalid access 2",
3230 BPF_MOV64_IMM(BPF_REG_2, 4),
3231 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3232 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3233 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3234 BPF_MOV64_IMM(BPF_REG_4, 8),
3235 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3236 BPF_FUNC_skb_load_bytes),
3237 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3241 .errstr = "invalid stack type R3 off=-1 access_size=8",
3242 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3245 "raw_stack: skb_load_bytes, invalid access 3",
3247 BPF_MOV64_IMM(BPF_REG_2, 4),
3248 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3250 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3251 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3252 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3253 BPF_FUNC_skb_load_bytes),
3254 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3258 .errstr = "R4 min value is negative",
3259 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3262 "raw_stack: skb_load_bytes, invalid access 4",
3264 BPF_MOV64_IMM(BPF_REG_2, 4),
3265 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3267 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3268 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3270 BPF_FUNC_skb_load_bytes),
3271 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3275 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3276 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3279 "raw_stack: skb_load_bytes, invalid access 5",
3281 BPF_MOV64_IMM(BPF_REG_2, 4),
3282 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3283 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3284 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3285 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3286 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3287 BPF_FUNC_skb_load_bytes),
3288 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3292 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3293 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3296 "raw_stack: skb_load_bytes, invalid access 6",
3298 BPF_MOV64_IMM(BPF_REG_2, 4),
3299 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3301 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3302 BPF_MOV64_IMM(BPF_REG_4, 0),
3303 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3304 BPF_FUNC_skb_load_bytes),
3305 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3309 .errstr = "invalid stack type R3 off=-512 access_size=0",
3310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3313 "raw_stack: skb_load_bytes, large access",
3315 BPF_MOV64_IMM(BPF_REG_2, 4),
3316 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3318 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3319 BPF_MOV64_IMM(BPF_REG_4, 512),
3320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3321 BPF_FUNC_skb_load_bytes),
3322 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3329 "context stores via ST",
3331 BPF_MOV64_IMM(BPF_REG_0, 0),
3332 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3335 .errstr = "BPF_ST stores into R1 context is not allowed",
3337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3340 "context stores via XADD",
3342 BPF_MOV64_IMM(BPF_REG_0, 0),
3343 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3344 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3347 .errstr = "BPF_XADD stores into R1 context is not allowed",
3349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3352 "direct packet access: test1",
3354 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3355 offsetof(struct __sk_buff, data)),
3356 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3357 offsetof(struct __sk_buff, data_end)),
3358 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3360 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3361 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3362 BPF_MOV64_IMM(BPF_REG_0, 0),
3366 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3369 "direct packet access: test2",
3371 BPF_MOV64_IMM(BPF_REG_0, 1),
3372 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3373 offsetof(struct __sk_buff, data_end)),
3374 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3375 offsetof(struct __sk_buff, data)),
3376 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3378 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3379 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3380 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3381 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3382 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3383 offsetof(struct __sk_buff, data)),
3384 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3386 offsetof(struct __sk_buff, len)),
3387 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3388 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3389 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3390 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3392 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3393 offsetof(struct __sk_buff, data_end)),
3394 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3395 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3396 BPF_MOV64_IMM(BPF_REG_0, 0),
3400 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3403 "direct packet access: test3",
3405 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3406 offsetof(struct __sk_buff, data)),
3407 BPF_MOV64_IMM(BPF_REG_0, 0),
3410 .errstr = "invalid bpf_context access off=76",
3412 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3415 "direct packet access: test4 (write)",
3417 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3418 offsetof(struct __sk_buff, data)),
3419 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3420 offsetof(struct __sk_buff, data_end)),
3421 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3422 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3423 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3424 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3425 BPF_MOV64_IMM(BPF_REG_0, 0),
3429 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3432 "direct packet access: test5 (pkt_end >= reg, good access)",
3434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3435 offsetof(struct __sk_buff, data)),
3436 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3437 offsetof(struct __sk_buff, data_end)),
3438 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3440 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3441 BPF_MOV64_IMM(BPF_REG_0, 1),
3443 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3444 BPF_MOV64_IMM(BPF_REG_0, 0),
3448 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3451 "direct packet access: test6 (pkt_end >= reg, bad access)",
3453 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3454 offsetof(struct __sk_buff, data)),
3455 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3456 offsetof(struct __sk_buff, data_end)),
3457 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3459 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3460 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3461 BPF_MOV64_IMM(BPF_REG_0, 1),
3463 BPF_MOV64_IMM(BPF_REG_0, 0),
3466 .errstr = "invalid access to packet",
3468 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3471 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3473 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3474 offsetof(struct __sk_buff, data)),
3475 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3476 offsetof(struct __sk_buff, data_end)),
3477 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3479 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3480 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3481 BPF_MOV64_IMM(BPF_REG_0, 1),
3483 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3484 BPF_MOV64_IMM(BPF_REG_0, 0),
3487 .errstr = "invalid access to packet",
3489 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3492 "direct packet access: test8 (double test, variant 1)",
3494 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3495 offsetof(struct __sk_buff, data)),
3496 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3497 offsetof(struct __sk_buff, data_end)),
3498 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3500 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3501 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3502 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3503 BPF_MOV64_IMM(BPF_REG_0, 1),
3505 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3506 BPF_MOV64_IMM(BPF_REG_0, 0),
3510 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3513 "direct packet access: test9 (double test, variant 2)",
3515 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3516 offsetof(struct __sk_buff, data)),
3517 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3518 offsetof(struct __sk_buff, data_end)),
3519 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3521 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3522 BPF_MOV64_IMM(BPF_REG_0, 1),
3524 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3525 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3526 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3527 BPF_MOV64_IMM(BPF_REG_0, 0),
3531 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3534 "direct packet access: test10 (write invalid)",
3536 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3537 offsetof(struct __sk_buff, data)),
3538 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3539 offsetof(struct __sk_buff, data_end)),
3540 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3542 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3543 BPF_MOV64_IMM(BPF_REG_0, 0),
3545 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3546 BPF_MOV64_IMM(BPF_REG_0, 0),
3549 .errstr = "invalid access to packet",
3551 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3554 "direct packet access: test11 (shift, good access)",
3556 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3557 offsetof(struct __sk_buff, data)),
3558 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3559 offsetof(struct __sk_buff, data_end)),
3560 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3561 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3562 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3563 BPF_MOV64_IMM(BPF_REG_3, 144),
3564 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3566 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3567 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3568 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3569 BPF_MOV64_IMM(BPF_REG_0, 1),
3571 BPF_MOV64_IMM(BPF_REG_0, 0),
3575 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3579 "direct packet access: test12 (and, good access)",
3581 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3582 offsetof(struct __sk_buff, data)),
3583 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3584 offsetof(struct __sk_buff, data_end)),
3585 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3586 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3587 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3588 BPF_MOV64_IMM(BPF_REG_3, 144),
3589 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3591 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3592 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3593 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3594 BPF_MOV64_IMM(BPF_REG_0, 1),
3596 BPF_MOV64_IMM(BPF_REG_0, 0),
3600 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3604 "direct packet access: test13 (branches, good access)",
3606 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3607 offsetof(struct __sk_buff, data)),
3608 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3609 offsetof(struct __sk_buff, data_end)),
3610 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3612 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3613 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3614 offsetof(struct __sk_buff, mark)),
3615 BPF_MOV64_IMM(BPF_REG_4, 1),
3616 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3617 BPF_MOV64_IMM(BPF_REG_3, 14),
3618 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3619 BPF_MOV64_IMM(BPF_REG_3, 24),
3620 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3622 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3623 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3624 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3625 BPF_MOV64_IMM(BPF_REG_0, 1),
3627 BPF_MOV64_IMM(BPF_REG_0, 0),
3631 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3635 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3637 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3638 offsetof(struct __sk_buff, data)),
3639 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3640 offsetof(struct __sk_buff, data_end)),
3641 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3643 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3644 BPF_MOV64_IMM(BPF_REG_5, 12),
3645 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3646 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3647 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3648 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3649 BPF_MOV64_IMM(BPF_REG_0, 1),
3651 BPF_MOV64_IMM(BPF_REG_0, 0),
3655 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3659 "direct packet access: test15 (spill with xadd)",
3661 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3662 offsetof(struct __sk_buff, data)),
3663 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3664 offsetof(struct __sk_buff, data_end)),
3665 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3666 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3667 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3668 BPF_MOV64_IMM(BPF_REG_5, 4096),
3669 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3671 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3672 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3673 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3674 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3675 BPF_MOV64_IMM(BPF_REG_0, 0),
3678 .errstr = "R2 invalid mem access 'inv'",
3680 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3683 "direct packet access: test16 (arith on data_end)",
3685 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3686 offsetof(struct __sk_buff, data)),
3687 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3688 offsetof(struct __sk_buff, data_end)),
3689 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3692 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3693 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3694 BPF_MOV64_IMM(BPF_REG_0, 0),
3697 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3699 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3702 "direct packet access: test17 (pruning, alignment)",
3704 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3705 offsetof(struct __sk_buff, data)),
3706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3707 offsetof(struct __sk_buff, data_end)),
3708 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3709 offsetof(struct __sk_buff, mark)),
3710 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3712 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3713 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3714 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3715 BPF_MOV64_IMM(BPF_REG_0, 0),
3717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3720 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3722 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3723 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3726 "direct packet access: test18 (imm += pkt_ptr, 1)",
3728 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3729 offsetof(struct __sk_buff, data)),
3730 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3731 offsetof(struct __sk_buff, data_end)),
3732 BPF_MOV64_IMM(BPF_REG_0, 8),
3733 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3734 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3735 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3736 BPF_MOV64_IMM(BPF_REG_0, 0),
3740 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3743 "direct packet access: test19 (imm += pkt_ptr, 2)",
3745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3746 offsetof(struct __sk_buff, data)),
3747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3748 offsetof(struct __sk_buff, data_end)),
3749 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3751 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3752 BPF_MOV64_IMM(BPF_REG_4, 4),
3753 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3754 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3755 BPF_MOV64_IMM(BPF_REG_0, 0),
3759 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3762 "direct packet access: test20 (x += pkt_ptr, 1)",
3764 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3765 offsetof(struct __sk_buff, data)),
3766 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3767 offsetof(struct __sk_buff, data_end)),
3768 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3769 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3770 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3771 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3772 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3773 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3774 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3776 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3777 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3778 BPF_MOV64_IMM(BPF_REG_0, 0),
3781 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3785 "direct packet access: test21 (x += pkt_ptr, 2)",
3787 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3788 offsetof(struct __sk_buff, data)),
3789 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3790 offsetof(struct __sk_buff, data_end)),
3791 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3793 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3794 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3795 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3796 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3797 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3798 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3799 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3801 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3802 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3803 BPF_MOV64_IMM(BPF_REG_0, 0),
3806 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3810 "direct packet access: test22 (x += pkt_ptr, 3)",
3812 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3813 offsetof(struct __sk_buff, data)),
3814 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3815 offsetof(struct __sk_buff, data_end)),
3816 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3817 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3818 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3819 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3820 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3821 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3822 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3823 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3824 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3825 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3826 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3827 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3828 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3830 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3831 BPF_MOV64_IMM(BPF_REG_2, 1),
3832 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3833 BPF_MOV64_IMM(BPF_REG_0, 0),
3836 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3840 "direct packet access: test23 (x += pkt_ptr, 4)",
3842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3843 offsetof(struct __sk_buff, data)),
3844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3845 offsetof(struct __sk_buff, data_end)),
3846 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3847 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3848 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3849 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3850 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3851 BPF_MOV64_IMM(BPF_REG_0, 31),
3852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3853 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3854 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3856 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3857 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3858 BPF_MOV64_IMM(BPF_REG_0, 0),
3861 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3863 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3866 "direct packet access: test24 (x += pkt_ptr, 5)",
3868 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3869 offsetof(struct __sk_buff, data)),
3870 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3871 offsetof(struct __sk_buff, data_end)),
3872 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3873 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3874 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3875 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3876 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3877 BPF_MOV64_IMM(BPF_REG_0, 64),
3878 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3879 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3880 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3882 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3883 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3884 BPF_MOV64_IMM(BPF_REG_0, 0),
3887 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3891 "direct packet access: test25 (marking on <, good access)",
3893 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3894 offsetof(struct __sk_buff, data)),
3895 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3896 offsetof(struct __sk_buff, data_end)),
3897 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3899 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3900 BPF_MOV64_IMM(BPF_REG_0, 0),
3902 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3903 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3906 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3909 "direct packet access: test26 (marking on <, bad access)",
3911 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3912 offsetof(struct __sk_buff, data)),
3913 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3914 offsetof(struct __sk_buff, data_end)),
3915 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3917 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3918 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3919 BPF_MOV64_IMM(BPF_REG_0, 0),
3921 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3924 .errstr = "invalid access to packet",
3925 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3928 "direct packet access: test27 (marking on <=, good access)",
3930 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3931 offsetof(struct __sk_buff, data)),
3932 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3933 offsetof(struct __sk_buff, data_end)),
3934 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3936 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3937 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3938 BPF_MOV64_IMM(BPF_REG_0, 1),
3942 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3946 "direct packet access: test28 (marking on <=, bad access)",
3948 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3949 offsetof(struct __sk_buff, data)),
3950 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3951 offsetof(struct __sk_buff, data_end)),
3952 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3954 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3955 BPF_MOV64_IMM(BPF_REG_0, 1),
3957 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3958 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3961 .errstr = "invalid access to packet",
3962 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3965 "helper access to packet: test1, valid packet_ptr range",
3967 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3968 offsetof(struct xdp_md, data)),
3969 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3970 offsetof(struct xdp_md, data_end)),
3971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3972 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3973 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3974 BPF_LD_MAP_FD(BPF_REG_1, 0),
3975 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3976 BPF_MOV64_IMM(BPF_REG_4, 0),
3977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3978 BPF_FUNC_map_update_elem),
3979 BPF_MOV64_IMM(BPF_REG_0, 0),
3982 .fixup_map1 = { 5 },
3983 .result_unpriv = ACCEPT,
3985 .prog_type = BPF_PROG_TYPE_XDP,
3988 "helper access to packet: test2, unchecked packet_ptr",
3990 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3991 offsetof(struct xdp_md, data)),
3992 BPF_LD_MAP_FD(BPF_REG_1, 0),
3993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3994 BPF_FUNC_map_lookup_elem),
3995 BPF_MOV64_IMM(BPF_REG_0, 0),
3998 .fixup_map1 = { 1 },
4000 .errstr = "invalid access to packet",
4001 .prog_type = BPF_PROG_TYPE_XDP,
4004 "helper access to packet: test3, variable add",
4006 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4007 offsetof(struct xdp_md, data)),
4008 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4009 offsetof(struct xdp_md, data_end)),
4010 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4012 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4013 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4014 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4015 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4016 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4018 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4019 BPF_LD_MAP_FD(BPF_REG_1, 0),
4020 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4021 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4022 BPF_FUNC_map_lookup_elem),
4023 BPF_MOV64_IMM(BPF_REG_0, 0),
4026 .fixup_map1 = { 11 },
4028 .prog_type = BPF_PROG_TYPE_XDP,
4031 "helper access to packet: test4, packet_ptr with bad range",
4033 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4034 offsetof(struct xdp_md, data)),
4035 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4036 offsetof(struct xdp_md, data_end)),
4037 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4039 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4040 BPF_MOV64_IMM(BPF_REG_0, 0),
4042 BPF_LD_MAP_FD(BPF_REG_1, 0),
4043 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4044 BPF_FUNC_map_lookup_elem),
4045 BPF_MOV64_IMM(BPF_REG_0, 0),
4048 .fixup_map1 = { 7 },
4050 .errstr = "invalid access to packet",
4051 .prog_type = BPF_PROG_TYPE_XDP,
4054 "helper access to packet: test5, packet_ptr with too short range",
4056 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4057 offsetof(struct xdp_md, data)),
4058 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4059 offsetof(struct xdp_md, data_end)),
4060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4061 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4063 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4064 BPF_LD_MAP_FD(BPF_REG_1, 0),
4065 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4066 BPF_FUNC_map_lookup_elem),
4067 BPF_MOV64_IMM(BPF_REG_0, 0),
4070 .fixup_map1 = { 6 },
4072 .errstr = "invalid access to packet",
4073 .prog_type = BPF_PROG_TYPE_XDP,
4076 "helper access to packet: test6, cls valid packet_ptr range",
4078 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4079 offsetof(struct __sk_buff, data)),
4080 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4081 offsetof(struct __sk_buff, data_end)),
4082 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4084 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4085 BPF_LD_MAP_FD(BPF_REG_1, 0),
4086 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4087 BPF_MOV64_IMM(BPF_REG_4, 0),
4088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4089 BPF_FUNC_map_update_elem),
4090 BPF_MOV64_IMM(BPF_REG_0, 0),
4093 .fixup_map1 = { 5 },
4095 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4098 "helper access to packet: test7, cls unchecked packet_ptr",
4100 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4101 offsetof(struct __sk_buff, data)),
4102 BPF_LD_MAP_FD(BPF_REG_1, 0),
4103 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4104 BPF_FUNC_map_lookup_elem),
4105 BPF_MOV64_IMM(BPF_REG_0, 0),
4108 .fixup_map1 = { 1 },
4110 .errstr = "invalid access to packet",
4111 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4114 "helper access to packet: test8, cls variable add",
4116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4117 offsetof(struct __sk_buff, data)),
4118 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4119 offsetof(struct __sk_buff, data_end)),
4120 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4122 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4123 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4124 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4125 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4126 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4128 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4129 BPF_LD_MAP_FD(BPF_REG_1, 0),
4130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4132 BPF_FUNC_map_lookup_elem),
4133 BPF_MOV64_IMM(BPF_REG_0, 0),
4136 .fixup_map1 = { 11 },
4138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4141 "helper access to packet: test9, cls packet_ptr with bad range",
4143 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4144 offsetof(struct __sk_buff, data)),
4145 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4146 offsetof(struct __sk_buff, data_end)),
4147 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4148 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4149 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4150 BPF_MOV64_IMM(BPF_REG_0, 0),
4152 BPF_LD_MAP_FD(BPF_REG_1, 0),
4153 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4154 BPF_FUNC_map_lookup_elem),
4155 BPF_MOV64_IMM(BPF_REG_0, 0),
4158 .fixup_map1 = { 7 },
4160 .errstr = "invalid access to packet",
4161 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4164 "helper access to packet: test10, cls packet_ptr with too short range",
4166 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4167 offsetof(struct __sk_buff, data)),
4168 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4169 offsetof(struct __sk_buff, data_end)),
4170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4171 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4173 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4174 BPF_LD_MAP_FD(BPF_REG_1, 0),
4175 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4176 BPF_FUNC_map_lookup_elem),
4177 BPF_MOV64_IMM(BPF_REG_0, 0),
4180 .fixup_map1 = { 6 },
4182 .errstr = "invalid access to packet",
4183 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4186 "helper access to packet: test11, cls unsuitable helper 1",
4188 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4189 offsetof(struct __sk_buff, data)),
4190 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4191 offsetof(struct __sk_buff, data_end)),
4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4193 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4195 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4196 BPF_MOV64_IMM(BPF_REG_2, 0),
4197 BPF_MOV64_IMM(BPF_REG_4, 42),
4198 BPF_MOV64_IMM(BPF_REG_5, 0),
4199 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4200 BPF_FUNC_skb_store_bytes),
4201 BPF_MOV64_IMM(BPF_REG_0, 0),
4205 .errstr = "helper access to the packet",
4206 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4209 "helper access to packet: test12, cls unsuitable helper 2",
4211 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4212 offsetof(struct __sk_buff, data)),
4213 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4214 offsetof(struct __sk_buff, data_end)),
4215 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4216 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4217 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4218 BPF_MOV64_IMM(BPF_REG_2, 0),
4219 BPF_MOV64_IMM(BPF_REG_4, 4),
4220 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4221 BPF_FUNC_skb_load_bytes),
4222 BPF_MOV64_IMM(BPF_REG_0, 0),
4226 .errstr = "helper access to the packet",
4227 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4230 "helper access to packet: test13, cls helper ok",
4232 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4233 offsetof(struct __sk_buff, data)),
4234 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4235 offsetof(struct __sk_buff, data_end)),
4236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4239 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4240 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4241 BPF_MOV64_IMM(BPF_REG_2, 4),
4242 BPF_MOV64_IMM(BPF_REG_3, 0),
4243 BPF_MOV64_IMM(BPF_REG_4, 0),
4244 BPF_MOV64_IMM(BPF_REG_5, 0),
4245 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4246 BPF_FUNC_csum_diff),
4247 BPF_MOV64_IMM(BPF_REG_0, 0),
4251 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4254 "helper access to packet: test14, cls helper ok sub",
4256 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4257 offsetof(struct __sk_buff, data)),
4258 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4259 offsetof(struct __sk_buff, data_end)),
4260 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4261 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4263 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4264 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4265 BPF_MOV64_IMM(BPF_REG_2, 4),
4266 BPF_MOV64_IMM(BPF_REG_3, 0),
4267 BPF_MOV64_IMM(BPF_REG_4, 0),
4268 BPF_MOV64_IMM(BPF_REG_5, 0),
4269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4270 BPF_FUNC_csum_diff),
4271 BPF_MOV64_IMM(BPF_REG_0, 0),
4275 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4278 "helper access to packet: test15, cls helper fail sub",
4280 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4281 offsetof(struct __sk_buff, data)),
4282 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4283 offsetof(struct __sk_buff, data_end)),
4284 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4287 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4288 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4289 BPF_MOV64_IMM(BPF_REG_2, 4),
4290 BPF_MOV64_IMM(BPF_REG_3, 0),
4291 BPF_MOV64_IMM(BPF_REG_4, 0),
4292 BPF_MOV64_IMM(BPF_REG_5, 0),
4293 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4294 BPF_FUNC_csum_diff),
4295 BPF_MOV64_IMM(BPF_REG_0, 0),
4299 .errstr = "invalid access to packet",
4300 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4303 "helper access to packet: test16, cls helper fail range 1",
4305 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4306 offsetof(struct __sk_buff, data)),
4307 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4308 offsetof(struct __sk_buff, data_end)),
4309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4312 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4313 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4314 BPF_MOV64_IMM(BPF_REG_2, 8),
4315 BPF_MOV64_IMM(BPF_REG_3, 0),
4316 BPF_MOV64_IMM(BPF_REG_4, 0),
4317 BPF_MOV64_IMM(BPF_REG_5, 0),
4318 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4319 BPF_FUNC_csum_diff),
4320 BPF_MOV64_IMM(BPF_REG_0, 0),
4324 .errstr = "invalid access to packet",
4325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4328 "helper access to packet: test17, cls helper fail range 2",
4330 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4331 offsetof(struct __sk_buff, data)),
4332 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4333 offsetof(struct __sk_buff, data_end)),
4334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4337 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4339 BPF_MOV64_IMM(BPF_REG_2, -9),
4340 BPF_MOV64_IMM(BPF_REG_3, 0),
4341 BPF_MOV64_IMM(BPF_REG_4, 0),
4342 BPF_MOV64_IMM(BPF_REG_5, 0),
4343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4344 BPF_FUNC_csum_diff),
4345 BPF_MOV64_IMM(BPF_REG_0, 0),
4349 .errstr = "R2 min value is negative",
4350 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4353 "helper access to packet: test18, cls helper fail range 3",
4355 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4356 offsetof(struct __sk_buff, data)),
4357 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4358 offsetof(struct __sk_buff, data_end)),
4359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4362 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4363 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4364 BPF_MOV64_IMM(BPF_REG_2, ~0),
4365 BPF_MOV64_IMM(BPF_REG_3, 0),
4366 BPF_MOV64_IMM(BPF_REG_4, 0),
4367 BPF_MOV64_IMM(BPF_REG_5, 0),
4368 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4369 BPF_FUNC_csum_diff),
4370 BPF_MOV64_IMM(BPF_REG_0, 0),
4374 .errstr = "R2 min value is negative",
4375 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4378 "helper access to packet: test19, cls helper range zero",
