2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5 * Copyright (c) 2017 Facebook
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of version 2 of the GNU General Public
9 * License as published by the Free Software Foundation.
13 #include <asm/types.h>
14 #include <linux/types.h>
26 #include <sys/capability.h>
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
37 # include "autoconf.h"
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 #include "bpf_rlimit.h"
44 #include "../../../include/linux/filter.h"
47 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
53 #define POINTER_VALUE 0xcafe4all
54 #define TEST_DATA_LEN 64
56 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
57 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
59 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
60 static bool unpriv_disabled = false;
64 struct bpf_insn insns[MAX_INSNS];
65 int fixup_map1[MAX_FIXUPS];
66 int fixup_map2[MAX_FIXUPS];
67 int fixup_prog[MAX_FIXUPS];
68 int fixup_map_in_map[MAX_FIXUPS];
70 const char *errstr_unpriv;
76 } result, result_unpriv;
77 enum bpf_prog_type prog_type;
81 /* Note we want this to be 64 bit aligned so that the end of our array is
82 * actually the end of the structure.
84 #define MAX_ENTRIES 11
91 static struct bpf_test tests[] = {
95 BPF_MOV64_IMM(BPF_REG_1, 1),
96 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
97 BPF_MOV64_IMM(BPF_REG_2, 3),
98 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
99 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
100 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
101 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
108 "DIV32 by 0, zero check 1",
110 BPF_MOV32_IMM(BPF_REG_0, 42),
111 BPF_MOV32_IMM(BPF_REG_1, 0),
112 BPF_MOV32_IMM(BPF_REG_2, 1),
113 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
120 "DIV32 by 0, zero check 2",
122 BPF_MOV32_IMM(BPF_REG_0, 42),
123 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
124 BPF_MOV32_IMM(BPF_REG_2, 1),
125 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
132 "DIV64 by 0, zero check",
134 BPF_MOV32_IMM(BPF_REG_0, 42),
135 BPF_MOV32_IMM(BPF_REG_1, 0),
136 BPF_MOV32_IMM(BPF_REG_2, 1),
137 BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
144 "MOD32 by 0, zero check 1",
146 BPF_MOV32_IMM(BPF_REG_0, 42),
147 BPF_MOV32_IMM(BPF_REG_1, 0),
148 BPF_MOV32_IMM(BPF_REG_2, 1),
149 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
156 "MOD32 by 0, zero check 2",
158 BPF_MOV32_IMM(BPF_REG_0, 42),
159 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
160 BPF_MOV32_IMM(BPF_REG_2, 1),
161 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
168 "MOD64 by 0, zero check",
170 BPF_MOV32_IMM(BPF_REG_0, 42),
171 BPF_MOV32_IMM(BPF_REG_1, 0),
172 BPF_MOV32_IMM(BPF_REG_2, 1),
173 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
180 "DIV32 by 0, zero check ok, cls",
182 BPF_MOV32_IMM(BPF_REG_0, 42),
183 BPF_MOV32_IMM(BPF_REG_1, 2),
184 BPF_MOV32_IMM(BPF_REG_2, 16),
185 BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
186 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
189 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
194 "DIV32 by 0, zero check 1, cls",
196 BPF_MOV32_IMM(BPF_REG_1, 0),
197 BPF_MOV32_IMM(BPF_REG_0, 1),
198 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
201 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
206 "DIV32 by 0, zero check 2, cls",
208 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
209 BPF_MOV32_IMM(BPF_REG_0, 1),
210 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
213 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
218 "DIV64 by 0, zero check, cls",
220 BPF_MOV32_IMM(BPF_REG_1, 0),
221 BPF_MOV32_IMM(BPF_REG_0, 1),
222 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
230 "MOD32 by 0, zero check ok, cls",
232 BPF_MOV32_IMM(BPF_REG_0, 42),
233 BPF_MOV32_IMM(BPF_REG_1, 3),
234 BPF_MOV32_IMM(BPF_REG_2, 5),
235 BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
236 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
239 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
244 "MOD32 by 0, zero check 1, cls",
246 BPF_MOV32_IMM(BPF_REG_1, 0),
247 BPF_MOV32_IMM(BPF_REG_0, 1),
248 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
251 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
256 "MOD32 by 0, zero check 2, cls",
258 BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
259 BPF_MOV32_IMM(BPF_REG_0, 1),
260 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
263 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
268 "MOD64 by 0, zero check 1, cls",
270 BPF_MOV32_IMM(BPF_REG_1, 0),
271 BPF_MOV32_IMM(BPF_REG_0, 2),
272 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
275 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
280 "MOD64 by 0, zero check 2, cls",
282 BPF_MOV32_IMM(BPF_REG_1, 0),
283 BPF_MOV32_IMM(BPF_REG_0, -1),
284 BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
287 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
291 /* Just make sure that JITs used udiv/umod as otherwise we get
292 * an exception from INT_MIN/-1 overflow similarly as with div
296 "DIV32 overflow, check 1",
298 BPF_MOV32_IMM(BPF_REG_1, -1),
299 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
300 BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
303 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
308 "DIV32 overflow, check 2",
310 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
311 BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
314 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
319 "DIV64 overflow, check 1",
321 BPF_MOV64_IMM(BPF_REG_1, -1),
322 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
323 BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
326 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
331 "DIV64 overflow, check 2",
333 BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
334 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
337 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
342 "MOD32 overflow, check 1",
344 BPF_MOV32_IMM(BPF_REG_1, -1),
345 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
346 BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
354 "MOD32 overflow, check 2",
356 BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
357 BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
360 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 "MOD64 overflow, check 1",
367 BPF_MOV64_IMM(BPF_REG_1, -1),
368 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
369 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
370 BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
371 BPF_MOV32_IMM(BPF_REG_0, 0),
372 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
373 BPF_MOV32_IMM(BPF_REG_0, 1),
376 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
381 "MOD64 overflow, check 2",
383 BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
384 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
385 BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
386 BPF_MOV32_IMM(BPF_REG_0, 0),
387 BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
388 BPF_MOV32_IMM(BPF_REG_0, 1),
391 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
396 "xor32 zero extend check",
398 BPF_MOV32_IMM(BPF_REG_2, -1),
399 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
400 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
401 BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
402 BPF_MOV32_IMM(BPF_REG_0, 2),
403 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
404 BPF_MOV32_IMM(BPF_REG_0, 1),
407 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
415 .errstr = "unknown opcode 00",
423 .errstr = "R0 !read_ok",
432 .errstr = "unreachable",
438 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
439 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
442 .errstr = "unreachable",
448 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
451 .errstr = "jump out of range",
455 "out of range jump2",
457 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
460 .errstr = "jump out of range",
466 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
467 BPF_LD_IMM64(BPF_REG_0, 0),
468 BPF_LD_IMM64(BPF_REG_0, 0),
469 BPF_LD_IMM64(BPF_REG_0, 1),
470 BPF_LD_IMM64(BPF_REG_0, 1),
471 BPF_MOV64_IMM(BPF_REG_0, 2),
474 .errstr = "invalid BPF_LD_IMM insn",
475 .errstr_unpriv = "R1 pointer comparison",
481 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
482 BPF_LD_IMM64(BPF_REG_0, 0),
483 BPF_LD_IMM64(BPF_REG_0, 0),
484 BPF_LD_IMM64(BPF_REG_0, 1),
485 BPF_LD_IMM64(BPF_REG_0, 1),
488 .errstr = "invalid BPF_LD_IMM insn",
489 .errstr_unpriv = "R1 pointer comparison",
495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
496 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
497 BPF_LD_IMM64(BPF_REG_0, 0),
498 BPF_LD_IMM64(BPF_REG_0, 0),
499 BPF_LD_IMM64(BPF_REG_0, 1),
500 BPF_LD_IMM64(BPF_REG_0, 1),
503 .errstr = "invalid bpf_ld_imm64 insn",
509 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
512 .errstr = "invalid bpf_ld_imm64 insn",
518 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
520 .errstr = "invalid bpf_ld_imm64 insn",
526 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
527 BPF_RAW_INSN(0, 0, 0, 0, 0),
535 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
536 BPF_RAW_INSN(0, 0, 0, 0, 1),
545 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
546 BPF_RAW_INSN(0, 0, 0, 0, 1),
549 .errstr = "uses reserved fields",
555 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
556 BPF_RAW_INSN(0, 0, 0, 1, 1),
559 .errstr = "invalid bpf_ld_imm64 insn",
565 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
566 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
569 .errstr = "invalid bpf_ld_imm64 insn",
575 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
576 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
579 .errstr = "invalid bpf_ld_imm64 insn",
585 BPF_MOV64_IMM(BPF_REG_1, 0),
586 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
587 BPF_RAW_INSN(0, 0, 0, 0, 1),
590 .errstr = "not pointing to valid bpf_map",
596 BPF_MOV64_IMM(BPF_REG_1, 0),
597 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
598 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
601 .errstr = "invalid bpf_ld_imm64 insn",
607 BPF_MOV64_IMM(BPF_REG_0, 1),
608 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
612 .errstr = "unknown opcode c4",
617 BPF_MOV64_IMM(BPF_REG_0, 1),
618 BPF_MOV64_IMM(BPF_REG_1, 5),
619 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
623 .errstr = "unknown opcode cc",
628 BPF_MOV64_IMM(BPF_REG_0, 1),
629 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
637 BPF_MOV64_IMM(BPF_REG_0, 1),
638 BPF_MOV64_IMM(BPF_REG_1, 5),
639 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
647 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
649 .errstr = "not an exit",
655 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
658 .errstr = "back-edge",
664 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
665 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
666 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
667 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
670 .errstr = "back-edge",
676 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
678 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
679 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
682 .errstr = "back-edge",
686 "read uninitialized register",
688 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
691 .errstr = "R2 !read_ok",
695 "read invalid register",
697 BPF_MOV64_REG(BPF_REG_0, -1),
700 .errstr = "R15 is invalid",
704 "program doesn't init R0 before exit",
706 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
709 .errstr = "R0 !read_ok",
713 "program doesn't init R0 before exit in all branches",
715 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
716 BPF_MOV64_IMM(BPF_REG_0, 1),
717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
720 .errstr = "R0 !read_ok",
721 .errstr_unpriv = "R1 pointer comparison",
725 "stack out of bounds",
727 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
730 .errstr = "invalid stack",
734 "invalid call insn1",
736 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
739 .errstr = "unknown opcode 8d",
743 "invalid call insn2",
745 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
748 .errstr = "BPF_CALL uses reserved",
752 "invalid function call",
754 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
757 .errstr = "invalid func unknown#1234567",
761 "uninitialized stack1",
763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
765 BPF_LD_MAP_FD(BPF_REG_1, 0),
766 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
767 BPF_FUNC_map_lookup_elem),
771 .errstr = "invalid indirect read from stack",
775 "uninitialized stack2",
777 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
778 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
781 .errstr = "invalid read from stack",
785 "invalid fp arithmetic",
786 /* If this gets ever changed, make sure JITs can deal with it. */
788 BPF_MOV64_IMM(BPF_REG_0, 0),
789 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
790 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
791 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
794 .errstr = "R1 subtraction from stack pointer",
798 "non-invalid fp arithmetic",
800 BPF_MOV64_IMM(BPF_REG_0, 0),
801 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
807 "invalid argument register",
809 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
810 BPF_FUNC_get_cgroup_classid),
811 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
812 BPF_FUNC_get_cgroup_classid),
815 .errstr = "R1 !read_ok",
817 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
820 "non-invalid argument register",
822 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
823 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
824 BPF_FUNC_get_cgroup_classid),
825 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
826 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
827 BPF_FUNC_get_cgroup_classid),
831 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
834 "check valid spill/fill",
836 /* spill R1(ctx) into stack */
837 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
838 /* fill it back into R2 */
839 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
840 /* should be able to access R0 = *(R2 + 8) */
841 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
845 .errstr_unpriv = "R0 leaks addr",
847 .result_unpriv = REJECT,
848 .retval = POINTER_VALUE,
851 "check valid spill/fill, skb mark",
853 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
854 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
855 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
856 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
857 offsetof(struct __sk_buff, mark)),
861 .result_unpriv = ACCEPT,
864 "check corrupted spill/fill",
866 /* spill R1(ctx) into stack */
867 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
868 /* mess up with R1 pointer on stack */
869 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
870 /* fill back into R0 should fail */
871 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
874 .errstr_unpriv = "attempt to corrupt spilled",
875 .errstr = "corrupted spill",
879 "invalid src register in STX",
881 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
884 .errstr = "R15 is invalid",
888 "invalid dst register in STX",
890 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
893 .errstr = "R14 is invalid",
897 "invalid dst register in ST",
899 BPF_ST_MEM(BPF_B, 14, -1, -1),
902 .errstr = "R14 is invalid",
906 "invalid src register in LDX",
908 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
911 .errstr = "R12 is invalid",
915 "invalid dst register in LDX",
917 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
920 .errstr = "R11 is invalid",
926 BPF_RAW_INSN(0, 0, 0, 0, 0),
929 .errstr = "unknown opcode 00",
935 BPF_RAW_INSN(1, 0, 0, 0, 0),
938 .errstr = "BPF_LDX uses reserved fields",
944 BPF_RAW_INSN(-1, 0, 0, 0, 0),
947 .errstr = "unknown opcode ff",
953 BPF_RAW_INSN(-1, -1, -1, -1, -1),
956 .errstr = "unknown opcode ff",
962 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
965 .errstr = "BPF_ALU uses reserved fields",
969 "misaligned read from stack",
971 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
972 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
975 .errstr = "misaligned stack access",
979 "invalid map_fd for function call",
981 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
982 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
984 BPF_LD_MAP_FD(BPF_REG_1, 0),
985 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
986 BPF_FUNC_map_delete_elem),
989 .errstr = "fd 0 is not pointing to valid bpf_map",
993 "don't check return value before access",
995 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
996 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
998 BPF_LD_MAP_FD(BPF_REG_1, 0),
999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1000 BPF_FUNC_map_lookup_elem),
1001 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1004 .fixup_map1 = { 3 },
1005 .errstr = "R0 invalid mem access 'map_value_or_null'",
1009 "access memory with incorrect alignment",
1011 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1014 BPF_LD_MAP_FD(BPF_REG_1, 0),
1015 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1016 BPF_FUNC_map_lookup_elem),
1017 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1018 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1021 .fixup_map1 = { 3 },
1022 .errstr = "misaligned value access",
1024 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1027 "sometimes access memory with incorrect alignment",
1029 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1032 BPF_LD_MAP_FD(BPF_REG_1, 0),
1033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1034 BPF_FUNC_map_lookup_elem),
1035 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1036 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1038 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1041 .fixup_map1 = { 3 },
1042 .errstr = "R0 invalid mem access",
1043 .errstr_unpriv = "R0 leaks addr",
1045 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1050 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1051 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1052 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1053 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1054 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1055 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1056 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1057 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1058 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1059 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1060 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1061 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1062 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1063 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1064 BPF_MOV64_IMM(BPF_REG_0, 0),
1067 .errstr_unpriv = "R1 pointer comparison",
1068 .result_unpriv = REJECT,
1074 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1075 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1076 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1077 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1078 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1079 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1080 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1081 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1082 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1083 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1084 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1085 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1086 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1087 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1088 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1089 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1090 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1091 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1092 BPF_MOV64_IMM(BPF_REG_0, 0),
1095 .errstr_unpriv = "R1 pointer comparison",
1096 .result_unpriv = REJECT,
1102 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1103 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1104 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1106 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1107 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1108 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1110 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1111 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1112 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1114 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1115 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1116 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1118 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1119 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1120 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1122 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1123 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1124 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1126 BPF_LD_MAP_FD(BPF_REG_1, 0),
1127 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1128 BPF_FUNC_map_delete_elem),
1131 .fixup_map1 = { 24 },
1132 .errstr_unpriv = "R1 pointer comparison",
1133 .result_unpriv = REJECT,
1140 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1141 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1143 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1144 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1146 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1147 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1148 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1152 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1154 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1155 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1157 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1158 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1159 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1160 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1161 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1162 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1165 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1169 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1170 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1171 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1172 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1175 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1177 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1178 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1179 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1180 BPF_MOV64_IMM(BPF_REG_0, 0),
1183 .errstr_unpriv = "R1 pointer comparison",
1184 .result_unpriv = REJECT,
1190 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1191 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1192 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1193 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1194 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1195 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1196 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1197 BPF_MOV64_IMM(BPF_REG_0, 0),
1198 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1199 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1200 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1201 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1202 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1203 BPF_MOV64_IMM(BPF_REG_0, 0),
1204 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1205 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1206 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1207 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1208 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1209 BPF_MOV64_IMM(BPF_REG_0, 0),
1210 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1211 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1212 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1213 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1214 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1215 BPF_MOV64_IMM(BPF_REG_0, 0),
1216 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1217 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1218 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1219 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1220 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1221 BPF_MOV64_IMM(BPF_REG_0, 0),
1224 .errstr_unpriv = "R1 pointer comparison",
1225 .result_unpriv = REJECT,
1229 "access skb fields ok",
1231 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1232 offsetof(struct __sk_buff, len)),
1233 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1234 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1235 offsetof(struct __sk_buff, mark)),
1236 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1237 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1238 offsetof(struct __sk_buff, pkt_type)),
1239 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1240 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1241 offsetof(struct __sk_buff, queue_mapping)),
1242 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1243 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1244 offsetof(struct __sk_buff, protocol)),
1245 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1246 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1247 offsetof(struct __sk_buff, vlan_present)),
1248 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1249 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1250 offsetof(struct __sk_buff, vlan_tci)),
1251 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1252 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1253 offsetof(struct __sk_buff, napi_id)),
1254 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1260 "access skb fields bad1",
1262 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1265 .errstr = "invalid bpf_context access",
1269 "access skb fields bad2",
1271 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1272 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1275 BPF_LD_MAP_FD(BPF_REG_1, 0),
1276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1277 BPF_FUNC_map_lookup_elem),
1278 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1281 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1282 offsetof(struct __sk_buff, pkt_type)),
1285 .fixup_map1 = { 4 },
1286 .errstr = "different pointers",
1287 .errstr_unpriv = "R1 pointer comparison",
1291 "access skb fields bad3",
1293 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1295 offsetof(struct __sk_buff, pkt_type)),
1297 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1298 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1299 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1300 BPF_LD_MAP_FD(BPF_REG_1, 0),
1301 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1302 BPF_FUNC_map_lookup_elem),
1303 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1305 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1306 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1308 .fixup_map1 = { 6 },
1309 .errstr = "different pointers",
1310 .errstr_unpriv = "R1 pointer comparison",
1314 "access skb fields bad4",
1316 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1317 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1318 offsetof(struct __sk_buff, len)),
1319 BPF_MOV64_IMM(BPF_REG_0, 0),
1321 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1324 BPF_LD_MAP_FD(BPF_REG_1, 0),
1325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1326 BPF_FUNC_map_lookup_elem),
1327 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1330 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1332 .fixup_map1 = { 7 },
1333 .errstr = "different pointers",
1334 .errstr_unpriv = "R1 pointer comparison",
1338 "invalid access __sk_buff family",
1340 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1341 offsetof(struct __sk_buff, family)),
1344 .errstr = "invalid bpf_context access",
1348 "invalid access __sk_buff remote_ip4",
1350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, remote_ip4)),
1354 .errstr = "invalid bpf_context access",
1358 "invalid access __sk_buff local_ip4",
1360 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1361 offsetof(struct __sk_buff, local_ip4)),
1364 .errstr = "invalid bpf_context access",
1368 "invalid access __sk_buff remote_ip6",
1370 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, remote_ip6)),
1374 .errstr = "invalid bpf_context access",
1378 "invalid access __sk_buff local_ip6",
1380 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1381 offsetof(struct __sk_buff, local_ip6)),
1384 .errstr = "invalid bpf_context access",
1388 "invalid access __sk_buff remote_port",
1390 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1391 offsetof(struct __sk_buff, remote_port)),
1394 .errstr = "invalid bpf_context access",
1398 "invalid access __sk_buff remote_port",
1400 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1401 offsetof(struct __sk_buff, local_port)),
1404 .errstr = "invalid bpf_context access",
1408 "valid access __sk_buff family",
1410 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1411 offsetof(struct __sk_buff, family)),
1415 .prog_type = BPF_PROG_TYPE_SK_SKB,
1418 "valid access __sk_buff remote_ip4",
1420 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1421 offsetof(struct __sk_buff, remote_ip4)),
1425 .prog_type = BPF_PROG_TYPE_SK_SKB,
1428 "valid access __sk_buff local_ip4",
1430 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1431 offsetof(struct __sk_buff, local_ip4)),
1435 .prog_type = BPF_PROG_TYPE_SK_SKB,
1438 "valid access __sk_buff remote_ip6",
1440 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1441 offsetof(struct __sk_buff, remote_ip6[0])),
1442 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1443 offsetof(struct __sk_buff, remote_ip6[1])),
1444 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1445 offsetof(struct __sk_buff, remote_ip6[2])),
1446 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1447 offsetof(struct __sk_buff, remote_ip6[3])),
1451 .prog_type = BPF_PROG_TYPE_SK_SKB,
1454 "valid access __sk_buff local_ip6",
1456 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1457 offsetof(struct __sk_buff, local_ip6[0])),
1458 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1459 offsetof(struct __sk_buff, local_ip6[1])),
1460 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1461 offsetof(struct __sk_buff, local_ip6[2])),
1462 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1463 offsetof(struct __sk_buff, local_ip6[3])),
1467 .prog_type = BPF_PROG_TYPE_SK_SKB,
1470 "valid access __sk_buff remote_port",
1472 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1473 offsetof(struct __sk_buff, remote_port)),
1477 .prog_type = BPF_PROG_TYPE_SK_SKB,
1480 "valid access __sk_buff remote_port",
1482 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1483 offsetof(struct __sk_buff, local_port)),
1487 .prog_type = BPF_PROG_TYPE_SK_SKB,
1490 "invalid access of tc_classid for SK_SKB",
1492 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1493 offsetof(struct __sk_buff, tc_classid)),
1497 .prog_type = BPF_PROG_TYPE_SK_SKB,
1498 .errstr = "invalid bpf_context access",
1501 "invalid access of skb->mark for SK_SKB",
1503 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, mark)),
1508 .prog_type = BPF_PROG_TYPE_SK_SKB,
1509 .errstr = "invalid bpf_context access",
1512 "check skb->mark is not writeable by SK_SKB",
1514 BPF_MOV64_IMM(BPF_REG_0, 0),
1515 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1516 offsetof(struct __sk_buff, mark)),
1520 .prog_type = BPF_PROG_TYPE_SK_SKB,
1521 .errstr = "invalid bpf_context access",
1524 "check skb->tc_index is writeable by SK_SKB",
1526 BPF_MOV64_IMM(BPF_REG_0, 0),
1527 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1528 offsetof(struct __sk_buff, tc_index)),
1532 .prog_type = BPF_PROG_TYPE_SK_SKB,
1535 "check skb->priority is writeable by SK_SKB",
1537 BPF_MOV64_IMM(BPF_REG_0, 0),
1538 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1539 offsetof(struct __sk_buff, priority)),
1543 .prog_type = BPF_PROG_TYPE_SK_SKB,
1546 "direct packet read for SK_SKB",
1548 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1549 offsetof(struct __sk_buff, data)),
1550 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1551 offsetof(struct __sk_buff, data_end)),
1552 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1554 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1555 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1556 BPF_MOV64_IMM(BPF_REG_0, 0),
1560 .prog_type = BPF_PROG_TYPE_SK_SKB,
1563 "direct packet write for SK_SKB",
1565 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1566 offsetof(struct __sk_buff, data)),
1567 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1568 offsetof(struct __sk_buff, data_end)),
1569 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1571 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1572 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1573 BPF_MOV64_IMM(BPF_REG_0, 0),
1577 .prog_type = BPF_PROG_TYPE_SK_SKB,
1580 "overlapping checks for direct packet access SK_SKB",
1582 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1583 offsetof(struct __sk_buff, data)),
1584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1585 offsetof(struct __sk_buff, data_end)),
1586 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1588 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1592 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1593 BPF_MOV64_IMM(BPF_REG_0, 0),
1597 .prog_type = BPF_PROG_TYPE_SK_SKB,
1600 "check skb->mark is not writeable by sockets",
1602 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1603 offsetof(struct __sk_buff, mark)),
1606 .errstr = "invalid bpf_context access",
1607 .errstr_unpriv = "R1 leaks addr",
1611 "check skb->tc_index is not writeable by sockets",
1613 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1614 offsetof(struct __sk_buff, tc_index)),
1617 .errstr = "invalid bpf_context access",
1618 .errstr_unpriv = "R1 leaks addr",
1622 "check cb access: byte",
1624 BPF_MOV64_IMM(BPF_REG_0, 0),
1625 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1626 offsetof(struct __sk_buff, cb[0])),
1627 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1628 offsetof(struct __sk_buff, cb[0]) + 1),
1629 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1630 offsetof(struct __sk_buff, cb[0]) + 2),
1631 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1632 offsetof(struct __sk_buff, cb[0]) + 3),
1633 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1634 offsetof(struct __sk_buff, cb[1])),
1635 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1636 offsetof(struct __sk_buff, cb[1]) + 1),
1637 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1638 offsetof(struct __sk_buff, cb[1]) + 2),
1639 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1640 offsetof(struct __sk_buff, cb[1]) + 3),
1641 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1642 offsetof(struct __sk_buff, cb[2])),
1643 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1644 offsetof(struct __sk_buff, cb[2]) + 1),
1645 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1646 offsetof(struct __sk_buff, cb[2]) + 2),
1647 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1648 offsetof(struct __sk_buff, cb[2]) + 3),
1649 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1650 offsetof(struct __sk_buff, cb[3])),
1651 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1652 offsetof(struct __sk_buff, cb[3]) + 1),
1653 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1654 offsetof(struct __sk_buff, cb[3]) + 2),
1655 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1656 offsetof(struct __sk_buff, cb[3]) + 3),
1657 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1658 offsetof(struct __sk_buff, cb[4])),
1659 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1660 offsetof(struct __sk_buff, cb[4]) + 1),
1661 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1662 offsetof(struct __sk_buff, cb[4]) + 2),
1663 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1664 offsetof(struct __sk_buff, cb[4]) + 3),
1665 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1666 offsetof(struct __sk_buff, cb[0])),
1667 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1668 offsetof(struct __sk_buff, cb[0]) + 1),
1669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1670 offsetof(struct __sk_buff, cb[0]) + 2),
1671 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1672 offsetof(struct __sk_buff, cb[0]) + 3),
1673 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1674 offsetof(struct __sk_buff, cb[1])),
1675 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1676 offsetof(struct __sk_buff, cb[1]) + 1),
1677 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1678 offsetof(struct __sk_buff, cb[1]) + 2),
1679 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1680 offsetof(struct __sk_buff, cb[1]) + 3),
1681 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1682 offsetof(struct __sk_buff, cb[2])),
1683 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1684 offsetof(struct __sk_buff, cb[2]) + 1),
1685 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1686 offsetof(struct __sk_buff, cb[2]) + 2),
1687 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1688 offsetof(struct __sk_buff, cb[2]) + 3),
1689 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1690 offsetof(struct __sk_buff, cb[3])),
1691 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1692 offsetof(struct __sk_buff, cb[3]) + 1),
1693 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1694 offsetof(struct __sk_buff, cb[3]) + 2),
1695 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1696 offsetof(struct __sk_buff, cb[3]) + 3),
1697 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1698 offsetof(struct __sk_buff, cb[4])),
1699 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1700 offsetof(struct __sk_buff, cb[4]) + 1),
1701 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1702 offsetof(struct __sk_buff, cb[4]) + 2),
1703 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1704 offsetof(struct __sk_buff, cb[4]) + 3),
1710 "__sk_buff->hash, offset 0, byte store not permitted",
1712 BPF_MOV64_IMM(BPF_REG_0, 0),
1713 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1714 offsetof(struct __sk_buff, hash)),
1717 .errstr = "invalid bpf_context access",
1721 "__sk_buff->tc_index, offset 3, byte store not permitted",
1723 BPF_MOV64_IMM(BPF_REG_0, 0),
1724 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1725 offsetof(struct __sk_buff, tc_index) + 3),
1728 .errstr = "invalid bpf_context access",
1732 "check skb->hash byte load permitted",
1734 BPF_MOV64_IMM(BPF_REG_0, 0),
1735 #if __BYTE_ORDER == __LITTLE_ENDIAN
1736 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1737 offsetof(struct __sk_buff, hash)),
1739 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1740 offsetof(struct __sk_buff, hash) + 3),
1747 "check skb->hash byte load not permitted 1",
1749 BPF_MOV64_IMM(BPF_REG_0, 0),
1750 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1751 offsetof(struct __sk_buff, hash) + 1),
1754 .errstr = "invalid bpf_context access",
1758 "check skb->hash byte load not permitted 2",
1760 BPF_MOV64_IMM(BPF_REG_0, 0),
1761 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct __sk_buff, hash) + 2),
1765 .errstr = "invalid bpf_context access",
1769 "check skb->hash byte load not permitted 3",
1771 BPF_MOV64_IMM(BPF_REG_0, 0),
1772 #if __BYTE_ORDER == __LITTLE_ENDIAN
1773 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1774 offsetof(struct __sk_buff, hash) + 3),
1776 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1777 offsetof(struct __sk_buff, hash)),
1781 .errstr = "invalid bpf_context access",
1785 "check cb access: byte, wrong type",
1787 BPF_MOV64_IMM(BPF_REG_0, 0),
1788 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1789 offsetof(struct __sk_buff, cb[0])),
1792 .errstr = "invalid bpf_context access",
1794 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1797 "check cb access: half",
1799 BPF_MOV64_IMM(BPF_REG_0, 0),
1800 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1801 offsetof(struct __sk_buff, cb[0])),
1802 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1803 offsetof(struct __sk_buff, cb[0]) + 2),
1804 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1805 offsetof(struct __sk_buff, cb[1])),
1806 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1807 offsetof(struct __sk_buff, cb[1]) + 2),
1808 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1809 offsetof(struct __sk_buff, cb[2])),
1810 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1811 offsetof(struct __sk_buff, cb[2]) + 2),
1812 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1813 offsetof(struct __sk_buff, cb[3])),
1814 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1815 offsetof(struct __sk_buff, cb[3]) + 2),
1816 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1817 offsetof(struct __sk_buff, cb[4])),
1818 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1819 offsetof(struct __sk_buff, cb[4]) + 2),
1820 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1821 offsetof(struct __sk_buff, cb[0])),
1822 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1823 offsetof(struct __sk_buff, cb[0]) + 2),
1824 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1825 offsetof(struct __sk_buff, cb[1])),
1826 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1827 offsetof(struct __sk_buff, cb[1]) + 2),
1828 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1829 offsetof(struct __sk_buff, cb[2])),
1830 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1831 offsetof(struct __sk_buff, cb[2]) + 2),
1832 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1833 offsetof(struct __sk_buff, cb[3])),
1834 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1835 offsetof(struct __sk_buff, cb[3]) + 2),
1836 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1837 offsetof(struct __sk_buff, cb[4])),
1838 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1839 offsetof(struct __sk_buff, cb[4]) + 2),
1845 "check cb access: half, unaligned",
1847 BPF_MOV64_IMM(BPF_REG_0, 0),
1848 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1849 offsetof(struct __sk_buff, cb[0]) + 1),
1852 .errstr = "misaligned context access",
1854 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1857 "check __sk_buff->hash, offset 0, half store not permitted",
1859 BPF_MOV64_IMM(BPF_REG_0, 0),
1860 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1861 offsetof(struct __sk_buff, hash)),
