2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
12 #include <asm/types.h>
13 #include <linux/types.h>
24 #include <sys/capability.h>
25 #include <sys/resource.h>
27 #include <linux/unistd.h>
28 #include <linux/filter.h>
29 #include <linux/bpf_perf_event.h>
30 #include <linux/bpf.h>
35 # include "autoconf.h"
37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42 #include "../../../include/linux/filter.h"
45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
53 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
57 struct bpf_insn insns[MAX_INSNS];
58 int fixup_map1[MAX_FIXUPS];
59 int fixup_map2[MAX_FIXUPS];
60 int fixup_prog[MAX_FIXUPS];
61 int fixup_map_in_map[MAX_FIXUPS];
63 const char *errstr_unpriv;
68 } result, result_unpriv;
69 enum bpf_prog_type prog_type;
73 /* Note we want this to be 64 bit aligned so that the end of our array is
74 * actually the end of the structure.
76 #define MAX_ENTRIES 11
83 static struct bpf_test tests[] = {
87 BPF_MOV64_IMM(BPF_REG_1, 1),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
89 BPF_MOV64_IMM(BPF_REG_2, 3),
90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
104 .errstr = "unreachable",
110 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
111 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
114 .errstr = "unreachable",
120 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
123 .errstr = "jump out of range",
127 "out of range jump2",
129 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
132 .errstr = "jump out of range",
138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 0),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_LD_IMM64(BPF_REG_0, 1),
143 BPF_MOV64_IMM(BPF_REG_0, 2),
146 .errstr = "invalid BPF_LD_IMM insn",
147 .errstr_unpriv = "R1 pointer comparison",
153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 0),
156 BPF_LD_IMM64(BPF_REG_0, 1),
157 BPF_LD_IMM64(BPF_REG_0, 1),
160 .errstr = "invalid BPF_LD_IMM insn",
161 .errstr_unpriv = "R1 pointer comparison",
167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 0),
171 BPF_LD_IMM64(BPF_REG_0, 1),
172 BPF_LD_IMM64(BPF_REG_0, 1),
175 .errstr = "invalid bpf_ld_imm64 insn",
181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
184 .errstr = "invalid bpf_ld_imm64 insn",
190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
192 .errstr = "invalid bpf_ld_imm64 insn",
198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
199 BPF_RAW_INSN(0, 0, 0, 0, 0),
207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
208 BPF_RAW_INSN(0, 0, 0, 0, 1),
216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
217 BPF_RAW_INSN(0, 0, 0, 0, 1),
220 .errstr = "uses reserved fields",
226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
227 BPF_RAW_INSN(0, 0, 0, 1, 1),
230 .errstr = "invalid bpf_ld_imm64 insn",
236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
240 .errstr = "invalid bpf_ld_imm64 insn",
246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
250 .errstr = "invalid bpf_ld_imm64 insn",
256 BPF_MOV64_IMM(BPF_REG_1, 0),
257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
258 BPF_RAW_INSN(0, 0, 0, 0, 1),
261 .errstr = "not pointing to valid bpf_map",
267 BPF_MOV64_IMM(BPF_REG_1, 0),
268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
272 .errstr = "invalid bpf_ld_imm64 insn",
278 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
280 .errstr = "jump out of range",
286 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
289 .errstr = "back-edge",
295 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
296 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
297 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
298 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
301 .errstr = "back-edge",
307 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
309 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
310 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
313 .errstr = "back-edge",
317 "read uninitialized register",
319 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
322 .errstr = "R2 !read_ok",
326 "read invalid register",
328 BPF_MOV64_REG(BPF_REG_0, -1),
331 .errstr = "R15 is invalid",
335 "program doesn't init R0 before exit",
337 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
340 .errstr = "R0 !read_ok",
344 "program doesn't init R0 before exit in all branches",
346 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
347 BPF_MOV64_IMM(BPF_REG_0, 1),
348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
351 .errstr = "R0 !read_ok",
352 .errstr_unpriv = "R1 pointer comparison",
356 "stack out of bounds",
358 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
361 .errstr = "invalid stack",
365 "invalid call insn1",
367 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
370 .errstr = "BPF_CALL uses reserved",
374 "invalid call insn2",
376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
379 .errstr = "BPF_CALL uses reserved",
383 "invalid function call",
385 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
388 .errstr = "invalid func unknown#1234567",
392 "uninitialized stack1",
394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
396 BPF_LD_MAP_FD(BPF_REG_1, 0),
397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
398 BPF_FUNC_map_lookup_elem),
402 .errstr = "invalid indirect read from stack",
406 "uninitialized stack2",