4380 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4381 offsetof(struct __sk_buff, data)),
4382 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4383 offsetof(struct __sk_buff, data_end)),
4384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4387 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4388 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4389 BPF_MOV64_IMM(BPF_REG_2, 0),
4390 BPF_MOV64_IMM(BPF_REG_3, 0),
4391 BPF_MOV64_IMM(BPF_REG_4, 0),
4392 BPF_MOV64_IMM(BPF_REG_5, 0),
4393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4394 BPF_FUNC_csum_diff),
4395 BPF_MOV64_IMM(BPF_REG_0, 0),
4399 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4402 "helper access to packet: test20, pkt end as input",
4404 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4405 offsetof(struct __sk_buff, data)),
4406 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4407 offsetof(struct __sk_buff, data_end)),
4408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4411 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4412 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4413 BPF_MOV64_IMM(BPF_REG_2, 4),
4414 BPF_MOV64_IMM(BPF_REG_3, 0),
4415 BPF_MOV64_IMM(BPF_REG_4, 0),
4416 BPF_MOV64_IMM(BPF_REG_5, 0),
4417 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4418 BPF_FUNC_csum_diff),
4419 BPF_MOV64_IMM(BPF_REG_0, 0),
4423 .errstr = "R1 type=pkt_end expected=fp",
4424 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4427 "helper access to packet: test21, wrong reg",
4429 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4430 offsetof(struct __sk_buff, data)),
4431 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4432 offsetof(struct __sk_buff, data_end)),
4433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4434 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4436 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4437 BPF_MOV64_IMM(BPF_REG_2, 4),
4438 BPF_MOV64_IMM(BPF_REG_3, 0),
4439 BPF_MOV64_IMM(BPF_REG_4, 0),
4440 BPF_MOV64_IMM(BPF_REG_5, 0),
4441 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4442 BPF_FUNC_csum_diff),
4443 BPF_MOV64_IMM(BPF_REG_0, 0),
4447 .errstr = "invalid access to packet",
4448 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4451 "valid map access into an array with a constant",
4453 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4454 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4456 BPF_LD_MAP_FD(BPF_REG_1, 0),
4457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4458 BPF_FUNC_map_lookup_elem),
4459 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4460 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4461 offsetof(struct test_val, foo)),
4464 .fixup_map2 = { 3 },
4465 .errstr_unpriv = "R0 leaks addr",
4466 .result_unpriv = REJECT,
4470 "valid map access into an array with a register",
4472 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4475 BPF_LD_MAP_FD(BPF_REG_1, 0),
4476 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4477 BPF_FUNC_map_lookup_elem),
4478 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4479 BPF_MOV64_IMM(BPF_REG_1, 4),
4480 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4481 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4482 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4483 offsetof(struct test_val, foo)),
4486 .fixup_map2 = { 3 },
4487 .errstr_unpriv = "R0 leaks addr",
4488 .result_unpriv = REJECT,
4490 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4493 "valid map access into an array with a variable",
4495 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4498 BPF_LD_MAP_FD(BPF_REG_1, 0),
4499 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4500 BPF_FUNC_map_lookup_elem),
4501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4502 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4503 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4504 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4505 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4506 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4507 offsetof(struct test_val, foo)),
4510 .fixup_map2 = { 3 },
4511 .errstr_unpriv = "R0 leaks addr",
4512 .result_unpriv = REJECT,
4514 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4517 "valid map access into an array with a signed variable",
4519 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4522 BPF_LD_MAP_FD(BPF_REG_1, 0),
4523 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4524 BPF_FUNC_map_lookup_elem),
4525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4526 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4527 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4528 BPF_MOV32_IMM(BPF_REG_1, 0),
4529 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4530 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4531 BPF_MOV32_IMM(BPF_REG_1, 0),
4532 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4533 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4534 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4535 offsetof(struct test_val, foo)),
4538 .fixup_map2 = { 3 },
4539 .errstr_unpriv = "R0 leaks addr",
4540 .result_unpriv = REJECT,
4542 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4545 "invalid map access into an array with a constant",
4547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4550 BPF_LD_MAP_FD(BPF_REG_1, 0),
4551 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4552 BPF_FUNC_map_lookup_elem),
4553 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4554 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4555 offsetof(struct test_val, foo)),
4558 .fixup_map2 = { 3 },
4559 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4563 "invalid map access into an array with a register",
4565 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4566 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4567 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4568 BPF_LD_MAP_FD(BPF_REG_1, 0),
4569 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4570 BPF_FUNC_map_lookup_elem),
4571 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4572 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4573 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4574 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4575 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4576 offsetof(struct test_val, foo)),
4579 .fixup_map2 = { 3 },
4580 .errstr = "R0 min value is outside of the array range",
4582 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4585 "invalid map access into an array with a variable",
4587 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4588 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4590 BPF_LD_MAP_FD(BPF_REG_1, 0),
4591 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4592 BPF_FUNC_map_lookup_elem),
4593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4594 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4595 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4596 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4597 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4598 offsetof(struct test_val, foo)),
4601 .fixup_map2 = { 3 },
4602 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4604 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4607 "invalid map access into an array with no floor check",
4609 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4610 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4612 BPF_LD_MAP_FD(BPF_REG_1, 0),
4613 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4614 BPF_FUNC_map_lookup_elem),
4615 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4616 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4617 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4618 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4619 BPF_MOV32_IMM(BPF_REG_1, 0),
4620 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4621 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4622 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4623 offsetof(struct test_val, foo)),
4626 .fixup_map2 = { 3 },
4627 .errstr_unpriv = "R0 leaks addr",
4628 .errstr = "R0 unbounded memory access",
4629 .result_unpriv = REJECT,
4631 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4634 "invalid map access into an array with a invalid max check",
4636 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4637 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4639 BPF_LD_MAP_FD(BPF_REG_1, 0),
4640 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4641 BPF_FUNC_map_lookup_elem),
4642 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4643 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4644 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4645 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4646 BPF_MOV32_IMM(BPF_REG_1, 0),
4647 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4648 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4649 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4650 offsetof(struct test_val, foo)),
4653 .fixup_map2 = { 3 },
4654 .errstr_unpriv = "R0 leaks addr",
4655 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4656 .result_unpriv = REJECT,
4658 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4661 "invalid map access into an array with a invalid max check",
4663 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4664 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4666 BPF_LD_MAP_FD(BPF_REG_1, 0),
4667 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4668 BPF_FUNC_map_lookup_elem),
4669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4670 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4674 BPF_LD_MAP_FD(BPF_REG_1, 0),
4675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4676 BPF_FUNC_map_lookup_elem),
4677 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4678 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4679 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4680 offsetof(struct test_val, foo)),
4683 .fixup_map2 = { 3, 11 },
4684 .errstr = "R0 pointer += pointer",
4686 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4689 "valid cgroup storage access",
4691 BPF_MOV64_IMM(BPF_REG_2, 0),
4692 BPF_LD_MAP_FD(BPF_REG_1, 0),
4693 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4694 BPF_FUNC_get_local_storage),
4695 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4696 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4697 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4700 .fixup_cgroup_storage = { 1 },
4702 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4705 "invalid cgroup storage access 1",
4707 BPF_MOV64_IMM(BPF_REG_2, 0),
4708 BPF_LD_MAP_FD(BPF_REG_1, 0),
4709 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4710 BPF_FUNC_get_local_storage),
4711 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4712 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4713 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4716 .fixup_map1 = { 1 },
4718 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4719 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4722 "invalid cgroup storage access 2",
4724 BPF_MOV64_IMM(BPF_REG_2, 0),
4725 BPF_LD_MAP_FD(BPF_REG_1, 1),
4726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4727 BPF_FUNC_get_local_storage),
4728 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4732 .errstr = "fd 1 is not pointing to valid bpf_map",
4733 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4736 "invalid per-cgroup storage access 3",
4738 BPF_MOV64_IMM(BPF_REG_2, 0),
4739 BPF_LD_MAP_FD(BPF_REG_1, 0),
4740 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4741 BPF_FUNC_get_local_storage),
4742 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4743 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4744 BPF_MOV64_IMM(BPF_REG_0, 0),
4747 .fixup_cgroup_storage = { 1 },
4749 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
4750 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4753 "invalid cgroup storage access 4",
4755 BPF_MOV64_IMM(BPF_REG_2, 0),
4756 BPF_LD_MAP_FD(BPF_REG_1, 0),
4757 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4758 BPF_FUNC_get_local_storage),
4759 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4760 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4764 .fixup_cgroup_storage = { 1 },
4766 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4767 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4770 "invalid cgroup storage access 5",
4772 BPF_MOV64_IMM(BPF_REG_2, 7),
4773 BPF_LD_MAP_FD(BPF_REG_1, 0),
4774 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4775 BPF_FUNC_get_local_storage),
4776 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4777 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4778 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4781 .fixup_cgroup_storage = { 1 },
4783 .errstr = "get_local_storage() doesn't support non-zero flags",
4784 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4787 "invalid cgroup storage access 6",
4789 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4790 BPF_LD_MAP_FD(BPF_REG_1, 0),
4791 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4792 BPF_FUNC_get_local_storage),
4793 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4794 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4795 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4798 .fixup_cgroup_storage = { 1 },
4800 .errstr = "get_local_storage() doesn't support non-zero flags",
4801 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4804 "multiple registers share map_lookup_elem result",
4806 BPF_MOV64_IMM(BPF_REG_1, 10),
4807 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4808 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4809 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4810 BPF_LD_MAP_FD(BPF_REG_1, 0),
4811 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4812 BPF_FUNC_map_lookup_elem),
4813 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4815 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4818 .fixup_map1 = { 4 },
4820 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4823 "alu ops on ptr_to_map_value_or_null, 1",
4825 BPF_MOV64_IMM(BPF_REG_1, 10),
4826 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4827 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4829 BPF_LD_MAP_FD(BPF_REG_1, 0),
4830 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4831 BPF_FUNC_map_lookup_elem),
4832 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4834 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4836 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4839 .fixup_map1 = { 4 },
4840 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4842 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4845 "alu ops on ptr_to_map_value_or_null, 2",
4847 BPF_MOV64_IMM(BPF_REG_1, 10),
4848 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4849 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4851 BPF_LD_MAP_FD(BPF_REG_1, 0),
4852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4853 BPF_FUNC_map_lookup_elem),
4854 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4855 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4857 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4860 .fixup_map1 = { 4 },
4861 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4863 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4866 "alu ops on ptr_to_map_value_or_null, 3",
4868 BPF_MOV64_IMM(BPF_REG_1, 10),
4869 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4870 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4872 BPF_LD_MAP_FD(BPF_REG_1, 0),
4873 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4874 BPF_FUNC_map_lookup_elem),
4875 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4876 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4877 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4878 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4881 .fixup_map1 = { 4 },
4882 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4884 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4887 "invalid memory access with multiple map_lookup_elem calls",
4889 BPF_MOV64_IMM(BPF_REG_1, 10),
4890 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4891 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4892 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4893 BPF_LD_MAP_FD(BPF_REG_1, 0),
4894 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4895 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4897 BPF_FUNC_map_lookup_elem),
4898 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4899 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4900 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4902 BPF_FUNC_map_lookup_elem),
4903 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4904 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4907 .fixup_map1 = { 4 },
4909 .errstr = "R4 !read_ok",
4910 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4913 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4915 BPF_MOV64_IMM(BPF_REG_1, 10),
4916 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4917 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4919 BPF_LD_MAP_FD(BPF_REG_1, 0),
4920 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4921 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4922 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4923 BPF_FUNC_map_lookup_elem),
4924 BPF_MOV64_IMM(BPF_REG_2, 10),
4925 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4926 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4927 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4928 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4929 BPF_FUNC_map_lookup_elem),
4930 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4932 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4935 .fixup_map1 = { 4 },
4937 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4940 "invalid map access from else condition",
4942 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4945 BPF_LD_MAP_FD(BPF_REG_1, 0),
4946 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4948 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4949 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4950 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4951 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4952 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4953 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4956 .fixup_map2 = { 3 },
4957 .errstr = "R0 unbounded memory access",
4959 .errstr_unpriv = "R0 leaks addr",
4960 .result_unpriv = REJECT,
4961 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4964 "constant register |= constant should keep constant type",
4966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4968 BPF_MOV64_IMM(BPF_REG_2, 34),
4969 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4970 BPF_MOV64_IMM(BPF_REG_3, 0),
4971 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4975 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4978 "constant register |= constant should not bypass stack boundary checks",
4980 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4982 BPF_MOV64_IMM(BPF_REG_2, 34),
4983 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4984 BPF_MOV64_IMM(BPF_REG_3, 0),
4985 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4988 .errstr = "invalid stack type R1 off=-48 access_size=58",
4990 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4993 "constant register |= constant register should keep constant type",
4995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4997 BPF_MOV64_IMM(BPF_REG_2, 34),
4998 BPF_MOV64_IMM(BPF_REG_4, 13),
4999 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5000 BPF_MOV64_IMM(BPF_REG_3, 0),
5001 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5005 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5008 "constant register |= constant register should not bypass stack boundary checks",
5010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5012 BPF_MOV64_IMM(BPF_REG_2, 34),
5013 BPF_MOV64_IMM(BPF_REG_4, 24),
5014 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5015 BPF_MOV64_IMM(BPF_REG_3, 0),
5016 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5019 .errstr = "invalid stack type R1 off=-48 access_size=58",
5021 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5024 "invalid direct packet write for LWT_IN",
5026 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5027 offsetof(struct __sk_buff, data)),
5028 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5029 offsetof(struct __sk_buff, data_end)),
5030 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5032 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5033 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5034 BPF_MOV64_IMM(BPF_REG_0, 0),
5037 .errstr = "cannot write into packet",
5039 .prog_type = BPF_PROG_TYPE_LWT_IN,
5042 "invalid direct packet write for LWT_OUT",
5044 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5045 offsetof(struct __sk_buff, data)),
5046 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5047 offsetof(struct __sk_buff, data_end)),
5048 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5050 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5051 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5052 BPF_MOV64_IMM(BPF_REG_0, 0),
5055 .errstr = "cannot write into packet",
5057 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5060 "direct packet write for LWT_XMIT",
5062 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5063 offsetof(struct __sk_buff, data)),
5064 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5065 offsetof(struct __sk_buff, data_end)),
5066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5068 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5069 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5070 BPF_MOV64_IMM(BPF_REG_0, 0),
5074 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5077 "direct packet read for LWT_IN",
5079 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5080 offsetof(struct __sk_buff, data)),
5081 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5082 offsetof(struct __sk_buff, data_end)),
5083 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5085 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5086 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5087 BPF_MOV64_IMM(BPF_REG_0, 0),
5091 .prog_type = BPF_PROG_TYPE_LWT_IN,
5094 "direct packet read for LWT_OUT",
5096 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5097 offsetof(struct __sk_buff, data)),
5098 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5099 offsetof(struct __sk_buff, data_end)),
5100 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5102 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5103 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5104 BPF_MOV64_IMM(BPF_REG_0, 0),
5108 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5111 "direct packet read for LWT_XMIT",
5113 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5114 offsetof(struct __sk_buff, data)),
5115 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5116 offsetof(struct __sk_buff, data_end)),
5117 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5119 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5120 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5121 BPF_MOV64_IMM(BPF_REG_0, 0),
5125 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5128 "overlapping checks for direct packet access",
5130 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5131 offsetof(struct __sk_buff, data)),
5132 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5133 offsetof(struct __sk_buff, data_end)),
5134 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5135 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5136 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5137 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5139 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5140 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5141 BPF_MOV64_IMM(BPF_REG_0, 0),
5145 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5148 "make headroom for LWT_XMIT",
5150 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5151 BPF_MOV64_IMM(BPF_REG_2, 34),
5152 BPF_MOV64_IMM(BPF_REG_3, 0),
5153 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5154 /* split for s390 to succeed */
5155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5156 BPF_MOV64_IMM(BPF_REG_2, 42),
5157 BPF_MOV64_IMM(BPF_REG_3, 0),
5158 BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5159 BPF_MOV64_IMM(BPF_REG_0, 0),
5163 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5166 "invalid access of tc_classid for LWT_IN",
5168 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5169 offsetof(struct __sk_buff, tc_classid)),
5173 .errstr = "invalid bpf_context access",
5176 "invalid access of tc_classid for LWT_OUT",
5178 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5179 offsetof(struct __sk_buff, tc_classid)),
5183 .errstr = "invalid bpf_context access",
5186 "invalid access of tc_classid for LWT_XMIT",
5188 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5189 offsetof(struct __sk_buff, tc_classid)),
5193 .errstr = "invalid bpf_context access",
5196 "leak pointer into ctx 1",
5198 BPF_MOV64_IMM(BPF_REG_0, 0),
5199 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5200 offsetof(struct __sk_buff, cb[0])),
5201 BPF_LD_MAP_FD(BPF_REG_2, 0),
5202 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5203 offsetof(struct __sk_buff, cb[0])),
5206 .fixup_map1 = { 2 },
5207 .errstr_unpriv = "R2 leaks addr into mem",
5208 .result_unpriv = REJECT,
5210 .errstr = "BPF_XADD stores into R1 context is not allowed",
5213 "leak pointer into ctx 2",
5215 BPF_MOV64_IMM(BPF_REG_0, 0),
5216 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5217 offsetof(struct __sk_buff, cb[0])),
5218 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5219 offsetof(struct __sk_buff, cb[0])),
5222 .errstr_unpriv = "R10 leaks addr into mem",
5223 .result_unpriv = REJECT,
5225 .errstr = "BPF_XADD stores into R1 context is not allowed",
5228 "leak pointer into ctx 3",
5230 BPF_MOV64_IMM(BPF_REG_0, 0),
5231 BPF_LD_MAP_FD(BPF_REG_2, 0),
5232 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5233 offsetof(struct __sk_buff, cb[0])),
5236 .fixup_map1 = { 1 },
5237 .errstr_unpriv = "R2 leaks addr into ctx",
5238 .result_unpriv = REJECT,
5242 "leak pointer into map val",
5244 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5245 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5246 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5248 BPF_LD_MAP_FD(BPF_REG_1, 0),
5249 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5250 BPF_FUNC_map_lookup_elem),
5251 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5252 BPF_MOV64_IMM(BPF_REG_3, 0),
5253 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5254 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5255 BPF_MOV64_IMM(BPF_REG_0, 0),
5258 .fixup_map1 = { 4 },
5259 .errstr_unpriv = "R6 leaks addr into mem",
5260 .result_unpriv = REJECT,
5264 "helper access to map: full range",
5266 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5268 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5269 BPF_LD_MAP_FD(BPF_REG_1, 0),
5270 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5272 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5273 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5274 BPF_MOV64_IMM(BPF_REG_3, 0),
5275 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5278 .fixup_map2 = { 3 },
5280 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5283 "helper access to map: partial range",
5285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5288 BPF_LD_MAP_FD(BPF_REG_1, 0),
5289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5291 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5292 BPF_MOV64_IMM(BPF_REG_2, 8),
5293 BPF_MOV64_IMM(BPF_REG_3, 0),
5294 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5297 .fixup_map2 = { 3 },
5299 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5302 "helper access to map: empty range",
5304 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5306 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5307 BPF_LD_MAP_FD(BPF_REG_1, 0),
5308 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5311 BPF_MOV64_IMM(BPF_REG_2, 0),
5312 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5315 .fixup_map2 = { 3 },
5316 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5318 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5321 "helper access to map: out-of-bound range",
5323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5325 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5326 BPF_LD_MAP_FD(BPF_REG_1, 0),
5327 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5328 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5330 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5331 BPF_MOV64_IMM(BPF_REG_3, 0),
5332 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5335 .fixup_map2 = { 3 },
5336 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5338 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5341 "helper access to map: negative range",
5343 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5345 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5346 BPF_LD_MAP_FD(BPF_REG_1, 0),
5347 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5348 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5349 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5350 BPF_MOV64_IMM(BPF_REG_2, -8),
5351 BPF_MOV64_IMM(BPF_REG_3, 0),
5352 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5355 .fixup_map2 = { 3 },
5356 .errstr = "R2 min value is negative",
5358 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5361 "helper access to adjusted map (via const imm): full range",
5363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5365 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5366 BPF_LD_MAP_FD(BPF_REG_1, 0),
5367 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5368 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5369 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5370 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5371 offsetof(struct test_val, foo)),
5372 BPF_MOV64_IMM(BPF_REG_2,
5373 sizeof(struct test_val) -
5374 offsetof(struct test_val, foo)),
5375 BPF_MOV64_IMM(BPF_REG_3, 0),
5376 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5379 .fixup_map2 = { 3 },
5381 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5384 "helper access to adjusted map (via const imm): partial range",
5386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5388 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5389 BPF_LD_MAP_FD(BPF_REG_1, 0),
5390 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5394 offsetof(struct test_val, foo)),
5395 BPF_MOV64_IMM(BPF_REG_2, 8),
5396 BPF_MOV64_IMM(BPF_REG_3, 0),
5397 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5400 .fixup_map2 = { 3 },
5402 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5405 "helper access to adjusted map (via const imm): empty range",
5407 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5409 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5410 BPF_LD_MAP_FD(BPF_REG_1, 0),
5411 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5412 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5415 offsetof(struct test_val, foo)),
5416 BPF_MOV64_IMM(BPF_REG_2, 0),
5417 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5420 .fixup_map2 = { 3 },
5421 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5423 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5426 "helper access to adjusted map (via const imm): out-of-bound range",
5428 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5429 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5430 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5431 BPF_LD_MAP_FD(BPF_REG_1, 0),
5432 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5433 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5434 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5436 offsetof(struct test_val, foo)),
5437 BPF_MOV64_IMM(BPF_REG_2,
5438 sizeof(struct test_val) -
5439 offsetof(struct test_val, foo) + 8),
5440 BPF_MOV64_IMM(BPF_REG_3, 0),
5441 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5444 .fixup_map2 = { 3 },
5445 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5447 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5450 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5452 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5454 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5455 BPF_LD_MAP_FD(BPF_REG_1, 0),
5456 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5457 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5460 offsetof(struct test_val, foo)),
5461 BPF_MOV64_IMM(BPF_REG_2, -8),
5462 BPF_MOV64_IMM(BPF_REG_3, 0),
5463 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5466 .fixup_map2 = { 3 },
5467 .errstr = "R2 min value is negative",
5469 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5472 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5476 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5477 BPF_LD_MAP_FD(BPF_REG_1, 0),
5478 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5479 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5480 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5481 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5482 offsetof(struct test_val, foo)),
5483 BPF_MOV64_IMM(BPF_REG_2, -1),
5484 BPF_MOV64_IMM(BPF_REG_3, 0),
5485 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5488 .fixup_map2 = { 3 },
5489 .errstr = "R2 min value is negative",
5491 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5494 "helper access to adjusted map (via const reg): full range",
5496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5498 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5499 BPF_LD_MAP_FD(BPF_REG_1, 0),
5500 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5503 BPF_MOV64_IMM(BPF_REG_3,
5504 offsetof(struct test_val, foo)),
5505 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5506 BPF_MOV64_IMM(BPF_REG_2,
5507 sizeof(struct test_val) -
5508 offsetof(struct test_val, foo)),
5509 BPF_MOV64_IMM(BPF_REG_3, 0),
5510 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5513 .fixup_map2 = { 3 },
5515 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5518 "helper access to adjusted map (via const reg): partial range",
5520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5522 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5523 BPF_LD_MAP_FD(BPF_REG_1, 0),
5524 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5526 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5527 BPF_MOV64_IMM(BPF_REG_3,
5528 offsetof(struct test_val, foo)),
5529 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5530 BPF_MOV64_IMM(BPF_REG_2, 8),
5531 BPF_MOV64_IMM(BPF_REG_3, 0),
5532 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5535 .fixup_map2 = { 3 },
5537 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5540 "helper access to adjusted map (via const reg): empty range",
5542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5544 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5545 BPF_LD_MAP_FD(BPF_REG_1, 0),
5546 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5547 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5548 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5549 BPF_MOV64_IMM(BPF_REG_3, 0),
5550 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5551 BPF_MOV64_IMM(BPF_REG_2, 0),
5552 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5555 .fixup_map2 = { 3 },
5556 .errstr = "R1 min value is outside of the array range",
5558 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5561 "helper access to adjusted map (via const reg): out-of-bound range",
5563 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5565 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5566 BPF_LD_MAP_FD(BPF_REG_1, 0),
5567 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5568 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5569 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5570 BPF_MOV64_IMM(BPF_REG_3,
5571 offsetof(struct test_val, foo)),
5572 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5573 BPF_MOV64_IMM(BPF_REG_2,
5574 sizeof(struct test_val) -
5575 offsetof(struct test_val, foo) + 8),
5576 BPF_MOV64_IMM(BPF_REG_3, 0),
5577 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5580 .fixup_map2 = { 3 },
5581 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5583 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5586 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5588 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5590 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5591 BPF_LD_MAP_FD(BPF_REG_1, 0),
5592 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5594 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5595 BPF_MOV64_IMM(BPF_REG_3,
5596 offsetof(struct test_val, foo)),
5597 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5598 BPF_MOV64_IMM(BPF_REG_2, -8),
5599 BPF_MOV64_IMM(BPF_REG_3, 0),
5600 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5603 .fixup_map2 = { 3 },
5604 .errstr = "R2 min value is negative",
5606 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5609 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5611 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5613 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5614 BPF_LD_MAP_FD(BPF_REG_1, 0),