1864 .errstr = "invalid bpf_context access",
1868 "check __sk_buff->tc_index, offset 2, half store not permitted",
1870 BPF_MOV64_IMM(BPF_REG_0, 0),
1871 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1872 offsetof(struct __sk_buff, tc_index) + 2),
1875 .errstr = "invalid bpf_context access",
1879 "check skb->hash half load permitted",
1881 BPF_MOV64_IMM(BPF_REG_0, 0),
1882 #if __BYTE_ORDER == __LITTLE_ENDIAN
1883 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1884 offsetof(struct __sk_buff, hash)),
1886 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1887 offsetof(struct __sk_buff, hash) + 2),
1894 "check skb->hash half load not permitted",
1896 BPF_MOV64_IMM(BPF_REG_0, 0),
1897 #if __BYTE_ORDER == __LITTLE_ENDIAN
1898 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1899 offsetof(struct __sk_buff, hash) + 2),
1901 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1902 offsetof(struct __sk_buff, hash)),
1906 .errstr = "invalid bpf_context access",
1910 "check cb access: half, wrong type",
1912 BPF_MOV64_IMM(BPF_REG_0, 0),
1913 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1914 offsetof(struct __sk_buff, cb[0])),
1917 .errstr = "invalid bpf_context access",
1919 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1922 "check cb access: word",
1924 BPF_MOV64_IMM(BPF_REG_0, 0),
1925 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1926 offsetof(struct __sk_buff, cb[0])),
1927 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1928 offsetof(struct __sk_buff, cb[1])),
1929 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1930 offsetof(struct __sk_buff, cb[2])),
1931 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1932 offsetof(struct __sk_buff, cb[3])),
1933 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1934 offsetof(struct __sk_buff, cb[4])),
1935 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1936 offsetof(struct __sk_buff, cb[0])),
1937 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1938 offsetof(struct __sk_buff, cb[1])),
1939 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1940 offsetof(struct __sk_buff, cb[2])),
1941 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1942 offsetof(struct __sk_buff, cb[3])),
1943 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1944 offsetof(struct __sk_buff, cb[4])),
1950 "check cb access: word, unaligned 1",
1952 BPF_MOV64_IMM(BPF_REG_0, 0),
1953 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1954 offsetof(struct __sk_buff, cb[0]) + 2),
1957 .errstr = "misaligned context access",
1959 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1962 "check cb access: word, unaligned 2",
1964 BPF_MOV64_IMM(BPF_REG_0, 0),
1965 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1966 offsetof(struct __sk_buff, cb[4]) + 1),
1969 .errstr = "misaligned context access",
1971 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1974 "check cb access: word, unaligned 3",
1976 BPF_MOV64_IMM(BPF_REG_0, 0),
1977 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1978 offsetof(struct __sk_buff, cb[4]) + 2),
1981 .errstr = "misaligned context access",
1983 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1986 "check cb access: word, unaligned 4",
1988 BPF_MOV64_IMM(BPF_REG_0, 0),
1989 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1990 offsetof(struct __sk_buff, cb[4]) + 3),
1993 .errstr = "misaligned context access",
1995 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1998 "check cb access: double",
2000 BPF_MOV64_IMM(BPF_REG_0, 0),
2001 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2002 offsetof(struct __sk_buff, cb[0])),
2003 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2004 offsetof(struct __sk_buff, cb[2])),
2005 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2006 offsetof(struct __sk_buff, cb[0])),
2007 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2008 offsetof(struct __sk_buff, cb[2])),
2014 "check cb access: double, unaligned 1",
2016 BPF_MOV64_IMM(BPF_REG_0, 0),
2017 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2018 offsetof(struct __sk_buff, cb[1])),
2021 .errstr = "misaligned context access",
2023 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2026 "check cb access: double, unaligned 2",
2028 BPF_MOV64_IMM(BPF_REG_0, 0),
2029 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2030 offsetof(struct __sk_buff, cb[3])),
2033 .errstr = "misaligned context access",
2035 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2038 "check cb access: double, oob 1",
2040 BPF_MOV64_IMM(BPF_REG_0, 0),
2041 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2042 offsetof(struct __sk_buff, cb[4])),
2045 .errstr = "invalid bpf_context access",
2049 "check cb access: double, oob 2",
2051 BPF_MOV64_IMM(BPF_REG_0, 0),
2052 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2053 offsetof(struct __sk_buff, cb[4])),
2056 .errstr = "invalid bpf_context access",
2060 "check __sk_buff->ifindex dw store not permitted",
2062 BPF_MOV64_IMM(BPF_REG_0, 0),
2063 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2064 offsetof(struct __sk_buff, ifindex)),
2067 .errstr = "invalid bpf_context access",
2071 "check __sk_buff->ifindex dw load not permitted",
2073 BPF_MOV64_IMM(BPF_REG_0, 0),
2074 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2075 offsetof(struct __sk_buff, ifindex)),
2078 .errstr = "invalid bpf_context access",
2082 "check cb access: double, wrong type",
2084 BPF_MOV64_IMM(BPF_REG_0, 0),
2085 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2086 offsetof(struct __sk_buff, cb[0])),
2089 .errstr = "invalid bpf_context access",
2091 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2094 "check out of range skb->cb access",
2096 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2097 offsetof(struct __sk_buff, cb[0]) + 256),
2100 .errstr = "invalid bpf_context access",
2101 .errstr_unpriv = "",
2103 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2106 "write skb fields from socket prog",
2108 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2109 offsetof(struct __sk_buff, cb[4])),
2110 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2111 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2112 offsetof(struct __sk_buff, mark)),
2113 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2114 offsetof(struct __sk_buff, tc_index)),
2115 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2116 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2117 offsetof(struct __sk_buff, cb[0])),
2118 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2119 offsetof(struct __sk_buff, cb[2])),
2123 .errstr_unpriv = "R1 leaks addr",
2124 .result_unpriv = REJECT,
2127 "write skb fields from tc_cls_act prog",
2129 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2130 offsetof(struct __sk_buff, cb[0])),
2131 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2132 offsetof(struct __sk_buff, mark)),
2133 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2134 offsetof(struct __sk_buff, tc_index)),
2135 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2136 offsetof(struct __sk_buff, tc_index)),
2137 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2138 offsetof(struct __sk_buff, cb[3])),
2141 .errstr_unpriv = "",
2142 .result_unpriv = REJECT,
2144 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2147 "PTR_TO_STACK store/load",
2149 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2150 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2151 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2152 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2156 .retval = 0xfaceb00c,
2159 "PTR_TO_STACK store/load - bad alignment on off",
2161 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2163 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2164 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2168 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2171 "PTR_TO_STACK store/load - bad alignment on reg",
2173 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2174 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2175 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2176 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2180 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2183 "PTR_TO_STACK store/load - out of bounds low",
2185 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2187 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2188 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2192 .errstr = "invalid stack off=-79992 size=8",
2195 "PTR_TO_STACK store/load - out of bounds high",
2197 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2199 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2200 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2204 .errstr = "invalid stack off=0 size=8",
2207 "unpriv: return pointer",
2209 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2213 .result_unpriv = REJECT,
2214 .errstr_unpriv = "R0 leaks addr",
2215 .retval = POINTER_VALUE,
2218 "unpriv: add const to pointer",
2220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2221 BPF_MOV64_IMM(BPF_REG_0, 0),
2227 "unpriv: add pointer to pointer",
2229 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2230 BPF_MOV64_IMM(BPF_REG_0, 0),
2234 .errstr = "R1 pointer += pointer",
2237 "unpriv: neg pointer",
2239 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2240 BPF_MOV64_IMM(BPF_REG_0, 0),
2244 .result_unpriv = REJECT,
2245 .errstr_unpriv = "R1 pointer arithmetic",
2248 "unpriv: cmp pointer with const",
2250 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2251 BPF_MOV64_IMM(BPF_REG_0, 0),
2255 .result_unpriv = REJECT,
2256 .errstr_unpriv = "R1 pointer comparison",
2259 "unpriv: cmp pointer with pointer",
2261 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2262 BPF_MOV64_IMM(BPF_REG_0, 0),
2266 .result_unpriv = REJECT,
2267 .errstr_unpriv = "R10 pointer comparison",
2270 "unpriv: check that printk is disallowed",
2272 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2275 BPF_MOV64_IMM(BPF_REG_2, 8),
2276 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2278 BPF_FUNC_trace_printk),
2279 BPF_MOV64_IMM(BPF_REG_0, 0),
2282 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2283 .result_unpriv = REJECT,
2287 "unpriv: pass pointer to helper function",
2289 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2290 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2292 BPF_LD_MAP_FD(BPF_REG_1, 0),
2293 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2294 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2296 BPF_FUNC_map_update_elem),
2297 BPF_MOV64_IMM(BPF_REG_0, 0),
2300 .fixup_map1 = { 3 },
2301 .errstr_unpriv = "R4 leaks addr",
2302 .result_unpriv = REJECT,
2306 "unpriv: indirectly pass pointer on stack to helper function",
2308 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2311 BPF_LD_MAP_FD(BPF_REG_1, 0),
2312 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2313 BPF_FUNC_map_lookup_elem),
2314 BPF_MOV64_IMM(BPF_REG_0, 0),
2317 .fixup_map1 = { 3 },
2318 .errstr = "invalid indirect read from stack off -8+0 size 8",
2322 "unpriv: mangle pointer on stack 1",
2324 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2325 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2326 BPF_MOV64_IMM(BPF_REG_0, 0),
2329 .errstr_unpriv = "attempt to corrupt spilled",
2330 .result_unpriv = REJECT,
2334 "unpriv: mangle pointer on stack 2",
2336 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2337 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2338 BPF_MOV64_IMM(BPF_REG_0, 0),
2341 .errstr_unpriv = "attempt to corrupt spilled",
2342 .result_unpriv = REJECT,
2346 "unpriv: read pointer from stack in small chunks",
2348 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2349 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2350 BPF_MOV64_IMM(BPF_REG_0, 0),
2353 .errstr = "invalid size",
2357 "unpriv: write pointer into ctx",
2359 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2360 BPF_MOV64_IMM(BPF_REG_0, 0),
2363 .errstr_unpriv = "R1 leaks addr",
2364 .result_unpriv = REJECT,
2365 .errstr = "invalid bpf_context access",
2369 "unpriv: spill/fill of ctx",
2371 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2372 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2373 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2374 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2375 BPF_MOV64_IMM(BPF_REG_0, 0),
2381 "unpriv: spill/fill of ctx 2",
2383 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2385 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2386 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2387 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2388 BPF_FUNC_get_hash_recalc),
2389 BPF_MOV64_IMM(BPF_REG_0, 0),
2393 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2396 "unpriv: spill/fill of ctx 3",
2398 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2399 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2400 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2401 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2402 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2404 BPF_FUNC_get_hash_recalc),
2408 .errstr = "R1 type=fp expected=ctx",
2409 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2412 "unpriv: spill/fill of ctx 4",
2414 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2416 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2417 BPF_MOV64_IMM(BPF_REG_0, 1),
2418 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2420 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2422 BPF_FUNC_get_hash_recalc),
2426 .errstr = "R1 type=inv expected=ctx",
2427 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2430 "unpriv: spill/fill of different pointers stx",
2432 BPF_MOV64_IMM(BPF_REG_3, 42),
2433 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2435 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2436 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2438 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2439 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2440 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2441 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2442 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2443 offsetof(struct __sk_buff, mark)),
2444 BPF_MOV64_IMM(BPF_REG_0, 0),
2448 .errstr = "same insn cannot be used with different pointers",
2449 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2452 "unpriv: spill/fill of different pointers ldx",
2454 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2456 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2459 -(__s32)offsetof(struct bpf_perf_event_data,
2460 sample_period) - 8),
2461 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2462 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2463 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2464 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2465 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2466 offsetof(struct bpf_perf_event_data,
2468 BPF_MOV64_IMM(BPF_REG_0, 0),
2472 .errstr = "same insn cannot be used with different pointers",
2473 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2476 "unpriv: write pointer into map elem value",
2478 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2479 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2480 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2481 BPF_LD_MAP_FD(BPF_REG_1, 0),
2482 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2483 BPF_FUNC_map_lookup_elem),
2484 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2485 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2488 .fixup_map1 = { 3 },
2489 .errstr_unpriv = "R0 leaks addr",
2490 .result_unpriv = REJECT,
2494 "unpriv: partial copy of pointer",
2496 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2497 BPF_MOV64_IMM(BPF_REG_0, 0),
2500 .errstr_unpriv = "R10 partial copy",
2501 .result_unpriv = REJECT,
2505 "unpriv: pass pointer to tail_call",
2507 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2508 BPF_LD_MAP_FD(BPF_REG_2, 0),
2509 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2510 BPF_FUNC_tail_call),
2511 BPF_MOV64_IMM(BPF_REG_0, 0),
2514 .fixup_prog = { 1 },
2515 .errstr_unpriv = "R3 leaks addr into helper",
2516 .result_unpriv = REJECT,
2520 "unpriv: cmp map pointer with zero",
2522 BPF_MOV64_IMM(BPF_REG_1, 0),
2523 BPF_LD_MAP_FD(BPF_REG_1, 0),
2524 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2525 BPF_MOV64_IMM(BPF_REG_0, 0),
2528 .fixup_map1 = { 1 },
2529 .errstr_unpriv = "R1 pointer comparison",
2530 .result_unpriv = REJECT,
2534 "unpriv: write into frame pointer",
2536 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2537 BPF_MOV64_IMM(BPF_REG_0, 0),
2540 .errstr = "frame pointer is read only",
2544 "unpriv: spill/fill frame pointer",
2546 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2547 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2548 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2549 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2550 BPF_MOV64_IMM(BPF_REG_0, 0),
2553 .errstr = "frame pointer is read only",
2557 "unpriv: cmp of frame pointer",
2559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2560 BPF_MOV64_IMM(BPF_REG_0, 0),
2563 .errstr_unpriv = "R10 pointer comparison",
2564 .result_unpriv = REJECT,
2568 "unpriv: adding of fp",
2570 BPF_MOV64_IMM(BPF_REG_0, 0),
2571 BPF_MOV64_IMM(BPF_REG_1, 0),
2572 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2573 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2579 "unpriv: cmp of stack pointer",
2581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2583 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2584 BPF_MOV64_IMM(BPF_REG_0, 0),
2587 .errstr_unpriv = "R2 pointer comparison",
2588 .result_unpriv = REJECT,
2592 "runtime/jit: tail_call within bounds, prog once",
2594 BPF_MOV64_IMM(BPF_REG_3, 0),
2595 BPF_LD_MAP_FD(BPF_REG_2, 0),
2596 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2597 BPF_FUNC_tail_call),
2598 BPF_MOV64_IMM(BPF_REG_0, 1),
2601 .fixup_prog = { 1 },
2606 "runtime/jit: tail_call within bounds, prog loop",
2608 BPF_MOV64_IMM(BPF_REG_3, 1),
2609 BPF_LD_MAP_FD(BPF_REG_2, 0),
2610 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2611 BPF_FUNC_tail_call),
2612 BPF_MOV64_IMM(BPF_REG_0, 1),
2615 .fixup_prog = { 1 },
2620 "runtime/jit: tail_call within bounds, no prog",
2622 BPF_MOV64_IMM(BPF_REG_3, 2),
2623 BPF_LD_MAP_FD(BPF_REG_2, 0),
2624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2625 BPF_FUNC_tail_call),
2626 BPF_MOV64_IMM(BPF_REG_0, 1),
2629 .fixup_prog = { 1 },
2634 "runtime/jit: tail_call out of bounds",
2636 BPF_MOV64_IMM(BPF_REG_3, 256),
2637 BPF_LD_MAP_FD(BPF_REG_2, 0),
2638 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2639 BPF_FUNC_tail_call),
2640 BPF_MOV64_IMM(BPF_REG_0, 2),
2643 .fixup_prog = { 1 },
2648 "runtime/jit: pass negative index to tail_call",
2650 BPF_MOV64_IMM(BPF_REG_3, -1),
2651 BPF_LD_MAP_FD(BPF_REG_2, 0),
2652 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2653 BPF_FUNC_tail_call),
2654 BPF_MOV64_IMM(BPF_REG_0, 2),
2657 .fixup_prog = { 1 },
2662 "runtime/jit: pass > 32bit index to tail_call",
2664 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2665 BPF_LD_MAP_FD(BPF_REG_2, 0),
2666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2667 BPF_FUNC_tail_call),
2668 BPF_MOV64_IMM(BPF_REG_0, 2),
2671 .fixup_prog = { 2 },
2676 "stack pointer arithmetic",
2678 BPF_MOV64_IMM(BPF_REG_1, 4),
2679 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2680 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2684 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2685 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2688 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2689 BPF_MOV64_IMM(BPF_REG_0, 0),
2695 "raw_stack: no skb_load_bytes",
2697 BPF_MOV64_IMM(BPF_REG_2, 4),
2698 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2700 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2701 BPF_MOV64_IMM(BPF_REG_4, 8),
2702 /* Call to skb_load_bytes() omitted. */
2703 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2707 .errstr = "invalid read from stack off -8+0 size 8",
2708 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2711 "raw_stack: skb_load_bytes, negative len",
2713 BPF_MOV64_IMM(BPF_REG_2, 4),
2714 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2716 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2717 BPF_MOV64_IMM(BPF_REG_4, -8),
2718 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2719 BPF_FUNC_skb_load_bytes),
2720 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2724 .errstr = "R4 min value is negative",
2725 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2728 "raw_stack: skb_load_bytes, negative len 2",
2730 BPF_MOV64_IMM(BPF_REG_2, 4),
2731 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2732 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2733 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2734 BPF_MOV64_IMM(BPF_REG_4, ~0),
2735 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2736 BPF_FUNC_skb_load_bytes),
2737 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2741 .errstr = "R4 min value is negative",
2742 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2745 "raw_stack: skb_load_bytes, zero len",
2747 BPF_MOV64_IMM(BPF_REG_2, 4),
2748 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2750 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2751 BPF_MOV64_IMM(BPF_REG_4, 0),
2752 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2753 BPF_FUNC_skb_load_bytes),
2754 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2758 .errstr = "invalid stack type R3",
2759 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2762 "raw_stack: skb_load_bytes, no init",
2764 BPF_MOV64_IMM(BPF_REG_2, 4),
2765 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2767 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2768 BPF_MOV64_IMM(BPF_REG_4, 8),
2769 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2770 BPF_FUNC_skb_load_bytes),
2771 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2775 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2778 "raw_stack: skb_load_bytes, init",
2780 BPF_MOV64_IMM(BPF_REG_2, 4),
2781 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2783 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2784 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2785 BPF_MOV64_IMM(BPF_REG_4, 8),
2786 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2787 BPF_FUNC_skb_load_bytes),
2788 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2792 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2795 "raw_stack: skb_load_bytes, spilled regs around bounds",
2797 BPF_MOV64_IMM(BPF_REG_2, 4),
2798 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2800 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2801 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2802 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2803 BPF_MOV64_IMM(BPF_REG_4, 8),
2804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2805 BPF_FUNC_skb_load_bytes),
2806 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2807 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2808 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2809 offsetof(struct __sk_buff, mark)),
2810 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2811 offsetof(struct __sk_buff, priority)),
2812 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2816 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2819 "raw_stack: skb_load_bytes, spilled regs corruption",
2821 BPF_MOV64_IMM(BPF_REG_2, 4),
2822 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2824 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2825 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2826 BPF_MOV64_IMM(BPF_REG_4, 8),
2827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2828 BPF_FUNC_skb_load_bytes),
2829 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2830 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2831 offsetof(struct __sk_buff, mark)),
2835 .errstr = "R0 invalid mem access 'inv'",
2836 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2839 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2841 BPF_MOV64_IMM(BPF_REG_2, 4),
2842 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2843 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2844 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2845 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2846 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2847 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2848 BPF_MOV64_IMM(BPF_REG_4, 8),
2849 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2850 BPF_FUNC_skb_load_bytes),
2851 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2852 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2853 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2854 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2855 offsetof(struct __sk_buff, mark)),
2856 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2857 offsetof(struct __sk_buff, priority)),
2858 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2859 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2860 offsetof(struct __sk_buff, pkt_type)),
2861 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2865 .errstr = "R3 invalid mem access 'inv'",
2866 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2869 "raw_stack: skb_load_bytes, spilled regs + data",
2871 BPF_MOV64_IMM(BPF_REG_2, 4),
2872 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2873 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2874 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2875 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2877 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2878 BPF_MOV64_IMM(BPF_REG_4, 8),
2879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2880 BPF_FUNC_skb_load_bytes),
2881 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2882 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2883 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2885 offsetof(struct __sk_buff, mark)),
2886 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2887 offsetof(struct __sk_buff, priority)),
2888 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2889 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2893 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2896 "raw_stack: skb_load_bytes, invalid access 1",
2898 BPF_MOV64_IMM(BPF_REG_2, 4),
2899 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2901 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2902 BPF_MOV64_IMM(BPF_REG_4, 8),
2903 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2904 BPF_FUNC_skb_load_bytes),
2905 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2909 .errstr = "invalid stack type R3 off=-513 access_size=8",
2910 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2913 "raw_stack: skb_load_bytes, invalid access 2",
2915 BPF_MOV64_IMM(BPF_REG_2, 4),
2916 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2918 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2919 BPF_MOV64_IMM(BPF_REG_4, 8),
2920 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2921 BPF_FUNC_skb_load_bytes),
2922 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2926 .errstr = "invalid stack type R3 off=-1 access_size=8",
2927 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2930 "raw_stack: skb_load_bytes, invalid access 3",
2932 BPF_MOV64_IMM(BPF_REG_2, 4),
2933 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2935 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2936 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2937 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2938 BPF_FUNC_skb_load_bytes),
2939 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2943 .errstr = "R4 min value is negative",
2944 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2947 "raw_stack: skb_load_bytes, invalid access 4",
2949 BPF_MOV64_IMM(BPF_REG_2, 4),
2950 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2952 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2953 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2955 BPF_FUNC_skb_load_bytes),
2956 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2960 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2961 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2964 "raw_stack: skb_load_bytes, invalid access 5",
2966 BPF_MOV64_IMM(BPF_REG_2, 4),
2967 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2969 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2970 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2971 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2972 BPF_FUNC_skb_load_bytes),
2973 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2977 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2978 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2981 "raw_stack: skb_load_bytes, invalid access 6",
2983 BPF_MOV64_IMM(BPF_REG_2, 4),
2984 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2985 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2986 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2987 BPF_MOV64_IMM(BPF_REG_4, 0),
2988 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2989 BPF_FUNC_skb_load_bytes),
2990 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2994 .errstr = "invalid stack type R3 off=-512 access_size=0",
2995 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2998 "raw_stack: skb_load_bytes, large access",
3000 BPF_MOV64_IMM(BPF_REG_2, 4),
3001 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3002 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3003 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3004 BPF_MOV64_IMM(BPF_REG_4, 512),
3005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3006 BPF_FUNC_skb_load_bytes),
3007 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3011 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3014 "context stores via ST",
3016 BPF_MOV64_IMM(BPF_REG_0, 0),
3017 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3020 .errstr = "BPF_ST stores into R1 context is not allowed",
3022 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3025 "context stores via XADD",
3027 BPF_MOV64_IMM(BPF_REG_0, 0),
3028 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3029 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3032 .errstr = "BPF_XADD stores into R1 context is not allowed",
3034 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3037 "direct packet access: test1",
3039 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3040 offsetof(struct __sk_buff, data)),
3041 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3042 offsetof(struct __sk_buff, data_end)),
3043 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3045 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3046 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3047 BPF_MOV64_IMM(BPF_REG_0, 0),
3051 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3054 "direct packet access: test2",
3056 BPF_MOV64_IMM(BPF_REG_0, 1),
3057 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3058 offsetof(struct __sk_buff, data_end)),
3059 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3060 offsetof(struct __sk_buff, data)),
3061 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3062 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3063 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3064 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3065 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3066 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3067 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3068 offsetof(struct __sk_buff, data)),
3069 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3070 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3071 offsetof(struct __sk_buff, len)),
3072 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3073 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3074 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3075 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3076 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3077 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3078 offsetof(struct __sk_buff, data_end)),
3079 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3080 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3081 BPF_MOV64_IMM(BPF_REG_0, 0),
3085 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3088 "direct packet access: test3",
3090 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3091 offsetof(struct __sk_buff, data)),
3092 BPF_MOV64_IMM(BPF_REG_0, 0),
3095 .errstr = "invalid bpf_context access off=76",
3097 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3100 "direct packet access: test4 (write)",
3102 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3103 offsetof(struct __sk_buff, data)),
3104 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3105 offsetof(struct __sk_buff, data_end)),
3106 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3107 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3108 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3109 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3110 BPF_MOV64_IMM(BPF_REG_0, 0),
3114 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3117 "direct packet access: test5 (pkt_end >= reg, good access)",
3119 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3120 offsetof(struct __sk_buff, data)),
3121 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3122 offsetof(struct __sk_buff, data_end)),
3123 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3124 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3125 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3126 BPF_MOV64_IMM(BPF_REG_0, 1),
3128 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3129 BPF_MOV64_IMM(BPF_REG_0, 0),
3133 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3136 "direct packet access: test6 (pkt_end >= reg, bad access)",
3138 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3139 offsetof(struct __sk_buff, data)),
3140 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3141 offsetof(struct __sk_buff, data_end)),
3142 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3143 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3144 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3145 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3146 BPF_MOV64_IMM(BPF_REG_0, 1),
3148 BPF_MOV64_IMM(BPF_REG_0, 0),
3151 .errstr = "invalid access to packet",
3153 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3156 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3158 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3159 offsetof(struct __sk_buff, data)),
3160 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3161 offsetof(struct __sk_buff, data_end)),
3162 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3164 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3165 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3166 BPF_MOV64_IMM(BPF_REG_0, 1),
3168 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3169 BPF_MOV64_IMM(BPF_REG_0, 0),
3172 .errstr = "invalid access to packet",
3174 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3177 "direct packet access: test8 (double test, variant 1)",
3179 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3180 offsetof(struct __sk_buff, data)),
3181 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3182 offsetof(struct __sk_buff, data_end)),
3183 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3185 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3186 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3188 BPF_MOV64_IMM(BPF_REG_0, 1),
3190 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3191 BPF_MOV64_IMM(BPF_REG_0, 0),
3195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3198 "direct packet access: test9 (double test, variant 2)",
3200 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3201 offsetof(struct __sk_buff, data)),
3202 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3203 offsetof(struct __sk_buff, data_end)),
3204 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3206 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3207 BPF_MOV64_IMM(BPF_REG_0, 1),
3209 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3210 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3211 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3212 BPF_MOV64_IMM(BPF_REG_0, 0),
3216 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3219 "direct packet access: test10 (write invalid)",
3221 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3222 offsetof(struct __sk_buff, data)),
3223 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3224 offsetof(struct __sk_buff, data_end)),
3225 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3227 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3228 BPF_MOV64_IMM(BPF_REG_0, 0),
3230 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3231 BPF_MOV64_IMM(BPF_REG_0, 0),
3234 .errstr = "invalid access to packet",
3236 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3239 "direct packet access: test11 (shift, good access)",
3241 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3242 offsetof(struct __sk_buff, data)),
3243 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3244 offsetof(struct __sk_buff, data_end)),
3245 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3246 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3247 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3248 BPF_MOV64_IMM(BPF_REG_3, 144),
3249 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3250 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3251 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3252 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3253 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3254 BPF_MOV64_IMM(BPF_REG_0, 1),
3256 BPF_MOV64_IMM(BPF_REG_0, 0),
3260 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3264 "direct packet access: test12 (and, good access)",
3266 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3267 offsetof(struct __sk_buff, data)),
3268 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3269 offsetof(struct __sk_buff, data_end)),
3270 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3272 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3273 BPF_MOV64_IMM(BPF_REG_3, 144),
3274 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3275 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3276 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3277 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3278 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3279 BPF_MOV64_IMM(BPF_REG_0, 1),
3281 BPF_MOV64_IMM(BPF_REG_0, 0),
3285 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3289 "direct packet access: test13 (branches, good access)",
3291 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3292 offsetof(struct __sk_buff, data)),
3293 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3294 offsetof(struct __sk_buff, data_end)),
3295 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3296 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3297 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3298 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3299 offsetof(struct __sk_buff, mark)),
3300 BPF_MOV64_IMM(BPF_REG_4, 1),
3301 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3302 BPF_MOV64_IMM(BPF_REG_3, 14),
3303 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3304 BPF_MOV64_IMM(BPF_REG_3, 24),
3305 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3307 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3308 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3309 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3310 BPF_MOV64_IMM(BPF_REG_0, 1),
3312 BPF_MOV64_IMM(BPF_REG_0, 0),
3316 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3320 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3322 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3323 offsetof(struct __sk_buff, data)),
3324 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3325 offsetof(struct __sk_buff, data_end)),
3326 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3328 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3329 BPF_MOV64_IMM(BPF_REG_5, 12),
3330 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3331 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3332 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3333 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3334 BPF_MOV64_IMM(BPF_REG_0, 1),
3336 BPF_MOV64_IMM(BPF_REG_0, 0),
3340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3344 "direct packet access: test15 (spill with xadd)",
3346 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3347 offsetof(struct __sk_buff, data)),
3348 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3349 offsetof(struct __sk_buff, data_end)),
3350 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3352 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3353 BPF_MOV64_IMM(BPF_REG_5, 4096),
3354 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3356 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3357 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3358 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3359 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3360 BPF_MOV64_IMM(BPF_REG_0, 0),
3363 .errstr = "R2 invalid mem access 'inv'",
3365 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3368 "direct packet access: test16 (arith on data_end)",
3370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3371 offsetof(struct __sk_buff, data)),
3372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3373 offsetof(struct __sk_buff, data_end)),
3374 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3377 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3378 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3379 BPF_MOV64_IMM(BPF_REG_0, 0),
3382 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3384 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3387 "direct packet access: test17 (pruning, alignment)",
3389 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3390 offsetof(struct __sk_buff, data)),
3391 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3392 offsetof(struct __sk_buff, data_end)),
3393 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3394 offsetof(struct __sk_buff, mark)),
3395 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3397 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3398 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3399 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3400 BPF_MOV64_IMM(BPF_REG_0, 0),
3402 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3405 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3407 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3408 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3411 "direct packet access: test18 (imm += pkt_ptr, 1)",
3413 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3414 offsetof(struct __sk_buff, data)),
3415 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3416 offsetof(struct __sk_buff, data_end)),
3417 BPF_MOV64_IMM(BPF_REG_0, 8),
3418 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3419 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3420 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3421 BPF_MOV64_IMM(BPF_REG_0, 0),
3425 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3428 "direct packet access: test19 (imm += pkt_ptr, 2)",
3430 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3431 offsetof(struct __sk_buff, data)),
3432 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3433 offsetof(struct __sk_buff, data_end)),
3434 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3436 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3437 BPF_MOV64_IMM(BPF_REG_4, 4),
3438 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3439 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3440 BPF_MOV64_IMM(BPF_REG_0, 0),
3444 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3447 "direct packet access: test20 (x += pkt_ptr, 1)",
3449 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3450 offsetof(struct __sk_buff, data)),
3451 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3452 offsetof(struct __sk_buff, data_end)),
3453 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3454 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3455 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3456 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3457 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3458 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3459 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3461 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3462 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3463 BPF_MOV64_IMM(BPF_REG_0, 0),
3466 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3470 "direct packet access: test21 (x += pkt_ptr, 2)",
3472 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3473 offsetof(struct __sk_buff, data)),
3474 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3475 offsetof(struct __sk_buff, data_end)),
3476 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3478 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3479 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3480 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3481 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3482 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3483 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3484 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3486 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3487 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3488 BPF_MOV64_IMM(BPF_REG_0, 0),
3491 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3495 "direct packet access: test22 (x += pkt_ptr, 3)",
3497 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3498 offsetof(struct __sk_buff, data)),
3499 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3500 offsetof(struct __sk_buff, data_end)),
3501 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3503 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3504 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3505 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3506 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3507 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3508 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3509 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3510 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3511 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3512 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3513 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3515 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3516 BPF_MOV64_IMM(BPF_REG_2, 1),
3517 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3518 BPF_MOV64_IMM(BPF_REG_0, 0),
3521 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3525 "direct packet access: test23 (x += pkt_ptr, 4)",
3527 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3528 offsetof(struct __sk_buff, data)),
3529 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3530 offsetof(struct __sk_buff, data_end)),
3531 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3532 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3533 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3534 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3535 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3536 BPF_MOV64_IMM(BPF_REG_0, 31),
3537 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3538 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3539 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3541 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3542 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3543 BPF_MOV64_IMM(BPF_REG_0, 0),
3546 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3548 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3551 "direct packet access: test24 (x += pkt_ptr, 5)",
3553 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3554 offsetof(struct __sk_buff, data)),
3555 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3556 offsetof(struct __sk_buff, data_end)),
3557 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3558 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3559 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3560 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3561 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3562 BPF_MOV64_IMM(BPF_REG_0, 64),
3563 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3564 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3565 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3567 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3568 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3569 BPF_MOV64_IMM(BPF_REG_0, 0),
3572 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3576 "direct packet access: test25 (marking on <, good access)",
3578 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3579 offsetof(struct __sk_buff, data)),
3580 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3581 offsetof(struct __sk_buff, data_end)),
3582 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3584 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3585 BPF_MOV64_IMM(BPF_REG_0, 0),
3587 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3588 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3591 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3594 "direct packet access: test26 (marking on <, bad access)",
3596 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3597 offsetof(struct __sk_buff, data)),
3598 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3599 offsetof(struct __sk_buff, data_end)),
3600 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3602 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3603 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3604 BPF_MOV64_IMM(BPF_REG_0, 0),
3606 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3609 .errstr = "invalid access to packet",
3610 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3613 "direct packet access: test27 (marking on <=, good access)",
3615 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616 offsetof(struct __sk_buff, data)),
3617 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3618 offsetof(struct __sk_buff, data_end)),
3619 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3621 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3622 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3623 BPF_MOV64_IMM(BPF_REG_0, 1),
3627 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3631 "direct packet access: test28 (marking on <=, bad access)",
3633 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3634 offsetof(struct __sk_buff, data)),
3635 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3636 offsetof(struct __sk_buff, data_end)),
3637 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3639 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3640 BPF_MOV64_IMM(BPF_REG_0, 1),
3642 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3643 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3646 .errstr = "invalid access to packet",
3647 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3650 "helper access to packet: test1, valid packet_ptr range",
3652 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3653 offsetof(struct xdp_md, data)),
3654 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3655 offsetof(struct xdp_md, data_end)),
3656 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3658 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3659 BPF_LD_MAP_FD(BPF_REG_1, 0),
3660 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3661 BPF_MOV64_IMM(BPF_REG_4, 0),
3662 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3663 BPF_FUNC_map_update_elem),
3664 BPF_MOV64_IMM(BPF_REG_0, 0),
3667 .fixup_map1 = { 5 },
3668 .result_unpriv = ACCEPT,
3670 .prog_type = BPF_PROG_TYPE_XDP,
3673 "helper access to packet: test2, unchecked packet_ptr",
3675 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3676 offsetof(struct xdp_md, data)),
3677 BPF_LD_MAP_FD(BPF_REG_1, 0),
3678 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3679 BPF_FUNC_map_lookup_elem),
3680 BPF_MOV64_IMM(BPF_REG_0, 0),
3683 .fixup_map1 = { 1 },
3685 .errstr = "invalid access to packet",
3686 .prog_type = BPF_PROG_TYPE_XDP,
3689 "helper access to packet: test3, variable add",
3691 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3692 offsetof(struct xdp_md, data)),
3693 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3694 offsetof(struct xdp_md, data_end)),
3695 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3696 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3697 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3698 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3699 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3700 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3701 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3702 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3703 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3704 BPF_LD_MAP_FD(BPF_REG_1, 0),
3705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3706 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3707 BPF_FUNC_map_lookup_elem),
3708 BPF_MOV64_IMM(BPF_REG_0, 0),
3711 .fixup_map1 = { 11 },
3713 .prog_type = BPF_PROG_TYPE_XDP,
3716 "helper access to packet: test4, packet_ptr with bad range",
3718 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3719 offsetof(struct xdp_md, data)),
3720 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3721 offsetof(struct xdp_md, data_end)),
3722 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3724 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3725 BPF_MOV64_IMM(BPF_REG_0, 0),
3727 BPF_LD_MAP_FD(BPF_REG_1, 0),
3728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3729 BPF_FUNC_map_lookup_elem),
3730 BPF_MOV64_IMM(BPF_REG_0, 0),
3733 .fixup_map1 = { 7 },
3735 .errstr = "invalid access to packet",
3736 .prog_type = BPF_PROG_TYPE_XDP,
3739 "helper access to packet: test5, packet_ptr with too short range",
3741 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3742 offsetof(struct xdp_md, data)),
3743 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3744 offsetof(struct xdp_md, data_end)),
3745 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3746 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3747 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3748 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3749 BPF_LD_MAP_FD(BPF_REG_1, 0),
3750 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3751 BPF_FUNC_map_lookup_elem),
3752 BPF_MOV64_IMM(BPF_REG_0, 0),
3755 .fixup_map1 = { 6 },
3757 .errstr = "invalid access to packet",
3758 .prog_type = BPF_PROG_TYPE_XDP,
3761 "helper access to packet: test6, cls valid packet_ptr range",
3763 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3764 offsetof(struct __sk_buff, data)),
3765 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3766 offsetof(struct __sk_buff, data_end)),
3767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3769 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3770 BPF_LD_MAP_FD(BPF_REG_1, 0),
3771 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3772 BPF_MOV64_IMM(BPF_REG_4, 0),
3773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3774 BPF_FUNC_map_update_elem),
3775 BPF_MOV64_IMM(BPF_REG_0, 0),
3778 .fixup_map1 = { 5 },
3780 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3783 "helper access to packet: test7, cls unchecked packet_ptr",
3785 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3786 offsetof(struct __sk_buff, data)),
3787 BPF_LD_MAP_FD(BPF_REG_1, 0),
3788 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3789 BPF_FUNC_map_lookup_elem),
3790 BPF_MOV64_IMM(BPF_REG_0, 0),
3793 .fixup_map1 = { 1 },
3795 .errstr = "invalid access to packet",
3796 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3799 "helper access to packet: test8, cls variable add",
3801 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3802 offsetof(struct __sk_buff, data)),
3803 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3804 offsetof(struct __sk_buff, data_end)),
3805 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3807 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3808 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3809 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3810 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3811 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3813 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3814 BPF_LD_MAP_FD(BPF_REG_1, 0),
3815 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3816 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3817 BPF_FUNC_map_lookup_elem),
3818 BPF_MOV64_IMM(BPF_REG_0, 0),
3821 .fixup_map1 = { 11 },
3823 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3826 "helper access to packet: test9, cls packet_ptr with bad range",
3828 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3829 offsetof(struct __sk_buff, data)),
3830 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3831 offsetof(struct __sk_buff, data_end)),
3832 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3833 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3834 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3835 BPF_MOV64_IMM(BPF_REG_0, 0),
3837 BPF_LD_MAP_FD(BPF_REG_1, 0),
3838 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3839 BPF_FUNC_map_lookup_elem),
3840 BPF_MOV64_IMM(BPF_REG_0, 0),
3843 .fixup_map1 = { 7 },
3845 .errstr = "invalid access to packet",
3846 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3849 "helper access to packet: test10, cls packet_ptr with too short range",
3851 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3852 offsetof(struct __sk_buff, data)),
3853 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3854 offsetof(struct __sk_buff, data_end)),
3855 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3856 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3858 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3859 BPF_LD_MAP_FD(BPF_REG_1, 0),
3860 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3861 BPF_FUNC_map_lookup_elem),
3862 BPF_MOV64_IMM(BPF_REG_0, 0),
3865 .fixup_map1 = { 6 },
3867 .errstr = "invalid access to packet",
3868 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3871 "helper access to packet: test11, cls unsuitable helper 1",
3873 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3874 offsetof(struct __sk_buff, data)),
3875 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3876 offsetof(struct __sk_buff, data_end)),
3877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3878 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3880 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3881 BPF_MOV64_IMM(BPF_REG_2, 0),
3882 BPF_MOV64_IMM(BPF_REG_4, 42),
3883 BPF_MOV64_IMM(BPF_REG_5, 0),
3884 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3885 BPF_FUNC_skb_store_bytes),
3886 BPF_MOV64_IMM(BPF_REG_0, 0),
3890 .errstr = "helper access to the packet",
3891 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3894 "helper access to packet: test12, cls unsuitable helper 2",
3896 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3897 offsetof(struct __sk_buff, data)),
3898 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3899 offsetof(struct __sk_buff, data_end)),
3900 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3902 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3903 BPF_MOV64_IMM(BPF_REG_2, 0),
3904 BPF_MOV64_IMM(BPF_REG_4, 4),
3905 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3906 BPF_FUNC_skb_load_bytes),
3907 BPF_MOV64_IMM(BPF_REG_0, 0),
3911 .errstr = "helper access to the packet",
3912 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3915 "helper access to packet: test13, cls helper ok",
3917 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3918 offsetof(struct __sk_buff, data)),
3919 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3920 offsetof(struct __sk_buff, data_end)),
3921 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3922 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3923 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3924 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3925 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3926 BPF_MOV64_IMM(BPF_REG_2, 4),
3927 BPF_MOV64_IMM(BPF_REG_3, 0),
3928 BPF_MOV64_IMM(BPF_REG_4, 0),
3929 BPF_MOV64_IMM(BPF_REG_5, 0),
3930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3931 BPF_FUNC_csum_diff),
3932 BPF_MOV64_IMM(BPF_REG_0, 0),
3936 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3939 "helper access to packet: test14, cls helper ok sub",
3941 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3942 offsetof(struct __sk_buff, data)),
3943 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3944 offsetof(struct __sk_buff, data_end)),
3945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3946 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3948 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3949 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3950 BPF_MOV64_IMM(BPF_REG_2, 4),
3951 BPF_MOV64_IMM(BPF_REG_3, 0),
3952 BPF_MOV64_IMM(BPF_REG_4, 0),
3953 BPF_MOV64_IMM(BPF_REG_5, 0),
3954 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3955 BPF_FUNC_csum_diff),
3956 BPF_MOV64_IMM(BPF_REG_0, 0),
3960 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3963 "helper access to packet: test15, cls helper fail sub",
3965 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3966 offsetof(struct __sk_buff, data)),
3967 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3968 offsetof(struct __sk_buff, data_end)),
3969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3970 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3972 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3973 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3974 BPF_MOV64_IMM(BPF_REG_2, 4),
3975 BPF_MOV64_IMM(BPF_REG_3, 0),
3976 BPF_MOV64_IMM(BPF_REG_4, 0),
3977 BPF_MOV64_IMM(BPF_REG_5, 0),
3978 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3979 BPF_FUNC_csum_diff),
3980 BPF_MOV64_IMM(BPF_REG_0, 0),
3984 .errstr = "invalid access to packet",
3985 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3988 "helper access to packet: test16, cls helper fail range 1",
3990 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3991 offsetof(struct __sk_buff, data)),
3992 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3993 offsetof(struct __sk_buff, data_end)),
3994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3995 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3997 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3998 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3999 BPF_MOV64_IMM(BPF_REG_2, 8),
4000 BPF_MOV64_IMM(BPF_REG_3, 0),
4001 BPF_MOV64_IMM(BPF_REG_4, 0),
4002 BPF_MOV64_IMM(BPF_REG_5, 0),
4003 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4004 BPF_FUNC_csum_diff),
4005 BPF_MOV64_IMM(BPF_REG_0, 0),
4009 .errstr = "invalid access to packet",
4010 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4013 "helper access to packet: test17, cls helper fail range 2",
4015 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4016 offsetof(struct __sk_buff, data)),
4017 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4018 offsetof(struct __sk_buff, data_end)),
4019 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4020 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4021 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4022 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4023 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4024 BPF_MOV64_IMM(BPF_REG_2, -9),
4025 BPF_MOV64_IMM(BPF_REG_3, 0),
4026 BPF_MOV64_IMM(BPF_REG_4, 0),
4027 BPF_MOV64_IMM(BPF_REG_5, 0),
4028 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4029 BPF_FUNC_csum_diff),
4030 BPF_MOV64_IMM(BPF_REG_0, 0),
4034 .errstr = "R2 min value is negative",
4035 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4038 "helper access to packet: test18, cls helper fail range 3",
4040 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4041 offsetof(struct __sk_buff, data)),
4042 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4043 offsetof(struct __sk_buff, data_end)),
4044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4045 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4046 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4047 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4048 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4049 BPF_MOV64_IMM(BPF_REG_2, ~0),
4050 BPF_MOV64_IMM(BPF_REG_3, 0),
4051 BPF_MOV64_IMM(BPF_REG_4, 0),
4052 BPF_MOV64_IMM(BPF_REG_5, 0),
4053 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4054 BPF_FUNC_csum_diff),
4055 BPF_MOV64_IMM(BPF_REG_0, 0),
4059 .errstr = "R2 min value is negative",
4060 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4063 "helper access to packet: test19, cls helper range zero",
4065 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4066 offsetof(struct __sk_buff, data)),
4067 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4068 offsetof(struct __sk_buff, data_end)),
4069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4070 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4072 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4073 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4074 BPF_MOV64_IMM(BPF_REG_2, 0),
4075 BPF_MOV64_IMM(BPF_REG_3, 0),
4076 BPF_MOV64_IMM(BPF_REG_4, 0),
4077 BPF_MOV64_IMM(BPF_REG_5, 0),
4078 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4079 BPF_FUNC_csum_diff),
4080 BPF_MOV64_IMM(BPF_REG_0, 0),
4084 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4087 "helper access to packet: test20, pkt end as input",
4089 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4090 offsetof(struct __sk_buff, data)),
4091 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4092 offsetof(struct __sk_buff, data_end)),
4093 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4094 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4096 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4097 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4098 BPF_MOV64_IMM(BPF_REG_2, 4),
4099 BPF_MOV64_IMM(BPF_REG_3, 0),
4100 BPF_MOV64_IMM(BPF_REG_4, 0),
4101 BPF_MOV64_IMM(BPF_REG_5, 0),
4102 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4103 BPF_FUNC_csum_diff),
4104 BPF_MOV64_IMM(BPF_REG_0, 0),
4108 .errstr = "R1 type=pkt_end expected=fp",
4109 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4112 "helper access to packet: test21, wrong reg",
4114 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4115 offsetof(struct __sk_buff, data)),
4116 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4117 offsetof(struct __sk_buff, data_end)),
4118 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4119 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4121 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4122 BPF_MOV64_IMM(BPF_REG_2, 4),
4123 BPF_MOV64_IMM(BPF_REG_3, 0),
4124 BPF_MOV64_IMM(BPF_REG_4, 0),
4125 BPF_MOV64_IMM(BPF_REG_5, 0),
4126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4127 BPF_FUNC_csum_diff),
4128 BPF_MOV64_IMM(BPF_REG_0, 0),
4132 .errstr = "invalid access to packet",
4133 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4136 "valid map access into an array with a constant",
4138 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4139 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4141 BPF_LD_MAP_FD(BPF_REG_1, 0),
4142 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4143 BPF_FUNC_map_lookup_elem),
4144 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4145 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4146 offsetof(struct test_val, foo)),
4149 .fixup_map2 = { 3 },
4150 .errstr_unpriv = "R0 leaks addr",
4151 .result_unpriv = REJECT,
4155 "valid map access into an array with a register",
4157 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4159 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4160 BPF_LD_MAP_FD(BPF_REG_1, 0),
4161 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4162 BPF_FUNC_map_lookup_elem),
4163 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4164 BPF_MOV64_IMM(BPF_REG_1, 4),
4165 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4166 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4167 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4168 offsetof(struct test_val, foo)),
4171 .fixup_map2 = { 3 },
4172 .errstr_unpriv = "R0 leaks addr",
4173 .result_unpriv = REJECT,
4175 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4178 "valid map access into an array with a variable",
4180 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4181 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4183 BPF_LD_MAP_FD(BPF_REG_1, 0),
4184 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4185 BPF_FUNC_map_lookup_elem),
4186 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4187 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4188 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4189 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4190 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4191 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4192 offsetof(struct test_val, foo)),
4195 .fixup_map2 = { 3 },
4196 .errstr_unpriv = "R0 leaks addr",
4197 .result_unpriv = REJECT,
4199 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4202 "valid map access into an array with a signed variable",
4204 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4207 BPF_LD_MAP_FD(BPF_REG_1, 0),
4208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4209 BPF_FUNC_map_lookup_elem),
4210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4211 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4212 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4213 BPF_MOV32_IMM(BPF_REG_1, 0),
4214 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4215 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4216 BPF_MOV32_IMM(BPF_REG_1, 0),
4217 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4218 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4219 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4220 offsetof(struct test_val, foo)),
4223 .fixup_map2 = { 3 },
4224 .errstr_unpriv = "R0 leaks addr",
4225 .result_unpriv = REJECT,
4227 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4230 "invalid map access into an array with a constant",
4232 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4233 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4234 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4235 BPF_LD_MAP_FD(BPF_REG_1, 0),
4236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4237 BPF_FUNC_map_lookup_elem),
4238 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4239 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4240 offsetof(struct test_val, foo)),
4243 .fixup_map2 = { 3 },
4244 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4248 "invalid map access into an array with a register",
4250 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4253 BPF_LD_MAP_FD(BPF_REG_1, 0),
4254 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4255 BPF_FUNC_map_lookup_elem),
4256 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4257 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4258 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4259 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4260 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4261 offsetof(struct test_val, foo)),
4264 .fixup_map2 = { 3 },
4265 .errstr = "R0 min value is outside of the array range",
4267 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4270 "invalid map access into an array with a variable",
4272 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4275 BPF_LD_MAP_FD(BPF_REG_1, 0),
4276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4277 BPF_FUNC_map_lookup_elem),
4278 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4279 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4280 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4281 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4282 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4283 offsetof(struct test_val, foo)),
4286 .fixup_map2 = { 3 },
4287 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4289 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4292 "invalid map access into an array with no floor check",
4294 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4295 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4296 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4297 BPF_LD_MAP_FD(BPF_REG_1, 0),
4298 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4299 BPF_FUNC_map_lookup_elem),
4300 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4301 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4302 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4303 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4304 BPF_MOV32_IMM(BPF_REG_1, 0),
4305 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4306 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4307 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4308 offsetof(struct test_val, foo)),
4311 .fixup_map2 = { 3 },
4312 .errstr_unpriv = "R0 leaks addr",
4313 .errstr = "R0 unbounded memory access",
4314 .result_unpriv = REJECT,
4316 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4319 "invalid map access into an array with a invalid max check",
4321 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4324 BPF_LD_MAP_FD(BPF_REG_1, 0),
4325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4326 BPF_FUNC_map_lookup_elem),
4327 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4328 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4329 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4330 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4331 BPF_MOV32_IMM(BPF_REG_1, 0),
4332 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4333 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4334 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4335 offsetof(struct test_val, foo)),
4338 .fixup_map2 = { 3 },
4339 .errstr_unpriv = "R0 leaks addr",
4340 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4341 .result_unpriv = REJECT,
4343 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4346 "invalid map access into an array with a invalid max check",
4348 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4351 BPF_LD_MAP_FD(BPF_REG_1, 0),
4352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4353 BPF_FUNC_map_lookup_elem),
4354 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4355 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4356 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4357 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4358 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4359 BPF_LD_MAP_FD(BPF_REG_1, 0),
4360 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4361 BPF_FUNC_map_lookup_elem),
4362 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4363 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4364 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4365 offsetof(struct test_val, foo)),
4368 .fixup_map2 = { 3, 11 },
4369 .errstr = "R0 pointer += pointer",
4371 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4374 "multiple registers share map_lookup_elem result",
4376 BPF_MOV64_IMM(BPF_REG_1, 10),
4377 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4378 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4380 BPF_LD_MAP_FD(BPF_REG_1, 0),
4381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4382 BPF_FUNC_map_lookup_elem),
4383 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4384 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4385 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4388 .fixup_map1 = { 4 },
4390 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4393 "alu ops on ptr_to_map_value_or_null, 1",
4395 BPF_MOV64_IMM(BPF_REG_1, 10),
4396 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4397 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4399 BPF_LD_MAP_FD(BPF_REG_1, 0),
4400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4401 BPF_FUNC_map_lookup_elem),
4402 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4403 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4405 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4406 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4409 .fixup_map1 = { 4 },
4410 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4412 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4415 "alu ops on ptr_to_map_value_or_null, 2",
4417 BPF_MOV64_IMM(BPF_REG_1, 10),
4418 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4419 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4421 BPF_LD_MAP_FD(BPF_REG_1, 0),
4422 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4423 BPF_FUNC_map_lookup_elem),
4424 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4425 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4426 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4427 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4430 .fixup_map1 = { 4 },
4431 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4433 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4436 "alu ops on ptr_to_map_value_or_null, 3",
4438 BPF_MOV64_IMM(BPF_REG_1, 10),
4439 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4440 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4442 BPF_LD_MAP_FD(BPF_REG_1, 0),
4443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4444 BPF_FUNC_map_lookup_elem),
4445 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4446 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4447 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4448 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4451 .fixup_map1 = { 4 },
4452 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4454 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4457 "invalid memory access with multiple map_lookup_elem calls",
4459 BPF_MOV64_IMM(BPF_REG_1, 10),
4460 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4461 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4462 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4463 BPF_LD_MAP_FD(BPF_REG_1, 0),
4464 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4465 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467 BPF_FUNC_map_lookup_elem),
4468 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4469 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4470 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4471 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4472 BPF_FUNC_map_lookup_elem),
4473 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4474 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4477 .fixup_map1 = { 4 },
4479 .errstr = "R4 !read_ok",
4480 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4483 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4485 BPF_MOV64_IMM(BPF_REG_1, 10),
4486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4487 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4489 BPF_LD_MAP_FD(BPF_REG_1, 0),
4490 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4491 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4493 BPF_FUNC_map_lookup_elem),
4494 BPF_MOV64_IMM(BPF_REG_2, 10),
4495 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4496 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4497 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4498 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4499 BPF_FUNC_map_lookup_elem),
4500 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4502 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4505 .fixup_map1 = { 4 },
4507 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4510 "invalid map access from else condition",
4512 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4513 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4514 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4515 BPF_LD_MAP_FD(BPF_REG_1, 0),
4516 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4517 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4518 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4519 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4521 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4522 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4523 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4526 .fixup_map2 = { 3 },
4527 .errstr = "R0 unbounded memory access",
4529 .errstr_unpriv = "R0 leaks addr",
4530 .result_unpriv = REJECT,
4531 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4534 "constant register |= constant should keep constant type",
4536 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4538 BPF_MOV64_IMM(BPF_REG_2, 34),
4539 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4540 BPF_MOV64_IMM(BPF_REG_3, 0),
4541 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4545 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4548 "constant register |= constant should not bypass stack boundary checks",
4550 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4551 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4552 BPF_MOV64_IMM(BPF_REG_2, 34),
4553 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4554 BPF_MOV64_IMM(BPF_REG_3, 0),
4555 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4558 .errstr = "invalid stack type R1 off=-48 access_size=58",
4560 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4563 "constant register |= constant register should keep constant type",
4565 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4567 BPF_MOV64_IMM(BPF_REG_2, 34),
4568 BPF_MOV64_IMM(BPF_REG_4, 13),
4569 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4570 BPF_MOV64_IMM(BPF_REG_3, 0),
4571 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4575 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4578 "constant register |= constant register should not bypass stack boundary checks",
4580 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4582 BPF_MOV64_IMM(BPF_REG_2, 34),
4583 BPF_MOV64_IMM(BPF_REG_4, 24),
4584 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4585 BPF_MOV64_IMM(BPF_REG_3, 0),
4586 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4589 .errstr = "invalid stack type R1 off=-48 access_size=58",
4591 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4594 "invalid direct packet write for LWT_IN",
4596 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4597 offsetof(struct __sk_buff, data)),
4598 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4599 offsetof(struct __sk_buff, data_end)),
4600 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4601 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4602 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4603 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4604 BPF_MOV64_IMM(BPF_REG_0, 0),
4607 .errstr = "cannot write into packet",
4609 .prog_type = BPF_PROG_TYPE_LWT_IN,
4612 "invalid direct packet write for LWT_OUT",
4614 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4615 offsetof(struct __sk_buff, data)),
4616 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4617 offsetof(struct __sk_buff, data_end)),
4618 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4620 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4621 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4622 BPF_MOV64_IMM(BPF_REG_0, 0),
4625 .errstr = "cannot write into packet",
4627 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4630 "direct packet write for LWT_XMIT",
4632 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4633 offsetof(struct __sk_buff, data)),
4634 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4635 offsetof(struct __sk_buff, data_end)),
4636 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4638 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4639 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4640 BPF_MOV64_IMM(BPF_REG_0, 0),
4644 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4647 "direct packet read for LWT_IN",
4649 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4650 offsetof(struct __sk_buff, data)),
4651 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4652 offsetof(struct __sk_buff, data_end)),
4653 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4655 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4656 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4657 BPF_MOV64_IMM(BPF_REG_0, 0),
4661 .prog_type = BPF_PROG_TYPE_LWT_IN,
4664 "direct packet read for LWT_OUT",
4666 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4667 offsetof(struct __sk_buff, data)),
4668 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4669 offsetof(struct __sk_buff, data_end)),
4670 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4672 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4673 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4674 BPF_MOV64_IMM(BPF_REG_0, 0),
4678 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4681 "direct packet read for LWT_XMIT",
4683 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4684 offsetof(struct __sk_buff, data)),
4685 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4686 offsetof(struct __sk_buff, data_end)),
4687 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4689 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4690 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4691 BPF_MOV64_IMM(BPF_REG_0, 0),
4695 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4698 "overlapping checks for direct packet access",
4700 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4701 offsetof(struct __sk_buff, data)),
4702 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4703 offsetof(struct __sk_buff, data_end)),