5615 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5616 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5617 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5618 BPF_MOV64_IMM(BPF_REG_3,
5619 offsetof(struct test_val, foo)),
5620 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5621 BPF_MOV64_IMM(BPF_REG_2, -1),
5622 BPF_MOV64_IMM(BPF_REG_3, 0),
5623 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5626 .fixup_map2 = { 3 },
5627 .errstr = "R2 min value is negative",
5629 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5632 "helper access to adjusted map (via variable): full range",
5634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5636 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5637 BPF_LD_MAP_FD(BPF_REG_1, 0),
5638 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5641 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5642 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5643 offsetof(struct test_val, foo), 4),
5644 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5645 BPF_MOV64_IMM(BPF_REG_2,
5646 sizeof(struct test_val) -
5647 offsetof(struct test_val, foo)),
5648 BPF_MOV64_IMM(BPF_REG_3, 0),
5649 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5652 .fixup_map2 = { 3 },
5654 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5657 "helper access to adjusted map (via variable): partial range",
5659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5661 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5662 BPF_LD_MAP_FD(BPF_REG_1, 0),
5663 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5666 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5667 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5668 offsetof(struct test_val, foo), 4),
5669 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5670 BPF_MOV64_IMM(BPF_REG_2, 8),
5671 BPF_MOV64_IMM(BPF_REG_3, 0),
5672 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5675 .fixup_map2 = { 3 },
5677 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5680 "helper access to adjusted map (via variable): empty range",
5682 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5684 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5685 BPF_LD_MAP_FD(BPF_REG_1, 0),
5686 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5688 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5689 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5690 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5691 offsetof(struct test_val, foo), 3),
5692 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5693 BPF_MOV64_IMM(BPF_REG_2, 0),
5694 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5697 .fixup_map2 = { 3 },
5698 .errstr = "R1 min value is outside of the array range",
5700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5703 "helper access to adjusted map (via variable): no max check",
5705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5707 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5708 BPF_LD_MAP_FD(BPF_REG_1, 0),
5709 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5712 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5713 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5714 BPF_MOV64_IMM(BPF_REG_2, 1),
5715 BPF_MOV64_IMM(BPF_REG_3, 0),
5716 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5719 .fixup_map2 = { 3 },
5720 .errstr = "R1 unbounded memory access",
5722 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5725 "helper access to adjusted map (via variable): wrong max check",
5727 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5728 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5729 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5730 BPF_LD_MAP_FD(BPF_REG_1, 0),
5731 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5733 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5734 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5735 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5736 offsetof(struct test_val, foo), 4),
5737 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5738 BPF_MOV64_IMM(BPF_REG_2,
5739 sizeof(struct test_val) -
5740 offsetof(struct test_val, foo) + 1),
5741 BPF_MOV64_IMM(BPF_REG_3, 0),
5742 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5745 .fixup_map2 = { 3 },
5746 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5751 "helper access to map: bounds check using <, good access",
5753 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5755 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5756 BPF_LD_MAP_FD(BPF_REG_1, 0),
5757 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5761 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5762 BPF_MOV64_IMM(BPF_REG_0, 0),
5764 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5765 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5766 BPF_MOV64_IMM(BPF_REG_0, 0),
5769 .fixup_map2 = { 3 },
5771 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5774 "helper access to map: bounds check using <, bad access",
5776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5778 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5779 BPF_LD_MAP_FD(BPF_REG_1, 0),
5780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5783 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5784 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5785 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5786 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5787 BPF_MOV64_IMM(BPF_REG_0, 0),
5789 BPF_MOV64_IMM(BPF_REG_0, 0),
5792 .fixup_map2 = { 3 },
5794 .errstr = "R1 unbounded memory access",
5795 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5798 "helper access to map: bounds check using <=, good access",
5800 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5801 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5802 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5803 BPF_LD_MAP_FD(BPF_REG_1, 0),
5804 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5806 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5807 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5808 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5809 BPF_MOV64_IMM(BPF_REG_0, 0),
5811 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5812 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5813 BPF_MOV64_IMM(BPF_REG_0, 0),
5816 .fixup_map2 = { 3 },
5818 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5821 "helper access to map: bounds check using <=, bad access",
5823 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5824 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5825 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5826 BPF_LD_MAP_FD(BPF_REG_1, 0),
5827 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5829 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5830 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5831 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5832 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5833 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5834 BPF_MOV64_IMM(BPF_REG_0, 0),
5836 BPF_MOV64_IMM(BPF_REG_0, 0),
5839 .fixup_map2 = { 3 },
5841 .errstr = "R1 unbounded memory access",
5842 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5845 "helper access to map: bounds check using s<, good access",
5847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5849 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5850 BPF_LD_MAP_FD(BPF_REG_1, 0),
5851 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5854 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5855 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5856 BPF_MOV64_IMM(BPF_REG_0, 0),
5858 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5859 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5860 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5861 BPF_MOV64_IMM(BPF_REG_0, 0),
5864 .fixup_map2 = { 3 },
5866 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5869 "helper access to map: bounds check using s<, good access 2",
5871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5873 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5874 BPF_LD_MAP_FD(BPF_REG_1, 0),
5875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5879 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5880 BPF_MOV64_IMM(BPF_REG_0, 0),
5882 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5883 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5884 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5885 BPF_MOV64_IMM(BPF_REG_0, 0),
5888 .fixup_map2 = { 3 },
5890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5893 "helper access to map: bounds check using s<, bad access",
5895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5897 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5898 BPF_LD_MAP_FD(BPF_REG_1, 0),
5899 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5902 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5903 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5904 BPF_MOV64_IMM(BPF_REG_0, 0),
5906 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5907 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5908 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5909 BPF_MOV64_IMM(BPF_REG_0, 0),
5912 .fixup_map2 = { 3 },
5914 .errstr = "R1 min value is negative",
5915 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5918 "helper access to map: bounds check using s<=, good access",
5920 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5922 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5923 BPF_LD_MAP_FD(BPF_REG_1, 0),
5924 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5925 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5926 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5927 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5928 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5929 BPF_MOV64_IMM(BPF_REG_0, 0),
5931 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5932 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5933 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5934 BPF_MOV64_IMM(BPF_REG_0, 0),
5937 .fixup_map2 = { 3 },
5939 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5942 "helper access to map: bounds check using s<=, good access 2",
5944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5946 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5947 BPF_LD_MAP_FD(BPF_REG_1, 0),
5948 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5949 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5950 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5951 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5952 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5953 BPF_MOV64_IMM(BPF_REG_0, 0),
5955 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5956 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5957 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5958 BPF_MOV64_IMM(BPF_REG_0, 0),
5961 .fixup_map2 = { 3 },
5963 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5966 "helper access to map: bounds check using s<=, bad access",
5968 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5970 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5971 BPF_LD_MAP_FD(BPF_REG_1, 0),
5972 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5973 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5974 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5975 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5976 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5977 BPF_MOV64_IMM(BPF_REG_0, 0),
5979 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5980 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5981 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5982 BPF_MOV64_IMM(BPF_REG_0, 0),
5985 .fixup_map2 = { 3 },
5987 .errstr = "R1 min value is negative",
5988 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5991 "map lookup helper access to map",
5993 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5995 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5996 BPF_LD_MAP_FD(BPF_REG_1, 0),
5997 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5998 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6000 BPF_LD_MAP_FD(BPF_REG_1, 0),
6001 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6004 .fixup_map3 = { 3, 8 },
6006 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6009 "map update helper access to map",
6011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6013 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6014 BPF_LD_MAP_FD(BPF_REG_1, 0),
6015 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6016 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6017 BPF_MOV64_IMM(BPF_REG_4, 0),
6018 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6019 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6020 BPF_LD_MAP_FD(BPF_REG_1, 0),
6021 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6024 .fixup_map3 = { 3, 10 },
6026 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6029 "map update helper access to map: wrong size",
6031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6033 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6034 BPF_LD_MAP_FD(BPF_REG_1, 0),
6035 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6036 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6037 BPF_MOV64_IMM(BPF_REG_4, 0),
6038 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6040 BPF_LD_MAP_FD(BPF_REG_1, 0),
6041 BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6044 .fixup_map1 = { 3 },
6045 .fixup_map3 = { 10 },
6047 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
6048 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6051 "map helper access to adjusted map (via const imm)",
6053 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6054 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6055 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6056 BPF_LD_MAP_FD(BPF_REG_1, 0),
6057 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6058 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6059 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6061 offsetof(struct other_val, bar)),
6062 BPF_LD_MAP_FD(BPF_REG_1, 0),
6063 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6066 .fixup_map3 = { 3, 9 },
6068 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6071 "map helper access to adjusted map (via const imm): out-of-bound 1",
6073 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6075 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6076 BPF_LD_MAP_FD(BPF_REG_1, 0),
6077 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6078 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6081 sizeof(struct other_val) - 4),
6082 BPF_LD_MAP_FD(BPF_REG_1, 0),
6083 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6086 .fixup_map3 = { 3, 9 },
6088 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6089 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6092 "map helper access to adjusted map (via const imm): out-of-bound 2",
6094 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6096 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6097 BPF_LD_MAP_FD(BPF_REG_1, 0),
6098 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6099 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6100 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6102 BPF_LD_MAP_FD(BPF_REG_1, 0),
6103 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6106 .fixup_map3 = { 3, 9 },
6108 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6109 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6112 "map helper access to adjusted map (via const reg)",
6114 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6116 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6117 BPF_LD_MAP_FD(BPF_REG_1, 0),
6118 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6119 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6121 BPF_MOV64_IMM(BPF_REG_3,
6122 offsetof(struct other_val, bar)),
6123 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6124 BPF_LD_MAP_FD(BPF_REG_1, 0),
6125 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6128 .fixup_map3 = { 3, 10 },
6130 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6133 "map helper access to adjusted map (via const reg): out-of-bound 1",
6135 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6136 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6137 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6138 BPF_LD_MAP_FD(BPF_REG_1, 0),
6139 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6141 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6142 BPF_MOV64_IMM(BPF_REG_3,
6143 sizeof(struct other_val) - 4),
6144 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6145 BPF_LD_MAP_FD(BPF_REG_1, 0),
6146 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6149 .fixup_map3 = { 3, 10 },
6151 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6152 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6155 "map helper access to adjusted map (via const reg): out-of-bound 2",
6157 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6159 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6160 BPF_LD_MAP_FD(BPF_REG_1, 0),
6161 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6162 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6164 BPF_MOV64_IMM(BPF_REG_3, -4),
6165 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6166 BPF_LD_MAP_FD(BPF_REG_1, 0),
6167 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6170 .fixup_map3 = { 3, 10 },
6172 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6173 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6176 "map helper access to adjusted map (via variable)",
6178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6180 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6181 BPF_LD_MAP_FD(BPF_REG_1, 0),
6182 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6183 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6185 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6186 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6187 offsetof(struct other_val, bar), 4),
6188 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6189 BPF_LD_MAP_FD(BPF_REG_1, 0),
6190 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6193 .fixup_map3 = { 3, 11 },
6195 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6198 "map helper access to adjusted map (via variable): no max check",
6200 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6201 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6202 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6203 BPF_LD_MAP_FD(BPF_REG_1, 0),
6204 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6205 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6206 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6207 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6208 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6209 BPF_LD_MAP_FD(BPF_REG_1, 0),
6210 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6213 .fixup_map3 = { 3, 10 },
6215 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6216 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6219 "map helper access to adjusted map (via variable): wrong max check",
6221 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6223 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6224 BPF_LD_MAP_FD(BPF_REG_1, 0),
6225 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6227 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6228 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6229 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6230 offsetof(struct other_val, bar) + 1, 4),
6231 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6232 BPF_LD_MAP_FD(BPF_REG_1, 0),
6233 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6236 .fixup_map3 = { 3, 11 },
6238 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6239 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6242 "map element value is preserved across register spilling",
6244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6246 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6247 BPF_LD_MAP_FD(BPF_REG_1, 0),
6248 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6250 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6251 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6253 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6254 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6255 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6258 .fixup_map2 = { 3 },
6259 .errstr_unpriv = "R0 leaks addr",
6261 .result_unpriv = REJECT,
6264 "map element value or null is marked on register spilling",
6266 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6268 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6269 BPF_LD_MAP_FD(BPF_REG_1, 0),
6270 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6271 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6273 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6274 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6275 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6276 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6279 .fixup_map2 = { 3 },
6280 .errstr_unpriv = "R0 leaks addr",
6282 .result_unpriv = REJECT,
6285 "map element value store of cleared call register",
6287 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6288 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6289 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6290 BPF_LD_MAP_FD(BPF_REG_1, 0),
6291 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6292 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6293 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6296 .fixup_map2 = { 3 },
6297 .errstr_unpriv = "R1 !read_ok",
6298 .errstr = "R1 !read_ok",
6300 .result_unpriv = REJECT,
6303 "map element value with unaligned store",
6305 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6307 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6308 BPF_LD_MAP_FD(BPF_REG_1, 0),
6309 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6312 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6313 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6314 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6315 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6316 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6317 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6318 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6320 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6321 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6322 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6323 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6325 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6326 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6327 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6330 .fixup_map2 = { 3 },
6331 .errstr_unpriv = "R0 leaks addr",
6333 .result_unpriv = REJECT,
6334 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6337 "map element value with unaligned load",
6339 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6340 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6341 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6342 BPF_LD_MAP_FD(BPF_REG_1, 0),
6343 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6344 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6345 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6348 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6349 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6350 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6351 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6352 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6354 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6355 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6358 .fixup_map2 = { 3 },
6359 .errstr_unpriv = "R0 leaks addr",
6361 .result_unpriv = REJECT,
6362 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6365 "map element value illegal alu op, 1",
6367 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6368 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6369 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6370 BPF_LD_MAP_FD(BPF_REG_1, 0),
6371 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6372 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6373 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6374 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6377 .fixup_map2 = { 3 },
6378 .errstr = "R0 bitwise operator &= on pointer",
6382 "map element value illegal alu op, 2",
6384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6386 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6387 BPF_LD_MAP_FD(BPF_REG_1, 0),
6388 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6389 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6390 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6391 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6394 .fixup_map2 = { 3 },
6395 .errstr = "R0 32-bit pointer arithmetic prohibited",
6399 "map element value illegal alu op, 3",
6401 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6403 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6404 BPF_LD_MAP_FD(BPF_REG_1, 0),
6405 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6406 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6407 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6408 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6411 .fixup_map2 = { 3 },
6412 .errstr = "R0 pointer arithmetic with /= operator",
6416 "map element value illegal alu op, 4",
6418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6420 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6421 BPF_LD_MAP_FD(BPF_REG_1, 0),
6422 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6424 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6425 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6428 .fixup_map2 = { 3 },
6429 .errstr_unpriv = "R0 pointer arithmetic prohibited",
6430 .errstr = "invalid mem access 'inv'",
6432 .result_unpriv = REJECT,
6435 "map element value illegal alu op, 5",
6437 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6439 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6440 BPF_LD_MAP_FD(BPF_REG_1, 0),
6441 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6442 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6443 BPF_MOV64_IMM(BPF_REG_3, 4096),
6444 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6446 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6447 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6448 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6449 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6452 .fixup_map2 = { 3 },
6453 .errstr = "R0 invalid mem access 'inv'",
6457 "map element value is preserved across register spilling",
6459 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6461 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6462 BPF_LD_MAP_FD(BPF_REG_1, 0),
6463 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6464 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6466 offsetof(struct test_val, foo)),
6467 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6468 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6469 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6470 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6471 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6472 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6475 .fixup_map2 = { 3 },
6476 .errstr_unpriv = "R0 leaks addr",
6478 .result_unpriv = REJECT,
6479 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6482 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6486 BPF_MOV64_IMM(BPF_REG_0, 0),
6487 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6488 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6489 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6490 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6491 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6492 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6493 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6494 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6495 BPF_MOV64_IMM(BPF_REG_2, 16),
6496 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6497 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6498 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6499 BPF_MOV64_IMM(BPF_REG_4, 0),
6500 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6501 BPF_MOV64_IMM(BPF_REG_3, 0),
6502 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6503 BPF_MOV64_IMM(BPF_REG_0, 0),
6507 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6510 "helper access to variable memory: stack, bitwise AND, zero included",
6512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6514 BPF_MOV64_IMM(BPF_REG_2, 16),
6515 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6516 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6517 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6518 BPF_MOV64_IMM(BPF_REG_3, 0),
6519 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6522 .errstr = "invalid indirect read from stack off -64+0 size 64",
6524 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6527 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6529 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6531 BPF_MOV64_IMM(BPF_REG_2, 16),
6532 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6533 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6534 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6535 BPF_MOV64_IMM(BPF_REG_4, 0),
6536 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6537 BPF_MOV64_IMM(BPF_REG_3, 0),
6538 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6539 BPF_MOV64_IMM(BPF_REG_0, 0),
6542 .errstr = "invalid stack type R1 off=-64 access_size=65",
6544 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6547 "helper access to variable memory: stack, JMP, correct bounds",
6549 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6551 BPF_MOV64_IMM(BPF_REG_0, 0),
6552 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6553 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6554 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6555 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6556 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6557 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6558 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6559 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6560 BPF_MOV64_IMM(BPF_REG_2, 16),
6561 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6562 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6563 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6564 BPF_MOV64_IMM(BPF_REG_4, 0),
6565 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6566 BPF_MOV64_IMM(BPF_REG_3, 0),
6567 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6568 BPF_MOV64_IMM(BPF_REG_0, 0),
6572 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6575 "helper access to variable memory: stack, JMP (signed), correct bounds",
6577 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6578 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6579 BPF_MOV64_IMM(BPF_REG_0, 0),
6580 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6581 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6582 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6583 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6584 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6585 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6586 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6587 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6588 BPF_MOV64_IMM(BPF_REG_2, 16),
6589 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6590 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6591 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6592 BPF_MOV64_IMM(BPF_REG_4, 0),
6593 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6594 BPF_MOV64_IMM(BPF_REG_3, 0),
6595 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6596 BPF_MOV64_IMM(BPF_REG_0, 0),
6600 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6603 "helper access to variable memory: stack, JMP, bounds + offset",
6605 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6607 BPF_MOV64_IMM(BPF_REG_2, 16),
6608 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6609 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6610 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6611 BPF_MOV64_IMM(BPF_REG_4, 0),
6612 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6614 BPF_MOV64_IMM(BPF_REG_3, 0),
6615 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6616 BPF_MOV64_IMM(BPF_REG_0, 0),
6619 .errstr = "invalid stack type R1 off=-64 access_size=65",
6621 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6624 "helper access to variable memory: stack, JMP, wrong max",
6626 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6628 BPF_MOV64_IMM(BPF_REG_2, 16),
6629 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6630 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6631 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6632 BPF_MOV64_IMM(BPF_REG_4, 0),
6633 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6634 BPF_MOV64_IMM(BPF_REG_3, 0),
6635 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6636 BPF_MOV64_IMM(BPF_REG_0, 0),
6639 .errstr = "invalid stack type R1 off=-64 access_size=65",
6641 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6644 "helper access to variable memory: stack, JMP, no max check",
6646 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6647 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6648 BPF_MOV64_IMM(BPF_REG_2, 16),
6649 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6650 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6651 BPF_MOV64_IMM(BPF_REG_4, 0),
6652 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6653 BPF_MOV64_IMM(BPF_REG_3, 0),
6654 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6655 BPF_MOV64_IMM(BPF_REG_0, 0),
6658 /* because max wasn't checked, signed min is negative */
6659 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6661 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6664 "helper access to variable memory: stack, JMP, no min check",
6666 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6668 BPF_MOV64_IMM(BPF_REG_2, 16),
6669 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6670 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6671 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6672 BPF_MOV64_IMM(BPF_REG_3, 0),
6673 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6674 BPF_MOV64_IMM(BPF_REG_0, 0),
6677 .errstr = "invalid indirect read from stack off -64+0 size 64",
6679 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6682 "helper access to variable memory: stack, JMP (signed), no min check",
6684 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6686 BPF_MOV64_IMM(BPF_REG_2, 16),
6687 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6688 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6689 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6690 BPF_MOV64_IMM(BPF_REG_3, 0),
6691 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6692 BPF_MOV64_IMM(BPF_REG_0, 0),
6695 .errstr = "R2 min value is negative",
6697 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6700 "helper access to variable memory: map, JMP, correct bounds",
6702 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6704 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6705 BPF_LD_MAP_FD(BPF_REG_1, 0),
6706 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6708 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6709 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6710 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6711 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6712 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6713 sizeof(struct test_val), 4),
6714 BPF_MOV64_IMM(BPF_REG_4, 0),
6715 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6716 BPF_MOV64_IMM(BPF_REG_3, 0),
6717 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6718 BPF_MOV64_IMM(BPF_REG_0, 0),
6721 .fixup_map2 = { 3 },
6723 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6726 "helper access to variable memory: map, JMP, wrong max",
6728 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6730 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6731 BPF_LD_MAP_FD(BPF_REG_1, 0),
6732 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6733 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6734 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6735 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6736 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6737 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6738 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6739 sizeof(struct test_val) + 1, 4),
6740 BPF_MOV64_IMM(BPF_REG_4, 0),
6741 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6742 BPF_MOV64_IMM(BPF_REG_3, 0),
6743 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6744 BPF_MOV64_IMM(BPF_REG_0, 0),
6747 .fixup_map2 = { 3 },
6748 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6750 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6753 "helper access to variable memory: map adjusted, JMP, correct bounds",