4704 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4705 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4706 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4707 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4709 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4710 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4711 BPF_MOV64_IMM(BPF_REG_0, 0),
4715 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4718 "invalid access of tc_classid for LWT_IN",
4720 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4721 offsetof(struct __sk_buff, tc_classid)),
4725 .errstr = "invalid bpf_context access",
4728 "invalid access of tc_classid for LWT_OUT",
4730 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4731 offsetof(struct __sk_buff, tc_classid)),
4735 .errstr = "invalid bpf_context access",
4738 "invalid access of tc_classid for LWT_XMIT",
4740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4741 offsetof(struct __sk_buff, tc_classid)),
4745 .errstr = "invalid bpf_context access",
4748 "leak pointer into ctx 1",
4750 BPF_MOV64_IMM(BPF_REG_0, 0),
4751 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4752 offsetof(struct __sk_buff, cb[0])),
4753 BPF_LD_MAP_FD(BPF_REG_2, 0),
4754 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4755 offsetof(struct __sk_buff, cb[0])),
4758 .fixup_map1 = { 2 },
4759 .errstr_unpriv = "R2 leaks addr into mem",
4760 .result_unpriv = REJECT,
4762 .errstr = "BPF_XADD stores into R1 context is not allowed",
4765 "leak pointer into ctx 2",
4767 BPF_MOV64_IMM(BPF_REG_0, 0),
4768 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4769 offsetof(struct __sk_buff, cb[0])),
4770 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4771 offsetof(struct __sk_buff, cb[0])),
4774 .errstr_unpriv = "R10 leaks addr into mem",
4775 .result_unpriv = REJECT,
4777 .errstr = "BPF_XADD stores into R1 context is not allowed",
4780 "leak pointer into ctx 3",
4782 BPF_MOV64_IMM(BPF_REG_0, 0),
4783 BPF_LD_MAP_FD(BPF_REG_2, 0),
4784 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4785 offsetof(struct __sk_buff, cb[0])),
4788 .fixup_map1 = { 1 },
4789 .errstr_unpriv = "R2 leaks addr into ctx",
4790 .result_unpriv = REJECT,
4794 "leak pointer into map val",
4796 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4797 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4800 BPF_LD_MAP_FD(BPF_REG_1, 0),
4801 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4802 BPF_FUNC_map_lookup_elem),
4803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4804 BPF_MOV64_IMM(BPF_REG_3, 0),
4805 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4806 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4807 BPF_MOV64_IMM(BPF_REG_0, 0),
4810 .fixup_map1 = { 4 },
4811 .errstr_unpriv = "R6 leaks addr into mem",
4812 .result_unpriv = REJECT,
4816 "helper access to map: full range",
4818 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4820 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4821 BPF_LD_MAP_FD(BPF_REG_1, 0),
4822 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4824 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4825 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4826 BPF_MOV64_IMM(BPF_REG_3, 0),
4827 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4830 .fixup_map2 = { 3 },
4832 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4835 "helper access to map: partial range",
4837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4838 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4839 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4840 BPF_LD_MAP_FD(BPF_REG_1, 0),
4841 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4842 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4844 BPF_MOV64_IMM(BPF_REG_2, 8),
4845 BPF_MOV64_IMM(BPF_REG_3, 0),
4846 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4849 .fixup_map2 = { 3 },
4851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4854 "helper access to map: empty range",
4856 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4857 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4858 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4859 BPF_LD_MAP_FD(BPF_REG_1, 0),
4860 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4863 BPF_MOV64_IMM(BPF_REG_2, 0),
4864 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4867 .fixup_map2 = { 3 },
4868 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4870 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4873 "helper access to map: out-of-bound range",
4875 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4876 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4877 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4878 BPF_LD_MAP_FD(BPF_REG_1, 0),
4879 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4880 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4881 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4882 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4883 BPF_MOV64_IMM(BPF_REG_3, 0),
4884 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4887 .fixup_map2 = { 3 },
4888 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4893 "helper access to map: negative range",
4895 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4897 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4898 BPF_LD_MAP_FD(BPF_REG_1, 0),
4899 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4900 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4902 BPF_MOV64_IMM(BPF_REG_2, -8),
4903 BPF_MOV64_IMM(BPF_REG_3, 0),
4904 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4907 .fixup_map2 = { 3 },
4908 .errstr = "R2 min value is negative",
4910 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4913 "helper access to adjusted map (via const imm): full range",
4915 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4917 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4918 BPF_LD_MAP_FD(BPF_REG_1, 0),
4919 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4920 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4921 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4923 offsetof(struct test_val, foo)),
4924 BPF_MOV64_IMM(BPF_REG_2,
4925 sizeof(struct test_val) -
4926 offsetof(struct test_val, foo)),
4927 BPF_MOV64_IMM(BPF_REG_3, 0),
4928 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4931 .fixup_map2 = { 3 },
4933 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4936 "helper access to adjusted map (via const imm): partial range",
4938 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4940 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4941 BPF_LD_MAP_FD(BPF_REG_1, 0),
4942 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4943 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4944 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4946 offsetof(struct test_val, foo)),
4947 BPF_MOV64_IMM(BPF_REG_2, 8),
4948 BPF_MOV64_IMM(BPF_REG_3, 0),
4949 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4952 .fixup_map2 = { 3 },
4954 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4957 "helper access to adjusted map (via const imm): empty range",
4959 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4960 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4961 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4962 BPF_LD_MAP_FD(BPF_REG_1, 0),
4963 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4964 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4965 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4966 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4967 offsetof(struct test_val, foo)),
4968 BPF_MOV64_IMM(BPF_REG_2, 0),
4969 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4972 .fixup_map2 = { 3 },
4973 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
4975 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4978 "helper access to adjusted map (via const imm): out-of-bound range",
4980 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4982 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4983 BPF_LD_MAP_FD(BPF_REG_1, 0),
4984 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4985 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4986 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4988 offsetof(struct test_val, foo)),
4989 BPF_MOV64_IMM(BPF_REG_2,
4990 sizeof(struct test_val) -
4991 offsetof(struct test_val, foo) + 8),
4992 BPF_MOV64_IMM(BPF_REG_3, 0),
4993 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4996 .fixup_map2 = { 3 },
4997 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4999 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5002 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5004 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5006 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5007 BPF_LD_MAP_FD(BPF_REG_1, 0),
5008 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5009 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5011 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5012 offsetof(struct test_val, foo)),
5013 BPF_MOV64_IMM(BPF_REG_2, -8),
5014 BPF_MOV64_IMM(BPF_REG_3, 0),
5015 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5018 .fixup_map2 = { 3 },
5019 .errstr = "R2 min value is negative",
5021 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5024 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5026 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5027 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5028 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5029 BPF_LD_MAP_FD(BPF_REG_1, 0),
5030 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5031 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5032 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5033 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5034 offsetof(struct test_val, foo)),
5035 BPF_MOV64_IMM(BPF_REG_2, -1),
5036 BPF_MOV64_IMM(BPF_REG_3, 0),
5037 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5040 .fixup_map2 = { 3 },
5041 .errstr = "R2 min value is negative",
5043 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5046 "helper access to adjusted map (via const reg): full range",
5048 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5050 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5051 BPF_LD_MAP_FD(BPF_REG_1, 0),
5052 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5053 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5054 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5055 BPF_MOV64_IMM(BPF_REG_3,
5056 offsetof(struct test_val, foo)),
5057 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5058 BPF_MOV64_IMM(BPF_REG_2,
5059 sizeof(struct test_val) -
5060 offsetof(struct test_val, foo)),
5061 BPF_MOV64_IMM(BPF_REG_3, 0),
5062 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5065 .fixup_map2 = { 3 },
5067 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5070 "helper access to adjusted map (via const reg): partial range",
5072 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5073 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5074 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5075 BPF_LD_MAP_FD(BPF_REG_1, 0),
5076 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5077 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5078 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5079 BPF_MOV64_IMM(BPF_REG_3,
5080 offsetof(struct test_val, foo)),
5081 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5082 BPF_MOV64_IMM(BPF_REG_2, 8),
5083 BPF_MOV64_IMM(BPF_REG_3, 0),
5084 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5087 .fixup_map2 = { 3 },
5089 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5092 "helper access to adjusted map (via const reg): empty range",
5094 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5096 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5097 BPF_LD_MAP_FD(BPF_REG_1, 0),
5098 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5099 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5100 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5101 BPF_MOV64_IMM(BPF_REG_3, 0),
5102 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5103 BPF_MOV64_IMM(BPF_REG_2, 0),
5104 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5107 .fixup_map2 = { 3 },
5108 .errstr = "R1 min value is outside of the array range",
5110 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5113 "helper access to adjusted map (via const reg): out-of-bound range",
5115 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5117 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5118 BPF_LD_MAP_FD(BPF_REG_1, 0),
5119 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5120 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5122 BPF_MOV64_IMM(BPF_REG_3,
5123 offsetof(struct test_val, foo)),
5124 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5125 BPF_MOV64_IMM(BPF_REG_2,
5126 sizeof(struct test_val) -
5127 offsetof(struct test_val, foo) + 8),
5128 BPF_MOV64_IMM(BPF_REG_3, 0),
5129 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5132 .fixup_map2 = { 3 },
5133 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5135 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5138 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5140 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5142 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5143 BPF_LD_MAP_FD(BPF_REG_1, 0),
5144 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5146 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5147 BPF_MOV64_IMM(BPF_REG_3,
5148 offsetof(struct test_val, foo)),
5149 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5150 BPF_MOV64_IMM(BPF_REG_2, -8),
5151 BPF_MOV64_IMM(BPF_REG_3, 0),
5152 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5155 .fixup_map2 = { 3 },
5156 .errstr = "R2 min value is negative",
5158 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5161 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5165 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5166 BPF_LD_MAP_FD(BPF_REG_1, 0),
5167 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5168 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5169 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5170 BPF_MOV64_IMM(BPF_REG_3,
5171 offsetof(struct test_val, foo)),
5172 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5173 BPF_MOV64_IMM(BPF_REG_2, -1),
5174 BPF_MOV64_IMM(BPF_REG_3, 0),
5175 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5178 .fixup_map2 = { 3 },
5179 .errstr = "R2 min value is negative",
5181 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5184 "helper access to adjusted map (via variable): full range",
5186 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5188 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5189 BPF_LD_MAP_FD(BPF_REG_1, 0),
5190 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5192 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5193 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5194 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5195 offsetof(struct test_val, foo), 4),
5196 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5197 BPF_MOV64_IMM(BPF_REG_2,
5198 sizeof(struct test_val) -
5199 offsetof(struct test_val, foo)),
5200 BPF_MOV64_IMM(BPF_REG_3, 0),
5201 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5204 .fixup_map2 = { 3 },
5206 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5209 "helper access to adjusted map (via variable): partial range",
5211 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5212 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5213 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5214 BPF_LD_MAP_FD(BPF_REG_1, 0),
5215 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5216 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5217 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5218 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5219 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5220 offsetof(struct test_val, foo), 4),
5221 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5222 BPF_MOV64_IMM(BPF_REG_2, 8),
5223 BPF_MOV64_IMM(BPF_REG_3, 0),
5224 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5227 .fixup_map2 = { 3 },
5229 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5232 "helper access to adjusted map (via variable): empty range",
5234 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5236 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5237 BPF_LD_MAP_FD(BPF_REG_1, 0),
5238 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5239 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5240 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5241 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5242 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5243 offsetof(struct test_val, foo), 3),
5244 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5245 BPF_MOV64_IMM(BPF_REG_2, 0),
5246 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5249 .fixup_map2 = { 3 },
5250 .errstr = "R1 min value is outside of the array range",
5252 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5255 "helper access to adjusted map (via variable): no max check",
5257 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5258 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5259 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5260 BPF_LD_MAP_FD(BPF_REG_1, 0),
5261 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5262 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5263 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5264 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5265 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5266 BPF_MOV64_IMM(BPF_REG_2, 1),
5267 BPF_MOV64_IMM(BPF_REG_3, 0),
5268 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5271 .fixup_map2 = { 3 },
5272 .errstr = "R1 unbounded memory access",
5274 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5277 "helper access to adjusted map (via variable): wrong max check",
5279 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5281 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5282 BPF_LD_MAP_FD(BPF_REG_1, 0),
5283 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5286 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5287 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5288 offsetof(struct test_val, foo), 4),
5289 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5290 BPF_MOV64_IMM(BPF_REG_2,
5291 sizeof(struct test_val) -
5292 offsetof(struct test_val, foo) + 1),
5293 BPF_MOV64_IMM(BPF_REG_3, 0),
5294 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5297 .fixup_map2 = { 3 },
5298 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5300 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5303 "helper access to map: bounds check using <, good access",
5305 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5307 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5308 BPF_LD_MAP_FD(BPF_REG_1, 0),
5309 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5311 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5312 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5313 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5314 BPF_MOV64_IMM(BPF_REG_0, 0),
5316 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5317 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5318 BPF_MOV64_IMM(BPF_REG_0, 0),
5321 .fixup_map2 = { 3 },
5323 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5326 "helper access to map: bounds check using <, bad access",
5328 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5329 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5330 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5331 BPF_LD_MAP_FD(BPF_REG_1, 0),
5332 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5333 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5334 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5335 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5336 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5337 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5338 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5339 BPF_MOV64_IMM(BPF_REG_0, 0),
5341 BPF_MOV64_IMM(BPF_REG_0, 0),
5344 .fixup_map2 = { 3 },
5346 .errstr = "R1 unbounded memory access",
5347 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5350 "helper access to map: bounds check using <=, good access",
5352 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5354 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5355 BPF_LD_MAP_FD(BPF_REG_1, 0),
5356 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5357 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5358 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5359 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5360 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5361 BPF_MOV64_IMM(BPF_REG_0, 0),
5363 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5364 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5365 BPF_MOV64_IMM(BPF_REG_0, 0),
5368 .fixup_map2 = { 3 },
5370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5373 "helper access to map: bounds check using <=, bad access",
5375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5378 BPF_LD_MAP_FD(BPF_REG_1, 0),
5379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5382 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5383 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5384 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5385 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5386 BPF_MOV64_IMM(BPF_REG_0, 0),
5388 BPF_MOV64_IMM(BPF_REG_0, 0),
5391 .fixup_map2 = { 3 },
5393 .errstr = "R1 unbounded memory access",
5394 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5397 "helper access to map: bounds check using s<, good access",
5399 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5400 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5401 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5402 BPF_LD_MAP_FD(BPF_REG_1, 0),
5403 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5404 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5405 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5406 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5407 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5408 BPF_MOV64_IMM(BPF_REG_0, 0),
5410 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5411 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5412 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5413 BPF_MOV64_IMM(BPF_REG_0, 0),
5416 .fixup_map2 = { 3 },
5418 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5421 "helper access to map: bounds check using s<, good access 2",
5423 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5424 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5425 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5426 BPF_LD_MAP_FD(BPF_REG_1, 0),
5427 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5428 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5429 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5430 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5431 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5432 BPF_MOV64_IMM(BPF_REG_0, 0),
5434 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5435 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5436 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5437 BPF_MOV64_IMM(BPF_REG_0, 0),
5440 .fixup_map2 = { 3 },
5442 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5445 "helper access to map: bounds check using s<, bad access",
5447 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5449 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5450 BPF_LD_MAP_FD(BPF_REG_1, 0),
5451 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5452 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5453 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5454 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5455 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5456 BPF_MOV64_IMM(BPF_REG_0, 0),
5458 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5459 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5460 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5461 BPF_MOV64_IMM(BPF_REG_0, 0),
5464 .fixup_map2 = { 3 },
5466 .errstr = "R1 min value is negative",
5467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5470 "helper access to map: bounds check using s<=, good access",
5472 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5474 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5475 BPF_LD_MAP_FD(BPF_REG_1, 0),
5476 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5477 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5479 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5480 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5481 BPF_MOV64_IMM(BPF_REG_0, 0),
5483 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5484 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5485 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5486 BPF_MOV64_IMM(BPF_REG_0, 0),
5489 .fixup_map2 = { 3 },
5491 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5494 "helper access to map: bounds check using s<=, good access 2",
5496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5498 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5499 BPF_LD_MAP_FD(BPF_REG_1, 0),
5500 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5503 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5504 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5505 BPF_MOV64_IMM(BPF_REG_0, 0),
5507 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5508 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5509 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5510 BPF_MOV64_IMM(BPF_REG_0, 0),
5513 .fixup_map2 = { 3 },
5515 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5518 "helper access to map: bounds check using s<=, bad access",
5520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5522 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5523 BPF_LD_MAP_FD(BPF_REG_1, 0),
5524 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5526 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5527 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5528 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5529 BPF_MOV64_IMM(BPF_REG_0, 0),
5531 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5532 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5533 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5534 BPF_MOV64_IMM(BPF_REG_0, 0),
5537 .fixup_map2 = { 3 },
5539 .errstr = "R1 min value is negative",
5540 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5543 "map element value is preserved across register spilling",
5545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5547 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5548 BPF_LD_MAP_FD(BPF_REG_1, 0),
5549 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5551 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5552 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5553 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5554 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5555 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5556 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5559 .fixup_map2 = { 3 },
5560 .errstr_unpriv = "R0 leaks addr",
5562 .result_unpriv = REJECT,
5565 "map element value or null is marked on register spilling",
5567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5570 BPF_LD_MAP_FD(BPF_REG_1, 0),
5571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5572 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5573 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5574 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5575 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5576 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5577 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5580 .fixup_map2 = { 3 },
5581 .errstr_unpriv = "R0 leaks addr",
5583 .result_unpriv = REJECT,
5586 "map element value store of cleared call register",
5588 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5590 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5591 BPF_LD_MAP_FD(BPF_REG_1, 0),
5592 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5593 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5594 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5597 .fixup_map2 = { 3 },
5598 .errstr_unpriv = "R1 !read_ok",
5599 .errstr = "R1 !read_ok",
5601 .result_unpriv = REJECT,
5604 "map element value with unaligned store",
5606 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5608 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5609 BPF_LD_MAP_FD(BPF_REG_1, 0),
5610 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5611 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5613 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5614 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5615 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5616 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5617 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5618 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5619 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5620 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5621 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5622 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5623 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5624 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5626 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5627 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5628 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5631 .fixup_map2 = { 3 },
5632 .errstr_unpriv = "R0 leaks addr",
5634 .result_unpriv = REJECT,
5635 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5638 "map element value with unaligned load",
5640 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5641 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5642 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5643 BPF_LD_MAP_FD(BPF_REG_1, 0),
5644 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5645 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5646 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5647 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5649 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5650 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5651 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5652 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5653 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5655 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5656 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5659 .fixup_map2 = { 3 },
5660 .errstr_unpriv = "R0 leaks addr",
5662 .result_unpriv = REJECT,
5663 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5666 "map element value illegal alu op, 1",
5668 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5670 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5671 BPF_LD_MAP_FD(BPF_REG_1, 0),
5672 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5674 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5675 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5678 .fixup_map2 = { 3 },
5679 .errstr = "R0 bitwise operator &= on pointer",
5683 "map element value illegal alu op, 2",
5685 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5687 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5688 BPF_LD_MAP_FD(BPF_REG_1, 0),
5689 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5690 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5691 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5692 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5695 .fixup_map2 = { 3 },
5696 .errstr = "R0 32-bit pointer arithmetic prohibited",
5700 "map element value illegal alu op, 3",
5702 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5703 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5704 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5705 BPF_LD_MAP_FD(BPF_REG_1, 0),
5706 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5707 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5708 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5709 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5712 .fixup_map2 = { 3 },
5713 .errstr = "R0 pointer arithmetic with /= operator",
5717 "map element value illegal alu op, 4",
5719 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5720 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5721 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5722 BPF_LD_MAP_FD(BPF_REG_1, 0),
5723 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5725 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5726 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5729 .fixup_map2 = { 3 },
5730 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5731 .errstr = "invalid mem access 'inv'",
5733 .result_unpriv = REJECT,
5736 "map element value illegal alu op, 5",
5738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5740 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5741 BPF_LD_MAP_FD(BPF_REG_1, 0),
5742 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5743 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5744 BPF_MOV64_IMM(BPF_REG_3, 4096),
5745 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5747 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5748 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5749 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5750 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5753 .fixup_map2 = { 3 },
5754 .errstr = "R0 invalid mem access 'inv'",
5758 "map element value is preserved across register spilling",
5760 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5762 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5763 BPF_LD_MAP_FD(BPF_REG_1, 0),
5764 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5765 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5766 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5767 offsetof(struct test_val, foo)),
5768 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5769 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5771 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5772 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5773 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5776 .fixup_map2 = { 3 },
5777 .errstr_unpriv = "R0 leaks addr",
5779 .result_unpriv = REJECT,
5780 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5783 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5785 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5787 BPF_MOV64_IMM(BPF_REG_0, 0),
5788 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5789 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5790 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5791 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5792 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5793 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5794 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5795 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5796 BPF_MOV64_IMM(BPF_REG_2, 16),
5797 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5798 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5799 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5800 BPF_MOV64_IMM(BPF_REG_4, 0),
5801 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5802 BPF_MOV64_IMM(BPF_REG_3, 0),
5803 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5804 BPF_MOV64_IMM(BPF_REG_0, 0),
5808 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5811 "helper access to variable memory: stack, bitwise AND, zero included",
5813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5815 BPF_MOV64_IMM(BPF_REG_2, 16),
5816 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5817 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5818 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5819 BPF_MOV64_IMM(BPF_REG_3, 0),
5820 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5823 .errstr = "invalid indirect read from stack off -64+0 size 64",
5825 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5828 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5832 BPF_MOV64_IMM(BPF_REG_2, 16),
5833 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5834 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5835 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5836 BPF_MOV64_IMM(BPF_REG_4, 0),
5837 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5838 BPF_MOV64_IMM(BPF_REG_3, 0),
5839 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5840 BPF_MOV64_IMM(BPF_REG_0, 0),
5843 .errstr = "invalid stack type R1 off=-64 access_size=65",
5845 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5848 "helper access to variable memory: stack, JMP, correct bounds",
5850 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5851 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5852 BPF_MOV64_IMM(BPF_REG_0, 0),
5853 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5854 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5855 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5856 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5857 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5858 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5859 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5860 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5861 BPF_MOV64_IMM(BPF_REG_2, 16),
5862 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5863 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5864 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5865 BPF_MOV64_IMM(BPF_REG_4, 0),
5866 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5867 BPF_MOV64_IMM(BPF_REG_3, 0),
5868 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5869 BPF_MOV64_IMM(BPF_REG_0, 0),
5873 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5876 "helper access to variable memory: stack, JMP (signed), correct bounds",
5878 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5880 BPF_MOV64_IMM(BPF_REG_0, 0),
5881 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5882 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5883 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5884 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5886 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5888 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5889 BPF_MOV64_IMM(BPF_REG_2, 16),
5890 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5891 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5892 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5893 BPF_MOV64_IMM(BPF_REG_4, 0),
5894 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5895 BPF_MOV64_IMM(BPF_REG_3, 0),
5896 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5897 BPF_MOV64_IMM(BPF_REG_0, 0),
5901 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5904 "helper access to variable memory: stack, JMP, bounds + offset",
5906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5908 BPF_MOV64_IMM(BPF_REG_2, 16),
5909 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5910 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5911 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5912 BPF_MOV64_IMM(BPF_REG_4, 0),
5913 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5915 BPF_MOV64_IMM(BPF_REG_3, 0),
5916 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5917 BPF_MOV64_IMM(BPF_REG_0, 0),
5920 .errstr = "invalid stack type R1 off=-64 access_size=65",
5922 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5925 "helper access to variable memory: stack, JMP, wrong max",
5927 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5929 BPF_MOV64_IMM(BPF_REG_2, 16),
5930 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5931 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5932 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5933 BPF_MOV64_IMM(BPF_REG_4, 0),
5934 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5935 BPF_MOV64_IMM(BPF_REG_3, 0),
5936 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5937 BPF_MOV64_IMM(BPF_REG_0, 0),
5940 .errstr = "invalid stack type R1 off=-64 access_size=65",
5942 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5945 "helper access to variable memory: stack, JMP, no max check",
5947 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5949 BPF_MOV64_IMM(BPF_REG_2, 16),
5950 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5951 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5952 BPF_MOV64_IMM(BPF_REG_4, 0),
5953 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5954 BPF_MOV64_IMM(BPF_REG_3, 0),
5955 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5956 BPF_MOV64_IMM(BPF_REG_0, 0),
5959 /* because max wasn't checked, signed min is negative */
5960 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
5962 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5965 "helper access to variable memory: stack, JMP, no min check",
5967 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5969 BPF_MOV64_IMM(BPF_REG_2, 16),
5970 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5971 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5972 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5973 BPF_MOV64_IMM(BPF_REG_3, 0),
5974 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5975 BPF_MOV64_IMM(BPF_REG_0, 0),
5978 .errstr = "invalid indirect read from stack off -64+0 size 64",
5980 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5983 "helper access to variable memory: stack, JMP (signed), no min check",
5985 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5987 BPF_MOV64_IMM(BPF_REG_2, 16),
5988 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5989 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5990 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5991 BPF_MOV64_IMM(BPF_REG_3, 0),
5992 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5993 BPF_MOV64_IMM(BPF_REG_0, 0),
5996 .errstr = "R2 min value is negative",
5998 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6001 "helper access to variable memory: map, JMP, correct bounds",
6003 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6005 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6006 BPF_LD_MAP_FD(BPF_REG_1, 0),
6007 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6008 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6009 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6010 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6011 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6012 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6013 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6014 sizeof(struct test_val), 4),
6015 BPF_MOV64_IMM(BPF_REG_4, 0),
6016 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6017 BPF_MOV64_IMM(BPF_REG_3, 0),
6018 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6019 BPF_MOV64_IMM(BPF_REG_0, 0),
6022 .fixup_map2 = { 3 },
6024 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6027 "helper access to variable memory: map, JMP, wrong max",
6029 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6031 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6032 BPF_LD_MAP_FD(BPF_REG_1, 0),
6033 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6034 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6035 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6036 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6037 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6038 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6039 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6040 sizeof(struct test_val) + 1, 4),
6041 BPF_MOV64_IMM(BPF_REG_4, 0),
6042 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6043 BPF_MOV64_IMM(BPF_REG_3, 0),
6044 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6045 BPF_MOV64_IMM(BPF_REG_0, 0),
6048 .fixup_map2 = { 3 },
6049 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
6051 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6054 "helper access to variable memory: map adjusted, JMP, correct bounds",
6056 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6058 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6059 BPF_LD_MAP_FD(BPF_REG_1, 0),
6060 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6062 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6063 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6064 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6065 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6066 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6067 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6068 sizeof(struct test_val) - 20, 4),
6069 BPF_MOV64_IMM(BPF_REG_4, 0),
6070 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6071 BPF_MOV64_IMM(BPF_REG_3, 0),
6072 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6073 BPF_MOV64_IMM(BPF_REG_0, 0),
6076 .fixup_map2 = { 3 },
6078 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6081 "helper access to variable memory: map adjusted, JMP, wrong max",
6083 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6085 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6086 BPF_LD_MAP_FD(BPF_REG_1, 0),
6087 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6089 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6091 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6092 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6093 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6094 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6095 sizeof(struct test_val) - 19, 4),
6096 BPF_MOV64_IMM(BPF_REG_4, 0),
6097 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6098 BPF_MOV64_IMM(BPF_REG_3, 0),
6099 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6100 BPF_MOV64_IMM(BPF_REG_0, 0),
6103 .fixup_map2 = { 3 },
6104 .errstr = "R1 min value is outside of the array range",
6106 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6109 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6111 BPF_MOV64_IMM(BPF_REG_1, 0),
6112 BPF_MOV64_IMM(BPF_REG_2, 0),
6113 BPF_MOV64_IMM(BPF_REG_3, 0),
6114 BPF_MOV64_IMM(BPF_REG_4, 0),
6115 BPF_MOV64_IMM(BPF_REG_5, 0),
6116 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6120 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6123 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6125 BPF_MOV64_IMM(BPF_REG_1, 0),
6126 BPF_MOV64_IMM(BPF_REG_2, 1),
6127 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6128 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6129 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6130 BPF_MOV64_IMM(BPF_REG_3, 0),
6131 BPF_MOV64_IMM(BPF_REG_4, 0),
6132 BPF_MOV64_IMM(BPF_REG_5, 0),
6133 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6136 .errstr = "R1 type=inv expected=fp",
6138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6141 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6143 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6145 BPF_MOV64_IMM(BPF_REG_2, 0),
6146 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6147 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6148 BPF_MOV64_IMM(BPF_REG_3, 0),
6149 BPF_MOV64_IMM(BPF_REG_4, 0),
6150 BPF_MOV64_IMM(BPF_REG_5, 0),
6151 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6158 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6160 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6161 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6162 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6163 BPF_LD_MAP_FD(BPF_REG_1, 0),
6164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6165 BPF_FUNC_map_lookup_elem),
6166 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6167 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6168 BPF_MOV64_IMM(BPF_REG_2, 0),
6169 BPF_MOV64_IMM(BPF_REG_3, 0),
6170 BPF_MOV64_IMM(BPF_REG_4, 0),
6171 BPF_MOV64_IMM(BPF_REG_5, 0),
6172 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6175 .fixup_map1 = { 3 },
6177 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6180 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6182 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6183 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6185 BPF_LD_MAP_FD(BPF_REG_1, 0),
6186 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6187 BPF_FUNC_map_lookup_elem),
6188 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6189 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6190 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6191 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6193 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6194 BPF_MOV64_IMM(BPF_REG_3, 0),
6195 BPF_MOV64_IMM(BPF_REG_4, 0),
6196 BPF_MOV64_IMM(BPF_REG_5, 0),
6197 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6200 .fixup_map1 = { 3 },
6202 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6205 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6207 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6208 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6210 BPF_LD_MAP_FD(BPF_REG_1, 0),
6211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6212 BPF_FUNC_map_lookup_elem),
6213 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6214 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6215 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6216 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6217 BPF_MOV64_IMM(BPF_REG_3, 0),
6218 BPF_MOV64_IMM(BPF_REG_4, 0),
6219 BPF_MOV64_IMM(BPF_REG_5, 0),
6220 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6223 .fixup_map1 = { 3 },
6225 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6228 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6230 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6231 offsetof(struct __sk_buff, data)),
6232 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6233 offsetof(struct __sk_buff, data_end)),
6234 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6236 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6238 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6239 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6240 BPF_MOV64_IMM(BPF_REG_3, 0),
6241 BPF_MOV64_IMM(BPF_REG_4, 0),
6242 BPF_MOV64_IMM(BPF_REG_5, 0),
6243 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6247 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6248 .retval = 0 /* csum_diff of 64-byte packet */,
6251 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6253 BPF_MOV64_IMM(BPF_REG_1, 0),
6254 BPF_MOV64_IMM(BPF_REG_2, 0),
6255 BPF_MOV64_IMM(BPF_REG_3, 0),
6256 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6259 .errstr = "R1 type=inv expected=fp",
6261 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6264 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6266 BPF_MOV64_IMM(BPF_REG_1, 0),
6267 BPF_MOV64_IMM(BPF_REG_2, 1),
6268 BPF_MOV64_IMM(BPF_REG_3, 0),
6269 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6272 .errstr = "R1 type=inv expected=fp",
6274 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6277 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6279 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6281 BPF_MOV64_IMM(BPF_REG_2, 0),
6282 BPF_MOV64_IMM(BPF_REG_3, 0),
6283 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6287 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6290 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6292 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6293 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6295 BPF_LD_MAP_FD(BPF_REG_1, 0),
6296 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6298 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6299 BPF_MOV64_IMM(BPF_REG_2, 0),
6300 BPF_MOV64_IMM(BPF_REG_3, 0),
6301 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6304 .fixup_map1 = { 3 },
6306 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6309 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6311 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6312 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6314 BPF_LD_MAP_FD(BPF_REG_1, 0),
6315 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6316 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6317 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6318 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6319 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6321 BPF_MOV64_IMM(BPF_REG_3, 0),
6322 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6325 .fixup_map1 = { 3 },
6327 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6330 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6332 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6335 BPF_LD_MAP_FD(BPF_REG_1, 0),
6336 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6337 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6339 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6340 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6341 BPF_MOV64_IMM(BPF_REG_3, 0),
6342 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6345 .fixup_map1 = { 3 },
6347 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6350 "helper access to variable memory: 8 bytes leak",
6352 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6354 BPF_MOV64_IMM(BPF_REG_0, 0),
6355 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6356 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6357 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6358 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6359 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6360 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6361 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6362 BPF_MOV64_IMM(BPF_REG_2, 1),
6363 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6364 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6365 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6367 BPF_MOV64_IMM(BPF_REG_3, 0),
6368 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6369 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6372 .errstr = "invalid indirect read from stack off -64+32 size 64",
6374 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6377 "helper access to variable memory: 8 bytes no leak (init memory)",
6379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6380 BPF_MOV64_IMM(BPF_REG_0, 0),
6381 BPF_MOV64_IMM(BPF_REG_0, 0),
6382 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6384 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6386 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6387 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6388 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6389 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6391 BPF_MOV64_IMM(BPF_REG_2, 0),
6392 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6393 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6394 BPF_MOV64_IMM(BPF_REG_3, 0),
6395 BPF_EMIT_CALL(BPF_FUNC_probe_read),
6396 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6400 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6403 "invalid and of negative number",
6405 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6406 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6408 BPF_LD_MAP_FD(BPF_REG_1, 0),
6409 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6410 BPF_FUNC_map_lookup_elem),
6411 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6412 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6413 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6414 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6415 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6416 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6417 offsetof(struct test_val, foo)),
6420 .fixup_map2 = { 3 },
6421 .errstr = "R0 max value is outside of the array range",
6423 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6426 "invalid range check",
6428 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6429 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6430 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6431 BPF_LD_MAP_FD(BPF_REG_1, 0),
6432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6433 BPF_FUNC_map_lookup_elem),
6434 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6435 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6436 BPF_MOV64_IMM(BPF_REG_9, 1),
6437 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6438 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6439 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6440 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6441 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6442 BPF_MOV32_IMM(BPF_REG_3, 1),
6443 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6444 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6445 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6446 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6447 BPF_MOV64_REG(BPF_REG_0, 0),
6450 .fixup_map2 = { 3 },
6451 .errstr = "R0 max value is outside of the array range",
6453 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6456 "map in map access",
6458 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6459 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6461 BPF_LD_MAP_FD(BPF_REG_1, 0),
6462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6463 BPF_FUNC_map_lookup_elem),
6464 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6465 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6466 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6467 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6468 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6469 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6470 BPF_FUNC_map_lookup_elem),
6471 BPF_MOV64_REG(BPF_REG_0, 0),
6474 .fixup_map_in_map = { 3 },
6478 "invalid inner map pointer",
6480 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6481 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6483 BPF_LD_MAP_FD(BPF_REG_1, 0),
6484 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6485 BPF_FUNC_map_lookup_elem),
6486 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6487 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6488 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6489 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6490 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6493 BPF_FUNC_map_lookup_elem),
6494 BPF_MOV64_REG(BPF_REG_0, 0),
6497 .fixup_map_in_map = { 3 },
6498 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6502 "forgot null checking on the inner map pointer",
6504 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6505 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6507 BPF_LD_MAP_FD(BPF_REG_1, 0),
6508 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6509 BPF_FUNC_map_lookup_elem),
6510 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6511 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6512 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6513 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6514 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6515 BPF_FUNC_map_lookup_elem),
6516 BPF_MOV64_REG(BPF_REG_0, 0),
6519 .fixup_map_in_map = { 3 },
6520 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6524 "ld_abs: check calling conv, r1",
6526 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6527 BPF_MOV64_IMM(BPF_REG_1, 0),
6528 BPF_LD_ABS(BPF_W, -0x200000),
6529 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6532 .errstr = "R1 !read_ok",
6536 "ld_abs: check calling conv, r2",
6538 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6539 BPF_MOV64_IMM(BPF_REG_2, 0),
6540 BPF_LD_ABS(BPF_W, -0x200000),
6541 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6544 .errstr = "R2 !read_ok",
6548 "ld_abs: check calling conv, r3",
6550 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6551 BPF_MOV64_IMM(BPF_REG_3, 0),
6552 BPF_LD_ABS(BPF_W, -0x200000),
6553 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6556 .errstr = "R3 !read_ok",
6560 "ld_abs: check calling conv, r4",
6562 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6563 BPF_MOV64_IMM(BPF_REG_4, 0),
6564 BPF_LD_ABS(BPF_W, -0x200000),
6565 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6568 .errstr = "R4 !read_ok",
6572 "ld_abs: check calling conv, r5",
6574 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6575 BPF_MOV64_IMM(BPF_REG_5, 0),
6576 BPF_LD_ABS(BPF_W, -0x200000),
6577 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6580 .errstr = "R5 !read_ok",
6584 "ld_abs: check calling conv, r7",
6586 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6587 BPF_MOV64_IMM(BPF_REG_7, 0),
6588 BPF_LD_ABS(BPF_W, -0x200000),
6589 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6595 "ld_abs: tests on r6 and skb data reload helper",
6597 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6598 BPF_LD_ABS(BPF_B, 0),
6599 BPF_LD_ABS(BPF_H, 0),
6600 BPF_LD_ABS(BPF_W, 0),
6601 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6602 BPF_MOV64_IMM(BPF_REG_6, 0),
6603 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6604 BPF_MOV64_IMM(BPF_REG_2, 1),
6605 BPF_MOV64_IMM(BPF_REG_3, 2),
6606 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6607 BPF_FUNC_skb_vlan_push),
6608 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6609 BPF_LD_ABS(BPF_B, 0),
6610 BPF_LD_ABS(BPF_H, 0),
6611 BPF_LD_ABS(BPF_W, 0),
6612 BPF_MOV64_IMM(BPF_REG_0, 42),
6615 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6617 .retval = 42 /* ultimate return value */,
6620 "ld_ind: check calling conv, r1",
6622 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6623 BPF_MOV64_IMM(BPF_REG_1, 1),
6624 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6625 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6628 .errstr = "R1 !read_ok",
6632 "ld_ind: check calling conv, r2",
6634 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6635 BPF_MOV64_IMM(BPF_REG_2, 1),
6636 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6637 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6640 .errstr = "R2 !read_ok",
6644 "ld_ind: check calling conv, r3",
6646 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6647 BPF_MOV64_IMM(BPF_REG_3, 1),
6648 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6649 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6652 .errstr = "R3 !read_ok",
6656 "ld_ind: check calling conv, r4",
6658 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6659 BPF_MOV64_IMM(BPF_REG_4, 1),
6660 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6661 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6664 .errstr = "R4 !read_ok",
6668 "ld_ind: check calling conv, r5",
6670 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6671 BPF_MOV64_IMM(BPF_REG_5, 1),
6672 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6673 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6676 .errstr = "R5 !read_ok",
6680 "ld_ind: check calling conv, r7",
6682 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6683 BPF_MOV64_IMM(BPF_REG_7, 1),
6684 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6685 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6692 "check bpf_perf_event_data->sample_period byte load permitted",
6694 BPF_MOV64_IMM(BPF_REG_0, 0),
6695 #if __BYTE_ORDER == __LITTLE_ENDIAN
6696 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6697 offsetof(struct bpf_perf_event_data, sample_period)),
6699 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6700 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6705 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6708 "check bpf_perf_event_data->sample_period half load permitted",
6710 BPF_MOV64_IMM(BPF_REG_0, 0),
6711 #if __BYTE_ORDER == __LITTLE_ENDIAN
6712 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6713 offsetof(struct bpf_perf_event_data, sample_period)),
6715 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6716 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6721 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6724 "check bpf_perf_event_data->sample_period word load permitted",
6726 BPF_MOV64_IMM(BPF_REG_0, 0),
6727 #if __BYTE_ORDER == __LITTLE_ENDIAN
6728 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6729 offsetof(struct bpf_perf_event_data, sample_period)),
6731 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6732 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6737 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6740 "check bpf_perf_event_data->sample_period dword load permitted",
6742 BPF_MOV64_IMM(BPF_REG_0, 0),
6743 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6744 offsetof(struct bpf_perf_event_data, sample_period)),
6748 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6751 "check skb->data half load not permitted",
6753 BPF_MOV64_IMM(BPF_REG_0, 0),
6754 #if __BYTE_ORDER == __LITTLE_ENDIAN
6755 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6756 offsetof(struct __sk_buff, data)),
6758 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6759 offsetof(struct __sk_buff, data) + 2),
6764 .errstr = "invalid bpf_context access",
6767 "check skb->tc_classid half load not permitted for lwt prog",
6769 BPF_MOV64_IMM(BPF_REG_0, 0),
6770 #if __BYTE_ORDER == __LITTLE_ENDIAN
6771 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6772 offsetof(struct __sk_buff, tc_classid)),
6774 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6775 offsetof(struct __sk_buff, tc_classid) + 2),
6780 .errstr = "invalid bpf_context access",
6781 .prog_type = BPF_PROG_TYPE_LWT_IN,
6784 "bounds checks mixing signed and unsigned, positive bounds",
6786 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6787 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6788 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6789 BPF_LD_MAP_FD(BPF_REG_1, 0),
6790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6791 BPF_FUNC_map_lookup_elem),
6792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6793 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6794 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6795 BPF_MOV64_IMM(BPF_REG_2, 2),
6796 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6797 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6798 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6799 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6800 BPF_MOV64_IMM(BPF_REG_0, 0),
6803 .fixup_map1 = { 3 },
6804 .errstr = "unbounded min value",
6808 "bounds checks mixing signed and unsigned",
6810 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6811 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6812 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6813 BPF_LD_MAP_FD(BPF_REG_1, 0),
6814 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6815 BPF_FUNC_map_lookup_elem),
6816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6817 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6818 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6819 BPF_MOV64_IMM(BPF_REG_2, -1),
6820 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6821 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6822 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6823 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6824 BPF_MOV64_IMM(BPF_REG_0, 0),
6827 .fixup_map1 = { 3 },
6828 .errstr = "unbounded min value",
6832 "bounds checks mixing signed and unsigned, variant 2",
6834 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6835 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6836 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6837 BPF_LD_MAP_FD(BPF_REG_1, 0),
6838 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6839 BPF_FUNC_map_lookup_elem),
6840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6841 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6842 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6843 BPF_MOV64_IMM(BPF_REG_2, -1),
6844 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6845 BPF_MOV64_IMM(BPF_REG_8, 0),
6846 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6847 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6848 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6849 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6850 BPF_MOV64_IMM(BPF_REG_0, 0),
6853 .fixup_map1 = { 3 },
6854 .errstr = "unbounded min value",
6858 "bounds checks mixing signed and unsigned, variant 3",
6860 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6861 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6862 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6863 BPF_LD_MAP_FD(BPF_REG_1, 0),
6864 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6865 BPF_FUNC_map_lookup_elem),
6866 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6868 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6869 BPF_MOV64_IMM(BPF_REG_2, -1),
6870 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6871 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6872 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6873 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6874 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6875 BPF_MOV64_IMM(BPF_REG_0, 0),
6878 .fixup_map1 = { 3 },
6879 .errstr = "unbounded min value",
6883 "bounds checks mixing signed and unsigned, variant 4",
6885 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6886 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6888 BPF_LD_MAP_FD(BPF_REG_1, 0),
6889 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6890 BPF_FUNC_map_lookup_elem),
6891 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6892 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6893 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6894 BPF_MOV64_IMM(BPF_REG_2, 1),
6895 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6896 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6897 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6898 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6899 BPF_MOV64_IMM(BPF_REG_0, 0),
6902 .fixup_map1 = { 3 },
6906 "bounds checks mixing signed and unsigned, variant 5",
6908 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6909 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6911 BPF_LD_MAP_FD(BPF_REG_1, 0),
6912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6913 BPF_FUNC_map_lookup_elem),
6914 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6915 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6916 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6917 BPF_MOV64_IMM(BPF_REG_2, -1),
6918 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6919 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6921 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6922 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6923 BPF_MOV64_IMM(BPF_REG_0, 0),
6926 .fixup_map1 = { 3 },
6927 .errstr = "unbounded min value",
6931 "bounds checks mixing signed and unsigned, variant 6",
6933 BPF_MOV64_IMM(BPF_REG_2, 0),
6934 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6936 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6937 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6938 BPF_MOV64_IMM(BPF_REG_6, -1),
6939 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6940 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6942 BPF_MOV64_IMM(BPF_REG_5, 0),
6943 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6944 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6945 BPF_FUNC_skb_load_bytes),
6946 BPF_MOV64_IMM(BPF_REG_0, 0),
6949 .errstr = "R4 min value is negative, either use unsigned",
6953 "bounds checks mixing signed and unsigned, variant 7",
6955 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6956 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6958 BPF_LD_MAP_FD(BPF_REG_1, 0),
6959 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6960 BPF_FUNC_map_lookup_elem),
6961 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6962 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6963 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6964 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6965 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6966 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6967 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6968 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6969 BPF_MOV64_IMM(BPF_REG_0, 0),
6972 .fixup_map1 = { 3 },
6976 "bounds checks mixing signed and unsigned, variant 8",
6978 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6979 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6981 BPF_LD_MAP_FD(BPF_REG_1, 0),
6982 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6983 BPF_FUNC_map_lookup_elem),
6984 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6985 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6986 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6987 BPF_MOV64_IMM(BPF_REG_2, -1),
6988 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6989 BPF_MOV64_IMM(BPF_REG_0, 0),
6991 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6992 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6993 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6994 BPF_MOV64_IMM(BPF_REG_0, 0),
6997 .fixup_map1 = { 3 },
6998 .errstr = "unbounded min value",
7002 "bounds checks mixing signed and unsigned, variant 9",
7004 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7007 BPF_LD_MAP_FD(BPF_REG_1, 0),
7008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7009 BPF_FUNC_map_lookup_elem),
7010 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7011 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7012 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7013 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7014 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7015 BPF_MOV64_IMM(BPF_REG_0, 0),
7017 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7018 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7019 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7020 BPF_MOV64_IMM(BPF_REG_0, 0),
7023 .fixup_map1 = { 3 },
7027 "bounds checks mixing signed and unsigned, variant 10",
7029 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7032 BPF_LD_MAP_FD(BPF_REG_1, 0),
7033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7034 BPF_FUNC_map_lookup_elem),
7035 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7036 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7037 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7038 BPF_MOV64_IMM(BPF_REG_2, 0),
7039 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7040 BPF_MOV64_IMM(BPF_REG_0, 0),
7042 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7043 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7044 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7045 BPF_MOV64_IMM(BPF_REG_0, 0),
7048 .fixup_map1 = { 3 },
7049 .errstr = "unbounded min value",
7053 "bounds checks mixing signed and unsigned, variant 11",
7055 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7056 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7058 BPF_LD_MAP_FD(BPF_REG_1, 0),
7059 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7060 BPF_FUNC_map_lookup_elem),
7061 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7062 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7063 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7064 BPF_MOV64_IMM(BPF_REG_2, -1),
7065 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7067 BPF_MOV64_IMM(BPF_REG_0, 0),
7069 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7070 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7071 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7072 BPF_MOV64_IMM(BPF_REG_0, 0),
7075 .fixup_map1 = { 3 },
7076 .errstr = "unbounded min value",
7080 "bounds checks mixing signed and unsigned, variant 12",
7082 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7083 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7085 BPF_LD_MAP_FD(BPF_REG_1, 0),
7086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7087 BPF_FUNC_map_lookup_elem),
7088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7089 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7090 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7091 BPF_MOV64_IMM(BPF_REG_2, -6),
7092 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7093 BPF_MOV64_IMM(BPF_REG_0, 0),
7095 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7096 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7097 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7098 BPF_MOV64_IMM(BPF_REG_0, 0),
7101 .fixup_map1 = { 3 },
7102 .errstr = "unbounded min value",
7106 "bounds checks mixing signed and unsigned, variant 13",
7108 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7109 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7111 BPF_LD_MAP_FD(BPF_REG_1, 0),
7112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7113 BPF_FUNC_map_lookup_elem),
7114 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7115 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7116 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7117 BPF_MOV64_IMM(BPF_REG_2, 2),
7118 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7119 BPF_MOV64_IMM(BPF_REG_7, 1),
7120 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7121 BPF_MOV64_IMM(BPF_REG_0, 0),
7123 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7124 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7125 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7126 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7127 BPF_MOV64_IMM(BPF_REG_0, 0),
7130 .fixup_map1 = { 3 },
7131 .errstr = "unbounded min value",
7135 "bounds checks mixing signed and unsigned, variant 14",
7137 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7138 offsetof(struct __sk_buff, mark)),
7139 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7140 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7141 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7142 BPF_LD_MAP_FD(BPF_REG_1, 0),
7143 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7144 BPF_FUNC_map_lookup_elem),
7145 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7146 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7147 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7148 BPF_MOV64_IMM(BPF_REG_2, -1),
7149 BPF_MOV64_IMM(BPF_REG_8, 2),
7150 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7151 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7152 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7153 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7154 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7155 BPF_MOV64_IMM(BPF_REG_0, 0),
7157 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7158 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7160 .fixup_map1 = { 4 },
7161 .errstr = "R0 invalid mem access 'inv'",
7165 "bounds checks mixing signed and unsigned, variant 15",
7167 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7170 BPF_LD_MAP_FD(BPF_REG_1, 0),
7171 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7172 BPF_FUNC_map_lookup_elem),
7173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7174 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7175 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7176 BPF_MOV64_IMM(BPF_REG_2, -6),
7177 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7178 BPF_MOV64_IMM(BPF_REG_0, 0),
7180 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7181 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7182 BPF_MOV64_IMM(BPF_REG_0, 0),
7184 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7185 BPF_MOV64_IMM(BPF_REG_0, 0),
7188 .fixup_map1 = { 3 },
7189 .errstr = "unbounded min value",
7191 .result_unpriv = REJECT,
7194 "subtraction bounds (map value) variant 1",
7196 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7197 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7198 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7199 BPF_LD_MAP_FD(BPF_REG_1, 0),
7200 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7201 BPF_FUNC_map_lookup_elem),
7202 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7203 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7204 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7205 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7206 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7207 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7208 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7209 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7210 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7212 BPF_MOV64_IMM(BPF_REG_0, 0),
7215 .fixup_map1 = { 3 },
7216 .errstr = "R0 max value is outside of the array range",
7220 "subtraction bounds (map value) variant 2",
7222 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7223 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7224 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7225 BPF_LD_MAP_FD(BPF_REG_1, 0),
7226 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7227 BPF_FUNC_map_lookup_elem),
7228 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7229 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7230 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7231 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7232 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7233 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7234 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7235 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7237 BPF_MOV64_IMM(BPF_REG_0, 0),
7240 .fixup_map1 = { 3 },
7241 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7245 "bounds check based on zero-extended MOV",
7247 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7248 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7250 BPF_LD_MAP_FD(BPF_REG_1, 0),
7251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7252 BPF_FUNC_map_lookup_elem),
7253 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7254 /* r2 = 0x0000'0000'ffff'ffff */
7255 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7257 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7259 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7260 /* access at offset 0 */
7261 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7263 BPF_MOV64_IMM(BPF_REG_0, 0),
7266 .fixup_map1 = { 3 },
7270 "bounds check based on sign-extended MOV. test1",
7272 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7275 BPF_LD_MAP_FD(BPF_REG_1, 0),
7276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7277 BPF_FUNC_map_lookup_elem),
7278 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7279 /* r2 = 0xffff'ffff'ffff'ffff */
7280 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7281 /* r2 = 0xffff'ffff */
7282 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7283 /* r0 = <oob pointer> */
7284 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7285 /* access to OOB pointer */
7286 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7288 BPF_MOV64_IMM(BPF_REG_0, 0),
7291 .fixup_map1 = { 3 },
7292 .errstr = "map_value pointer and 4294967295",
7296 "bounds check based on sign-extended MOV. test2",
7298 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7299 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7301 BPF_LD_MAP_FD(BPF_REG_1, 0),
7302 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7303 BPF_FUNC_map_lookup_elem),
7304 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7305 /* r2 = 0xffff'ffff'ffff'ffff */
7306 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7307 /* r2 = 0xfff'ffff */
7308 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7309 /* r0 = <oob pointer> */
7310 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7311 /* access to OOB pointer */
7312 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7314 BPF_MOV64_IMM(BPF_REG_0, 0),
7317 .fixup_map1 = { 3 },
7318 .errstr = "R0 min value is outside of the array range",
7322 "bounds check based on reg_off + var_off + insn_off. test1",
7324 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7325 offsetof(struct __sk_buff, mark)),
7326 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7327 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7329 BPF_LD_MAP_FD(BPF_REG_1, 0),
7330 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7331 BPF_FUNC_map_lookup_elem),
7332 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7333 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7335 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7337 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7338 BPF_MOV64_IMM(BPF_REG_0, 0),
7341 .fixup_map1 = { 4 },
7342 .errstr = "value_size=8 off=1073741825",
7344 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7347 "bounds check based on reg_off + var_off + insn_off. test2",
7349 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7350 offsetof(struct __sk_buff, mark)),
7351 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7352 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7354 BPF_LD_MAP_FD(BPF_REG_1, 0),
7355 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7356 BPF_FUNC_map_lookup_elem),
7357 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7358 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7360 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7362 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7363 BPF_MOV64_IMM(BPF_REG_0, 0),
7366 .fixup_map1 = { 4 },
7367 .errstr = "value 1073741823",
7369 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7372 "bounds check after truncation of non-boundary-crossing range",
7374 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7377 BPF_LD_MAP_FD(BPF_REG_1, 0),
7378 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7379 BPF_FUNC_map_lookup_elem),
7380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7381 /* r1 = [0x00, 0xff] */
7382 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7383 BPF_MOV64_IMM(BPF_REG_2, 1),
7384 /* r2 = 0x10'0000'0000 */
7385 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7386 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7387 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7388 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7390 /* r1 = [0x00, 0xff] */
7391 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7393 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7395 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7396 /* access at offset 0 */