6755 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6757 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6758 BPF_LD_MAP_FD(BPF_REG_1, 0),
6759 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6760 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6761 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6763 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6764 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6765 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6766 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6767 sizeof(struct test_val) - 20, 4),
6768 BPF_MOV64_IMM(BPF_REG_4, 0),
6769 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6770 BPF_MOV64_IMM(BPF_REG_3, 0),
6771 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6772 BPF_MOV64_IMM(BPF_REG_0, 0),
6775 .fixup_map2 = { 3 },
6777 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6780 "helper access to variable memory: map adjusted, JMP, wrong max",
6782 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6784 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6785 BPF_LD_MAP_FD(BPF_REG_1, 0),
6786 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6788 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6789 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6790 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6791 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6792 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6793 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6794 sizeof(struct test_val) - 19, 4),
6795 BPF_MOV64_IMM(BPF_REG_4, 0),
6796 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6797 BPF_MOV64_IMM(BPF_REG_3, 0),
6798 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6799 BPF_MOV64_IMM(BPF_REG_0, 0),
6802 .fixup_map2 = { 3 },
6803 .errstr = "R1 min value is outside of the array range",
6805 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6808 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6810 BPF_MOV64_IMM(BPF_REG_1, 0),
6811 BPF_MOV64_IMM(BPF_REG_2, 0),
6812 BPF_MOV64_IMM(BPF_REG_3, 0),
6813 BPF_MOV64_IMM(BPF_REG_4, 0),
6814 BPF_MOV64_IMM(BPF_REG_5, 0),
6815 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6819 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6822 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6824 BPF_MOV64_IMM(BPF_REG_1, 0),
6825 BPF_MOV64_IMM(BPF_REG_2, 1),
6826 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6827 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6828 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6829 BPF_MOV64_IMM(BPF_REG_3, 0),
6830 BPF_MOV64_IMM(BPF_REG_4, 0),
6831 BPF_MOV64_IMM(BPF_REG_5, 0),
6832 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6835 .errstr = "R1 type=inv expected=fp",
6837 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6840 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6842 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6844 BPF_MOV64_IMM(BPF_REG_2, 0),
6845 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6846 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6847 BPF_MOV64_IMM(BPF_REG_3, 0),
6848 BPF_MOV64_IMM(BPF_REG_4, 0),
6849 BPF_MOV64_IMM(BPF_REG_5, 0),
6850 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6854 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6857 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6859 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6860 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6861 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6862 BPF_LD_MAP_FD(BPF_REG_1, 0),
6863 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6864 BPF_FUNC_map_lookup_elem),
6865 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6866 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6867 BPF_MOV64_IMM(BPF_REG_2, 0),
6868 BPF_MOV64_IMM(BPF_REG_3, 0),
6869 BPF_MOV64_IMM(BPF_REG_4, 0),
6870 BPF_MOV64_IMM(BPF_REG_5, 0),
6871 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6874 .fixup_map1 = { 3 },
6876 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6879 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6881 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6882 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6884 BPF_LD_MAP_FD(BPF_REG_1, 0),
6885 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6886 BPF_FUNC_map_lookup_elem),
6887 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6888 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6889 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6890 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6891 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6892 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6893 BPF_MOV64_IMM(BPF_REG_3, 0),
6894 BPF_MOV64_IMM(BPF_REG_4, 0),
6895 BPF_MOV64_IMM(BPF_REG_5, 0),
6896 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6899 .fixup_map1 = { 3 },
6901 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6904 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6906 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6907 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6908 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6909 BPF_LD_MAP_FD(BPF_REG_1, 0),
6910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6911 BPF_FUNC_map_lookup_elem),
6912 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6913 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6914 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6915 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6916 BPF_MOV64_IMM(BPF_REG_3, 0),
6917 BPF_MOV64_IMM(BPF_REG_4, 0),
6918 BPF_MOV64_IMM(BPF_REG_5, 0),
6919 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6922 .fixup_map1 = { 3 },
6924 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6927 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6929 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6930 offsetof(struct __sk_buff, data)),
6931 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6932 offsetof(struct __sk_buff, data_end)),
6933 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6935 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6936 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6937 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6938 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6939 BPF_MOV64_IMM(BPF_REG_3, 0),
6940 BPF_MOV64_IMM(BPF_REG_4, 0),
6941 BPF_MOV64_IMM(BPF_REG_5, 0),
6942 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6946 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6947 .retval = 0 /* csum_diff of 64-byte packet */,
6950 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6952 BPF_MOV64_IMM(BPF_REG_1, 0),
6953 BPF_MOV64_IMM(BPF_REG_2, 0),
6954 BPF_MOV64_IMM(BPF_REG_3, 0),
6955 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6958 .errstr = "R1 type=inv expected=fp",
6960 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6963 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6965 BPF_MOV64_IMM(BPF_REG_1, 0),
6966 BPF_MOV64_IMM(BPF_REG_2, 1),
6967 BPF_MOV64_IMM(BPF_REG_3, 0),
6968 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6971 .errstr = "R1 type=inv expected=fp",
6973 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6976 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6978 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6980 BPF_MOV64_IMM(BPF_REG_2, 0),
6981 BPF_MOV64_IMM(BPF_REG_3, 0),
6982 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6986 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6989 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6991 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6992 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6994 BPF_LD_MAP_FD(BPF_REG_1, 0),
6995 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6998 BPF_MOV64_IMM(BPF_REG_2, 0),
6999 BPF_MOV64_IMM(BPF_REG_3, 0),
7000 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7003 .fixup_map1 = { 3 },
7005 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7008 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7010 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7013 BPF_LD_MAP_FD(BPF_REG_1, 0),
7014 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7015 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7016 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7017 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7018 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7020 BPF_MOV64_IMM(BPF_REG_3, 0),
7021 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7024 .fixup_map1 = { 3 },
7026 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7029 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7031 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7032 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7034 BPF_LD_MAP_FD(BPF_REG_1, 0),
7035 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7036 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7037 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7038 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7039 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7040 BPF_MOV64_IMM(BPF_REG_3, 0),
7041 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7044 .fixup_map1 = { 3 },
7046 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7049 "helper access to variable memory: 8 bytes leak",
7051 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7053 BPF_MOV64_IMM(BPF_REG_0, 0),
7054 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7055 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7056 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7057 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7058 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7059 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7060 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7061 BPF_MOV64_IMM(BPF_REG_2, 1),
7062 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7063 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7064 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7066 BPF_MOV64_IMM(BPF_REG_3, 0),
7067 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7068 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7071 .errstr = "invalid indirect read from stack off -64+32 size 64",
7073 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7076 "helper access to variable memory: 8 bytes no leak (init memory)",
7078 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7079 BPF_MOV64_IMM(BPF_REG_0, 0),
7080 BPF_MOV64_IMM(BPF_REG_0, 0),
7081 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7082 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7083 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7084 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7085 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7086 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7087 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7088 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7089 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7090 BPF_MOV64_IMM(BPF_REG_2, 0),
7091 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7093 BPF_MOV64_IMM(BPF_REG_3, 0),
7094 BPF_EMIT_CALL(BPF_FUNC_probe_read),
7095 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7099 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
7102 "invalid and of negative number",
7104 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7105 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7106 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7107 BPF_LD_MAP_FD(BPF_REG_1, 0),
7108 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7109 BPF_FUNC_map_lookup_elem),
7110 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7111 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7112 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7113 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7114 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7115 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7116 offsetof(struct test_val, foo)),
7119 .fixup_map2 = { 3 },
7120 .errstr = "R0 max value is outside of the array range",
7122 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7125 "invalid range check",
7127 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7130 BPF_LD_MAP_FD(BPF_REG_1, 0),
7131 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7132 BPF_FUNC_map_lookup_elem),
7133 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7134 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7135 BPF_MOV64_IMM(BPF_REG_9, 1),
7136 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7137 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7138 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7139 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7140 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7141 BPF_MOV32_IMM(BPF_REG_3, 1),
7142 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7143 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7144 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7145 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7146 BPF_MOV64_REG(BPF_REG_0, 0),
7149 .fixup_map2 = { 3 },
7150 .errstr = "R0 max value is outside of the array range",
7152 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7155 "map in map access",
7157 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7160 BPF_LD_MAP_FD(BPF_REG_1, 0),
7161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7162 BPF_FUNC_map_lookup_elem),
7163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7164 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7165 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7168 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7169 BPF_FUNC_map_lookup_elem),
7170 BPF_MOV64_IMM(BPF_REG_0, 0),
7173 .fixup_map_in_map = { 3 },
7177 "invalid inner map pointer",
7179 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7180 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7182 BPF_LD_MAP_FD(BPF_REG_1, 0),
7183 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7184 BPF_FUNC_map_lookup_elem),
7185 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7186 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7189 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7192 BPF_FUNC_map_lookup_elem),
7193 BPF_MOV64_IMM(BPF_REG_0, 0),
7196 .fixup_map_in_map = { 3 },
7197 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
7201 "forgot null checking on the inner map pointer",
7203 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7204 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7206 BPF_LD_MAP_FD(BPF_REG_1, 0),
7207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7208 BPF_FUNC_map_lookup_elem),
7209 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7210 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7212 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7213 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7214 BPF_FUNC_map_lookup_elem),
7215 BPF_MOV64_IMM(BPF_REG_0, 0),
7218 .fixup_map_in_map = { 3 },
7219 .errstr = "R1 type=map_value_or_null expected=map_ptr",
7223 "ld_abs: check calling conv, r1",
7225 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7226 BPF_MOV64_IMM(BPF_REG_1, 0),
7227 BPF_LD_ABS(BPF_W, -0x200000),
7228 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7231 .errstr = "R1 !read_ok",
7235 "ld_abs: check calling conv, r2",
7237 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7238 BPF_MOV64_IMM(BPF_REG_2, 0),
7239 BPF_LD_ABS(BPF_W, -0x200000),
7240 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7243 .errstr = "R2 !read_ok",
7247 "ld_abs: check calling conv, r3",
7249 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7250 BPF_MOV64_IMM(BPF_REG_3, 0),
7251 BPF_LD_ABS(BPF_W, -0x200000),
7252 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7255 .errstr = "R3 !read_ok",
7259 "ld_abs: check calling conv, r4",
7261 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7262 BPF_MOV64_IMM(BPF_REG_4, 0),
7263 BPF_LD_ABS(BPF_W, -0x200000),
7264 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7267 .errstr = "R4 !read_ok",
7271 "ld_abs: check calling conv, r5",
7273 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7274 BPF_MOV64_IMM(BPF_REG_5, 0),
7275 BPF_LD_ABS(BPF_W, -0x200000),
7276 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7279 .errstr = "R5 !read_ok",
7283 "ld_abs: check calling conv, r7",
7285 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7286 BPF_MOV64_IMM(BPF_REG_7, 0),
7287 BPF_LD_ABS(BPF_W, -0x200000),
7288 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7294 "ld_abs: tests on r6 and skb data reload helper",
7296 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7297 BPF_LD_ABS(BPF_B, 0),
7298 BPF_LD_ABS(BPF_H, 0),
7299 BPF_LD_ABS(BPF_W, 0),
7300 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7301 BPF_MOV64_IMM(BPF_REG_6, 0),
7302 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7303 BPF_MOV64_IMM(BPF_REG_2, 1),
7304 BPF_MOV64_IMM(BPF_REG_3, 2),
7305 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7306 BPF_FUNC_skb_vlan_push),
7307 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7308 BPF_LD_ABS(BPF_B, 0),
7309 BPF_LD_ABS(BPF_H, 0),
7310 BPF_LD_ABS(BPF_W, 0),
7311 BPF_MOV64_IMM(BPF_REG_0, 42),
7314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7316 .retval = 42 /* ultimate return value */,
7319 "ld_ind: check calling conv, r1",
7321 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7322 BPF_MOV64_IMM(BPF_REG_1, 1),
7323 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7324 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7327 .errstr = "R1 !read_ok",
7331 "ld_ind: check calling conv, r2",
7333 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7334 BPF_MOV64_IMM(BPF_REG_2, 1),
7335 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7336 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7339 .errstr = "R2 !read_ok",
7343 "ld_ind: check calling conv, r3",
7345 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7346 BPF_MOV64_IMM(BPF_REG_3, 1),
7347 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7348 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7351 .errstr = "R3 !read_ok",
7355 "ld_ind: check calling conv, r4",
7357 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7358 BPF_MOV64_IMM(BPF_REG_4, 1),
7359 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7360 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7363 .errstr = "R4 !read_ok",
7367 "ld_ind: check calling conv, r5",
7369 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7370 BPF_MOV64_IMM(BPF_REG_5, 1),
7371 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7372 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7375 .errstr = "R5 !read_ok",
7379 "ld_ind: check calling conv, r7",
7381 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7382 BPF_MOV64_IMM(BPF_REG_7, 1),
7383 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7384 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7391 "check bpf_perf_event_data->sample_period byte load permitted",
7393 BPF_MOV64_IMM(BPF_REG_0, 0),
7394 #if __BYTE_ORDER == __LITTLE_ENDIAN
7395 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7396 offsetof(struct bpf_perf_event_data, sample_period)),
7398 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7399 offsetof(struct bpf_perf_event_data, sample_period) + 7),
7404 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7407 "check bpf_perf_event_data->sample_period half load permitted",
7409 BPF_MOV64_IMM(BPF_REG_0, 0),
7410 #if __BYTE_ORDER == __LITTLE_ENDIAN
7411 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7412 offsetof(struct bpf_perf_event_data, sample_period)),
7414 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7415 offsetof(struct bpf_perf_event_data, sample_period) + 6),
7420 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7423 "check bpf_perf_event_data->sample_period word load permitted",
7425 BPF_MOV64_IMM(BPF_REG_0, 0),
7426 #if __BYTE_ORDER == __LITTLE_ENDIAN
7427 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7428 offsetof(struct bpf_perf_event_data, sample_period)),
7430 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7431 offsetof(struct bpf_perf_event_data, sample_period) + 4),
7436 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7439 "check bpf_perf_event_data->sample_period dword load permitted",
7441 BPF_MOV64_IMM(BPF_REG_0, 0),
7442 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7443 offsetof(struct bpf_perf_event_data, sample_period)),
7447 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
7450 "check skb->data half load not permitted",
7452 BPF_MOV64_IMM(BPF_REG_0, 0),
7453 #if __BYTE_ORDER == __LITTLE_ENDIAN
7454 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7455 offsetof(struct __sk_buff, data)),
7457 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7458 offsetof(struct __sk_buff, data) + 2),
7463 .errstr = "invalid bpf_context access",
7466 "check skb->tc_classid half load not permitted for lwt prog",
7468 BPF_MOV64_IMM(BPF_REG_0, 0),
7469 #if __BYTE_ORDER == __LITTLE_ENDIAN
7470 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7471 offsetof(struct __sk_buff, tc_classid)),
7473 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7474 offsetof(struct __sk_buff, tc_classid) + 2),
7479 .errstr = "invalid bpf_context access",
7480 .prog_type = BPF_PROG_TYPE_LWT_IN,
7483 "bounds checks mixing signed and unsigned, positive bounds",
7485 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7486 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7488 BPF_LD_MAP_FD(BPF_REG_1, 0),
7489 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7490 BPF_FUNC_map_lookup_elem),
7491 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7492 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7493 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7494 BPF_MOV64_IMM(BPF_REG_2, 2),
7495 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7496 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7497 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7498 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7499 BPF_MOV64_IMM(BPF_REG_0, 0),
7502 .fixup_map1 = { 3 },
7503 .errstr = "unbounded min value",
7504 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7508 "bounds checks mixing signed and unsigned",
7510 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7511 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7513 BPF_LD_MAP_FD(BPF_REG_1, 0),
7514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7515 BPF_FUNC_map_lookup_elem),
7516 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7517 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7518 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7519 BPF_MOV64_IMM(BPF_REG_2, -1),
7520 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7521 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7522 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7523 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7524 BPF_MOV64_IMM(BPF_REG_0, 0),
7527 .fixup_map1 = { 3 },
7528 .errstr = "unbounded min value",
7529 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7533 "bounds checks mixing signed and unsigned, variant 2",
7535 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7536 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7538 BPF_LD_MAP_FD(BPF_REG_1, 0),
7539 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7540 BPF_FUNC_map_lookup_elem),
7541 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7542 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7543 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7544 BPF_MOV64_IMM(BPF_REG_2, -1),
7545 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7546 BPF_MOV64_IMM(BPF_REG_8, 0),
7547 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7548 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7549 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7550 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7551 BPF_MOV64_IMM(BPF_REG_0, 0),
7554 .fixup_map1 = { 3 },
7555 .errstr = "unbounded min value",
7556 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
7560 "bounds checks mixing signed and unsigned, variant 3",
7562 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7563 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7565 BPF_LD_MAP_FD(BPF_REG_1, 0),
7566 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7567 BPF_FUNC_map_lookup_elem),
7568 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7569 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7570 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7571 BPF_MOV64_IMM(BPF_REG_2, -1),
7572 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7573 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7574 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7575 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7576 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7577 BPF_MOV64_IMM(BPF_REG_0, 0),
7580 .fixup_map1 = { 3 },
7581 .errstr = "unbounded min value",
7582 .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
7586 "bounds checks mixing signed and unsigned, variant 4",
7588 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7589 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7591 BPF_LD_MAP_FD(BPF_REG_1, 0),
7592 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7593 BPF_FUNC_map_lookup_elem),
7594 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7595 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7596 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7597 BPF_MOV64_IMM(BPF_REG_2, 1),
7598 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7599 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7600 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7601 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7602 BPF_MOV64_IMM(BPF_REG_0, 0),
7605 .fixup_map1 = { 3 },
7609 "bounds checks mixing signed and unsigned, variant 5",
7611 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7612 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7614 BPF_LD_MAP_FD(BPF_REG_1, 0),
7615 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7616 BPF_FUNC_map_lookup_elem),
7617 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7618 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7619 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7620 BPF_MOV64_IMM(BPF_REG_2, -1),
7621 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7622 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7623 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7624 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7625 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7626 BPF_MOV64_IMM(BPF_REG_0, 0),
7629 .fixup_map1 = { 3 },
7630 .errstr = "unbounded min value",
7631 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7635 "bounds checks mixing signed and unsigned, variant 6",
7637 BPF_MOV64_IMM(BPF_REG_2, 0),
7638 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7640 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7641 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7642 BPF_MOV64_IMM(BPF_REG_6, -1),
7643 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7644 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7646 BPF_MOV64_IMM(BPF_REG_5, 0),
7647 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7649 BPF_FUNC_skb_load_bytes),
7650 BPF_MOV64_IMM(BPF_REG_0, 0),
7653 .errstr = "R4 min value is negative, either use unsigned",
7657 "bounds checks mixing signed and unsigned, variant 7",
7659 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7660 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7661 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7662 BPF_LD_MAP_FD(BPF_REG_1, 0),
7663 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7664 BPF_FUNC_map_lookup_elem),
7665 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7666 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7667 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7668 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7669 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7670 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7671 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7672 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7673 BPF_MOV64_IMM(BPF_REG_0, 0),
7676 .fixup_map1 = { 3 },
7680 "bounds checks mixing signed and unsigned, variant 8",
7682 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7684 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7685 BPF_LD_MAP_FD(BPF_REG_1, 0),
7686 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7687 BPF_FUNC_map_lookup_elem),
7688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7689 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7690 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7691 BPF_MOV64_IMM(BPF_REG_2, -1),
7692 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7693 BPF_MOV64_IMM(BPF_REG_0, 0),
7695 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7696 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7697 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7698 BPF_MOV64_IMM(BPF_REG_0, 0),
7701 .fixup_map1 = { 3 },
7702 .errstr = "unbounded min value",
7703 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7707 "bounds checks mixing signed and unsigned, variant 9",
7709 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7710 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7712 BPF_LD_MAP_FD(BPF_REG_1, 0),
7713 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7714 BPF_FUNC_map_lookup_elem),
7715 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7716 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7717 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7718 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7719 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7720 BPF_MOV64_IMM(BPF_REG_0, 0),
7722 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7723 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7724 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7725 BPF_MOV64_IMM(BPF_REG_0, 0),
7728 .fixup_map1 = { 3 },
7732 "bounds checks mixing signed and unsigned, variant 10",
7734 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7737 BPF_LD_MAP_FD(BPF_REG_1, 0),
7738 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7739 BPF_FUNC_map_lookup_elem),
7740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7741 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7742 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7743 BPF_MOV64_IMM(BPF_REG_2, 0),
7744 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7745 BPF_MOV64_IMM(BPF_REG_0, 0),
7747 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7748 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7749 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7750 BPF_MOV64_IMM(BPF_REG_0, 0),
7753 .fixup_map1 = { 3 },
7754 .errstr = "unbounded min value",
7755 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7759 "bounds checks mixing signed and unsigned, variant 11",
7761 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7762 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7763 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7764 BPF_LD_MAP_FD(BPF_REG_1, 0),
7765 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7766 BPF_FUNC_map_lookup_elem),
7767 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7768 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7769 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7770 BPF_MOV64_IMM(BPF_REG_2, -1),
7771 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7773 BPF_MOV64_IMM(BPF_REG_0, 0),
7775 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7776 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7777 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7778 BPF_MOV64_IMM(BPF_REG_0, 0),
7781 .fixup_map1 = { 3 },
7782 .errstr = "unbounded min value",
7783 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7787 "bounds checks mixing signed and unsigned, variant 12",
7789 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7790 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7792 BPF_LD_MAP_FD(BPF_REG_1, 0),
7793 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7794 BPF_FUNC_map_lookup_elem),
7795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7796 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7797 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7798 BPF_MOV64_IMM(BPF_REG_2, -6),
7799 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7800 BPF_MOV64_IMM(BPF_REG_0, 0),
7802 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7803 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7804 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7805 BPF_MOV64_IMM(BPF_REG_0, 0),
7808 .fixup_map1 = { 3 },
7809 .errstr = "unbounded min value",
7810 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7814 "bounds checks mixing signed and unsigned, variant 13",
7816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7819 BPF_LD_MAP_FD(BPF_REG_1, 0),
7820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7821 BPF_FUNC_map_lookup_elem),
7822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7823 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7824 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7825 BPF_MOV64_IMM(BPF_REG_2, 2),
7826 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7827 BPF_MOV64_IMM(BPF_REG_7, 1),
7828 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7829 BPF_MOV64_IMM(BPF_REG_0, 0),
7831 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7832 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7833 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7834 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7835 BPF_MOV64_IMM(BPF_REG_0, 0),
7838 .fixup_map1 = { 3 },
7839 .errstr = "unbounded min value",
7840 .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
7844 "bounds checks mixing signed and unsigned, variant 14",
7846 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7847 offsetof(struct __sk_buff, mark)),
7848 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7849 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7851 BPF_LD_MAP_FD(BPF_REG_1, 0),
7852 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7853 BPF_FUNC_map_lookup_elem),
7854 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7855 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7856 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7857 BPF_MOV64_IMM(BPF_REG_2, -1),
7858 BPF_MOV64_IMM(BPF_REG_8, 2),
7859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7860 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7861 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7862 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7863 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7864 BPF_MOV64_IMM(BPF_REG_0, 0),
7866 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7867 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7869 .fixup_map1 = { 4 },
7870 .errstr = "unbounded min value",
7871 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7875 "bounds checks mixing signed and unsigned, variant 15",
7877 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7878 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7880 BPF_LD_MAP_FD(BPF_REG_1, 0),
7881 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7882 BPF_FUNC_map_lookup_elem),
7883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7884 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7885 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7886 BPF_MOV64_IMM(BPF_REG_2, -6),
7887 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7888 BPF_MOV64_IMM(BPF_REG_0, 0),
7890 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7891 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7892 BPF_MOV64_IMM(BPF_REG_0, 0),
7894 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7895 BPF_MOV64_IMM(BPF_REG_0, 0),
7898 .fixup_map1 = { 3 },
7899 .errstr = "unbounded min value",
7900 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7902 .result_unpriv = REJECT,
7905 "subtraction bounds (map value) variant 1",
7907 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7908 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7910 BPF_LD_MAP_FD(BPF_REG_1, 0),
7911 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7912 BPF_FUNC_map_lookup_elem),
7913 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7914 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7915 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7916 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7917 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7918 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7919 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7920 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7921 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7923 BPF_MOV64_IMM(BPF_REG_0, 0),
7926 .fixup_map1 = { 3 },
7927 .errstr = "R0 max value is outside of the array range",
7931 "subtraction bounds (map value) variant 2",
7933 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7934 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7936 BPF_LD_MAP_FD(BPF_REG_1, 0),
7937 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7938 BPF_FUNC_map_lookup_elem),
7939 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7940 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7941 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7942 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7943 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7944 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7945 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7946 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7948 BPF_MOV64_IMM(BPF_REG_0, 0),
7951 .fixup_map1 = { 3 },
7952 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7953 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
7957 "bounds check based on zero-extended MOV",
7959 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7960 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7961 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7962 BPF_LD_MAP_FD(BPF_REG_1, 0),
7963 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7964 BPF_FUNC_map_lookup_elem),
7965 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7966 /* r2 = 0x0000'0000'ffff'ffff */
7967 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7969 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7971 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7972 /* access at offset 0 */
7973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7975 BPF_MOV64_IMM(BPF_REG_0, 0),
7978 .fixup_map1 = { 3 },
7982 "bounds check based on sign-extended MOV. test1",
7984 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7985 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7987 BPF_LD_MAP_FD(BPF_REG_1, 0),
7988 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7989 BPF_FUNC_map_lookup_elem),
7990 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7991 /* r2 = 0xffff'ffff'ffff'ffff */
7992 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7993 /* r2 = 0xffff'ffff */
7994 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7995 /* r0 = <oob pointer> */
7996 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7997 /* access to OOB pointer */
7998 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8000 BPF_MOV64_IMM(BPF_REG_0, 0),
8003 .fixup_map1 = { 3 },
8004 .errstr = "map_value pointer and 4294967295",
8008 "bounds check based on sign-extended MOV. test2",
8010 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8011 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8013 BPF_LD_MAP_FD(BPF_REG_1, 0),
8014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8015 BPF_FUNC_map_lookup_elem),
8016 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8017 /* r2 = 0xffff'ffff'ffff'ffff */
8018 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8019 /* r2 = 0xfff'ffff */
8020 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8021 /* r0 = <oob pointer> */
8022 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8023 /* access to OOB pointer */
8024 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8026 BPF_MOV64_IMM(BPF_REG_0, 0),
8029 .fixup_map1 = { 3 },
8030 .errstr = "R0 min value is outside of the array range",
8034 "bounds check based on reg_off + var_off + insn_off. test1",
8036 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8037 offsetof(struct __sk_buff, mark)),
8038 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8041 BPF_LD_MAP_FD(BPF_REG_1, 0),
8042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8043 BPF_FUNC_map_lookup_elem),
8044 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8045 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8047 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8049 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8050 BPF_MOV64_IMM(BPF_REG_0, 0),
8053 .fixup_map1 = { 4 },
8054 .errstr = "value_size=8 off=1073741825",
8056 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8059 "bounds check based on reg_off + var_off + insn_off. test2",
8061 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8062 offsetof(struct __sk_buff, mark)),
8063 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8064 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8066 BPF_LD_MAP_FD(BPF_REG_1, 0),
8067 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8068 BPF_FUNC_map_lookup_elem),
8069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8070 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8072 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8074 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8075 BPF_MOV64_IMM(BPF_REG_0, 0),
8078 .fixup_map1 = { 4 },
8079 .errstr = "value 1073741823",
8081 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8084 "bounds check after truncation of non-boundary-crossing range",
8086 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8087 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8088 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8089 BPF_LD_MAP_FD(BPF_REG_1, 0),
8090 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8091 BPF_FUNC_map_lookup_elem),
8092 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8093 /* r1 = [0x00, 0xff] */
8094 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8095 BPF_MOV64_IMM(BPF_REG_2, 1),
8096 /* r2 = 0x10'0000'0000 */
8097 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8098 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8099 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8100 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8102 /* r1 = [0x00, 0xff] */
8103 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8105 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8107 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8108 /* access at offset 0 */
8109 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8111 BPF_MOV64_IMM(BPF_REG_0, 0),
8114 .fixup_map1 = { 3 },
8118 "bounds check after truncation of boundary-crossing range (1)",
8120 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8121 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8123 BPF_LD_MAP_FD(BPF_REG_1, 0),
8124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8125 BPF_FUNC_map_lookup_elem),
8126 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8127 /* r1 = [0x00, 0xff] */
8128 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8129 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8130 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8132 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8133 * [0x0000'0000, 0x0000'007f]
8135 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8136 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8137 /* r1 = [0x00, 0xff] or
8138 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8140 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8142 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8144 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8145 /* no-op or OOB pointer computation */
8146 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8147 /* potentially OOB access */
8148 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8150 BPF_MOV64_IMM(BPF_REG_0, 0),
8153 .fixup_map1 = { 3 },
8154 /* not actually fully unbounded, but the bound is very high */
8155 .errstr = "R0 unbounded memory access",
8159 "bounds check after truncation of boundary-crossing range (2)",
8161 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8164 BPF_LD_MAP_FD(BPF_REG_1, 0),
8165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8166 BPF_FUNC_map_lookup_elem),
8167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8168 /* r1 = [0x00, 0xff] */
8169 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8171 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
8172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8173 /* r1 = [0xffff'ff80, 0xffff'ffff] or
8174 * [0x0000'0000, 0x0000'007f]
8175 * difference to previous test: truncation via MOV32
8178 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8179 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8180 /* r1 = [0x00, 0xff] or
8181 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8183 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8185 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8187 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8188 /* no-op or OOB pointer computation */
8189 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8190 /* potentially OOB access */
8191 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8193 BPF_MOV64_IMM(BPF_REG_0, 0),
8196 .fixup_map1 = { 3 },
8197 /* not actually fully unbounded, but the bound is very high */
8198 .errstr = "R0 unbounded memory access",
8202 "bounds check after wrapping 32-bit addition",
8204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8207 BPF_LD_MAP_FD(BPF_REG_1, 0),
8208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8209 BPF_FUNC_map_lookup_elem),
8210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8211 /* r1 = 0x7fff'ffff */
8212 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8213 /* r1 = 0xffff'fffe */
8214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8216 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8218 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8219 /* access at offset 0 */
8220 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8222 BPF_MOV64_IMM(BPF_REG_0, 0),
8225 .fixup_map1 = { 3 },
8229 "bounds check after shift with oversized count operand",
8231 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8232 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8233 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8234 BPF_LD_MAP_FD(BPF_REG_1, 0),
8235 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8236 BPF_FUNC_map_lookup_elem),
8237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8238 BPF_MOV64_IMM(BPF_REG_2, 32),
8239 BPF_MOV64_IMM(BPF_REG_1, 1),
8240 /* r1 = (u32)1 << (u32)32 = ? */
8241 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8242 /* r1 = [0x0000, 0xffff] */
8243 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8244 /* computes unknown pointer, potentially OOB */
8245 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8246 /* potentially OOB access */
8247 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8249 BPF_MOV64_IMM(BPF_REG_0, 0),
8252 .fixup_map1 = { 3 },
8253 .errstr = "R0 max value is outside of the array range",
8257 "bounds check after right shift of maybe-negative number",
8259 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8260 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8262 BPF_LD_MAP_FD(BPF_REG_1, 0),
8263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8264 BPF_FUNC_map_lookup_elem),
8265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8266 /* r1 = [0x00, 0xff] */
8267 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8268 /* r1 = [-0x01, 0xfe] */
8269 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8270 /* r1 = 0 or 0xff'ffff'ffff'ffff */
8271 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8272 /* r1 = 0 or 0xffff'ffff'ffff */
8273 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8274 /* computes unknown pointer, potentially OOB */
8275 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8276 /* potentially OOB access */
8277 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8279 BPF_MOV64_IMM(BPF_REG_0, 0),
8282 .fixup_map1 = { 3 },
8283 .errstr = "R0 unbounded memory access",
8287 "bounds check map access with off+size signed 32bit overflow. test1",
8289 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8292 BPF_LD_MAP_FD(BPF_REG_1, 0),
8293 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8294 BPF_FUNC_map_lookup_elem),
8295 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8298 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8302 .fixup_map1 = { 3 },
8303 .errstr = "map_value pointer and 2147483646",
8307 "bounds check map access with off+size signed 32bit overflow. test2",
8309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8312 BPF_LD_MAP_FD(BPF_REG_1, 0),
8313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8314 BPF_FUNC_map_lookup_elem),
8315 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8324 .fixup_map1 = { 3 },
8325 .errstr = "pointer offset 1073741822",
8326 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
8330 "bounds check map access with off+size signed 32bit overflow. test3",
8332 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8335 BPF_LD_MAP_FD(BPF_REG_1, 0),
8336 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8337 BPF_FUNC_map_lookup_elem),
8338 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8340 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8341 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8342 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8346 .fixup_map1 = { 3 },
8347 .errstr = "pointer offset -1073741822",
8348 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
8352 "bounds check map access with off+size signed 32bit overflow. test4",
8354 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8355 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8357 BPF_LD_MAP_FD(BPF_REG_1, 0),
8358 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8359 BPF_FUNC_map_lookup_elem),
8360 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8362 BPF_MOV64_IMM(BPF_REG_1, 1000000),
8363 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8364 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8365 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8369 .fixup_map1 = { 3 },
8370 .errstr = "map_value pointer and 1000000000000",
8374 "pointer/scalar confusion in state equality check (way 1)",
8376 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8377 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8379 BPF_LD_MAP_FD(BPF_REG_1, 0),
8380 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8381 BPF_FUNC_map_lookup_elem),
8382 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8383 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8385 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8389 .fixup_map1 = { 3 },
8391 .retval = POINTER_VALUE,
8392 .result_unpriv = REJECT,
8393 .errstr_unpriv = "R0 leaks addr as return value"
8396 "pointer/scalar confusion in state equality check (way 2)",
8398 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8401 BPF_LD_MAP_FD(BPF_REG_1, 0),
8402 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8403 BPF_FUNC_map_lookup_elem),
8404 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8405 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8407 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8410 .fixup_map1 = { 3 },
8412 .retval = POINTER_VALUE,
8413 .result_unpriv = REJECT,
8414 .errstr_unpriv = "R0 leaks addr as return value"
8417 "variable-offset ctx access",
8419 /* Get an unknown value */
8420 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8421 /* Make it small and 4-byte aligned */
8422 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8423 /* add it to skb. We now have either &skb->len or
8424 * &skb->pkt_type, but we don't know which
8426 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8427 /* dereference it */
8428 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8431 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8433 .prog_type = BPF_PROG_TYPE_LWT_IN,
8436 "variable-offset stack access",
8438 /* Fill the top 8 bytes of the stack */
8439 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8440 /* Get an unknown value */
8441 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8442 /* Make it small and 4-byte aligned */
8443 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8444 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8445 /* add it to fp. We now have either fp-4 or fp-8, but
8446 * we don't know which
8448 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8449 /* dereference it */
8450 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8453 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8455 .prog_type = BPF_PROG_TYPE_LWT_IN,
8458 "indirect variable-offset stack access",
8460 /* Fill the top 8 bytes of the stack */
8461 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8462 /* Get an unknown value */
8463 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8464 /* Make it small and 4-byte aligned */
8465 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8466 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8467 /* add it to fp. We now have either fp-4 or fp-8, but
8468 * we don't know which
8470 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8471 /* dereference it indirectly */
8472 BPF_LD_MAP_FD(BPF_REG_1, 0),
8473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8474 BPF_FUNC_map_lookup_elem),
8475 BPF_MOV64_IMM(BPF_REG_0, 0),
8478 .fixup_map1 = { 5 },
8479 .errstr = "variable stack read R2",
8481 .prog_type = BPF_PROG_TYPE_LWT_IN,
8484 "direct stack access with 32-bit wraparound. test1",
8486 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8487 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8489 BPF_MOV32_IMM(BPF_REG_0, 0),
8490 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8493 .errstr = "fp pointer and 2147483647",
8497 "direct stack access with 32-bit wraparound. test2",
8499 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8502 BPF_MOV32_IMM(BPF_REG_0, 0),
8503 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8506 .errstr = "fp pointer and 1073741823",
8510 "direct stack access with 32-bit wraparound. test3",
8512 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8515 BPF_MOV32_IMM(BPF_REG_0, 0),
8516 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8519 .errstr = "fp pointer offset 1073741822",
8520 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
8524 "liveness pruning and write screening",
8526 /* Get an unknown value */
8527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8528 /* branch conditions teach us nothing about R2 */
8529 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8530 BPF_MOV64_IMM(BPF_REG_0, 0),
8531 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8532 BPF_MOV64_IMM(BPF_REG_0, 0),
8535 .errstr = "R0 !read_ok",
8537 .prog_type = BPF_PROG_TYPE_LWT_IN,
8540 "varlen_map_value_access pruning",
8542 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8543 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8544 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8545 BPF_LD_MAP_FD(BPF_REG_1, 0),
8546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8547 BPF_FUNC_map_lookup_elem),
8548 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8549 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8550 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8551 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8552 BPF_MOV32_IMM(BPF_REG_1, 0),
8553 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8554 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8555 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8556 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8557 offsetof(struct test_val, foo)),
8560 .fixup_map2 = { 3 },
8561 .errstr_unpriv = "R0 leaks addr",
8562 .errstr = "R0 unbounded memory access",
8563 .result_unpriv = REJECT,
8565 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8568 "invalid 64-bit BPF_END",
8570 BPF_MOV32_IMM(BPF_REG_0, 0),
8572 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
8573 .dst_reg = BPF_REG_0,
8580 .errstr = "unknown opcode d7",
8584 "XDP, using ifindex from netdev",
8586 BPF_MOV64_IMM(BPF_REG_0, 0),
8587 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8588 offsetof(struct xdp_md, ingress_ifindex)),
8589 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8590 BPF_MOV64_IMM(BPF_REG_0, 1),
8594 .prog_type = BPF_PROG_TYPE_XDP,
8598 "meta access, test1",
8600 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8601 offsetof(struct xdp_md, data_meta)),
8602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8603 offsetof(struct xdp_md, data)),
8604 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8606 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8607 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8608 BPF_MOV64_IMM(BPF_REG_0, 0),
8612 .prog_type = BPF_PROG_TYPE_XDP,
8615 "meta access, test2",
8617 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8618 offsetof(struct xdp_md, data_meta)),
8619 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8620 offsetof(struct xdp_md, data)),
8621 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8622 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8623 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8624 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8625 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8626 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8627 BPF_MOV64_IMM(BPF_REG_0, 0),
8631 .errstr = "invalid access to packet, off=-8",
8632 .prog_type = BPF_PROG_TYPE_XDP,
8635 "meta access, test3",
8637 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8638 offsetof(struct xdp_md, data_meta)),
8639 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8640 offsetof(struct xdp_md, data_end)),
8641 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8643 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8644 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8645 BPF_MOV64_IMM(BPF_REG_0, 0),
8649 .errstr = "invalid access to packet",
8650 .prog_type = BPF_PROG_TYPE_XDP,
8653 "meta access, test4",
8655 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8656 offsetof(struct xdp_md, data_meta)),
8657 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8658 offsetof(struct xdp_md, data_end)),
8659 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8660 offsetof(struct xdp_md, data)),
8661 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8663 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8664 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8665 BPF_MOV64_IMM(BPF_REG_0, 0),
8669 .errstr = "invalid access to packet",
8670 .prog_type = BPF_PROG_TYPE_XDP,
8673 "meta access, test5",
8675 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8676 offsetof(struct xdp_md, data_meta)),
8677 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8678 offsetof(struct xdp_md, data)),
8679 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8680 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8681 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8682 BPF_MOV64_IMM(BPF_REG_2, -8),
8683 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8684 BPF_FUNC_xdp_adjust_meta),
8685 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8686 BPF_MOV64_IMM(BPF_REG_0, 0),
8690 .errstr = "R3 !read_ok",
8691 .prog_type = BPF_PROG_TYPE_XDP,
8694 "meta access, test6",
8696 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8697 offsetof(struct xdp_md, data_meta)),
8698 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8699 offsetof(struct xdp_md, data)),
8700 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8702 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8704 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8705 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8706 BPF_MOV64_IMM(BPF_REG_0, 0),
8710 .errstr = "invalid access to packet",
8711 .prog_type = BPF_PROG_TYPE_XDP,
8714 "meta access, test7",
8716 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8717 offsetof(struct xdp_md, data_meta)),
8718 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8719 offsetof(struct xdp_md, data)),
8720 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8722 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8724 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8725 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8726 BPF_MOV64_IMM(BPF_REG_0, 0),
8730 .prog_type = BPF_PROG_TYPE_XDP,
8733 "meta access, test8",
8735 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8736 offsetof(struct xdp_md, data_meta)),
8737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8738 offsetof(struct xdp_md, data)),
8739 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8741 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8742 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8743 BPF_MOV64_IMM(BPF_REG_0, 0),
8747 .prog_type = BPF_PROG_TYPE_XDP,
8750 "meta access, test9",
8752 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8753 offsetof(struct xdp_md, data_meta)),
8754 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8755 offsetof(struct xdp_md, data)),
8756 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8759 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8760 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8761 BPF_MOV64_IMM(BPF_REG_0, 0),
8765 .errstr = "invalid access to packet",
8766 .prog_type = BPF_PROG_TYPE_XDP,
8769 "meta access, test10",
8771 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8772 offsetof(struct xdp_md, data_meta)),
8773 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8774 offsetof(struct xdp_md, data)),
8775 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8776 offsetof(struct xdp_md, data_end)),
8777 BPF_MOV64_IMM(BPF_REG_5, 42),
8778 BPF_MOV64_IMM(BPF_REG_6, 24),
8779 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8780 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8781 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8782 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8783 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8784 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8785 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8787 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8788 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8789 BPF_MOV64_IMM(BPF_REG_0, 0),
8793 .errstr = "invalid access to packet",
8794 .prog_type = BPF_PROG_TYPE_XDP,
8797 "meta access, test11",
8799 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8800 offsetof(struct xdp_md, data_meta)),
8801 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8802 offsetof(struct xdp_md, data)),
8803 BPF_MOV64_IMM(BPF_REG_5, 42),
8804 BPF_MOV64_IMM(BPF_REG_6, 24),
8805 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8806 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8807 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8808 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8809 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8810 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8811 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8813 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8814 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8815 BPF_MOV64_IMM(BPF_REG_0, 0),
8819 .prog_type = BPF_PROG_TYPE_XDP,
8822 "meta access, test12",
8824 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8825 offsetof(struct xdp_md, data_meta)),
8826 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8827 offsetof(struct xdp_md, data)),
8828 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8829 offsetof(struct xdp_md, data_end)),
8830 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8832 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8833 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8834 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8836 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8837 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8838 BPF_MOV64_IMM(BPF_REG_0, 0),
8842 .prog_type = BPF_PROG_TYPE_XDP,
8845 "arithmetic ops make PTR_TO_CTX unusable",
8847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8848 offsetof(struct __sk_buff, data) -
8849 offsetof(struct __sk_buff, mark)),
8850 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8851 offsetof(struct __sk_buff, mark)),
8854 .errstr = "dereference of modified ctx ptr",
8856 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8859 "pkt_end - pkt_start is allowed",
8861 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8862 offsetof(struct __sk_buff, data_end)),
8863 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8864 offsetof(struct __sk_buff, data)),
8865 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8869 .retval = TEST_DATA_LEN,
8870 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8873 "XDP pkt read, pkt_end mangling, bad access 1",
8875 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8876 offsetof(struct xdp_md, data)),
8877 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8878 offsetof(struct xdp_md, data_end)),
8879 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8880 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8881 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8882 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8883 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8884 BPF_MOV64_IMM(BPF_REG_0, 0),
8887 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8889 .prog_type = BPF_PROG_TYPE_XDP,
8892 "XDP pkt read, pkt_end mangling, bad access 2",
8894 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8895 offsetof(struct xdp_md, data)),
8896 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8897 offsetof(struct xdp_md, data_end)),
8898 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8899 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8900 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8901 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8902 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8903 BPF_MOV64_IMM(BPF_REG_0, 0),
8906 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8908 .prog_type = BPF_PROG_TYPE_XDP,
8911 "XDP pkt read, pkt_data' > pkt_end, good access",
8913 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8914 offsetof(struct xdp_md, data)),
8915 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8916 offsetof(struct xdp_md, data_end)),
8917 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8919 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8920 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8921 BPF_MOV64_IMM(BPF_REG_0, 0),
8925 .prog_type = BPF_PROG_TYPE_XDP,
8928 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8930 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8931 offsetof(struct xdp_md, data)),
8932 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8933 offsetof(struct xdp_md, data_end)),
8934 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8936 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8937 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8938 BPF_MOV64_IMM(BPF_REG_0, 0),
8941 .errstr = "R1 offset is outside of the packet",
8943 .prog_type = BPF_PROG_TYPE_XDP,
8944 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8947 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8949 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8950 offsetof(struct xdp_md, data)),
8951 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8952 offsetof(struct xdp_md, data_end)),
8953 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8955 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8956 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8957 BPF_MOV64_IMM(BPF_REG_0, 0),
8960 .errstr = "R1 offset is outside of the packet",
8962 .prog_type = BPF_PROG_TYPE_XDP,
8965 "XDP pkt read, pkt_end > pkt_data', good access",
8967 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8968 offsetof(struct xdp_md, data)),
8969 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8970 offsetof(struct xdp_md, data_end)),
8971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8972 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8973 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8974 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8975 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8976 BPF_MOV64_IMM(BPF_REG_0, 0),
8980 .prog_type = BPF_PROG_TYPE_XDP,
8981 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8984 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8986 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8987 offsetof(struct xdp_md, data)),
8988 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8989 offsetof(struct xdp_md, data_end)),
8990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8992 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8993 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8994 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8995 BPF_MOV64_IMM(BPF_REG_0, 0),
8998 .errstr = "R1 offset is outside of the packet",
9000 .prog_type = BPF_PROG_TYPE_XDP,
9003 "XDP pkt read, pkt_end > pkt_data', bad access 2",
9005 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9006 offsetof(struct xdp_md, data)),
9007 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9008 offsetof(struct xdp_md, data_end)),
9009 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9010 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9011 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9012 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9013 BPF_MOV64_IMM(BPF_REG_0, 0),
9016 .errstr = "R1 offset is outside of the packet",
9018 .prog_type = BPF_PROG_TYPE_XDP,
9021 "XDP pkt read, pkt_data' < pkt_end, good access",
9023 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9024 offsetof(struct xdp_md, data)),
9025 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9026 offsetof(struct xdp_md, data_end)),
9027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9029 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9030 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9031 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9032 BPF_MOV64_IMM(BPF_REG_0, 0),
9036 .prog_type = BPF_PROG_TYPE_XDP,
9037 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9040 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
9042 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9043 offsetof(struct xdp_md, data)),
9044 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9045 offsetof(struct xdp_md, data_end)),
9046 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9048 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9049 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9050 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9051 BPF_MOV64_IMM(BPF_REG_0, 0),
9054 .errstr = "R1 offset is outside of the packet",
9056 .prog_type = BPF_PROG_TYPE_XDP,
9059 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
9061 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9062 offsetof(struct xdp_md, data)),
9063 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9064 offsetof(struct xdp_md, data_end)),
9065 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9067 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9068 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9069 BPF_MOV64_IMM(BPF_REG_0, 0),
9072 .errstr = "R1 offset is outside of the packet",
9074 .prog_type = BPF_PROG_TYPE_XDP,
9077 "XDP pkt read, pkt_end < pkt_data', good access",
9079 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9080 offsetof(struct xdp_md, data)),
9081 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9082 offsetof(struct xdp_md, data_end)),
9083 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9085 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9086 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9087 BPF_MOV64_IMM(BPF_REG_0, 0),
9091 .prog_type = BPF_PROG_TYPE_XDP,
9094 "XDP pkt read, pkt_end < pkt_data', bad access 1",
9096 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9097 offsetof(struct xdp_md, data)),
9098 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9099 offsetof(struct xdp_md, data_end)),
9100 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9102 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9103 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9104 BPF_MOV64_IMM(BPF_REG_0, 0),
9107 .errstr = "R1 offset is outside of the packet",
9109 .prog_type = BPF_PROG_TYPE_XDP,
9110 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9113 "XDP pkt read, pkt_end < pkt_data', bad access 2",
9115 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9116 offsetof(struct xdp_md, data)),
9117 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9118 offsetof(struct xdp_md, data_end)),
9119 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9121 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9122 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9123 BPF_MOV64_IMM(BPF_REG_0, 0),
9126 .errstr = "R1 offset is outside of the packet",
9128 .prog_type = BPF_PROG_TYPE_XDP,
9131 "XDP pkt read, pkt_data' >= pkt_end, good access",
9133 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9134 offsetof(struct xdp_md, data)),
9135 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9136 offsetof(struct xdp_md, data_end)),
9137 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9138 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9139 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9140 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9141 BPF_MOV64_IMM(BPF_REG_0, 0),
9145 .prog_type = BPF_PROG_TYPE_XDP,
9146 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9149 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9151 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9152 offsetof(struct xdp_md, data)),
9153 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9154 offsetof(struct xdp_md, data_end)),
9155 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9156 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9157 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9158 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9159 BPF_MOV64_IMM(BPF_REG_0, 0),
9162 .errstr = "R1 offset is outside of the packet",
9164 .prog_type = BPF_PROG_TYPE_XDP,
9167 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9169 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9170 offsetof(struct xdp_md, data)),