7397 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7399 BPF_MOV64_IMM(BPF_REG_0, 0),
7402 .fixup_map1 = { 3 },
7406 "bounds check after truncation of boundary-crossing range (1)",
7408 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7409 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7411 BPF_LD_MAP_FD(BPF_REG_1, 0),
7412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7413 BPF_FUNC_map_lookup_elem),
7414 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7415 /* r1 = [0x00, 0xff] */
7416 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7417 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7418 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7420 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7421 * [0x0000'0000, 0x0000'007f]
7423 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7424 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7425 /* r1 = [0x00, 0xff] or
7426 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7428 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7430 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7432 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7433 /* no-op or OOB pointer computation */
7434 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7435 /* potentially OOB access */
7436 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7438 BPF_MOV64_IMM(BPF_REG_0, 0),
7441 .fixup_map1 = { 3 },
7442 /* not actually fully unbounded, but the bound is very high */
7443 .errstr = "R0 unbounded memory access",
7447 "bounds check after truncation of boundary-crossing range (2)",
7449 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7451 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7452 BPF_LD_MAP_FD(BPF_REG_1, 0),
7453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7454 BPF_FUNC_map_lookup_elem),
7455 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7456 /* r1 = [0x00, 0xff] */
7457 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7459 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
7460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7461 /* r1 = [0xffff'ff80, 0xffff'ffff] or
7462 * [0x0000'0000, 0x0000'007f]
7463 * difference to previous test: truncation via MOV32
7466 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7467 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7468 /* r1 = [0x00, 0xff] or
7469 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7471 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7473 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7475 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7476 /* no-op or OOB pointer computation */
7477 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7478 /* potentially OOB access */
7479 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7481 BPF_MOV64_IMM(BPF_REG_0, 0),
7484 .fixup_map1 = { 3 },
7485 /* not actually fully unbounded, but the bound is very high */
7486 .errstr = "R0 unbounded memory access",
7490 "bounds check after wrapping 32-bit addition",
7492 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7493 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7495 BPF_LD_MAP_FD(BPF_REG_1, 0),
7496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7497 BPF_FUNC_map_lookup_elem),
7498 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7499 /* r1 = 0x7fff'ffff */
7500 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7501 /* r1 = 0xffff'fffe */
7502 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7504 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7506 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7507 /* access at offset 0 */
7508 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7510 BPF_MOV64_IMM(BPF_REG_0, 0),
7513 .fixup_map1 = { 3 },
7517 "bounds check after shift with oversized count operand",
7519 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7520 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7522 BPF_LD_MAP_FD(BPF_REG_1, 0),
7523 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7524 BPF_FUNC_map_lookup_elem),
7525 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7526 BPF_MOV64_IMM(BPF_REG_2, 32),
7527 BPF_MOV64_IMM(BPF_REG_1, 1),
7528 /* r1 = (u32)1 << (u32)32 = ? */
7529 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7530 /* r1 = [0x0000, 0xffff] */
7531 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7532 /* computes unknown pointer, potentially OOB */
7533 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7534 /* potentially OOB access */
7535 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7537 BPF_MOV64_IMM(BPF_REG_0, 0),
7540 .fixup_map1 = { 3 },
7541 .errstr = "R0 max value is outside of the array range",
7545 "bounds check after right shift of maybe-negative number",
7547 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7548 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7549 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7550 BPF_LD_MAP_FD(BPF_REG_1, 0),
7551 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7552 BPF_FUNC_map_lookup_elem),
7553 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7554 /* r1 = [0x00, 0xff] */
7555 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7556 /* r1 = [-0x01, 0xfe] */
7557 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7558 /* r1 = 0 or 0xff'ffff'ffff'ffff */
7559 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7560 /* r1 = 0 or 0xffff'ffff'ffff */
7561 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7562 /* computes unknown pointer, potentially OOB */
7563 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7564 /* potentially OOB access */
7565 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7567 BPF_MOV64_IMM(BPF_REG_0, 0),
7570 .fixup_map1 = { 3 },
7571 .errstr = "R0 unbounded memory access",
7575 "bounds check map access with off+size signed 32bit overflow. test1",
7577 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7578 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7579 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7580 BPF_LD_MAP_FD(BPF_REG_1, 0),
7581 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7582 BPF_FUNC_map_lookup_elem),
7583 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7585 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7586 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7590 .fixup_map1 = { 3 },
7591 .errstr = "map_value pointer and 2147483646",
7595 "bounds check map access with off+size signed 32bit overflow. test2",
7597 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7598 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7600 BPF_LD_MAP_FD(BPF_REG_1, 0),
7601 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7602 BPF_FUNC_map_lookup_elem),
7603 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7607 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7608 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7612 .fixup_map1 = { 3 },
7613 .errstr = "pointer offset 1073741822",
7617 "bounds check map access with off+size signed 32bit overflow. test3",
7619 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7620 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7621 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7622 BPF_LD_MAP_FD(BPF_REG_1, 0),
7623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7624 BPF_FUNC_map_lookup_elem),
7625 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7627 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7628 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7629 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7633 .fixup_map1 = { 3 },
7634 .errstr = "pointer offset -1073741822",
7638 "bounds check map access with off+size signed 32bit overflow. test4",
7640 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7641 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7642 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7643 BPF_LD_MAP_FD(BPF_REG_1, 0),
7644 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7645 BPF_FUNC_map_lookup_elem),
7646 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7648 BPF_MOV64_IMM(BPF_REG_1, 1000000),
7649 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
7650 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7651 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7655 .fixup_map1 = { 3 },
7656 .errstr = "map_value pointer and 1000000000000",
7660 "pointer/scalar confusion in state equality check (way 1)",
7662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7665 BPF_LD_MAP_FD(BPF_REG_1, 0),
7666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7667 BPF_FUNC_map_lookup_elem),
7668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7669 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7671 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7675 .fixup_map1 = { 3 },
7677 .retval = POINTER_VALUE,
7678 .result_unpriv = REJECT,
7679 .errstr_unpriv = "R0 leaks addr as return value"
7682 "pointer/scalar confusion in state equality check (way 2)",
7684 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7685 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7687 BPF_LD_MAP_FD(BPF_REG_1, 0),
7688 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7689 BPF_FUNC_map_lookup_elem),
7690 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
7691 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7693 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7696 .fixup_map1 = { 3 },
7698 .retval = POINTER_VALUE,
7699 .result_unpriv = REJECT,
7700 .errstr_unpriv = "R0 leaks addr as return value"
7703 "variable-offset ctx access",
7705 /* Get an unknown value */
7706 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7707 /* Make it small and 4-byte aligned */
7708 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7709 /* add it to skb. We now have either &skb->len or
7710 * &skb->pkt_type, but we don't know which
7712 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7713 /* dereference it */
7714 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7717 .errstr = "variable ctx access var_off=(0x0; 0x4)",
7719 .prog_type = BPF_PROG_TYPE_LWT_IN,
7722 "variable-offset stack access",
7724 /* Fill the top 8 bytes of the stack */
7725 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7726 /* Get an unknown value */
7727 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7728 /* Make it small and 4-byte aligned */
7729 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7730 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7731 /* add it to fp. We now have either fp-4 or fp-8, but
7732 * we don't know which
7734 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7735 /* dereference it */
7736 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
7739 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
7741 .prog_type = BPF_PROG_TYPE_LWT_IN,
7744 "indirect variable-offset stack access",
7746 /* Fill the top 8 bytes of the stack */
7747 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7748 /* Get an unknown value */
7749 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7750 /* Make it small and 4-byte aligned */
7751 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7752 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7753 /* add it to fp. We now have either fp-4 or fp-8, but
7754 * we don't know which
7756 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7757 /* dereference it indirectly */
7758 BPF_LD_MAP_FD(BPF_REG_1, 0),
7759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7760 BPF_FUNC_map_lookup_elem),
7761 BPF_MOV64_IMM(BPF_REG_0, 0),
7764 .fixup_map1 = { 5 },
7765 .errstr = "variable stack read R2",
7767 .prog_type = BPF_PROG_TYPE_LWT_IN,
7770 "direct stack access with 32-bit wraparound. test1",
7772 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7773 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7775 BPF_MOV32_IMM(BPF_REG_0, 0),
7776 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7779 .errstr = "fp pointer and 2147483647",
7783 "direct stack access with 32-bit wraparound. test2",
7785 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7788 BPF_MOV32_IMM(BPF_REG_0, 0),
7789 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7792 .errstr = "fp pointer and 1073741823",
7796 "direct stack access with 32-bit wraparound. test3",
7798 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7801 BPF_MOV32_IMM(BPF_REG_0, 0),
7802 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7805 .errstr = "fp pointer offset 1073741822",
7809 "liveness pruning and write screening",
7811 /* Get an unknown value */
7812 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7813 /* branch conditions teach us nothing about R2 */
7814 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7815 BPF_MOV64_IMM(BPF_REG_0, 0),
7816 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7817 BPF_MOV64_IMM(BPF_REG_0, 0),
7820 .errstr = "R0 !read_ok",
7822 .prog_type = BPF_PROG_TYPE_LWT_IN,
7825 "varlen_map_value_access pruning",
7827 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7828 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7830 BPF_LD_MAP_FD(BPF_REG_1, 0),
7831 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7832 BPF_FUNC_map_lookup_elem),
7833 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7834 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7835 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
7836 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
7837 BPF_MOV32_IMM(BPF_REG_1, 0),
7838 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
7839 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7840 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
7841 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7842 offsetof(struct test_val, foo)),
7845 .fixup_map2 = { 3 },
7846 .errstr_unpriv = "R0 leaks addr",
7847 .errstr = "R0 unbounded memory access",
7848 .result_unpriv = REJECT,
7850 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7853 "invalid 64-bit BPF_END",
7855 BPF_MOV32_IMM(BPF_REG_0, 0),
7857 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
7858 .dst_reg = BPF_REG_0,
7865 .errstr = "unknown opcode d7",
7869 "XDP, using ifindex from netdev",
7871 BPF_MOV64_IMM(BPF_REG_0, 0),
7872 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7873 offsetof(struct xdp_md, ingress_ifindex)),
7874 BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
7875 BPF_MOV64_IMM(BPF_REG_0, 1),
7879 .prog_type = BPF_PROG_TYPE_XDP,
7883 "meta access, test1",
7885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7886 offsetof(struct xdp_md, data_meta)),
7887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7888 offsetof(struct xdp_md, data)),
7889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7891 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7892 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7893 BPF_MOV64_IMM(BPF_REG_0, 0),
7897 .prog_type = BPF_PROG_TYPE_XDP,
7900 "meta access, test2",
7902 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7903 offsetof(struct xdp_md, data_meta)),
7904 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7905 offsetof(struct xdp_md, data)),
7906 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7907 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
7908 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7909 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7910 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7911 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7912 BPF_MOV64_IMM(BPF_REG_0, 0),
7916 .errstr = "invalid access to packet, off=-8",
7917 .prog_type = BPF_PROG_TYPE_XDP,
7920 "meta access, test3",
7922 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7923 offsetof(struct xdp_md, data_meta)),
7924 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7925 offsetof(struct xdp_md, data_end)),
7926 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7927 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7928 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7929 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7930 BPF_MOV64_IMM(BPF_REG_0, 0),
7934 .errstr = "invalid access to packet",
7935 .prog_type = BPF_PROG_TYPE_XDP,
7938 "meta access, test4",
7940 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7941 offsetof(struct xdp_md, data_meta)),
7942 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7943 offsetof(struct xdp_md, data_end)),
7944 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7945 offsetof(struct xdp_md, data)),
7946 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7948 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7949 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7950 BPF_MOV64_IMM(BPF_REG_0, 0),
7954 .errstr = "invalid access to packet",
7955 .prog_type = BPF_PROG_TYPE_XDP,
7958 "meta access, test5",
7960 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7961 offsetof(struct xdp_md, data_meta)),
7962 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7963 offsetof(struct xdp_md, data)),
7964 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7966 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
7967 BPF_MOV64_IMM(BPF_REG_2, -8),
7968 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7969 BPF_FUNC_xdp_adjust_meta),
7970 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7971 BPF_MOV64_IMM(BPF_REG_0, 0),
7975 .errstr = "R3 !read_ok",
7976 .prog_type = BPF_PROG_TYPE_XDP,
7979 "meta access, test6",
7981 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7982 offsetof(struct xdp_md, data_meta)),
7983 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7984 offsetof(struct xdp_md, data)),
7985 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7986 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7987 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7989 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
7990 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7991 BPF_MOV64_IMM(BPF_REG_0, 0),
7995 .errstr = "invalid access to packet",
7996 .prog_type = BPF_PROG_TYPE_XDP,
7999 "meta access, test7",
8001 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8002 offsetof(struct xdp_md, data_meta)),
8003 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8004 offsetof(struct xdp_md, data)),
8005 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8007 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8009 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8010 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8011 BPF_MOV64_IMM(BPF_REG_0, 0),
8015 .prog_type = BPF_PROG_TYPE_XDP,
8018 "meta access, test8",
8020 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8021 offsetof(struct xdp_md, data_meta)),
8022 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8023 offsetof(struct xdp_md, data)),
8024 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8025 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8026 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8027 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8028 BPF_MOV64_IMM(BPF_REG_0, 0),
8032 .prog_type = BPF_PROG_TYPE_XDP,
8035 "meta access, test9",
8037 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8038 offsetof(struct xdp_md, data_meta)),
8039 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8040 offsetof(struct xdp_md, data)),
8041 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8042 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8043 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8044 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8045 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8046 BPF_MOV64_IMM(BPF_REG_0, 0),
8050 .errstr = "invalid access to packet",
8051 .prog_type = BPF_PROG_TYPE_XDP,
8054 "meta access, test10",
8056 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8057 offsetof(struct xdp_md, data_meta)),
8058 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8059 offsetof(struct xdp_md, data)),
8060 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8061 offsetof(struct xdp_md, data_end)),
8062 BPF_MOV64_IMM(BPF_REG_5, 42),
8063 BPF_MOV64_IMM(BPF_REG_6, 24),
8064 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8065 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8066 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8067 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8068 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8069 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8070 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8072 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8073 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8074 BPF_MOV64_IMM(BPF_REG_0, 0),
8078 .errstr = "invalid access to packet",
8079 .prog_type = BPF_PROG_TYPE_XDP,
8082 "meta access, test11",
8084 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8085 offsetof(struct xdp_md, data_meta)),
8086 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8087 offsetof(struct xdp_md, data)),
8088 BPF_MOV64_IMM(BPF_REG_5, 42),
8089 BPF_MOV64_IMM(BPF_REG_6, 24),
8090 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8091 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8092 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8093 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8094 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8095 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8096 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8098 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8099 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8100 BPF_MOV64_IMM(BPF_REG_0, 0),
8104 .prog_type = BPF_PROG_TYPE_XDP,
8107 "meta access, test12",
8109 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8110 offsetof(struct xdp_md, data_meta)),
8111 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8112 offsetof(struct xdp_md, data)),
8113 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8114 offsetof(struct xdp_md, data_end)),
8115 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8117 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8118 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8119 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8120 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8121 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8122 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8123 BPF_MOV64_IMM(BPF_REG_0, 0),
8127 .prog_type = BPF_PROG_TYPE_XDP,
8130 "arithmetic ops make PTR_TO_CTX unusable",
8132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8133 offsetof(struct __sk_buff, data) -
8134 offsetof(struct __sk_buff, mark)),
8135 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8136 offsetof(struct __sk_buff, mark)),
8139 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
8141 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8144 "pkt_end - pkt_start is allowed",
8146 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8147 offsetof(struct __sk_buff, data_end)),
8148 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8149 offsetof(struct __sk_buff, data)),
8150 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8154 .retval = TEST_DATA_LEN,
8155 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8158 "XDP pkt read, pkt_end mangling, bad access 1",
8160 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8161 offsetof(struct xdp_md, data)),
8162 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8163 offsetof(struct xdp_md, data_end)),
8164 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8166 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8167 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8168 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8169 BPF_MOV64_IMM(BPF_REG_0, 0),
8172 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8174 .prog_type = BPF_PROG_TYPE_XDP,
8177 "XDP pkt read, pkt_end mangling, bad access 2",
8179 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8180 offsetof(struct xdp_md, data)),
8181 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8182 offsetof(struct xdp_md, data_end)),
8183 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8185 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8186 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8187 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8188 BPF_MOV64_IMM(BPF_REG_0, 0),
8191 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8193 .prog_type = BPF_PROG_TYPE_XDP,
8196 "XDP pkt read, pkt_data' > pkt_end, good access",
8198 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8199 offsetof(struct xdp_md, data)),
8200 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8201 offsetof(struct xdp_md, data_end)),
8202 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8204 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8205 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8206 BPF_MOV64_IMM(BPF_REG_0, 0),
8210 .prog_type = BPF_PROG_TYPE_XDP,
8213 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
8215 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8216 offsetof(struct xdp_md, data)),
8217 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8218 offsetof(struct xdp_md, data_end)),
8219 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8220 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8221 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8222 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8223 BPF_MOV64_IMM(BPF_REG_0, 0),
8226 .errstr = "R1 offset is outside of the packet",
8228 .prog_type = BPF_PROG_TYPE_XDP,
8229 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8232 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
8234 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8235 offsetof(struct xdp_md, data)),
8236 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8237 offsetof(struct xdp_md, data_end)),
8238 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8240 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8241 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8242 BPF_MOV64_IMM(BPF_REG_0, 0),
8245 .errstr = "R1 offset is outside of the packet",
8247 .prog_type = BPF_PROG_TYPE_XDP,
8250 "XDP pkt read, pkt_end > pkt_data', good access",
8252 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8253 offsetof(struct xdp_md, data)),
8254 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8255 offsetof(struct xdp_md, data_end)),
8256 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8258 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8259 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8260 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8261 BPF_MOV64_IMM(BPF_REG_0, 0),
8265 .prog_type = BPF_PROG_TYPE_XDP,
8266 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8269 "XDP pkt read, pkt_end > pkt_data', bad access 1",
8271 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8272 offsetof(struct xdp_md, data)),
8273 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8274 offsetof(struct xdp_md, data_end)),
8275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8277 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8278 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8279 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8280 BPF_MOV64_IMM(BPF_REG_0, 0),
8283 .errstr = "R1 offset is outside of the packet",
8285 .prog_type = BPF_PROG_TYPE_XDP,
8288 "XDP pkt read, pkt_end > pkt_data', bad access 2",
8290 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8291 offsetof(struct xdp_md, data)),
8292 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8293 offsetof(struct xdp_md, data_end)),
8294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8296 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8297 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8298 BPF_MOV64_IMM(BPF_REG_0, 0),
8301 .errstr = "R1 offset is outside of the packet",
8303 .prog_type = BPF_PROG_TYPE_XDP,
8306 "XDP pkt read, pkt_data' < pkt_end, good access",
8308 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8309 offsetof(struct xdp_md, data)),
8310 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8311 offsetof(struct xdp_md, data_end)),
8312 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8314 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8315 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8316 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8317 BPF_MOV64_IMM(BPF_REG_0, 0),
8321 .prog_type = BPF_PROG_TYPE_XDP,
8322 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8325 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
8327 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8328 offsetof(struct xdp_md, data)),
8329 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8330 offsetof(struct xdp_md, data_end)),
8331 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8333 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8334 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8335 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8336 BPF_MOV64_IMM(BPF_REG_0, 0),
8339 .errstr = "R1 offset is outside of the packet",
8341 .prog_type = BPF_PROG_TYPE_XDP,
8344 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
8346 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8347 offsetof(struct xdp_md, data)),
8348 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8349 offsetof(struct xdp_md, data_end)),
8350 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8351 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8352 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8353 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8354 BPF_MOV64_IMM(BPF_REG_0, 0),
8357 .errstr = "R1 offset is outside of the packet",
8359 .prog_type = BPF_PROG_TYPE_XDP,
8362 "XDP pkt read, pkt_end < pkt_data', good access",
8364 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8365 offsetof(struct xdp_md, data)),
8366 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8367 offsetof(struct xdp_md, data_end)),
8368 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8369 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8370 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8371 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8372 BPF_MOV64_IMM(BPF_REG_0, 0),
8376 .prog_type = BPF_PROG_TYPE_XDP,
8379 "XDP pkt read, pkt_end < pkt_data', bad access 1",
8381 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8382 offsetof(struct xdp_md, data)),
8383 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8384 offsetof(struct xdp_md, data_end)),
8385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8387 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8388 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8389 BPF_MOV64_IMM(BPF_REG_0, 0),
8392 .errstr = "R1 offset is outside of the packet",
8394 .prog_type = BPF_PROG_TYPE_XDP,
8395 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8398 "XDP pkt read, pkt_end < pkt_data', bad access 2",
8400 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8401 offsetof(struct xdp_md, data)),
8402 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8403 offsetof(struct xdp_md, data_end)),
8404 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8405 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8406 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8407 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8408 BPF_MOV64_IMM(BPF_REG_0, 0),
8411 .errstr = "R1 offset is outside of the packet",
8413 .prog_type = BPF_PROG_TYPE_XDP,
8416 "XDP pkt read, pkt_data' >= pkt_end, good access",
8418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8419 offsetof(struct xdp_md, data)),
8420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8421 offsetof(struct xdp_md, data_end)),
8422 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8424 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8425 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8426 BPF_MOV64_IMM(BPF_REG_0, 0),
8430 .prog_type = BPF_PROG_TYPE_XDP,
8431 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8434 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8436 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8437 offsetof(struct xdp_md, data)),
8438 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8439 offsetof(struct xdp_md, data_end)),
8440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8442 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8443 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8444 BPF_MOV64_IMM(BPF_REG_0, 0),
8447 .errstr = "R1 offset is outside of the packet",
8449 .prog_type = BPF_PROG_TYPE_XDP,
8452 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8454 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8455 offsetof(struct xdp_md, data)),
8456 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8457 offsetof(struct xdp_md, data_end)),
8458 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8459 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8460 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8461 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8462 BPF_MOV64_IMM(BPF_REG_0, 0),
8465 .errstr = "R1 offset is outside of the packet",
8467 .prog_type = BPF_PROG_TYPE_XDP,
8468 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8471 "XDP pkt read, pkt_end >= pkt_data', good access",
8473 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8474 offsetof(struct xdp_md, data)),
8475 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8476 offsetof(struct xdp_md, data_end)),
8477 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8478 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8479 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8480 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8481 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8482 BPF_MOV64_IMM(BPF_REG_0, 0),
8486 .prog_type = BPF_PROG_TYPE_XDP,
8489 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
8491 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8492 offsetof(struct xdp_md, data)),
8493 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8494 offsetof(struct xdp_md, data_end)),
8495 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8497 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8498 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8499 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8500 BPF_MOV64_IMM(BPF_REG_0, 0),
8503 .errstr = "R1 offset is outside of the packet",
8505 .prog_type = BPF_PROG_TYPE_XDP,
8506 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8509 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
8511 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8512 offsetof(struct xdp_md, data)),
8513 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8514 offsetof(struct xdp_md, data_end)),
8515 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8517 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8518 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8519 BPF_MOV64_IMM(BPF_REG_0, 0),
8522 .errstr = "R1 offset is outside of the packet",
8524 .prog_type = BPF_PROG_TYPE_XDP,
8527 "XDP pkt read, pkt_data' <= pkt_end, good access",
8529 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8530 offsetof(struct xdp_md, data)),
8531 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8532 offsetof(struct xdp_md, data_end)),
8533 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8535 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8536 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8537 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8538 BPF_MOV64_IMM(BPF_REG_0, 0),
8542 .prog_type = BPF_PROG_TYPE_XDP,
8545 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8547 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8548 offsetof(struct xdp_md, data)),
8549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8550 offsetof(struct xdp_md, data_end)),
8551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8553 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8554 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8555 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8556 BPF_MOV64_IMM(BPF_REG_0, 0),
8559 .errstr = "R1 offset is outside of the packet",
8561 .prog_type = BPF_PROG_TYPE_XDP,
8562 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8565 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8567 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8568 offsetof(struct xdp_md, data)),
8569 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8570 offsetof(struct xdp_md, data_end)),
8571 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8572 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8573 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8574 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8575 BPF_MOV64_IMM(BPF_REG_0, 0),
8578 .errstr = "R1 offset is outside of the packet",
8580 .prog_type = BPF_PROG_TYPE_XDP,
8583 "XDP pkt read, pkt_end <= pkt_data', good access",
8585 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8586 offsetof(struct xdp_md, data)),
8587 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8588 offsetof(struct xdp_md, data_end)),
8589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8591 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8592 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8593 BPF_MOV64_IMM(BPF_REG_0, 0),
8597 .prog_type = BPF_PROG_TYPE_XDP,
8598 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8601 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
8603 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8604 offsetof(struct xdp_md, data)),
8605 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8606 offsetof(struct xdp_md, data_end)),
8607 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8608 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8609 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8610 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8611 BPF_MOV64_IMM(BPF_REG_0, 0),
8614 .errstr = "R1 offset is outside of the packet",
8616 .prog_type = BPF_PROG_TYPE_XDP,
8619 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
8621 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8622 offsetof(struct xdp_md, data)),
8623 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8624 offsetof(struct xdp_md, data_end)),
8625 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8627 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8628 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8629 BPF_MOV64_IMM(BPF_REG_0, 0),
8632 .errstr = "R1 offset is outside of the packet",
8634 .prog_type = BPF_PROG_TYPE_XDP,
8635 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8638 "XDP pkt read, pkt_meta' > pkt_data, good access",
8640 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8641 offsetof(struct xdp_md, data_meta)),
8642 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8643 offsetof(struct xdp_md, data)),
8644 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8645 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8646 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8647 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8648 BPF_MOV64_IMM(BPF_REG_0, 0),
8652 .prog_type = BPF_PROG_TYPE_XDP,
8655 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
8657 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8658 offsetof(struct xdp_md, data_meta)),
8659 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8660 offsetof(struct xdp_md, data)),
8661 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8663 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8664 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8665 BPF_MOV64_IMM(BPF_REG_0, 0),
8668 .errstr = "R1 offset is outside of the packet",
8670 .prog_type = BPF_PROG_TYPE_XDP,
8671 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8674 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
8676 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8677 offsetof(struct xdp_md, data_meta)),
8678 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8679 offsetof(struct xdp_md, data)),
8680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8682 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8683 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8684 BPF_MOV64_IMM(BPF_REG_0, 0),
8687 .errstr = "R1 offset is outside of the packet",
8689 .prog_type = BPF_PROG_TYPE_XDP,
8692 "XDP pkt read, pkt_data > pkt_meta', good access",
8694 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8695 offsetof(struct xdp_md, data_meta)),
8696 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8697 offsetof(struct xdp_md, data)),
8698 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8700 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8701 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8702 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8703 BPF_MOV64_IMM(BPF_REG_0, 0),
8707 .prog_type = BPF_PROG_TYPE_XDP,
8708 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8711 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
8713 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8714 offsetof(struct xdp_md, data_meta)),
8715 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8716 offsetof(struct xdp_md, data)),
8717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8718 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8719 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8720 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8721 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8722 BPF_MOV64_IMM(BPF_REG_0, 0),
8725 .errstr = "R1 offset is outside of the packet",
8727 .prog_type = BPF_PROG_TYPE_XDP,
8730 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
8732 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8733 offsetof(struct xdp_md, data_meta)),
8734 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8735 offsetof(struct xdp_md, data)),
8736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8738 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8739 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8740 BPF_MOV64_IMM(BPF_REG_0, 0),
8743 .errstr = "R1 offset is outside of the packet",
8745 .prog_type = BPF_PROG_TYPE_XDP,
8748 "XDP pkt read, pkt_meta' < pkt_data, good access",
8750 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8751 offsetof(struct xdp_md, data_meta)),
8752 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8753 offsetof(struct xdp_md, data)),
8754 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8756 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8757 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8758 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8759 BPF_MOV64_IMM(BPF_REG_0, 0),
8763 .prog_type = BPF_PROG_TYPE_XDP,
8764 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8767 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
8769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8770 offsetof(struct xdp_md, data_meta)),
8771 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8772 offsetof(struct xdp_md, data)),
8773 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8775 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8776 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8777 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8778 BPF_MOV64_IMM(BPF_REG_0, 0),
8781 .errstr = "R1 offset is outside of the packet",
8783 .prog_type = BPF_PROG_TYPE_XDP,
8786 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
8788 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8789 offsetof(struct xdp_md, data_meta)),
8790 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8791 offsetof(struct xdp_md, data)),
8792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8794 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8795 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8796 BPF_MOV64_IMM(BPF_REG_0, 0),
8799 .errstr = "R1 offset is outside of the packet",
8801 .prog_type = BPF_PROG_TYPE_XDP,
8804 "XDP pkt read, pkt_data < pkt_meta', good access",
8806 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8807 offsetof(struct xdp_md, data_meta)),
8808 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8809 offsetof(struct xdp_md, data)),
8810 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8811 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8812 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8813 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8814 BPF_MOV64_IMM(BPF_REG_0, 0),
8818 .prog_type = BPF_PROG_TYPE_XDP,
8821 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
8823 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8824 offsetof(struct xdp_md, data_meta)),
8825 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8826 offsetof(struct xdp_md, data)),
8827 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8829 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8830 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8831 BPF_MOV64_IMM(BPF_REG_0, 0),
8834 .errstr = "R1 offset is outside of the packet",
8836 .prog_type = BPF_PROG_TYPE_XDP,
8837 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8840 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
8842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8843 offsetof(struct xdp_md, data_meta)),
8844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8845 offsetof(struct xdp_md, data)),
8846 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8848 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8849 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8850 BPF_MOV64_IMM(BPF_REG_0, 0),
8853 .errstr = "R1 offset is outside of the packet",
8855 .prog_type = BPF_PROG_TYPE_XDP,
8858 "XDP pkt read, pkt_meta' >= pkt_data, good access",
8860 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8861 offsetof(struct xdp_md, data_meta)),
8862 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8863 offsetof(struct xdp_md, data)),
8864 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8866 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8867 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8868 BPF_MOV64_IMM(BPF_REG_0, 0),
8872 .prog_type = BPF_PROG_TYPE_XDP,
8873 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8876 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
8878 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8879 offsetof(struct xdp_md, data_meta)),
8880 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8881 offsetof(struct xdp_md, data)),
8882 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8883 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8884 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8885 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8886 BPF_MOV64_IMM(BPF_REG_0, 0),
8889 .errstr = "R1 offset is outside of the packet",
8891 .prog_type = BPF_PROG_TYPE_XDP,
8894 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
8896 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8897 offsetof(struct xdp_md, data_meta)),
8898 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8899 offsetof(struct xdp_md, data)),
8900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8901 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8902 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8903 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8904 BPF_MOV64_IMM(BPF_REG_0, 0),
8907 .errstr = "R1 offset is outside of the packet",
8909 .prog_type = BPF_PROG_TYPE_XDP,
8910 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8913 "XDP pkt read, pkt_data >= pkt_meta', good access",
8915 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8916 offsetof(struct xdp_md, data_meta)),
8917 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8918 offsetof(struct xdp_md, data)),
8919 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8920 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8921 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8922 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8923 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8924 BPF_MOV64_IMM(BPF_REG_0, 0),
8928 .prog_type = BPF_PROG_TYPE_XDP,
8931 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
8933 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8934 offsetof(struct xdp_md, data_meta)),
8935 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8936 offsetof(struct xdp_md, data)),
8937 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8938 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8939 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8940 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8941 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8942 BPF_MOV64_IMM(BPF_REG_0, 0),
8945 .errstr = "R1 offset is outside of the packet",
8947 .prog_type = BPF_PROG_TYPE_XDP,
8948 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8951 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
8953 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8954 offsetof(struct xdp_md, data_meta)),
8955 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8956 offsetof(struct xdp_md, data)),
8957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8958 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8959 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8960 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8961 BPF_MOV64_IMM(BPF_REG_0, 0),
8964 .errstr = "R1 offset is outside of the packet",
8966 .prog_type = BPF_PROG_TYPE_XDP,
8969 "XDP pkt read, pkt_meta' <= pkt_data, good access",
8971 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8972 offsetof(struct xdp_md, data_meta)),
8973 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8974 offsetof(struct xdp_md, data)),
8975 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8976 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8977 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8978 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8979 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8980 BPF_MOV64_IMM(BPF_REG_0, 0),
8984 .prog_type = BPF_PROG_TYPE_XDP,
8987 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
8989 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8990 offsetof(struct xdp_md, data_meta)),
8991 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8992 offsetof(struct xdp_md, data)),
8993 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8994 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8995 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8996 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8997 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8998 BPF_MOV64_IMM(BPF_REG_0, 0),
9001 .errstr = "R1 offset is outside of the packet",
9003 .prog_type = BPF_PROG_TYPE_XDP,
9004 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9007 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9009 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9010 offsetof(struct xdp_md, data_meta)),
9011 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9012 offsetof(struct xdp_md, data)),
9013 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9015 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9016 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9017 BPF_MOV64_IMM(BPF_REG_0, 0),
9020 .errstr = "R1 offset is outside of the packet",
9022 .prog_type = BPF_PROG_TYPE_XDP,
9025 "XDP pkt read, pkt_data <= pkt_meta', good access",
9027 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9028 offsetof(struct xdp_md, data_meta)),
9029 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9030 offsetof(struct xdp_md, data)),
9031 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9033 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9034 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9035 BPF_MOV64_IMM(BPF_REG_0, 0),
9039 .prog_type = BPF_PROG_TYPE_XDP,
9040 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9043 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9045 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9046 offsetof(struct xdp_md, data_meta)),
9047 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9048 offsetof(struct xdp_md, data)),
9049 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9050 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9051 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9052 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9053 BPF_MOV64_IMM(BPF_REG_0, 0),
9056 .errstr = "R1 offset is outside of the packet",
9058 .prog_type = BPF_PROG_TYPE_XDP,
9061 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9063 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9064 offsetof(struct xdp_md, data_meta)),
9065 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9066 offsetof(struct xdp_md, data)),
9067 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9068 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9069 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9070 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9071 BPF_MOV64_IMM(BPF_REG_0, 0),
9074 .errstr = "R1 offset is outside of the packet",
9076 .prog_type = BPF_PROG_TYPE_XDP,
9077 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9080 "check deducing bounds from const, 1",
9082 BPF_MOV64_IMM(BPF_REG_0, 1),
9083 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9084 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9088 .errstr = "R0 tried to subtract pointer from scalar",
9091 "check deducing bounds from const, 2",
9093 BPF_MOV64_IMM(BPF_REG_0, 1),
9094 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9096 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9098 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9105 "check deducing bounds from const, 3",
9107 BPF_MOV64_IMM(BPF_REG_0, 0),
9108 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9109 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9113 .errstr = "R0 tried to subtract pointer from scalar",
9116 "check deducing bounds from const, 4",
9118 BPF_MOV64_IMM(BPF_REG_0, 0),
9119 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9121 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9123 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9129 "check deducing bounds from const, 5",
9131 BPF_MOV64_IMM(BPF_REG_0, 0),
9132 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9133 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9137 .errstr = "R0 tried to subtract pointer from scalar",
9140 "check deducing bounds from const, 6",
9142 BPF_MOV64_IMM(BPF_REG_0, 0),
9143 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9145 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9149 .errstr = "R0 tried to subtract pointer from scalar",
9152 "check deducing bounds from const, 7",
9154 BPF_MOV64_IMM(BPF_REG_0, ~0),
9155 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9156 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9157 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9158 offsetof(struct __sk_buff, mark)),
9162 .errstr = "dereference of modified ctx ptr",
9165 "check deducing bounds from const, 8",
9167 BPF_MOV64_IMM(BPF_REG_0, ~0),
9168 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9169 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9170 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9171 offsetof(struct __sk_buff, mark)),
9175 .errstr = "dereference of modified ctx ptr",
9178 "check deducing bounds from const, 9",
9180 BPF_MOV64_IMM(BPF_REG_0, 0),
9181 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9182 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9186 .errstr = "R0 tried to subtract pointer from scalar",
9189 "check deducing bounds from const, 10",
9191 BPF_MOV64_IMM(BPF_REG_0, 0),
9192 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9193 /* Marks reg as unknown. */
9194 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9195 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9199 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9202 "bpf_exit with invalid return code. test1",
9204 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9207 .errstr = "R0 has value (0x0; 0xffffffff)",
9209 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9212 "bpf_exit with invalid return code. test2",
9214 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9215 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9219 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9222 "bpf_exit with invalid return code. test3",
9224 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9225 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9228 .errstr = "R0 has value (0x0; 0x3)",
9230 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9233 "bpf_exit with invalid return code. test4",
9235 BPF_MOV64_IMM(BPF_REG_0, 1),
9239 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9242 "bpf_exit with invalid return code. test5",
9244 BPF_MOV64_IMM(BPF_REG_0, 2),
9247 .errstr = "R0 has value (0x2; 0x0)",
9249 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9252 "bpf_exit with invalid return code. test6",
9254 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9257 .errstr = "R0 is not a known value (ctx)",
9259 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9262 "bpf_exit with invalid return code. test7",
9264 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9265 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9266 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9269 .errstr = "R0 has unknown scalar value",
9271 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9274 "calls: basic sanity",
9276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9277 BPF_MOV64_IMM(BPF_REG_0, 1),
9279 BPF_MOV64_IMM(BPF_REG_0, 2),
9282 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9286 "calls: not on unpriviledged",
9288 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9289 BPF_MOV64_IMM(BPF_REG_0, 1),
9291 BPF_MOV64_IMM(BPF_REG_0, 2),
9294 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9295 .result_unpriv = REJECT,
9300 "calls: div by 0 in subprog",
9302 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9303 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9304 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9305 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9306 offsetof(struct __sk_buff, data_end)),
9307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9309 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9310 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9311 BPF_MOV64_IMM(BPF_REG_0, 1),
9313 BPF_MOV32_IMM(BPF_REG_2, 0),
9314 BPF_MOV32_IMM(BPF_REG_3, 1),
9315 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9316 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9317 offsetof(struct __sk_buff, data)),
9320 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9325 "calls: multiple ret types in subprog 1",
9327 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9329 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9330 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9331 offsetof(struct __sk_buff, data_end)),
9332 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9333 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9334 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9335 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9336 BPF_MOV64_IMM(BPF_REG_0, 1),
9338 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9339 offsetof(struct __sk_buff, data)),
9340 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9341 BPF_MOV32_IMM(BPF_REG_0, 42),
9344 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9346 .errstr = "R0 invalid mem access 'inv'",
9349 "calls: multiple ret types in subprog 2",
9351 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9354 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9355 offsetof(struct __sk_buff, data_end)),
9356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9358 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9359 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9360 BPF_MOV64_IMM(BPF_REG_0, 1),
9362 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9363 offsetof(struct __sk_buff, data)),
9364 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9365 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9366 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9367 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9368 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9369 BPF_LD_MAP_FD(BPF_REG_1, 0),
9370 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9371 BPF_FUNC_map_lookup_elem),
9372 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9373 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9374 offsetof(struct __sk_buff, data)),
9375 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9378 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9379 .fixup_map1 = { 16 },
9381 .errstr = "R0 min value is outside of the array range",
9384 "calls: overlapping caller/callee",
9386 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9387 BPF_MOV64_IMM(BPF_REG_0, 1),
9390 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9391 .errstr = "last insn is not an exit or jmp",
9395 "calls: wrong recursive calls",
9397 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9398 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9399 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9400 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9401 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9402 BPF_MOV64_IMM(BPF_REG_0, 1),
9405 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9406 .errstr = "jump out of range",
9410 "calls: wrong src reg",
9412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9413 BPF_MOV64_IMM(BPF_REG_0, 1),
9416 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9417 .errstr = "BPF_CALL uses reserved fields",
9421 "calls: wrong off value",
9423 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9424 BPF_MOV64_IMM(BPF_REG_0, 1),
9426 BPF_MOV64_IMM(BPF_REG_0, 2),
9429 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9430 .errstr = "BPF_CALL uses reserved fields",
9434 "calls: jump back loop",
9436 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9437 BPF_MOV64_IMM(BPF_REG_0, 1),
9440 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9441 .errstr = "back-edge from insn 0 to 0",
9445 "calls: conditional call",
9447 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9448 offsetof(struct __sk_buff, mark)),
9449 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9450 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9451 BPF_MOV64_IMM(BPF_REG_0, 1),
9453 BPF_MOV64_IMM(BPF_REG_0, 2),
9456 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9457 .errstr = "jump out of range",
9461 "calls: conditional call 2",
9463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9464 offsetof(struct __sk_buff, mark)),
9465 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9467 BPF_MOV64_IMM(BPF_REG_0, 1),
9469 BPF_MOV64_IMM(BPF_REG_0, 2),
9471 BPF_MOV64_IMM(BPF_REG_0, 3),
9474 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9478 "calls: conditional call 3",
9480 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9481 offsetof(struct __sk_buff, mark)),
9482 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9483 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9484 BPF_MOV64_IMM(BPF_REG_0, 1),
9486 BPF_MOV64_IMM(BPF_REG_0, 1),
9487 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9488 BPF_MOV64_IMM(BPF_REG_0, 3),
9489 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9491 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9492 .errstr = "back-edge from insn",
9496 "calls: conditional call 4",
9498 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9499 offsetof(struct __sk_buff, mark)),
9500 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9501 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9502 BPF_MOV64_IMM(BPF_REG_0, 1),
9504 BPF_MOV64_IMM(BPF_REG_0, 1),
9505 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
9506 BPF_MOV64_IMM(BPF_REG_0, 3),
9509 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9513 "calls: conditional call 5",
9515 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9516 offsetof(struct __sk_buff, mark)),
9517 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9518 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9519 BPF_MOV64_IMM(BPF_REG_0, 1),
9521 BPF_MOV64_IMM(BPF_REG_0, 1),
9522 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9523 BPF_MOV64_IMM(BPF_REG_0, 3),
9526 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9527 .errstr = "back-edge from insn",
9531 "calls: conditional call 6",
9533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9534 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
9536 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9537 offsetof(struct __sk_buff, mark)),
9540 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9541 .errstr = "back-edge from insn",
9545 "calls: using r0 returned by callee",
9547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9549 BPF_MOV64_IMM(BPF_REG_0, 2),
9552 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9556 "calls: using uninit r0 from callee",
9558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9563 .errstr = "!read_ok",
9567 "calls: callee is using r1",
9569 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9572 offsetof(struct __sk_buff, len)),
9575 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
9577 .retval = TEST_DATA_LEN,
9580 "calls: callee using args1",
9582 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9584 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9587 .errstr_unpriv = "allowed for root only",
9588 .result_unpriv = REJECT,
9590 .retval = POINTER_VALUE,
9593 "calls: callee using wrong args2",
9595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9597 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9600 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9601 .errstr = "R2 !read_ok",
9605 "calls: callee using two args",
9607 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9608 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
9609 offsetof(struct __sk_buff, len)),
9610 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
9611 offsetof(struct __sk_buff, len)),
9612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9614 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9615 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9618 .errstr_unpriv = "allowed for root only",
9619 .result_unpriv = REJECT,
9621 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
9624 "calls: callee changing pkt pointers",
9626 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9627 offsetof(struct xdp_md, data)),
9628 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
9629 offsetof(struct xdp_md, data_end)),
9630 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
9631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
9632 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
9633 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9634 /* clear_all_pkt_pointers() has to walk all frames
9635 * to make sure that pkt pointers in the caller
9636 * are cleared when callee is calling a helper that
9637 * adjusts packet size
9639 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
9640 BPF_MOV32_IMM(BPF_REG_0, 0),
9642 BPF_MOV64_IMM(BPF_REG_2, 0),
9643 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9644 BPF_FUNC_xdp_adjust_head),
9648 .errstr = "R6 invalid mem access 'inv'",
9649 .prog_type = BPF_PROG_TYPE_XDP,
9652 "calls: two calls with args",
9654 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9656 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9657 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9658 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9659 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9660 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9661 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9662 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9664 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9665 offsetof(struct __sk_buff, len)),
9668 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9670 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
9673 "calls: calls with stack arith",
9675 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9676 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9677 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9679 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
9683 BPF_MOV64_IMM(BPF_REG_0, 42),
9684 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
9687 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9692 "calls: calls with misaligned stack access",
9694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
9696 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
9699 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
9702 BPF_MOV64_IMM(BPF_REG_0, 42),
9703 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
9706 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9707 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
9708 .errstr = "misaligned stack access",
9712 "calls: calls control flow, jump test",
9714 BPF_MOV64_IMM(BPF_REG_0, 42),
9715 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9716 BPF_MOV64_IMM(BPF_REG_0, 43),
9717 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9718 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
9721 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9726 "calls: calls control flow, jump test 2",
9728 BPF_MOV64_IMM(BPF_REG_0, 42),
9729 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9730 BPF_MOV64_IMM(BPF_REG_0, 43),
9731 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9732 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9735 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9736 .errstr = "jump out of range from insn 1 to 4",
9740 "calls: two calls with bad jump",
9742 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9744 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9745 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9746 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9747 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9748 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9749 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9750 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9752 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9753 offsetof(struct __sk_buff, len)),
9754 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
9757 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9758 .errstr = "jump out of range from insn 11 to 9",
9762 "calls: recursive call. test1",
9764 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9766 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9769 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9770 .errstr = "back-edge",
9774 "calls: recursive call. test2",
9776 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9778 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9781 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9782 .errstr = "back-edge",
9786 "calls: unreachable code",
9788 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9790 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9792 BPF_MOV64_IMM(BPF_REG_0, 0),
9794 BPF_MOV64_IMM(BPF_REG_0, 0),
9797 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9798 .errstr = "unreachable insn 6",
9802 "calls: invalid call",
9804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9806 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
9809 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9810 .errstr = "invalid destination",
9814 "calls: invalid call 2",
9816 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9818 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
9821 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9822 .errstr = "invalid destination",
9826 "calls: jumping across function bodies. test1",
9828 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9829 BPF_MOV64_IMM(BPF_REG_0, 0),
9831 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
9834 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9835 .errstr = "jump out of range",
9839 "calls: jumping across function bodies. test2",
9841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
9842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9843 BPF_MOV64_IMM(BPF_REG_0, 0),
9847 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9848 .errstr = "jump out of range",
9852 "calls: call without exit",
9854 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9858 BPF_MOV64_IMM(BPF_REG_0, 0),
9859 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
9861 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9862 .errstr = "not an exit",
9866 "calls: call into middle of ld_imm64",
9868 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9870 BPF_MOV64_IMM(BPF_REG_0, 0),
9872 BPF_LD_IMM64(BPF_REG_0, 0),
9875 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9876 .errstr = "last insn",
9880 "calls: call into middle of other call",
9882 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9883 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9884 BPF_MOV64_IMM(BPF_REG_0, 0),
9886 BPF_MOV64_IMM(BPF_REG_0, 0),
9887 BPF_MOV64_IMM(BPF_REG_0, 0),
9890 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9891 .errstr = "last insn",
9895 "calls: ld_abs with changing ctx data in callee",
9897 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9898 BPF_LD_ABS(BPF_B, 0),
9899 BPF_LD_ABS(BPF_H, 0),
9900 BPF_LD_ABS(BPF_W, 0),
9901 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
9902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
9903 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
9904 BPF_LD_ABS(BPF_B, 0),
9905 BPF_LD_ABS(BPF_H, 0),
9906 BPF_LD_ABS(BPF_W, 0),
9908 BPF_MOV64_IMM(BPF_REG_2, 1),
9909 BPF_MOV64_IMM(BPF_REG_3, 2),
9910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9911 BPF_FUNC_skb_vlan_push),
9914 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
9915 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
9919 "calls: two calls with bad fallthrough",
9921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9923 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9924 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9925 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9926 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9927 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9928 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9929 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9930 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
9931 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9932 offsetof(struct __sk_buff, len)),
9935 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9936 .errstr = "not an exit",
9940 "calls: two calls with stack read",
9942 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9943 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9944 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9947 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9948 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9949 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9950 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9951 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9952 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9953 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9955 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9958 .prog_type = BPF_PROG_TYPE_XDP,
9962 "calls: two calls with stack write",
9965 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9966 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9968 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9971 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
9975 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9976 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9977 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
9978 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
9979 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9981 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
9982 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
9983 /* write into stack frame of main prog */
9984 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
9988 /* read from stack frame of main prog */
9989 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9992 .prog_type = BPF_PROG_TYPE_XDP,
9996 "calls: stack overflow using two frames (pre-call access)",
9999 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10000 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10004 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10005 BPF_MOV64_IMM(BPF_REG_0, 0),
10008 .prog_type = BPF_PROG_TYPE_XDP,
10009 .errstr = "combined stack size",
10013 "calls: stack overflow using two frames (post-call access)",
10016 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10017 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10021 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10022 BPF_MOV64_IMM(BPF_REG_0, 0),
10025 .prog_type = BPF_PROG_TYPE_XDP,
10026 .errstr = "combined stack size",
10030 "calls: stack depth check using three frames. test1",
10033 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10034 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10035 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10036 BPF_MOV64_IMM(BPF_REG_0, 0),
10039 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10042 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10043 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10046 .prog_type = BPF_PROG_TYPE_XDP,
10047 /* stack_main=32, stack_A=256, stack_B=64
10048 * and max(main+A, main+A+B) < 512
10053 "calls: stack depth check using three frames. test2",
10056 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10057 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10058 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10059 BPF_MOV64_IMM(BPF_REG_0, 0),
10062 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10065 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10066 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10069 .prog_type = BPF_PROG_TYPE_XDP,
10070 /* stack_main=32, stack_A=64, stack_B=256
10071 * and max(main+A, main+A+B) < 512
10076 "calls: stack depth check using three frames. test3",
10079 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10080 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10081 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10082 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10083 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10084 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10085 BPF_MOV64_IMM(BPF_REG_0, 0),
10088 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10090 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10091 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10093 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10094 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10095 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10098 .prog_type = BPF_PROG_TYPE_XDP,
10099 /* stack_main=64, stack_A=224, stack_B=256
10100 * and max(main+A, main+A+B) > 512
10102 .errstr = "combined stack",
10106 "calls: stack depth check using three frames. test4",
10107 /* void main(void) {
10112 * void func1(int alloc_or_recurse) {
10113 * if (alloc_or_recurse) {
10114 * frame_pointer[-300] = 1;
10116 * func2(alloc_or_recurse);
10119 * void func2(int alloc_or_recurse) {
10120 * if (alloc_or_recurse) {
10121 * frame_pointer[-300] = 1;
10127 BPF_MOV64_IMM(BPF_REG_1, 0),
10128 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10129 BPF_MOV64_IMM(BPF_REG_1, 1),
10130 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10131 BPF_MOV64_IMM(BPF_REG_1, 1),
10132 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10133 BPF_MOV64_IMM(BPF_REG_0, 0),
10136 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10137 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10139 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10142 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10143 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10146 .prog_type = BPF_PROG_TYPE_XDP,
10148 .errstr = "combined stack",
10151 "calls: stack depth check using three frames. test5",
10154 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10157 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10160 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10163 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10166 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10169 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10172 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10175 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10178 BPF_MOV64_IMM(BPF_REG_0, 0),
10181 .prog_type = BPF_PROG_TYPE_XDP,
10182 .errstr = "call stack",
10186 "calls: spill into caller stack frame",
10188 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10189 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10193 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10194 BPF_MOV64_IMM(BPF_REG_0, 0),
10197 .prog_type = BPF_PROG_TYPE_XDP,
10198 .errstr = "cannot spill",
10202 "calls: write into caller stack frame",
10204 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10206 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10207 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10208 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10210 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10211 BPF_MOV64_IMM(BPF_REG_0, 0),
10214 .prog_type = BPF_PROG_TYPE_XDP,
10219 "calls: write into callee stack frame",
10221 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10222 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10224 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10228 .prog_type = BPF_PROG_TYPE_XDP,
10229 .errstr = "cannot return stack pointer",
10233 "calls: two calls with stack write and void return",
10236 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10237 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10239 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10241 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10246 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10247 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10248 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10249 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10250 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10254 /* write into stack frame of main prog */
10255 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10256 BPF_EXIT_INSN(), /* void return */
10258 .prog_type = BPF_PROG_TYPE_XDP,
10262 "calls: ambiguous return value",
10264 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10266 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10267 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10268 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10269 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10271 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10272 BPF_MOV64_IMM(BPF_REG_0, 0),
10275 .errstr_unpriv = "allowed for root only",
10276 .result_unpriv = REJECT,
10277 .errstr = "R0 !read_ok",
10281 "calls: two calls that return map_value",
10284 /* pass fp-16, fp-8 into a function */
10285 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10287 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10288 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10291 /* fetch map_value_ptr from the stack of this function */
10292 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10293 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10294 /* write into map value */
10295 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10296 /* fetch secound map_value_ptr from the stack */
10297 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10298 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10299 /* write into map value */
10300 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10301 BPF_MOV64_IMM(BPF_REG_0, 0),
10305 /* call 3rd function twice */
10306 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10307 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10308 /* first time with fp-8 */
10309 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10311 /* second time with fp-16 */
10312 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10316 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10317 /* lookup from map */
10318 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10320 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10321 BPF_LD_MAP_FD(BPF_REG_1, 0),
10322 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10323 BPF_FUNC_map_lookup_elem),
10324 /* write map_value_ptr into stack frame of main prog */
10325 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10326 BPF_MOV64_IMM(BPF_REG_0, 0),
10327 BPF_EXIT_INSN(), /* return 0 */
10329 .prog_type = BPF_PROG_TYPE_XDP,
10330 .fixup_map1 = { 23 },
10334 "calls: two calls that return map_value with bool condition",
10337 /* pass fp-16, fp-8 into a function */
10338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10340 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10341 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10343 BPF_MOV64_IMM(BPF_REG_0, 0),
10347 /* call 3rd function twice */
10348 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10349 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10350 /* first time with fp-8 */
10351 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10352 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10353 /* fetch map_value_ptr from the stack of this function */
10354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10355 /* write into map value */
10356 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10358 /* second time with fp-16 */
10359 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10360 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10361 /* fetch secound map_value_ptr from the stack */
10362 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10363 /* write into map value */
10364 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10368 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10369 /* lookup from map */
10370 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10371 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10372 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10373 BPF_LD_MAP_FD(BPF_REG_1, 0),