9171 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9172 offsetof(struct xdp_md, data_end)),
9173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9175 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9176 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9177 BPF_MOV64_IMM(BPF_REG_0, 0),
9180 .errstr = "R1 offset is outside of the packet",
9182 .prog_type = BPF_PROG_TYPE_XDP,
9183 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9186 "XDP pkt read, pkt_end >= pkt_data', good access",
9188 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9189 offsetof(struct xdp_md, data)),
9190 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9191 offsetof(struct xdp_md, data_end)),
9192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9193 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9194 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9195 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9196 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9197 BPF_MOV64_IMM(BPF_REG_0, 0),
9201 .prog_type = BPF_PROG_TYPE_XDP,
9204 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
9206 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9207 offsetof(struct xdp_md, data)),
9208 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9209 offsetof(struct xdp_md, data_end)),
9210 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9211 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9212 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9213 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9214 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9215 BPF_MOV64_IMM(BPF_REG_0, 0),
9218 .errstr = "R1 offset is outside of the packet",
9220 .prog_type = BPF_PROG_TYPE_XDP,
9221 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9224 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
9226 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9227 offsetof(struct xdp_md, data)),
9228 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9229 offsetof(struct xdp_md, data_end)),
9230 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9232 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9233 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9234 BPF_MOV64_IMM(BPF_REG_0, 0),
9237 .errstr = "R1 offset is outside of the packet",
9239 .prog_type = BPF_PROG_TYPE_XDP,
9242 "XDP pkt read, pkt_data' <= pkt_end, good access",
9244 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9245 offsetof(struct xdp_md, data)),
9246 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9247 offsetof(struct xdp_md, data_end)),
9248 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9250 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9251 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9252 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9253 BPF_MOV64_IMM(BPF_REG_0, 0),
9257 .prog_type = BPF_PROG_TYPE_XDP,
9260 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9262 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9263 offsetof(struct xdp_md, data)),
9264 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9265 offsetof(struct xdp_md, data_end)),
9266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9267 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9268 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9269 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9270 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9271 BPF_MOV64_IMM(BPF_REG_0, 0),
9274 .errstr = "R1 offset is outside of the packet",
9276 .prog_type = BPF_PROG_TYPE_XDP,
9277 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9280 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9282 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9283 offsetof(struct xdp_md, data)),
9284 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9285 offsetof(struct xdp_md, data_end)),
9286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9288 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9289 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9290 BPF_MOV64_IMM(BPF_REG_0, 0),
9293 .errstr = "R1 offset is outside of the packet",
9295 .prog_type = BPF_PROG_TYPE_XDP,
9298 "XDP pkt read, pkt_end <= pkt_data', good access",
9300 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9301 offsetof(struct xdp_md, data)),
9302 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9303 offsetof(struct xdp_md, data_end)),
9304 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9306 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9307 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9308 BPF_MOV64_IMM(BPF_REG_0, 0),
9312 .prog_type = BPF_PROG_TYPE_XDP,
9313 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9316 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
9318 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9319 offsetof(struct xdp_md, data)),
9320 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9321 offsetof(struct xdp_md, data_end)),
9322 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9324 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9325 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9326 BPF_MOV64_IMM(BPF_REG_0, 0),
9329 .errstr = "R1 offset is outside of the packet",
9331 .prog_type = BPF_PROG_TYPE_XDP,
9334 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
9336 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9337 offsetof(struct xdp_md, data)),
9338 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9339 offsetof(struct xdp_md, data_end)),
9340 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9342 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9343 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9344 BPF_MOV64_IMM(BPF_REG_0, 0),
9347 .errstr = "R1 offset is outside of the packet",
9349 .prog_type = BPF_PROG_TYPE_XDP,
9350 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9353 "XDP pkt read, pkt_meta' > pkt_data, good access",
9355 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9356 offsetof(struct xdp_md, data_meta)),
9357 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9358 offsetof(struct xdp_md, data)),
9359 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9360 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9361 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9362 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9363 BPF_MOV64_IMM(BPF_REG_0, 0),
9367 .prog_type = BPF_PROG_TYPE_XDP,
9370 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9372 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9373 offsetof(struct xdp_md, data_meta)),
9374 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9375 offsetof(struct xdp_md, data)),
9376 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9377 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9378 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9379 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9380 BPF_MOV64_IMM(BPF_REG_0, 0),
9383 .errstr = "R1 offset is outside of the packet",
9385 .prog_type = BPF_PROG_TYPE_XDP,
9386 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9389 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9391 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9392 offsetof(struct xdp_md, data_meta)),
9393 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9394 offsetof(struct xdp_md, data)),
9395 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9397 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9398 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9399 BPF_MOV64_IMM(BPF_REG_0, 0),
9402 .errstr = "R1 offset is outside of the packet",
9404 .prog_type = BPF_PROG_TYPE_XDP,
9407 "XDP pkt read, pkt_data > pkt_meta', good access",
9409 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9410 offsetof(struct xdp_md, data_meta)),
9411 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9412 offsetof(struct xdp_md, data)),
9413 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9414 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9415 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9416 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9417 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9418 BPF_MOV64_IMM(BPF_REG_0, 0),
9422 .prog_type = BPF_PROG_TYPE_XDP,
9423 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9426 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
9428 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9429 offsetof(struct xdp_md, data_meta)),
9430 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9431 offsetof(struct xdp_md, data)),
9432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9434 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9435 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9436 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9437 BPF_MOV64_IMM(BPF_REG_0, 0),
9440 .errstr = "R1 offset is outside of the packet",
9442 .prog_type = BPF_PROG_TYPE_XDP,
9445 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
9447 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9448 offsetof(struct xdp_md, data_meta)),
9449 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9450 offsetof(struct xdp_md, data)),
9451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9453 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9454 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9455 BPF_MOV64_IMM(BPF_REG_0, 0),
9458 .errstr = "R1 offset is outside of the packet",
9460 .prog_type = BPF_PROG_TYPE_XDP,
9463 "XDP pkt read, pkt_meta' < pkt_data, good access",
9465 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9466 offsetof(struct xdp_md, data_meta)),
9467 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9468 offsetof(struct xdp_md, data)),
9469 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9470 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9471 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9472 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9473 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9474 BPF_MOV64_IMM(BPF_REG_0, 0),
9478 .prog_type = BPF_PROG_TYPE_XDP,
9479 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9482 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9484 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9485 offsetof(struct xdp_md, data_meta)),
9486 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9487 offsetof(struct xdp_md, data)),
9488 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9490 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9491 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9492 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9493 BPF_MOV64_IMM(BPF_REG_0, 0),
9496 .errstr = "R1 offset is outside of the packet",
9498 .prog_type = BPF_PROG_TYPE_XDP,
9501 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9503 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9504 offsetof(struct xdp_md, data_meta)),
9505 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9506 offsetof(struct xdp_md, data)),
9507 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9508 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9509 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9510 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9511 BPF_MOV64_IMM(BPF_REG_0, 0),
9514 .errstr = "R1 offset is outside of the packet",
9516 .prog_type = BPF_PROG_TYPE_XDP,
9519 "XDP pkt read, pkt_data < pkt_meta', good access",
9521 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9522 offsetof(struct xdp_md, data_meta)),
9523 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9524 offsetof(struct xdp_md, data)),
9525 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9526 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9527 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9528 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9529 BPF_MOV64_IMM(BPF_REG_0, 0),
9533 .prog_type = BPF_PROG_TYPE_XDP,
9536 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
9538 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9539 offsetof(struct xdp_md, data_meta)),
9540 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9541 offsetof(struct xdp_md, data)),
9542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9544 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9545 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9546 BPF_MOV64_IMM(BPF_REG_0, 0),
9549 .errstr = "R1 offset is outside of the packet",
9551 .prog_type = BPF_PROG_TYPE_XDP,
9552 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9555 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
9557 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9558 offsetof(struct xdp_md, data_meta)),
9559 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9560 offsetof(struct xdp_md, data)),
9561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9562 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9563 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9564 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9565 BPF_MOV64_IMM(BPF_REG_0, 0),
9568 .errstr = "R1 offset is outside of the packet",
9570 .prog_type = BPF_PROG_TYPE_XDP,
9573 "XDP pkt read, pkt_meta' >= pkt_data, good access",
9575 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9576 offsetof(struct xdp_md, data_meta)),
9577 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9578 offsetof(struct xdp_md, data)),
9579 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9580 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9581 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9582 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9583 BPF_MOV64_IMM(BPF_REG_0, 0),
9587 .prog_type = BPF_PROG_TYPE_XDP,
9588 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9591 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9593 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9594 offsetof(struct xdp_md, data_meta)),
9595 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9596 offsetof(struct xdp_md, data)),
9597 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9598 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9599 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9600 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9601 BPF_MOV64_IMM(BPF_REG_0, 0),
9604 .errstr = "R1 offset is outside of the packet",
9606 .prog_type = BPF_PROG_TYPE_XDP,
9609 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9611 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9612 offsetof(struct xdp_md, data_meta)),
9613 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9614 offsetof(struct xdp_md, data)),
9615 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9617 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9618 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9619 BPF_MOV64_IMM(BPF_REG_0, 0),
9622 .errstr = "R1 offset is outside of the packet",
9624 .prog_type = BPF_PROG_TYPE_XDP,
9625 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9628 "XDP pkt read, pkt_data >= pkt_meta', good access",
9630 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9631 offsetof(struct xdp_md, data_meta)),
9632 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9633 offsetof(struct xdp_md, data)),
9634 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9636 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9637 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9638 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9639 BPF_MOV64_IMM(BPF_REG_0, 0),
9643 .prog_type = BPF_PROG_TYPE_XDP,
9646 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9648 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9649 offsetof(struct xdp_md, data_meta)),
9650 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9651 offsetof(struct xdp_md, data)),
9652 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9654 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9655 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9656 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9657 BPF_MOV64_IMM(BPF_REG_0, 0),
9660 .errstr = "R1 offset is outside of the packet",
9662 .prog_type = BPF_PROG_TYPE_XDP,
9663 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9666 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9668 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9669 offsetof(struct xdp_md, data_meta)),
9670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9671 offsetof(struct xdp_md, data)),
9672 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9674 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9675 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9676 BPF_MOV64_IMM(BPF_REG_0, 0),
9679 .errstr = "R1 offset is outside of the packet",
9681 .prog_type = BPF_PROG_TYPE_XDP,
9684 "XDP pkt read, pkt_meta' <= pkt_data, good access",
9686 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9687 offsetof(struct xdp_md, data_meta)),
9688 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9689 offsetof(struct xdp_md, data)),
9690 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9692 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9693 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9694 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9695 BPF_MOV64_IMM(BPF_REG_0, 0),
9699 .prog_type = BPF_PROG_TYPE_XDP,
9702 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9704 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9705 offsetof(struct xdp_md, data_meta)),
9706 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9707 offsetof(struct xdp_md, data)),
9708 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9710 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9711 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9712 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9713 BPF_MOV64_IMM(BPF_REG_0, 0),
9716 .errstr = "R1 offset is outside of the packet",
9718 .prog_type = BPF_PROG_TYPE_XDP,
9719 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9722 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9724 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9725 offsetof(struct xdp_md, data_meta)),
9726 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9727 offsetof(struct xdp_md, data)),
9728 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9730 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9731 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9732 BPF_MOV64_IMM(BPF_REG_0, 0),
9735 .errstr = "R1 offset is outside of the packet",
9737 .prog_type = BPF_PROG_TYPE_XDP,
9740 "XDP pkt read, pkt_data <= pkt_meta', good access",
9742 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9743 offsetof(struct xdp_md, data_meta)),
9744 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9745 offsetof(struct xdp_md, data)),
9746 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9748 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9749 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9750 BPF_MOV64_IMM(BPF_REG_0, 0),
9754 .prog_type = BPF_PROG_TYPE_XDP,
9755 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9758 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9760 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9761 offsetof(struct xdp_md, data_meta)),
9762 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9763 offsetof(struct xdp_md, data)),
9764 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9765 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9766 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9767 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9768 BPF_MOV64_IMM(BPF_REG_0, 0),
9771 .errstr = "R1 offset is outside of the packet",
9773 .prog_type = BPF_PROG_TYPE_XDP,
9776 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9778 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9779 offsetof(struct xdp_md, data_meta)),
9780 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9781 offsetof(struct xdp_md, data)),
9782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9784 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9785 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9786 BPF_MOV64_IMM(BPF_REG_0, 0),
9789 .errstr = "R1 offset is outside of the packet",
9791 .prog_type = BPF_PROG_TYPE_XDP,
9792 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9795 "check deducing bounds from const, 1",
9797 BPF_MOV64_IMM(BPF_REG_0, 1),
9798 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9799 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9802 .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
9803 .errstr = "R0 tried to subtract pointer from scalar",
9807 "check deducing bounds from const, 2",
9809 BPF_MOV64_IMM(BPF_REG_0, 1),
9810 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9812 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9814 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9817 .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
9818 .result_unpriv = REJECT,
9823 "check deducing bounds from const, 3",
9825 BPF_MOV64_IMM(BPF_REG_0, 0),
9826 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9827 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9830 .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
9831 .errstr = "R0 tried to subtract pointer from scalar",
9835 "check deducing bounds from const, 4",
9837 BPF_MOV64_IMM(BPF_REG_0, 0),
9838 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9840 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9842 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9845 .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
9846 .result_unpriv = REJECT,
9850 "check deducing bounds from const, 5",
9852 BPF_MOV64_IMM(BPF_REG_0, 0),
9853 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9854 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9857 .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
9858 .errstr = "R0 tried to subtract pointer from scalar",
9862 "check deducing bounds from const, 6",
9864 BPF_MOV64_IMM(BPF_REG_0, 0),
9865 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9867 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9870 .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
9871 .errstr = "R0 tried to subtract pointer from scalar",
9875 "check deducing bounds from const, 7",
9877 BPF_MOV64_IMM(BPF_REG_0, ~0),
9878 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9879 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9880 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9881 offsetof(struct __sk_buff, mark)),
9884 .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
9885 .errstr = "dereference of modified ctx ptr",
9889 "check deducing bounds from const, 8",
9891 BPF_MOV64_IMM(BPF_REG_0, ~0),
9892 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9893 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9894 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9895 offsetof(struct __sk_buff, mark)),
9898 .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
9899 .errstr = "dereference of modified ctx ptr",
9903 "check deducing bounds from const, 9",
9905 BPF_MOV64_IMM(BPF_REG_0, 0),
9906 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9907 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9910 .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
9911 .errstr = "R0 tried to subtract pointer from scalar",
9915 "check deducing bounds from const, 10",
9917 BPF_MOV64_IMM(BPF_REG_0, 0),
9918 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9919 /* Marks reg as unknown. */
9920 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9921 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9924 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9928 "bpf_exit with invalid return code. test1",
9930 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9933 .errstr = "R0 has value (0x0; 0xffffffff)",
9935 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9938 "bpf_exit with invalid return code. test2",
9940 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9941 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9945 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9948 "bpf_exit with invalid return code. test3",
9950 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9951 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9954 .errstr = "R0 has value (0x0; 0x3)",
9956 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9959 "bpf_exit with invalid return code. test4",
9961 BPF_MOV64_IMM(BPF_REG_0, 1),
9965 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9968 "bpf_exit with invalid return code. test5",
9970 BPF_MOV64_IMM(BPF_REG_0, 2),
9973 .errstr = "R0 has value (0x2; 0x0)",
9975 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9978 "bpf_exit with invalid return code. test6",
9980 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9983 .errstr = "R0 is not a known value (ctx)",
9985 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9988 "bpf_exit with invalid return code. test7",
9990 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9991 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9992 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9995 .errstr = "R0 has unknown scalar value",
9997 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10000 "calls: basic sanity",
10002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10003 BPF_MOV64_IMM(BPF_REG_0, 1),
10005 BPF_MOV64_IMM(BPF_REG_0, 2),
10008 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10012 "calls: not on unpriviledged",
10014 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10015 BPF_MOV64_IMM(BPF_REG_0, 1),
10017 BPF_MOV64_IMM(BPF_REG_0, 2),
10020 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10021 .result_unpriv = REJECT,
10026 "calls: div by 0 in subprog",
10028 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10029 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10030 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10031 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10032 offsetof(struct __sk_buff, data_end)),
10033 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10035 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10036 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10037 BPF_MOV64_IMM(BPF_REG_0, 1),
10039 BPF_MOV32_IMM(BPF_REG_2, 0),
10040 BPF_MOV32_IMM(BPF_REG_3, 1),
10041 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10042 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10043 offsetof(struct __sk_buff, data)),
10046 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10051 "calls: multiple ret types in subprog 1",
10053 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10055 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10056 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10057 offsetof(struct __sk_buff, data_end)),
10058 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10059 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10060 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10061 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10062 BPF_MOV64_IMM(BPF_REG_0, 1),
10064 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10065 offsetof(struct __sk_buff, data)),
10066 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10067 BPF_MOV32_IMM(BPF_REG_0, 42),
10070 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10072 .errstr = "R0 invalid mem access 'inv'",
10075 "calls: multiple ret types in subprog 2",
10077 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10079 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10080 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10081 offsetof(struct __sk_buff, data_end)),
10082 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10084 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10085 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10086 BPF_MOV64_IMM(BPF_REG_0, 1),
10088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10089 offsetof(struct __sk_buff, data)),
10090 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10091 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10092 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10093 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10094 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10095 BPF_LD_MAP_FD(BPF_REG_1, 0),
10096 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10097 BPF_FUNC_map_lookup_elem),
10098 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10099 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10100 offsetof(struct __sk_buff, data)),
10101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10104 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10105 .fixup_map1 = { 16 },
10107 .errstr = "R0 min value is outside of the array range",
10110 "calls: overlapping caller/callee",
10112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10113 BPF_MOV64_IMM(BPF_REG_0, 1),
10116 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10117 .errstr = "last insn is not an exit or jmp",
10121 "calls: wrong recursive calls",
10123 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10124 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10125 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10127 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10128 BPF_MOV64_IMM(BPF_REG_0, 1),
10131 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10132 .errstr = "jump out of range",
10136 "calls: wrong src reg",
10138 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10139 BPF_MOV64_IMM(BPF_REG_0, 1),
10142 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10143 .errstr = "BPF_CALL uses reserved fields",
10147 "calls: wrong off value",
10149 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10150 BPF_MOV64_IMM(BPF_REG_0, 1),
10152 BPF_MOV64_IMM(BPF_REG_0, 2),
10155 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10156 .errstr = "BPF_CALL uses reserved fields",
10160 "calls: jump back loop",
10162 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10163 BPF_MOV64_IMM(BPF_REG_0, 1),
10166 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10167 .errstr = "back-edge from insn 0 to 0",
10171 "calls: conditional call",
10173 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10174 offsetof(struct __sk_buff, mark)),
10175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10177 BPF_MOV64_IMM(BPF_REG_0, 1),
10179 BPF_MOV64_IMM(BPF_REG_0, 2),
10182 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10183 .errstr = "jump out of range",
10187 "calls: conditional call 2",
10189 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10190 offsetof(struct __sk_buff, mark)),
10191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10192 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10193 BPF_MOV64_IMM(BPF_REG_0, 1),
10195 BPF_MOV64_IMM(BPF_REG_0, 2),
10197 BPF_MOV64_IMM(BPF_REG_0, 3),
10200 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10204 "calls: conditional call 3",
10206 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10207 offsetof(struct __sk_buff, mark)),
10208 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10209 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10210 BPF_MOV64_IMM(BPF_REG_0, 1),
10212 BPF_MOV64_IMM(BPF_REG_0, 1),
10213 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10214 BPF_MOV64_IMM(BPF_REG_0, 3),
10215 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10217 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10218 .errstr = "back-edge from insn",
10222 "calls: conditional call 4",
10224 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10225 offsetof(struct __sk_buff, mark)),
10226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10227 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10228 BPF_MOV64_IMM(BPF_REG_0, 1),
10230 BPF_MOV64_IMM(BPF_REG_0, 1),
10231 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10232 BPF_MOV64_IMM(BPF_REG_0, 3),
10235 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10239 "calls: conditional call 5",
10241 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10242 offsetof(struct __sk_buff, mark)),
10243 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10244 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10245 BPF_MOV64_IMM(BPF_REG_0, 1),
10247 BPF_MOV64_IMM(BPF_REG_0, 1),
10248 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10249 BPF_MOV64_IMM(BPF_REG_0, 3),
10252 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10253 .errstr = "back-edge from insn",
10257 "calls: conditional call 6",
10259 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10260 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10262 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10263 offsetof(struct __sk_buff, mark)),
10266 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10267 .errstr = "back-edge from insn",
10271 "calls: using r0 returned by callee",
10273 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10275 BPF_MOV64_IMM(BPF_REG_0, 2),
10278 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10282 "calls: using uninit r0 from callee",
10284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10288 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10289 .errstr = "!read_ok",
10293 "calls: callee is using r1",
10295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10297 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10298 offsetof(struct __sk_buff, len)),
10301 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
10303 .retval = TEST_DATA_LEN,
10306 "calls: callee using args1",
10308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10310 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10313 .errstr_unpriv = "allowed for root only",
10314 .result_unpriv = REJECT,
10316 .retval = POINTER_VALUE,
10319 "calls: callee using wrong args2",
10321 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10323 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10326 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10327 .errstr = "R2 !read_ok",
10331 "calls: callee using two args",
10333 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10334 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10335 offsetof(struct __sk_buff, len)),
10336 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10337 offsetof(struct __sk_buff, len)),
10338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10340 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10341 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10344 .errstr_unpriv = "allowed for root only",
10345 .result_unpriv = REJECT,
10347 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10350 "calls: callee changing pkt pointers",
10352 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10353 offsetof(struct xdp_md, data)),
10354 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10355 offsetof(struct xdp_md, data_end)),
10356 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10358 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10359 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10360 /* clear_all_pkt_pointers() has to walk all frames
10361 * to make sure that pkt pointers in the caller
10362 * are cleared when callee is calling a helper that
10363 * adjusts packet size
10365 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10366 BPF_MOV32_IMM(BPF_REG_0, 0),
10368 BPF_MOV64_IMM(BPF_REG_2, 0),
10369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10370 BPF_FUNC_xdp_adjust_head),
10374 .errstr = "R6 invalid mem access 'inv'",
10375 .prog_type = BPF_PROG_TYPE_XDP,
10378 "calls: two calls with args",
10380 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10382 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10383 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10384 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10387 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10388 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10391 offsetof(struct __sk_buff, len)),
10394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10396 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
10399 "calls: calls with stack arith",
10401 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10409 BPF_MOV64_IMM(BPF_REG_0, 42),
10410 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10413 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10418 "calls: calls with misaligned stack access",
10420 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10422 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10425 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10428 BPF_MOV64_IMM(BPF_REG_0, 42),
10429 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10432 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10433 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10434 .errstr = "misaligned stack access",
10438 "calls: calls control flow, jump test",
10440 BPF_MOV64_IMM(BPF_REG_0, 42),
10441 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10442 BPF_MOV64_IMM(BPF_REG_0, 43),
10443 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10444 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10447 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10452 "calls: calls control flow, jump test 2",
10454 BPF_MOV64_IMM(BPF_REG_0, 42),
10455 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10456 BPF_MOV64_IMM(BPF_REG_0, 43),
10457 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10462 .errstr = "jump out of range from insn 1 to 4",
10466 "calls: two calls with bad jump",
10468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10470 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10471 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10472 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10473 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10474 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10475 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10476 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10478 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10479 offsetof(struct __sk_buff, len)),
10480 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10483 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10484 .errstr = "jump out of range from insn 11 to 9",
10488 "calls: recursive call. test1",
10490 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10495 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10496 .errstr = "back-edge",
10500 "calls: recursive call. test2",
10502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10507 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10508 .errstr = "back-edge",
10512 "calls: unreachable code",
10514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10516 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10518 BPF_MOV64_IMM(BPF_REG_0, 0),
10520 BPF_MOV64_IMM(BPF_REG_0, 0),
10523 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10524 .errstr = "unreachable insn 6",
10528 "calls: invalid call",
10530 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10532 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10535 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10536 .errstr = "invalid destination",
10540 "calls: invalid call 2",
10542 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10544 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10547 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10548 .errstr = "invalid destination",
10552 "calls: jumping across function bodies. test1",
10554 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10555 BPF_MOV64_IMM(BPF_REG_0, 0),
10557 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10560 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10561 .errstr = "jump out of range",
10565 "calls: jumping across function bodies. test2",
10567 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10568 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10569 BPF_MOV64_IMM(BPF_REG_0, 0),
10573 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10574 .errstr = "jump out of range",
10578 "calls: call without exit",
10580 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10584 BPF_MOV64_IMM(BPF_REG_0, 0),
10585 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10587 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10588 .errstr = "not an exit",
10592 "calls: call into middle of ld_imm64",
10594 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10596 BPF_MOV64_IMM(BPF_REG_0, 0),
10598 BPF_LD_IMM64(BPF_REG_0, 0),
10601 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10602 .errstr = "last insn",
10606 "calls: call into middle of other call",
10608 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10610 BPF_MOV64_IMM(BPF_REG_0, 0),
10612 BPF_MOV64_IMM(BPF_REG_0, 0),
10613 BPF_MOV64_IMM(BPF_REG_0, 0),
10616 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10617 .errstr = "last insn",
10621 "calls: ld_abs with changing ctx data in callee",
10623 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10624 BPF_LD_ABS(BPF_B, 0),
10625 BPF_LD_ABS(BPF_H, 0),
10626 BPF_LD_ABS(BPF_W, 0),
10627 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10628 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10629 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10630 BPF_LD_ABS(BPF_B, 0),
10631 BPF_LD_ABS(BPF_H, 0),
10632 BPF_LD_ABS(BPF_W, 0),
10634 BPF_MOV64_IMM(BPF_REG_2, 1),
10635 BPF_MOV64_IMM(BPF_REG_3, 2),
10636 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10637 BPF_FUNC_skb_vlan_push),
10640 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10641 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10645 "calls: two calls with bad fallthrough",
10647 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10649 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10651 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10652 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10653 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10654 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10655 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10656 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10657 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10658 offsetof(struct __sk_buff, len)),
10661 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
10662 .errstr = "not an exit",
10666 "calls: two calls with stack read",
10668 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10669 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10671 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10673 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10674 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10675 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10676 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10677 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10678 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10679 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10681 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10684 .prog_type = BPF_PROG_TYPE_XDP,
10688 "calls: two calls with stack write",
10691 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10693 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10697 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10701 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10702 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10704 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10705 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10706 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10707 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10708 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10709 /* write into stack frame of main prog */
10710 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10714 /* read from stack frame of main prog */
10715 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10718 .prog_type = BPF_PROG_TYPE_XDP,
10722 "calls: stack overflow using two frames (pre-call access)",
10725 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10726 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10730 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10731 BPF_MOV64_IMM(BPF_REG_0, 0),
10734 .prog_type = BPF_PROG_TYPE_XDP,
10735 .errstr = "combined stack size",
10739 "calls: stack overflow using two frames (post-call access)",
10742 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10743 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10747 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10748 BPF_MOV64_IMM(BPF_REG_0, 0),
10751 .prog_type = BPF_PROG_TYPE_XDP,
10752 .errstr = "combined stack size",
10756 "calls: stack depth check using three frames. test1",
10759 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10760 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10761 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10762 BPF_MOV64_IMM(BPF_REG_0, 0),
10765 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10768 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10769 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10772 .prog_type = BPF_PROG_TYPE_XDP,
10773 /* stack_main=32, stack_A=256, stack_B=64
10774 * and max(main+A, main+A+B) < 512
10779 "calls: stack depth check using three frames. test2",
10782 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10783 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10784 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10785 BPF_MOV64_IMM(BPF_REG_0, 0),
10788 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10791 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10792 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10795 .prog_type = BPF_PROG_TYPE_XDP,
10796 /* stack_main=32, stack_A=64, stack_B=256
10797 * and max(main+A, main+A+B) < 512
10802 "calls: stack depth check using three frames. test3",
10805 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10806 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10807 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10808 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10809 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10810 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10811 BPF_MOV64_IMM(BPF_REG_0, 0),
10814 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10816 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10817 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10819 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10820 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10821 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10824 .prog_type = BPF_PROG_TYPE_XDP,
10825 /* stack_main=64, stack_A=224, stack_B=256
10826 * and max(main+A, main+A+B) > 512
10828 .errstr = "combined stack",
10832 "calls: stack depth check using three frames. test4",
10833 /* void main(void) {
10838 * void func1(int alloc_or_recurse) {
10839 * if (alloc_or_recurse) {
10840 * frame_pointer[-300] = 1;
10842 * func2(alloc_or_recurse);
10845 * void func2(int alloc_or_recurse) {
10846 * if (alloc_or_recurse) {
10847 * frame_pointer[-300] = 1;
10853 BPF_MOV64_IMM(BPF_REG_1, 0),
10854 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10855 BPF_MOV64_IMM(BPF_REG_1, 1),
10856 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10857 BPF_MOV64_IMM(BPF_REG_1, 1),
10858 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10859 BPF_MOV64_IMM(BPF_REG_0, 0),
10862 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10863 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10865 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10868 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10869 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10872 .prog_type = BPF_PROG_TYPE_XDP,
10874 .errstr = "combined stack",
10877 "calls: stack depth check using three frames. test5",
10880 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10883 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10886 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10889 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10892 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10895 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10898 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10901 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10904 BPF_MOV64_IMM(BPF_REG_0, 0),
10907 .prog_type = BPF_PROG_TYPE_XDP,
10908 .errstr = "call stack",
10912 "calls: spill into caller stack frame",
10914 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10915 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10919 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10920 BPF_MOV64_IMM(BPF_REG_0, 0),
10923 .prog_type = BPF_PROG_TYPE_XDP,
10924 .errstr = "cannot spill",
10928 "calls: write into caller stack frame",
10930 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10932 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10934 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10936 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10937 BPF_MOV64_IMM(BPF_REG_0, 0),
10940 .prog_type = BPF_PROG_TYPE_XDP,
10945 "calls: write into callee stack frame",
10947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10948 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10950 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10954 .prog_type = BPF_PROG_TYPE_XDP,
10955 .errstr = "cannot return stack pointer",
10959 "calls: two calls with stack write and void return",
10962 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10963 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10964 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10965 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10967 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10968 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10972 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10973 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10974 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10975 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10980 /* write into stack frame of main prog */
10981 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10982 BPF_EXIT_INSN(), /* void return */
10984 .prog_type = BPF_PROG_TYPE_XDP,
10988 "calls: ambiguous return value",
10990 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10991 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10997 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10998 BPF_MOV64_IMM(BPF_REG_0, 0),
11001 .errstr_unpriv = "allowed for root only",
11002 .result_unpriv = REJECT,
11003 .errstr = "R0 !read_ok",
11007 "calls: two calls that return map_value",
11010 /* pass fp-16, fp-8 into a function */
11011 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11012 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11013 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11017 /* fetch map_value_ptr from the stack of this function */
11018 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11019 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11020 /* write into map value */
11021 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11022 /* fetch secound map_value_ptr from the stack */
11023 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11024 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11025 /* write into map value */
11026 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11027 BPF_MOV64_IMM(BPF_REG_0, 0),
11031 /* call 3rd function twice */
11032 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11033 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11034 /* first time with fp-8 */
11035 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11036 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11037 /* second time with fp-16 */
11038 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11042 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11043 /* lookup from map */
11044 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11045 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11047 BPF_LD_MAP_FD(BPF_REG_1, 0),
11048 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11049 BPF_FUNC_map_lookup_elem),
11050 /* write map_value_ptr into stack frame of main prog */
11051 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11052 BPF_MOV64_IMM(BPF_REG_0, 0),
11053 BPF_EXIT_INSN(), /* return 0 */
11055 .prog_type = BPF_PROG_TYPE_XDP,
11056 .fixup_map1 = { 23 },
11060 "calls: two calls that return map_value with bool condition",
11063 /* pass fp-16, fp-8 into a function */
11064 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11066 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11067 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11068 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11069 BPF_MOV64_IMM(BPF_REG_0, 0),
11073 /* call 3rd function twice */
11074 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11075 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11076 /* first time with fp-8 */
11077 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11078 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11079 /* fetch map_value_ptr from the stack of this function */
11080 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11081 /* write into map value */
11082 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11083 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11084 /* second time with fp-16 */
11085 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11086 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11087 /* fetch secound map_value_ptr from the stack */
11088 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11089 /* write into map value */
11090 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11094 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11095 /* lookup from map */
11096 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11097 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11098 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11099 BPF_LD_MAP_FD(BPF_REG_1, 0),
11100 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11101 BPF_FUNC_map_lookup_elem),
11102 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11103 BPF_MOV64_IMM(BPF_REG_0, 0),
11104 BPF_EXIT_INSN(), /* return 0 */
11105 /* write map_value_ptr into stack frame of main prog */
11106 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11107 BPF_MOV64_IMM(BPF_REG_0, 1),
11108 BPF_EXIT_INSN(), /* return 1 */
11110 .prog_type = BPF_PROG_TYPE_XDP,
11111 .fixup_map1 = { 23 },
11115 "calls: two calls that return map_value with incorrect bool check",
11118 /* pass fp-16, fp-8 into a function */
11119 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11121 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11123 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11124 BPF_MOV64_IMM(BPF_REG_0, 0),
11128 /* call 3rd function twice */
11129 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11130 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11131 /* first time with fp-8 */
11132 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11133 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11134 /* fetch map_value_ptr from the stack of this function */
11135 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11136 /* write into map value */
11137 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11138 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11139 /* second time with fp-16 */
11140 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11141 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11142 /* fetch secound map_value_ptr from the stack */
11143 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11144 /* write into map value */
11145 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11149 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11150 /* lookup from map */
11151 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11152 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11153 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11154 BPF_LD_MAP_FD(BPF_REG_1, 0),
11155 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11156 BPF_FUNC_map_lookup_elem),
11157 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11158 BPF_MOV64_IMM(BPF_REG_0, 0),
11159 BPF_EXIT_INSN(), /* return 0 */
11160 /* write map_value_ptr into stack frame of main prog */
11161 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11162 BPF_MOV64_IMM(BPF_REG_0, 1),
11163 BPF_EXIT_INSN(), /* return 1 */
11165 .prog_type = BPF_PROG_TYPE_XDP,
11166 .fixup_map1 = { 23 },
11168 .errstr = "invalid read from stack off -16+0 size 8",
11171 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11174 /* pass fp-16, fp-8 into a function */
11175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11177 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11178 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11179 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11180 BPF_MOV64_IMM(BPF_REG_0, 0),
11184 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11185 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11186 /* 1st lookup from map */
11187 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11188 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11189 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11190 BPF_LD_MAP_FD(BPF_REG_1, 0),
11191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11192 BPF_FUNC_map_lookup_elem),
11193 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11194 BPF_MOV64_IMM(BPF_REG_8, 0),
11195 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11196 /* write map_value_ptr into stack frame of main prog at fp-8 */
11197 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11198 BPF_MOV64_IMM(BPF_REG_8, 1),
11200 /* 2nd lookup from map */
11201 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11203 BPF_LD_MAP_FD(BPF_REG_1, 0),
11204 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11205 BPF_FUNC_map_lookup_elem),
11206 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11207 BPF_MOV64_IMM(BPF_REG_9, 0),
11208 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11209 /* write map_value_ptr into stack frame of main prog at fp-16 */
11210 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11211 BPF_MOV64_IMM(BPF_REG_9, 1),
11213 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11215 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11216 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11217 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11218 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11222 /* if arg2 == 1 do *arg1 = 0 */
11223 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11224 /* fetch map_value_ptr from the stack of this function */
11225 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11226 /* write into map value */
11227 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11229 /* if arg4 == 1 do *arg3 = 0 */
11230 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11231 /* fetch map_value_ptr from the stack of this function */
11232 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11233 /* write into map value */
11234 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11237 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11238 .fixup_map1 = { 12, 22 },
11240 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11243 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11246 /* pass fp-16, fp-8 into a function */
11247 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11248 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11252 BPF_MOV64_IMM(BPF_REG_0, 0),
11256 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11257 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11258 /* 1st lookup from map */
11259 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11260 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11261 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11262 BPF_LD_MAP_FD(BPF_REG_1, 0),
11263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11264 BPF_FUNC_map_lookup_elem),
11265 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11266 BPF_MOV64_IMM(BPF_REG_8, 0),
11267 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11268 /* write map_value_ptr into stack frame of main prog at fp-8 */
11269 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11270 BPF_MOV64_IMM(BPF_REG_8, 1),
11272 /* 2nd lookup from map */
11273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11275 BPF_LD_MAP_FD(BPF_REG_1, 0),
11276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11277 BPF_FUNC_map_lookup_elem),
11278 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11279 BPF_MOV64_IMM(BPF_REG_9, 0),
11280 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11281 /* write map_value_ptr into stack frame of main prog at fp-16 */
11282 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11283 BPF_MOV64_IMM(BPF_REG_9, 1),
11285 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11287 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11288 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11289 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11290 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
11294 /* if arg2 == 1 do *arg1 = 0 */
11295 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11296 /* fetch map_value_ptr from the stack of this function */
11297 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11298 /* write into map value */
11299 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11301 /* if arg4 == 1 do *arg3 = 0 */
11302 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11303 /* fetch map_value_ptr from the stack of this function */
11304 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11305 /* write into map value */
11306 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11309 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11310 .fixup_map1 = { 12, 22 },
11314 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11317 /* pass fp-16, fp-8 into a function */
11318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11319 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11320 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11322 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11323 BPF_MOV64_IMM(BPF_REG_0, 0),
11327 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11328 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11329 /* 1st lookup from map */
11330 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11331 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11333 BPF_LD_MAP_FD(BPF_REG_1, 0),
11334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11335 BPF_FUNC_map_lookup_elem),
11336 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11337 BPF_MOV64_IMM(BPF_REG_8, 0),
11338 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11339 /* write map_value_ptr into stack frame of main prog at fp-8 */
11340 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11341 BPF_MOV64_IMM(BPF_REG_8, 1),
11343 /* 2nd lookup from map */
11344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11346 BPF_LD_MAP_FD(BPF_REG_1, 0),
11347 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11348 BPF_FUNC_map_lookup_elem),
11349 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11350 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
11351 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11352 /* write map_value_ptr into stack frame of main prog at fp-16 */
11353 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11354 BPF_MOV64_IMM(BPF_REG_9, 1),
11356 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11358 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11359 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11360 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11361 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11362 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11365 /* if arg2 == 1 do *arg1 = 0 */
11366 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11367 /* fetch map_value_ptr from the stack of this function */
11368 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11369 /* write into map value */
11370 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11372 /* if arg4 == 1 do *arg3 = 0 */
11373 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11374 /* fetch map_value_ptr from the stack of this function */
11375 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11376 /* write into map value */
11377 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11378 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11380 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11381 .fixup_map1 = { 12, 22 },
11383 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
11386 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
11389 /* pass fp-16, fp-8 into a function */
11390 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11392 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11395 BPF_MOV64_IMM(BPF_REG_0, 0),
11399 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11400 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11401 /* 1st lookup from map */
11402 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11403 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11405 BPF_LD_MAP_FD(BPF_REG_1, 0),
11406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11407 BPF_FUNC_map_lookup_elem),
11408 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11409 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11410 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11411 BPF_MOV64_IMM(BPF_REG_8, 0),
11412 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11413 BPF_MOV64_IMM(BPF_REG_8, 1),
11415 /* 2nd lookup from map */
11416 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11418 BPF_LD_MAP_FD(BPF_REG_1, 0),
11419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11420 BPF_FUNC_map_lookup_elem),
11421 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11422 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11423 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11424 BPF_MOV64_IMM(BPF_REG_9, 0),
11425 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11426 BPF_MOV64_IMM(BPF_REG_9, 1),
11428 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11430 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11431 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11432 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11433 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11437 /* if arg2 == 1 do *arg1 = 0 */
11438 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11439 /* fetch map_value_ptr from the stack of this function */
11440 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11441 /* write into map value */
11442 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11444 /* if arg4 == 1 do *arg3 = 0 */
11445 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11446 /* fetch map_value_ptr from the stack of this function */
11447 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11448 /* write into map value */
11449 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11452 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11453 .fixup_map1 = { 12, 22 },
11457 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
11460 /* pass fp-16, fp-8 into a function */
11461 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11465 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11466 BPF_MOV64_IMM(BPF_REG_0, 0),
11470 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11471 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11472 /* 1st lookup from map */
11473 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11476 BPF_LD_MAP_FD(BPF_REG_1, 0),
11477 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11478 BPF_FUNC_map_lookup_elem),
11479 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11480 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11481 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11482 BPF_MOV64_IMM(BPF_REG_8, 0),
11483 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11484 BPF_MOV64_IMM(BPF_REG_8, 1),
11486 /* 2nd lookup from map */
11487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11489 BPF_LD_MAP_FD(BPF_REG_1, 0),
11490 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11491 BPF_FUNC_map_lookup_elem),
11492 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11493 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11494 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11495 BPF_MOV64_IMM(BPF_REG_9, 0),
11496 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11497 BPF_MOV64_IMM(BPF_REG_9, 1),
11499 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11501 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11502 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11503 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11504 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11508 /* if arg2 == 1 do *arg1 = 0 */
11509 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11510 /* fetch map_value_ptr from the stack of this function */
11511 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11512 /* write into map value */
11513 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11515 /* if arg4 == 0 do *arg3 = 0 */
11516 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11517 /* fetch map_value_ptr from the stack of this function */
11518 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11519 /* write into map value */
11520 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11523 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11524 .fixup_map1 = { 12, 22 },
11526 .errstr = "R0 invalid mem access 'inv'",
11529 "calls: pkt_ptr spill into caller stack",
11531 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11532 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11537 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11538 offsetof(struct __sk_buff, data)),
11539 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11540 offsetof(struct __sk_buff, data_end)),
11541 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11543 /* spill unchecked pkt_ptr into stack of caller */
11544 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11545 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11546 /* now the pkt range is verified, read pkt_ptr from stack */
11547 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11548 /* write 4 bytes into packet */
11549 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11553 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11554 .retval = POINTER_VALUE,
11557 "calls: pkt_ptr spill into caller stack 2",
11559 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11561 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11562 /* Marking is still kept, but not in all cases safe. */
11563 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11564 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11568 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11569 offsetof(struct __sk_buff, data)),
11570 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11571 offsetof(struct __sk_buff, data_end)),
11572 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11574 /* spill unchecked pkt_ptr into stack of caller */
11575 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11576 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11577 /* now the pkt range is verified, read pkt_ptr from stack */
11578 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11579 /* write 4 bytes into packet */
11580 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11583 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11584 .errstr = "invalid access to packet",
11588 "calls: pkt_ptr spill into caller stack 3",
11590 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11591 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11592 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11594 /* Marking is still kept and safe here. */
11595 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11596 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11600 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11601 offsetof(struct __sk_buff, data)),
11602 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11603 offsetof(struct __sk_buff, data_end)),
11604 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11606 /* spill unchecked pkt_ptr into stack of caller */
11607 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11608 BPF_MOV64_IMM(BPF_REG_5, 0),
11609 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11610 BPF_MOV64_IMM(BPF_REG_5, 1),
11611 /* now the pkt range is verified, read pkt_ptr from stack */
11612 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11613 /* write 4 bytes into packet */
11614 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11615 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11618 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11623 "calls: pkt_ptr spill into caller stack 4",
11625 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11627 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11628 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11629 /* Check marking propagated. */
11630 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11631 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11635 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11636 offsetof(struct __sk_buff, data)),
11637 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11638 offsetof(struct __sk_buff, data_end)),
11639 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11641 /* spill unchecked pkt_ptr into stack of caller */
11642 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11643 BPF_MOV64_IMM(BPF_REG_5, 0),
11644 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11645 BPF_MOV64_IMM(BPF_REG_5, 1),
11646 /* don't read back pkt_ptr from stack here */
11647 /* write 4 bytes into packet */
11648 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11649 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11652 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11657 "calls: pkt_ptr spill into caller stack 5",
11659 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11661 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11663 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11664 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11668 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11669 offsetof(struct __sk_buff, data)),
11670 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11671 offsetof(struct __sk_buff, data_end)),
11672 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11674 BPF_MOV64_IMM(BPF_REG_5, 0),
11675 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11676 /* spill checked pkt_ptr into stack of caller */
11677 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11678 BPF_MOV64_IMM(BPF_REG_5, 1),
11679 /* don't read back pkt_ptr from stack here */
11680 /* write 4 bytes into packet */