10374 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10375 BPF_FUNC_map_lookup_elem),
10376 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10377 BPF_MOV64_IMM(BPF_REG_0, 0),
10378 BPF_EXIT_INSN(), /* return 0 */
10379 /* write map_value_ptr into stack frame of main prog */
10380 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10381 BPF_MOV64_IMM(BPF_REG_0, 1),
10382 BPF_EXIT_INSN(), /* return 1 */
10384 .prog_type = BPF_PROG_TYPE_XDP,
10385 .fixup_map1 = { 23 },
10389 "calls: two calls that return map_value with incorrect bool check",
10392 /* pass fp-16, fp-8 into a function */
10393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10395 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10398 BPF_MOV64_IMM(BPF_REG_0, 0),
10402 /* call 3rd function twice */
10403 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10404 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10405 /* first time with fp-8 */
10406 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10407 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10408 /* fetch map_value_ptr from the stack of this function */
10409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10410 /* write into map value */
10411 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10412 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10413 /* second time with fp-16 */
10414 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10415 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10416 /* fetch secound map_value_ptr from the stack */
10417 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10418 /* write into map value */
10419 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10423 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10424 /* lookup from map */
10425 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10426 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10428 BPF_LD_MAP_FD(BPF_REG_1, 0),
10429 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10430 BPF_FUNC_map_lookup_elem),
10431 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10432 BPF_MOV64_IMM(BPF_REG_0, 0),
10433 BPF_EXIT_INSN(), /* return 0 */
10434 /* write map_value_ptr into stack frame of main prog */
10435 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10436 BPF_MOV64_IMM(BPF_REG_0, 1),
10437 BPF_EXIT_INSN(), /* return 1 */
10439 .prog_type = BPF_PROG_TYPE_XDP,
10440 .fixup_map1 = { 23 },
10442 .errstr = "invalid read from stack off -16+0 size 8",
10445 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10448 /* pass fp-16, fp-8 into a function */
10449 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10451 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10453 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10454 BPF_MOV64_IMM(BPF_REG_0, 0),
10458 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10459 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10460 /* 1st lookup from map */
10461 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10462 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10464 BPF_LD_MAP_FD(BPF_REG_1, 0),
10465 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10466 BPF_FUNC_map_lookup_elem),
10467 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10468 BPF_MOV64_IMM(BPF_REG_8, 0),
10469 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10470 /* write map_value_ptr into stack frame of main prog at fp-8 */
10471 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10472 BPF_MOV64_IMM(BPF_REG_8, 1),
10474 /* 2nd lookup from map */
10475 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10477 BPF_LD_MAP_FD(BPF_REG_1, 0),
10478 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10479 BPF_FUNC_map_lookup_elem),
10480 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10481 BPF_MOV64_IMM(BPF_REG_9, 0),
10482 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10483 /* write map_value_ptr into stack frame of main prog at fp-16 */
10484 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10485 BPF_MOV64_IMM(BPF_REG_9, 1),
10487 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10488 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10490 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10491 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
10496 /* if arg2 == 1 do *arg1 = 0 */
10497 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10498 /* fetch map_value_ptr from the stack of this function */
10499 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10500 /* write into map value */
10501 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10503 /* if arg4 == 1 do *arg3 = 0 */
10504 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10505 /* fetch map_value_ptr from the stack of this function */
10506 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10507 /* write into map value */
10508 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10511 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10512 .fixup_map1 = { 12, 22 },
10514 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
10517 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
10520 /* pass fp-16, fp-8 into a function */
10521 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10525 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10526 BPF_MOV64_IMM(BPF_REG_0, 0),
10530 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10531 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10532 /* 1st lookup from map */
10533 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10534 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10535 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10536 BPF_LD_MAP_FD(BPF_REG_1, 0),
10537 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10538 BPF_FUNC_map_lookup_elem),
10539 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10540 BPF_MOV64_IMM(BPF_REG_8, 0),
10541 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10542 /* write map_value_ptr into stack frame of main prog at fp-8 */
10543 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10544 BPF_MOV64_IMM(BPF_REG_8, 1),
10546 /* 2nd lookup from map */
10547 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10549 BPF_LD_MAP_FD(BPF_REG_1, 0),
10550 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10551 BPF_FUNC_map_lookup_elem),
10552 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10553 BPF_MOV64_IMM(BPF_REG_9, 0),
10554 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10555 /* write map_value_ptr into stack frame of main prog at fp-16 */
10556 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10557 BPF_MOV64_IMM(BPF_REG_9, 1),
10559 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10561 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10562 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10563 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10564 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
10568 /* if arg2 == 1 do *arg1 = 0 */
10569 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10570 /* fetch map_value_ptr from the stack of this function */
10571 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10572 /* write into map value */
10573 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10575 /* if arg4 == 1 do *arg3 = 0 */
10576 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10577 /* fetch map_value_ptr from the stack of this function */
10578 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10579 /* write into map value */
10580 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10583 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10584 .fixup_map1 = { 12, 22 },
10588 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
10591 /* pass fp-16, fp-8 into a function */
10592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10593 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10594 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10596 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
10597 BPF_MOV64_IMM(BPF_REG_0, 0),
10601 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10602 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10603 /* 1st lookup from map */
10604 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
10605 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10607 BPF_LD_MAP_FD(BPF_REG_1, 0),
10608 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10609 BPF_FUNC_map_lookup_elem),
10610 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10611 BPF_MOV64_IMM(BPF_REG_8, 0),
10612 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10613 /* write map_value_ptr into stack frame of main prog at fp-8 */
10614 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10615 BPF_MOV64_IMM(BPF_REG_8, 1),
10617 /* 2nd lookup from map */
10618 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10619 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10620 BPF_LD_MAP_FD(BPF_REG_1, 0),
10621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10622 BPF_FUNC_map_lookup_elem),
10623 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10624 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
10625 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10626 /* write map_value_ptr into stack frame of main prog at fp-16 */
10627 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10628 BPF_MOV64_IMM(BPF_REG_9, 1),
10630 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10631 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
10632 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10633 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10634 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10635 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
10636 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
10639 /* if arg2 == 1 do *arg1 = 0 */
10640 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10641 /* fetch map_value_ptr from the stack of this function */
10642 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10643 /* write into map value */
10644 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10646 /* if arg4 == 1 do *arg3 = 0 */
10647 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10648 /* fetch map_value_ptr from the stack of this function */
10649 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10650 /* write into map value */
10651 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10652 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
10654 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10655 .fixup_map1 = { 12, 22 },
10657 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
10660 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
10663 /* pass fp-16, fp-8 into a function */
10664 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10666 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10669 BPF_MOV64_IMM(BPF_REG_0, 0),
10673 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10674 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10675 /* 1st lookup from map */
10676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10679 BPF_LD_MAP_FD(BPF_REG_1, 0),
10680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10681 BPF_FUNC_map_lookup_elem),
10682 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10683 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10684 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10685 BPF_MOV64_IMM(BPF_REG_8, 0),
10686 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10687 BPF_MOV64_IMM(BPF_REG_8, 1),
10689 /* 2nd lookup from map */
10690 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10691 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10692 BPF_LD_MAP_FD(BPF_REG_1, 0),
10693 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10694 BPF_FUNC_map_lookup_elem),
10695 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
10696 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10697 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10698 BPF_MOV64_IMM(BPF_REG_9, 0),
10699 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10700 BPF_MOV64_IMM(BPF_REG_9, 1),
10702 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10704 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10705 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10706 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10707 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10711 /* if arg2 == 1 do *arg1 = 0 */
10712 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10713 /* fetch map_value_ptr from the stack of this function */
10714 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10715 /* write into map value */
10716 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10718 /* if arg4 == 1 do *arg3 = 0 */
10719 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10720 /* fetch map_value_ptr from the stack of this function */
10721 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10722 /* write into map value */
10723 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10726 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10727 .fixup_map1 = { 12, 22 },
10731 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
10734 /* pass fp-16, fp-8 into a function */
10735 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10737 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10739 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10740 BPF_MOV64_IMM(BPF_REG_0, 0),
10744 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10745 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10746 /* 1st lookup from map */
10747 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10748 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10749 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10750 BPF_LD_MAP_FD(BPF_REG_1, 0),
10751 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10752 BPF_FUNC_map_lookup_elem),
10753 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10754 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10755 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10756 BPF_MOV64_IMM(BPF_REG_8, 0),
10757 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10758 BPF_MOV64_IMM(BPF_REG_8, 1),
10760 /* 2nd lookup from map */
10761 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10762 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10763 BPF_LD_MAP_FD(BPF_REG_1, 0),
10764 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10765 BPF_FUNC_map_lookup_elem),
10766 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
10767 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10768 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10769 BPF_MOV64_IMM(BPF_REG_9, 0),
10770 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10771 BPF_MOV64_IMM(BPF_REG_9, 1),
10773 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10774 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10775 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10776 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10777 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10778 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10782 /* if arg2 == 1 do *arg1 = 0 */
10783 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10784 /* fetch map_value_ptr from the stack of this function */
10785 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10786 /* write into map value */
10787 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10789 /* if arg4 == 0 do *arg3 = 0 */
10790 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
10791 /* fetch map_value_ptr from the stack of this function */
10792 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10793 /* write into map value */
10794 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10797 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10798 .fixup_map1 = { 12, 22 },
10800 .errstr = "R0 invalid mem access 'inv'",
10803 "calls: pkt_ptr spill into caller stack",
10805 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10807 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10811 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10812 offsetof(struct __sk_buff, data)),
10813 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10814 offsetof(struct __sk_buff, data_end)),
10815 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10816 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10817 /* spill unchecked pkt_ptr into stack of caller */
10818 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10819 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10820 /* now the pkt range is verified, read pkt_ptr from stack */
10821 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10822 /* write 4 bytes into packet */
10823 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10827 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10828 .retval = POINTER_VALUE,
10831 "calls: pkt_ptr spill into caller stack 2",
10833 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10834 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10835 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10836 /* Marking is still kept, but not in all cases safe. */
10837 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10838 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10843 offsetof(struct __sk_buff, data)),
10844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10845 offsetof(struct __sk_buff, data_end)),
10846 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10848 /* spill unchecked pkt_ptr into stack of caller */
10849 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10850 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10851 /* now the pkt range is verified, read pkt_ptr from stack */
10852 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10853 /* write 4 bytes into packet */
10854 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10857 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10858 .errstr = "invalid access to packet",
10862 "calls: pkt_ptr spill into caller stack 3",
10864 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10865 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10866 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10867 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10868 /* Marking is still kept and safe here. */
10869 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10870 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10874 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10875 offsetof(struct __sk_buff, data)),
10876 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10877 offsetof(struct __sk_buff, data_end)),
10878 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10879 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10880 /* spill unchecked pkt_ptr into stack of caller */
10881 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10882 BPF_MOV64_IMM(BPF_REG_5, 0),
10883 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10884 BPF_MOV64_IMM(BPF_REG_5, 1),
10885 /* now the pkt range is verified, read pkt_ptr from stack */
10886 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10887 /* write 4 bytes into packet */
10888 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10892 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10897 "calls: pkt_ptr spill into caller stack 4",
10899 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10902 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10903 /* Check marking propagated. */
10904 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10905 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10910 offsetof(struct __sk_buff, data)),
10911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10912 offsetof(struct __sk_buff, data_end)),
10913 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10915 /* spill unchecked pkt_ptr into stack of caller */
10916 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10917 BPF_MOV64_IMM(BPF_REG_5, 0),
10918 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10919 BPF_MOV64_IMM(BPF_REG_5, 1),
10920 /* don't read back pkt_ptr from stack here */
10921 /* write 4 bytes into packet */
10922 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10923 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10926 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10931 "calls: pkt_ptr spill into caller stack 5",
10933 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10934 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10935 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
10936 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10937 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10938 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10942 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10943 offsetof(struct __sk_buff, data)),
10944 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10945 offsetof(struct __sk_buff, data_end)),
10946 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10947 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10948 BPF_MOV64_IMM(BPF_REG_5, 0),
10949 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10950 /* spill checked pkt_ptr into stack of caller */
10951 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10952 BPF_MOV64_IMM(BPF_REG_5, 1),
10953 /* don't read back pkt_ptr from stack here */
10954 /* write 4 bytes into packet */
10955 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10956 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10959 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10960 .errstr = "same insn cannot be used with different",
10964 "calls: pkt_ptr spill into caller stack 6",
10966 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10967 offsetof(struct __sk_buff, data_end)),
10968 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10970 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10971 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10972 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10973 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10977 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10978 offsetof(struct __sk_buff, data)),
10979 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10980 offsetof(struct __sk_buff, data_end)),
10981 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10983 BPF_MOV64_IMM(BPF_REG_5, 0),
10984 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10985 /* spill checked pkt_ptr into stack of caller */
10986 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10987 BPF_MOV64_IMM(BPF_REG_5, 1),
10988 /* don't read back pkt_ptr from stack here */
10989 /* write 4 bytes into packet */
10990 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10991 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10994 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
10995 .errstr = "R4 invalid mem access",
10999 "calls: pkt_ptr spill into caller stack 7",
11001 BPF_MOV64_IMM(BPF_REG_2, 0),
11002 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11003 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11004 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11006 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11007 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11011 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11012 offsetof(struct __sk_buff, data)),
11013 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11014 offsetof(struct __sk_buff, data_end)),
11015 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11017 BPF_MOV64_IMM(BPF_REG_5, 0),
11018 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11019 /* spill checked pkt_ptr into stack of caller */
11020 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11021 BPF_MOV64_IMM(BPF_REG_5, 1),
11022 /* don't read back pkt_ptr from stack here */
11023 /* write 4 bytes into packet */
11024 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11025 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11028 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11029 .errstr = "R4 invalid mem access",
11033 "calls: pkt_ptr spill into caller stack 8",
11035 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11036 offsetof(struct __sk_buff, data)),
11037 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11038 offsetof(struct __sk_buff, data_end)),
11039 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11041 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11043 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11044 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11045 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11046 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11047 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11048 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11052 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11053 offsetof(struct __sk_buff, data)),
11054 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11055 offsetof(struct __sk_buff, data_end)),
11056 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11057 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11058 BPF_MOV64_IMM(BPF_REG_5, 0),
11059 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11060 /* spill checked pkt_ptr into stack of caller */
11061 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11062 BPF_MOV64_IMM(BPF_REG_5, 1),
11063 /* don't read back pkt_ptr from stack here */
11064 /* write 4 bytes into packet */
11065 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11069 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11073 "calls: pkt_ptr spill into caller stack 9",
11075 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11076 offsetof(struct __sk_buff, data)),
11077 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11078 offsetof(struct __sk_buff, data_end)),
11079 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11081 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11083 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11085 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11087 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11092 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11093 offsetof(struct __sk_buff, data)),
11094 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11095 offsetof(struct __sk_buff, data_end)),
11096 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11098 BPF_MOV64_IMM(BPF_REG_5, 0),
11099 /* spill unchecked pkt_ptr into stack of caller */
11100 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11101 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11102 BPF_MOV64_IMM(BPF_REG_5, 1),
11103 /* don't read back pkt_ptr from stack here */
11104 /* write 4 bytes into packet */
11105 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11106 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11109 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11110 .errstr = "invalid access to packet",
11114 "calls: caller stack init to zero or map_value_or_null",
11116 BPF_MOV64_IMM(BPF_REG_0, 0),
11117 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11118 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11119 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11120 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11121 /* fetch map_value_or_null or const_zero from stack */
11122 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11123 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11124 /* store into map_value */
11125 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11129 /* if (ctx == 0) return; */
11130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11131 /* else bpf_map_lookup() and *(fp - 8) = r0 */
11132 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11133 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11135 BPF_LD_MAP_FD(BPF_REG_1, 0),
11136 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11137 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11138 BPF_FUNC_map_lookup_elem),
11139 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11140 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11143 .fixup_map1 = { 13 },
11145 .prog_type = BPF_PROG_TYPE_XDP,
11148 "calls: stack init to zero and pruning",
11150 /* first make allocated_stack 16 byte */
11151 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11152 /* now fork the execution such that the false branch
11153 * of JGT insn will be verified second and it skisp zero
11154 * init of fp-8 stack slot. If stack liveness marking
11155 * is missing live_read marks from call map_lookup
11156 * processing then pruning will incorrectly assume
11157 * that fp-8 stack slot was unused in the fall-through
11158 * branch and will accept the program incorrectly
11160 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11161 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11162 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11163 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11164 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11165 BPF_LD_MAP_FD(BPF_REG_1, 0),
11166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11167 BPF_FUNC_map_lookup_elem),
11170 .fixup_map2 = { 6 },
11171 .errstr = "invalid indirect read from stack off -8+0 size 8",
11173 .prog_type = BPF_PROG_TYPE_XDP,
11176 "search pruning: all branches should be verified (nop operation)",
11178 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11180 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11181 BPF_LD_MAP_FD(BPF_REG_1, 0),
11182 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11183 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11184 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11185 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11186 BPF_MOV64_IMM(BPF_REG_4, 0),
11188 BPF_MOV64_IMM(BPF_REG_4, 1),
11189 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11190 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11191 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11193 BPF_MOV64_IMM(BPF_REG_6, 0),
11194 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11197 .fixup_map1 = { 3 },
11198 .errstr = "R6 invalid mem access 'inv'",
11200 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11203 "search pruning: all branches should be verified (invalid stack access)",
11205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11207 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11208 BPF_LD_MAP_FD(BPF_REG_1, 0),
11209 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11210 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11211 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11212 BPF_MOV64_IMM(BPF_REG_4, 0),
11213 BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11214 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11216 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11217 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11218 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11221 .fixup_map1 = { 3 },
11222 .errstr = "invalid read from stack off -16+0 size 8",
11224 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11227 "jit: lsh, rsh, arsh by 1",
11229 BPF_MOV64_IMM(BPF_REG_0, 1),
11230 BPF_MOV64_IMM(BPF_REG_1, 0xff),
11231 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11232 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11233 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11235 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11236 BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11237 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11239 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11240 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11242 BPF_MOV64_IMM(BPF_REG_0, 2),
11249 "jit: mov32 for ldimm64, 1",
11251 BPF_MOV64_IMM(BPF_REG_0, 2),
11252 BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11253 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11254 BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11255 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11256 BPF_MOV64_IMM(BPF_REG_0, 1),
11263 "jit: mov32 for ldimm64, 2",
11265 BPF_MOV64_IMM(BPF_REG_0, 1),
11266 BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11267 BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11268 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11269 BPF_MOV64_IMM(BPF_REG_0, 2),
11276 "jit: various mul tests",
11278 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11279 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11280 BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11281 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11282 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11283 BPF_MOV64_IMM(BPF_REG_0, 1),
11285 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11286 BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11287 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11288 BPF_MOV64_IMM(BPF_REG_0, 1),
11290 BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11291 BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11292 BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11293 BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11294 BPF_MOV64_IMM(BPF_REG_0, 1),
11296 BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11297 BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11298 BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11299 BPF_MOV64_IMM(BPF_REG_0, 1),
11301 BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11302 BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11303 BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11304 BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11305 BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11306 BPF_MOV64_IMM(BPF_REG_0, 1),
11308 BPF_MOV64_IMM(BPF_REG_0, 2),
11315 "xadd/w check unaligned stack",
11317 BPF_MOV64_IMM(BPF_REG_0, 1),
11318 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11319 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
11320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11324 .errstr = "misaligned stack access off",
11325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11328 "xadd/w check unaligned map",
11330 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11331 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11332 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11333 BPF_LD_MAP_FD(BPF_REG_1, 0),
11334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11335 BPF_FUNC_map_lookup_elem),
11336 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11338 BPF_MOV64_IMM(BPF_REG_1, 1),
11339 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
11340 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
11343 .fixup_map1 = { 3 },
11345 .errstr = "misaligned value access off",
11346 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
11349 "xadd/w check unaligned pkt",
11351 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11352 offsetof(struct xdp_md, data)),
11353 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11354 offsetof(struct xdp_md, data_end)),
11355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11357 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
11358 BPF_MOV64_IMM(BPF_REG_0, 99),
11359 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
11360 BPF_MOV64_IMM(BPF_REG_0, 1),
11361 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11362 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
11363 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
11364 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
11365 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
11369 .errstr = "BPF_XADD stores into R2 packet",
11370 .prog_type = BPF_PROG_TYPE_XDP,
11374 static int probe_filter_length(const struct bpf_insn *fp)
11378 for (len = MAX_INSNS - 1; len > 0; --len)
11379 if (fp[len].code != 0 || fp[len].imm != 0)
11384 static int create_map(uint32_t size_value, uint32_t max_elem)
11388 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
11389 size_value, max_elem, BPF_F_NO_PREALLOC);
11391 printf("Failed to create hash map '%s'!\n", strerror(errno));
11396 static int create_prog_dummy1(void)
11398 struct bpf_insn prog[] = {
11399 BPF_MOV64_IMM(BPF_REG_0, 42),
11403 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
11404 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
11407 static int create_prog_dummy2(int mfd, int idx)
11409 struct bpf_insn prog[] = {
11410 BPF_MOV64_IMM(BPF_REG_3, idx),
11411 BPF_LD_MAP_FD(BPF_REG_2, mfd),
11412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11413 BPF_FUNC_tail_call),
11414 BPF_MOV64_IMM(BPF_REG_0, 41),
11418 return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
11419 ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
11422 static int create_prog_array(void)
11424 int p1key = 0, p2key = 1;
11425 int mfd, p1fd, p2fd;
11427 mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
11428 sizeof(int), 4, 0);
11430 printf("Failed to create prog array '%s'!\n", strerror(errno));
11434 p1fd = create_prog_dummy1();
11435 p2fd = create_prog_dummy2(mfd, p2key);
11436 if (p1fd < 0 || p2fd < 0)
11438 if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
11440 if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
11453 static int create_map_in_map(void)
11455 int inner_map_fd, outer_map_fd;
11457 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
11458 sizeof(int), 1, 0);
11459 if (inner_map_fd < 0) {
11460 printf("Failed to create array '%s'!\n", strerror(errno));
11461 return inner_map_fd;
11464 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
11465 sizeof(int), inner_map_fd, 1, 0);
11466 if (outer_map_fd < 0)
11467 printf("Failed to create array of maps '%s'!\n",
11470 close(inner_map_fd);
11472 return outer_map_fd;
11475 static char bpf_vlog[32768];
11477 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
11480 int *fixup_map1 = test->fixup_map1;
11481 int *fixup_map2 = test->fixup_map2;
11482 int *fixup_prog = test->fixup_prog;
11483 int *fixup_map_in_map = test->fixup_map_in_map;
11485 /* Allocating HTs with 1 elem is fine here, since we only test
11486 * for verifier and not do a runtime lookup, so the only thing
11487 * that really matters is value size in this case.
11490 map_fds[0] = create_map(sizeof(long long), 1);
11492 prog[*fixup_map1].imm = map_fds[0];
11494 } while (*fixup_map1);
11498 map_fds[1] = create_map(sizeof(struct test_val), 1);
11500 prog[*fixup_map2].imm = map_fds[1];
11502 } while (*fixup_map2);
11506 map_fds[2] = create_prog_array();
11508 prog[*fixup_prog].imm = map_fds[2];
11510 } while (*fixup_prog);
11513 if (*fixup_map_in_map) {
11514 map_fds[3] = create_map_in_map();
11516 prog[*fixup_map_in_map].imm = map_fds[3];
11517 fixup_map_in_map++;
11518 } while (*fixup_map_in_map);
11522 static void do_test_single(struct bpf_test *test, bool unpriv,
11523 int *passes, int *errors)
11525 int fd_prog, expected_ret, reject_from_alignment;
11526 struct bpf_insn *prog = test->insns;
11527 int prog_len = probe_filter_length(prog);
11528 char data_in[TEST_DATA_LEN] = {};
11529 int prog_type = test->prog_type;
11530 int map_fds[MAX_NR_MAPS];
11531 const char *expected_err;
11535 for (i = 0; i < MAX_NR_MAPS; i++)
11538 do_test_fixup(test, prog, map_fds);
11540 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
11541 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
11542 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
11544 expected_ret = unpriv && test->result_unpriv != UNDEF ?
11545 test->result_unpriv : test->result;
11546 expected_err = unpriv && test->errstr_unpriv ?
11547 test->errstr_unpriv : test->errstr;
11549 reject_from_alignment = fd_prog < 0 &&
11550 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
11551 strstr(bpf_vlog, "Unknown alignment.");
11552 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
11553 if (reject_from_alignment) {
11554 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
11559 if (expected_ret == ACCEPT) {
11560 if (fd_prog < 0 && !reject_from_alignment) {
11561 printf("FAIL\nFailed to load prog '%s'!\n",
11566 if (fd_prog >= 0) {
11567 printf("FAIL\nUnexpected success to load!\n");
11570 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
11571 printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
11572 expected_err, bpf_vlog);
11577 if (fd_prog >= 0) {
11578 err = bpf_prog_test_run(fd_prog, 1, data_in, sizeof(data_in),
11579 NULL, NULL, &retval, NULL);
11580 if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
11581 printf("Unexpected bpf_prog_test_run error\n");
11584 if (!err && retval != test->retval &&
11585 test->retval != POINTER_VALUE) {
11586 printf("FAIL retval %d != %d\n", retval, test->retval);
11591 printf("OK%s\n", reject_from_alignment ?
11592 " (NOTE: reject due to unknown alignment)" : "");
11595 for (i = 0; i < MAX_NR_MAPS; i++)
11601 printf("%s", bpf_vlog);
11605 static bool is_admin(void)
11608 cap_flag_value_t sysadmin = CAP_CLEAR;
11609 const cap_value_t cap_val = CAP_SYS_ADMIN;
11611 #ifdef CAP_IS_SUPPORTED
11612 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
11613 perror("cap_get_flag");
11617 caps = cap_get_proc();
11619 perror("cap_get_proc");
11622 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
11623 perror("cap_get_flag");
11624 if (cap_free(caps))
11625 perror("cap_free");
11626 return (sysadmin == CAP_SET);
11629 static int set_admin(bool admin)
11632 const cap_value_t cap_val = CAP_SYS_ADMIN;
11635 caps = cap_get_proc();
11637 perror("cap_get_proc");
11640 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
11641 admin ? CAP_SET : CAP_CLEAR)) {
11642 perror("cap_set_flag");
11645 if (cap_set_proc(caps)) {
11646 perror("cap_set_proc");
11651 if (cap_free(caps))
11652 perror("cap_free");
11656 static void get_unpriv_disabled()
11661 fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
11662 if (fgets(buf, 2, fd) == buf && atoi(buf))
11663 unpriv_disabled = true;
11667 static int do_test(bool unpriv, unsigned int from, unsigned int to)
11669 int i, passes = 0, errors = 0, skips = 0;
11671 for (i = from; i < to; i++) {
11672 struct bpf_test *test = &tests[i];
11674 /* Program types that are not supported by non-root we
11677 if (!test->prog_type && unpriv_disabled) {
11678 printf("#%d/u %s SKIP\n", i, test->descr);
11680 } else if (!test->prog_type) {
11683 printf("#%d/u %s ", i, test->descr);
11684 do_test_single(test, true, &passes, &errors);
11690 printf("#%d/p %s SKIP\n", i, test->descr);
11693 printf("#%d/p %s ", i, test->descr);
11694 do_test_single(test, false, &passes, &errors);
11698 printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
11700 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
11703 int main(int argc, char **argv)
11705 unsigned int from = 0, to = ARRAY_SIZE(tests);
11706 bool unpriv = !is_admin();
11709 unsigned int l = atoi(argv[argc - 2]);
11710 unsigned int u = atoi(argv[argc - 1]);
11712 if (l < to && u < to) {
11716 } else if (argc == 2) {
11717 unsigned int t = atoi(argv[argc - 1]);
11725 get_unpriv_disabled();
11726 if (unpriv && unpriv_disabled) {
11727 printf("Cannot run as unprivileged user with sysctl %s.\n",
11729 return EXIT_FAILURE;
11732 return do_test(unpriv, from, to);
projects / linux-2.6-microblaze.git / blob