11681 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11682 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11685 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11686 .errstr = "same insn cannot be used with different",
11690 "calls: pkt_ptr spill into caller stack 6",
11692 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11693 offsetof(struct __sk_buff, data_end)),
11694 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11696 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11698 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11699 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11703 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11704 offsetof(struct __sk_buff, data)),
11705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11706 offsetof(struct __sk_buff, data_end)),
11707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11709 BPF_MOV64_IMM(BPF_REG_5, 0),
11710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11711 /* spill checked pkt_ptr into stack of caller */
11712 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11713 BPF_MOV64_IMM(BPF_REG_5, 1),
11714 /* don't read back pkt_ptr from stack here */
11715 /* write 4 bytes into packet */
11716 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11717 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11720 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11721 .errstr = "R4 invalid mem access",
11725 "calls: pkt_ptr spill into caller stack 7",
11727 BPF_MOV64_IMM(BPF_REG_2, 0),
11728 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11730 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11732 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11733 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11738 offsetof(struct __sk_buff, data)),
11739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11740 offsetof(struct __sk_buff, data_end)),
11741 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11743 BPF_MOV64_IMM(BPF_REG_5, 0),
11744 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11745 /* spill checked pkt_ptr into stack of caller */
11746 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11747 BPF_MOV64_IMM(BPF_REG_5, 1),
11748 /* don't read back pkt_ptr from stack here */
11749 /* write 4 bytes into packet */
11750 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11751 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11754 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11755 .errstr = "R4 invalid mem access",
11759 "calls: pkt_ptr spill into caller stack 8",
11761 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11762 offsetof(struct __sk_buff, data)),
11763 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11764 offsetof(struct __sk_buff, data_end)),
11765 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11767 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11769 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11771 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11772 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11773 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11774 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11778 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11779 offsetof(struct __sk_buff, data)),
11780 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11781 offsetof(struct __sk_buff, data_end)),
11782 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11784 BPF_MOV64_IMM(BPF_REG_5, 0),
11785 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11786 /* spill checked pkt_ptr into stack of caller */
11787 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11788 BPF_MOV64_IMM(BPF_REG_5, 1),
11789 /* don't read back pkt_ptr from stack here */
11790 /* write 4 bytes into packet */
11791 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11792 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11795 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11799 "calls: pkt_ptr spill into caller stack 9",
11801 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11802 offsetof(struct __sk_buff, data)),
11803 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11804 offsetof(struct __sk_buff, data_end)),
11805 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11807 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11809 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11810 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11811 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11812 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11813 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11814 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11818 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11819 offsetof(struct __sk_buff, data)),
11820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11821 offsetof(struct __sk_buff, data_end)),
11822 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11824 BPF_MOV64_IMM(BPF_REG_5, 0),
11825 /* spill unchecked pkt_ptr into stack of caller */
11826 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11827 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11828 BPF_MOV64_IMM(BPF_REG_5, 1),
11829 /* don't read back pkt_ptr from stack here */
11830 /* write 4 bytes into packet */
11831 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11832 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11835 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11836 .errstr = "invalid access to packet",
11840 "calls: caller stack init to zero or map_value_or_null",
11842 BPF_MOV64_IMM(BPF_REG_0, 0),
11843 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11844 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11845 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11846 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11847 /* fetch map_value_or_null or const_zero from stack */
11848 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11849 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11850 /* store into map_value */
11851 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11855 /* if (ctx == 0) return; */
11856 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11857 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11858 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11859 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11860 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11861 BPF_LD_MAP_FD(BPF_REG_1, 0),
11862 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11863 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11864 BPF_FUNC_map_lookup_elem),
11865 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11866 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11869 .fixup_map1 = { 13 },
11871 .prog_type = BPF_PROG_TYPE_XDP,
11874 "calls: stack init to zero and pruning",
11876 /* first make allocated_stack 16 byte */
11877 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11878 /* now fork the execution such that the false branch
11879 * of JGT insn will be verified second and it skisp zero
11880 * init of fp-8 stack slot. If stack liveness marking
11881 * is missing live_read marks from call map_lookup
11882 * processing then pruning will incorrectly assume
11883 * that fp-8 stack slot was unused in the fall-through
11884 * branch and will accept the program incorrectly
11886 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11887 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11888 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11889 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11891 BPF_LD_MAP_FD(BPF_REG_1, 0),
11892 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11893 BPF_FUNC_map_lookup_elem),
11896 .fixup_map2 = { 6 },
11897 .errstr = "invalid indirect read from stack off -8+0 size 8",
11899 .prog_type = BPF_PROG_TYPE_XDP,
11902 "calls: two calls returning different map pointers for lookup (hash, array)",
11905 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11907 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11910 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11911 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11912 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11913 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11914 BPF_FUNC_map_lookup_elem),
11915 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11916 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11917 offsetof(struct test_val, foo)),
11918 BPF_MOV64_IMM(BPF_REG_0, 1),
11921 BPF_LD_MAP_FD(BPF_REG_0, 0),
11924 BPF_LD_MAP_FD(BPF_REG_0, 0),
11927 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11928 .fixup_map2 = { 13 },
11929 .fixup_map4 = { 16 },
11934 "calls: two calls returning different map pointers for lookup (hash, map in map)",
11937 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11939 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11942 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11943 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11946 BPF_FUNC_map_lookup_elem),
11947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11948 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11949 offsetof(struct test_val, foo)),
11950 BPF_MOV64_IMM(BPF_REG_0, 1),
11953 BPF_LD_MAP_FD(BPF_REG_0, 0),
11956 BPF_LD_MAP_FD(BPF_REG_0, 0),
11959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11960 .fixup_map_in_map = { 16 },
11961 .fixup_map4 = { 13 },
11963 .errstr = "R0 invalid mem access 'map_ptr'",
11966 "cond: two branches returning different map pointers for lookup (tail, tail)",
11968 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11969 offsetof(struct __sk_buff, mark)),
11970 BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11971 BPF_LD_MAP_FD(BPF_REG_2, 0),
11972 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11973 BPF_LD_MAP_FD(BPF_REG_2, 0),
11974 BPF_MOV64_IMM(BPF_REG_3, 7),
11975 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11976 BPF_FUNC_tail_call),
11977 BPF_MOV64_IMM(BPF_REG_0, 1),
11980 .fixup_prog1 = { 5 },
11981 .fixup_prog2 = { 2 },
11982 .result_unpriv = REJECT,
11983 .errstr_unpriv = "tail_call abusing map_ptr",
11988 "cond: two branches returning same map pointers for lookup (tail, tail)",
11990 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11991 offsetof(struct __sk_buff, mark)),
11992 BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11993 BPF_LD_MAP_FD(BPF_REG_2, 0),
11994 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11995 BPF_LD_MAP_FD(BPF_REG_2, 0),
11996 BPF_MOV64_IMM(BPF_REG_3, 7),
11997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11998 BPF_FUNC_tail_call),
11999 BPF_MOV64_IMM(BPF_REG_0, 1),
12002 .fixup_prog2 = { 2, 5 },
12003 .result_unpriv = ACCEPT,
12008 "search pruning: all branches should be verified (nop operation)",
12010 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12012 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12013 BPF_LD_MAP_FD(BPF_REG_1, 0),
12014 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12015 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12016 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12018 BPF_MOV64_IMM(BPF_REG_4, 0),
12020 BPF_MOV64_IMM(BPF_REG_4, 1),
12021 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12022 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12023 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12024 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12025 BPF_MOV64_IMM(BPF_REG_6, 0),
12026 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12029 .fixup_map1 = { 3 },
12030 .errstr = "R6 invalid mem access 'inv'",
12032 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12035 "search pruning: all branches should be verified (invalid stack access)",
12037 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12038 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12039 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12040 BPF_LD_MAP_FD(BPF_REG_1, 0),
12041 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12042 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12043 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12044 BPF_MOV64_IMM(BPF_REG_4, 0),
12045 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12046 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12048 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12049 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12050 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12053 .fixup_map1 = { 3 },
12054 .errstr = "invalid read from stack off -16+0 size 8",
12056 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12059 "jit: lsh, rsh, arsh by 1",
12061 BPF_MOV64_IMM(BPF_REG_0, 1),
12062 BPF_MOV64_IMM(BPF_REG_1, 0xff),
12063 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12064 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12065 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12067 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12068 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12071 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12072 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12074 BPF_MOV64_IMM(BPF_REG_0, 2),
12081 "jit: mov32 for ldimm64, 1",
12083 BPF_MOV64_IMM(BPF_REG_0, 2),
12084 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12085 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12086 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12087 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12088 BPF_MOV64_IMM(BPF_REG_0, 1),
12095 "jit: mov32 for ldimm64, 2",
12097 BPF_MOV64_IMM(BPF_REG_0, 1),
12098 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12099 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12100 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12101 BPF_MOV64_IMM(BPF_REG_0, 2),
12108 "jit: various mul tests",
12110 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12111 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12112 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12113 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12114 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12115 BPF_MOV64_IMM(BPF_REG_0, 1),
12117 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12118 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12119 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12120 BPF_MOV64_IMM(BPF_REG_0, 1),
12122 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12123 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12124 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12125 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12126 BPF_MOV64_IMM(BPF_REG_0, 1),
12128 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12129 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12130 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12131 BPF_MOV64_IMM(BPF_REG_0, 1),
12133 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12134 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12135 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12136 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12137 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12138 BPF_MOV64_IMM(BPF_REG_0, 1),
12140 BPF_MOV64_IMM(BPF_REG_0, 2),
12147 "xadd/w check unaligned stack",
12149 BPF_MOV64_IMM(BPF_REG_0, 1),
12150 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12151 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12152 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12156 .errstr = "misaligned stack access off",
12157 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12160 "xadd/w check unaligned map",
12162 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12165 BPF_LD_MAP_FD(BPF_REG_1, 0),
12166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12167 BPF_FUNC_map_lookup_elem),
12168 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12170 BPF_MOV64_IMM(BPF_REG_1, 1),
12171 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12172 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12175 .fixup_map1 = { 3 },
12177 .errstr = "misaligned value access off",
12178 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12181 "xadd/w check unaligned pkt",
12183 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12184 offsetof(struct xdp_md, data)),
12185 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12186 offsetof(struct xdp_md, data_end)),
12187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12189 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12190 BPF_MOV64_IMM(BPF_REG_0, 99),
12191 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12192 BPF_MOV64_IMM(BPF_REG_0, 1),
12193 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12194 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12195 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12196 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12197 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12201 .errstr = "BPF_XADD stores into R2 packet",
12202 .prog_type = BPF_PROG_TYPE_XDP,
12205 "xadd/w check whether src/dst got mangled, 1",
12207 BPF_MOV64_IMM(BPF_REG_0, 1),
12208 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12209 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12210 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12211 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12212 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12213 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12214 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12215 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12217 BPF_MOV64_IMM(BPF_REG_0, 42),
12221 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12225 "xadd/w check whether src/dst got mangled, 2",
12227 BPF_MOV64_IMM(BPF_REG_0, 1),
12228 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12229 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12230 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12231 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12232 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12233 BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12234 BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12235 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12237 BPF_MOV64_IMM(BPF_REG_0, 42),
12241 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12245 "bpf_get_stack return R0 within range",
12247 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12248 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12249 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12251 BPF_LD_MAP_FD(BPF_REG_1, 0),
12252 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12253 BPF_FUNC_map_lookup_elem),
12254 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12255 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12256 BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)/2),
12257 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12258 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12259 BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)/2),
12260 BPF_MOV64_IMM(BPF_REG_4, 256),
12261 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12262 BPF_MOV64_IMM(BPF_REG_1, 0),
12263 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12264 BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12265 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12266 BPF_JMP_REG(BPF_JSLT, BPF_REG_8, BPF_REG_1, 16),
12267 BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12268 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12269 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12270 BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12271 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12272 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12273 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12274 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12276 BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)/2),
12277 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12278 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12279 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12280 BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12281 BPF_MOV64_IMM(BPF_REG_4, 0),
12282 BPF_EMIT_CALL(BPF_FUNC_get_stack),
12285 .fixup_map2 = { 4 },
12287 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
12290 "ld_abs: invalid op 1",
12292 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12293 BPF_LD_ABS(BPF_DW, 0),
12296 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12298 .errstr = "unknown opcode",
12301 "ld_abs: invalid op 2",
12303 BPF_MOV32_IMM(BPF_REG_0, 256),
12304 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12305 BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12308 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12310 .errstr = "unknown opcode",
12313 "ld_abs: nmap reduced",
12315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12316 BPF_LD_ABS(BPF_H, 12),
12317 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12318 BPF_LD_ABS(BPF_H, 12),
12319 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12320 BPF_MOV32_IMM(BPF_REG_0, 18),
12321 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12322 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12323 BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12324 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12325 BPF_MOV32_IMM(BPF_REG_0, 280971478),
12326 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12327 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12328 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12329 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12330 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12331 BPF_LD_ABS(BPF_H, 12),
12332 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12333 BPF_MOV32_IMM(BPF_REG_0, 22),
12334 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12335 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12336 BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12337 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12338 BPF_MOV32_IMM(BPF_REG_0, 17366),
12339 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12340 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12341 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12342 BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12343 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12344 BPF_MOV32_IMM(BPF_REG_0, 256),
12346 BPF_MOV32_IMM(BPF_REG_0, 0),
12350 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12351 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12352 0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12354 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12359 "ld_abs: div + abs, test 1",
12361 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12362 BPF_LD_ABS(BPF_B, 3),
12363 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12364 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12365 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12366 BPF_LD_ABS(BPF_B, 4),
12367 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12368 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12372 10, 20, 30, 40, 50,
12374 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12379 "ld_abs: div + abs, test 2",
12381 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12382 BPF_LD_ABS(BPF_B, 3),
12383 BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12384 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12385 BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12386 BPF_LD_ABS(BPF_B, 128),
12387 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12388 BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12392 10, 20, 30, 40, 50,
12394 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12399 "ld_abs: div + abs, test 3",
12401 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12402 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12403 BPF_LD_ABS(BPF_B, 3),
12404 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12408 10, 20, 30, 40, 50,
12410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12415 "ld_abs: div + abs, test 4",
12417 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12418 BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12419 BPF_LD_ABS(BPF_B, 256),
12420 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12424 10, 20, 30, 40, 50,
12426 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12431 "ld_abs: vlan + abs, test 1",
12436 .fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12437 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12442 "ld_abs: vlan + abs, test 2",
12444 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12445 BPF_LD_ABS(BPF_B, 0),
12446 BPF_LD_ABS(BPF_H, 0),
12447 BPF_LD_ABS(BPF_W, 0),
12448 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12449 BPF_MOV64_IMM(BPF_REG_6, 0),
12450 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12451 BPF_MOV64_IMM(BPF_REG_2, 1),
12452 BPF_MOV64_IMM(BPF_REG_3, 2),
12453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12454 BPF_FUNC_skb_vlan_push),
12455 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12456 BPF_LD_ABS(BPF_B, 0),
12457 BPF_LD_ABS(BPF_H, 0),
12458 BPF_LD_ABS(BPF_W, 0),
12459 BPF_MOV64_IMM(BPF_REG_0, 42),
12465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12470 "ld_abs: jump around ld_abs",
12475 .fill_helper = bpf_fill_jump_around_ld_abs,
12476 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12481 "ld_dw: xor semi-random 64 bit imms, test 1",
12484 .fill_helper = bpf_fill_rand_ld_dw,
12485 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12490 "ld_dw: xor semi-random 64 bit imms, test 2",
12493 .fill_helper = bpf_fill_rand_ld_dw,
12494 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12499 "ld_dw: xor semi-random 64 bit imms, test 3",
12502 .fill_helper = bpf_fill_rand_ld_dw,
12503 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12508 "ld_dw: xor semi-random 64 bit imms, test 4",
12511 .fill_helper = bpf_fill_rand_ld_dw,
12512 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12517 "pass unmodified ctx pointer to helper",
12519 BPF_MOV64_IMM(BPF_REG_2, 0),
12520 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12521 BPF_FUNC_csum_update),
12522 BPF_MOV64_IMM(BPF_REG_0, 0),
12525 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12529 "pass modified ctx pointer to helper, 1",
12531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12532 BPF_MOV64_IMM(BPF_REG_2, 0),
12533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12534 BPF_FUNC_csum_update),
12535 BPF_MOV64_IMM(BPF_REG_0, 0),
12538 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12540 .errstr = "dereference of modified ctx ptr",
12543 "pass modified ctx pointer to helper, 2",
12545 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12546 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12547 BPF_FUNC_get_socket_cookie),
12548 BPF_MOV64_IMM(BPF_REG_0, 0),
12551 .result_unpriv = REJECT,
12553 .errstr_unpriv = "dereference of modified ctx ptr",
12554 .errstr = "dereference of modified ctx ptr",
12557 "pass modified ctx pointer to helper, 3",
12559 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12560 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12561 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12562 BPF_MOV64_IMM(BPF_REG_2, 0),
12563 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12564 BPF_FUNC_csum_update),
12565 BPF_MOV64_IMM(BPF_REG_0, 0),
12568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12570 .errstr = "variable ctx access var_off=(0x0; 0x4)",
12573 "mov64 src == dst",
12575 BPF_MOV64_IMM(BPF_REG_2, 0),
12576 BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
12577 // Check bounds are OK
12578 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12579 BPF_MOV64_IMM(BPF_REG_0, 0),
12582 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12586 "mov64 src != dst",
12588 BPF_MOV64_IMM(BPF_REG_3, 0),
12589 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
12590 // Check bounds are OK
12591 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12592 BPF_MOV64_IMM(BPF_REG_0, 0),
12595 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
12599 "calls: ctx read at start of subprog",
12601 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12602 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12603 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
12604 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12606 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12608 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
12609 BPF_MOV64_IMM(BPF_REG_0, 0),
12612 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
12613 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
12614 .result_unpriv = REJECT,
12619 static int probe_filter_length(const struct bpf_insn *fp)
12623 for (len = MAX_INSNS - 1; len > 0; --len)
12624 if (fp[len].code != 0 || fp[len].imm != 0)
12629 static int create_map(uint32_t type, uint32_t size_key,
12630 uint32_t size_value, uint32_t max_elem)
12634 fd = bpf_create_map(type, size_key, size_value, max_elem,
12635 type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12637 printf("Failed to create hash map '%s'!\n", strerror(errno));
12642 static int create_prog_dummy1(void)
12644 struct bpf_insn prog[] = {
12645 BPF_MOV64_IMM(BPF_REG_0, 42),
12649 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12650 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12653 static int create_prog_dummy2(int mfd, int idx)
12655 struct bpf_insn prog[] = {
12656 BPF_MOV64_IMM(BPF_REG_3, idx),
12657 BPF_LD_MAP_FD(BPF_REG_2, mfd),
12658 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12659 BPF_FUNC_tail_call),
12660 BPF_MOV64_IMM(BPF_REG_0, 41),
12664 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12665 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12668 static int create_prog_array(uint32_t max_elem, int p1key)
12671 int mfd, p1fd, p2fd;
12673 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12674 sizeof(int), max_elem, 0);
12676 printf("Failed to create prog array '%s'!\n", strerror(errno));
12680 p1fd = create_prog_dummy1();
12681 p2fd = create_prog_dummy2(mfd, p2key);
12682 if (p1fd < 0 || p2fd < 0)
12684 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12686 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12699 static int create_map_in_map(void)
12701 int inner_map_fd, outer_map_fd;
12703 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12704 sizeof(int), 1, 0);
12705 if (inner_map_fd < 0) {
12706 printf("Failed to create array '%s'!\n", strerror(errno));
12707 return inner_map_fd;
12710 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12711 sizeof(int), inner_map_fd, 1, 0);
12712 if (outer_map_fd < 0)
12713 printf("Failed to create array of maps '%s'!\n",
12716 close(inner_map_fd);
12718 return outer_map_fd;
12721 static int create_cgroup_storage(void)
12725 fd = bpf_create_map(BPF_MAP_TYPE_CGROUP_STORAGE,
12726 sizeof(struct bpf_cgroup_storage_key),
12727 TEST_DATA_LEN, 0, 0);
12729 printf("Failed to create array '%s'!\n", strerror(errno));
12734 static char bpf_vlog[UINT_MAX >> 8];
12736 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12739 int *fixup_map1 = test->fixup_map1;
12740 int *fixup_map2 = test->fixup_map2;
12741 int *fixup_map3 = test->fixup_map3;
12742 int *fixup_map4 = test->fixup_map4;
12743 int *fixup_prog1 = test->fixup_prog1;
12744 int *fixup_prog2 = test->fixup_prog2;
12745 int *fixup_map_in_map = test->fixup_map_in_map;
12746 int *fixup_cgroup_storage = test->fixup_cgroup_storage;
12748 if (test->fill_helper)
12749 test->fill_helper(test);
12751 /* Allocating HTs with 1 elem is fine here, since we only test
12752 * for verifier and not do a runtime lookup, so the only thing
12753 * that really matters is value size in this case.
12756 map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12757 sizeof(long long), 1);
12759 prog[*fixup_map1].imm = map_fds[0];
12761 } while (*fixup_map1);
12765 map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12766 sizeof(struct test_val), 1);
12768 prog[*fixup_map2].imm = map_fds[1];
12770 } while (*fixup_map2);
12774 map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12775 sizeof(struct other_val), 1);
12777 prog[*fixup_map3].imm = map_fds[2];
12779 } while (*fixup_map3);
12783 map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12784 sizeof(struct test_val), 1);
12786 prog[*fixup_map4].imm = map_fds[3];
12788 } while (*fixup_map4);
12791 if (*fixup_prog1) {
12792 map_fds[4] = create_prog_array(4, 0);
12794 prog[*fixup_prog1].imm = map_fds[4];
12796 } while (*fixup_prog1);
12799 if (*fixup_prog2) {
12800 map_fds[5] = create_prog_array(8, 7);
12802 prog[*fixup_prog2].imm = map_fds[5];
12804 } while (*fixup_prog2);
12807 if (*fixup_map_in_map) {
12808 map_fds[6] = create_map_in_map();
12810 prog[*fixup_map_in_map].imm = map_fds[6];
12811 fixup_map_in_map++;
12812 } while (*fixup_map_in_map);
12815 if (*fixup_cgroup_storage) {
12816 map_fds[7] = create_cgroup_storage();
12818 prog[*fixup_cgroup_storage].imm = map_fds[7];
12819 fixup_cgroup_storage++;
12820 } while (*fixup_cgroup_storage);
12824 static void do_test_single(struct bpf_test *test, bool unpriv,
12825 int *passes, int *errors)
12827 int fd_prog, expected_ret, reject_from_alignment;
12828 int prog_len, prog_type = test->prog_type;
12829 struct bpf_insn *prog = test->insns;
12830 int map_fds[MAX_NR_MAPS];
12831 const char *expected_err;
12835 for (i = 0; i < MAX_NR_MAPS; i++)
12838 do_test_fixup(test, prog, map_fds);
12839 prog_len = probe_filter_length(prog);
12841 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12842 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12843 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12845 expected_ret = unpriv && test->result_unpriv != UNDEF ?
12846 test->result_unpriv : test->result;
12847 expected_err = unpriv && test->errstr_unpriv ?
12848 test->errstr_unpriv : test->errstr;
12850 reject_from_alignment = fd_prog < 0 &&
12851 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12852 strstr(bpf_vlog, "misaligned");
12853 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12854 if (reject_from_alignment) {
12855 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12860 if (expected_ret == ACCEPT) {
12861 if (fd_prog < 0 && !reject_from_alignment) {
12862 printf("FAIL\nFailed to load prog '%s'!\n",
12867 if (fd_prog >= 0) {
12868 printf("FAIL\nUnexpected success to load!\n");
12871 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12872 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12873 expected_err, bpf_vlog);
12878 if (fd_prog >= 0) {
12879 __u8 tmp[TEST_DATA_LEN << 2];
12880 __u32 size_tmp = sizeof(tmp);
12882 err = bpf_prog_test_run(fd_prog, 1, test->data,
12883 sizeof(test->data), tmp, &size_tmp,
12885 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12886 printf("Unexpected bpf_prog_test_run error\n");
12889 if (!err && retval != test->retval &&
12890 test->retval != POINTER_VALUE) {
12891 printf("FAIL retval %d != %d\n", retval, test->retval);
12896 printf("OK%s\n", reject_from_alignment ?
12897 " (NOTE: reject due to unknown alignment)" : "");
12900 for (i = 0; i < MAX_NR_MAPS; i++)
12906 printf("%s", bpf_vlog);
12910 static bool is_admin(void)
12913 cap_flag_value_t sysadmin = CAP_CLEAR;
12914 const cap_value_t cap_val = CAP_SYS_ADMIN;
12916 #ifdef CAP_IS_SUPPORTED
12917 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12918 perror("cap_get_flag");
12922 caps = cap_get_proc();
12924 perror("cap_get_proc");
12927 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12928 perror("cap_get_flag");
12929 if (cap_free(caps))
12930 perror("cap_free");
12931 return (sysadmin == CAP_SET);
12934 static int set_admin(bool admin)
12937 const cap_value_t cap_val = CAP_SYS_ADMIN;
12940 caps = cap_get_proc();
12942 perror("cap_get_proc");
12945 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12946 admin ? CAP_SET : CAP_CLEAR)) {
12947 perror("cap_set_flag");
12950 if (cap_set_proc(caps)) {
12951 perror("cap_set_proc");
12956 if (cap_free(caps))
12957 perror("cap_free");
12961 static void get_unpriv_disabled()
12966 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12968 perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12969 unpriv_disabled = true;
12972 if (fgets(buf, 2, fd) == buf && atoi(buf))
12973 unpriv_disabled = true;
12977 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12979 int i, passes = 0, errors = 0, skips = 0;
12981 for (i = from; i < to; i++) {
12982 struct bpf_test *test = &tests[i];
12984 /* Program types that are not supported by non-root we
12987 if (!test->prog_type && unpriv_disabled) {
12988 printf("#%d/u %s SKIP\n", i, test->descr);
12990 } else if (!test->prog_type) {
12993 printf("#%d/u %s ", i, test->descr);
12994 do_test_single(test, true, &passes, &errors);
13000 printf("#%d/p %s SKIP\n", i, test->descr);
13003 printf("#%d/p %s ", i, test->descr);
13004 do_test_single(test, false, &passes, &errors);
13008 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
13010 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
13013 int main(int argc, char **argv)
13015 unsigned int from = 0, to = ARRAY_SIZE(tests);
13016 bool unpriv = !is_admin();
13019 unsigned int l = atoi(argv[argc - 2]);
13020 unsigned int u = atoi(argv[argc - 1]);
13022 if (l < to && u < to) {
13026 } else if (argc == 2) {
13027 unsigned int t = atoi(argv[argc - 1]);
13035 get_unpriv_disabled();
13036 if (unpriv && unpriv_disabled) {
13037 printf("Cannot run as unprivileged user with sysctl %s.\n",
13039 return EXIT_FAILURE;
13042 bpf_semi_rand_init();
13043 return do_test(unpriv, from, to);
OSDN Git Service