408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
409 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
412 .errstr = "invalid read from stack",
416 "invalid fp arithmetic",
417 /* If this gets ever changed, make sure JITs can deal with it. */
419 BPF_MOV64_IMM(BPF_REG_0, 0),
420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
421 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
422 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
425 .errstr_unpriv = "R1 subtraction from stack pointer",
426 .result_unpriv = REJECT,
427 .errstr = "R1 invalid mem access",
431 "non-invalid fp arithmetic",
433 BPF_MOV64_IMM(BPF_REG_0, 0),
434 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
440 "invalid argument register",
442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
443 BPF_FUNC_get_cgroup_classid),
444 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
445 BPF_FUNC_get_cgroup_classid),
448 .errstr = "R1 !read_ok",
450 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
453 "non-invalid argument register",
455 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
457 BPF_FUNC_get_cgroup_classid),
458 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
459 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
460 BPF_FUNC_get_cgroup_classid),
464 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
467 "check valid spill/fill",
469 /* spill R1(ctx) into stack */
470 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
471 /* fill it back into R2 */
472 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
473 /* should be able to access R0 = *(R2 + 8) */
474 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
475 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
478 .errstr_unpriv = "R0 leaks addr",
480 .result_unpriv = REJECT,
483 "check valid spill/fill, skb mark",
485 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
486 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
488 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
489 offsetof(struct __sk_buff, mark)),
493 .result_unpriv = ACCEPT,
496 "check corrupted spill/fill",
498 /* spill R1(ctx) into stack */
499 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
500 /* mess up with R1 pointer on stack */
501 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
502 /* fill back into R0 should fail */
503 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
506 .errstr_unpriv = "attempt to corrupt spilled",
507 .errstr = "corrupted spill",
511 "invalid src register in STX",
513 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
516 .errstr = "R15 is invalid",
520 "invalid dst register in STX",
522 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
525 .errstr = "R14 is invalid",
529 "invalid dst register in ST",
531 BPF_ST_MEM(BPF_B, 14, -1, -1),
534 .errstr = "R14 is invalid",
538 "invalid src register in LDX",
540 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
543 .errstr = "R12 is invalid",
547 "invalid dst register in LDX",
549 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
552 .errstr = "R11 is invalid",
558 BPF_RAW_INSN(0, 0, 0, 0, 0),
561 .errstr = "invalid BPF_LD_IMM",
567 BPF_RAW_INSN(1, 0, 0, 0, 0),
570 .errstr = "BPF_LDX uses reserved fields",
576 BPF_RAW_INSN(-1, 0, 0, 0, 0),
579 .errstr = "invalid BPF_ALU opcode f0",
585 BPF_RAW_INSN(-1, -1, -1, -1, -1),
588 .errstr = "invalid BPF_ALU opcode f0",
594 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
597 .errstr = "BPF_ALU uses reserved fields",
601 "misaligned read from stack",
603 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
604 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
607 .errstr = "misaligned stack access",
609 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
612 "invalid map_fd for function call",
614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
615 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
616 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
617 BPF_LD_MAP_FD(BPF_REG_1, 0),
618 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
619 BPF_FUNC_map_delete_elem),
622 .errstr = "fd 0 is not pointing to valid bpf_map",
626 "don't check return value before access",
628 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
629 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
631 BPF_LD_MAP_FD(BPF_REG_1, 0),
632 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
633 BPF_FUNC_map_lookup_elem),
634 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
638 .errstr = "R0 invalid mem access 'map_value_or_null'",
642 "access memory with incorrect alignment",
644 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
645 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
646 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
647 BPF_LD_MAP_FD(BPF_REG_1, 0),
648 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
649 BPF_FUNC_map_lookup_elem),
650 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
651 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
655 .errstr = "misaligned value access",
657 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
660 "sometimes access memory with incorrect alignment",
662 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
663 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
665 BPF_LD_MAP_FD(BPF_REG_1, 0),
666 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
667 BPF_FUNC_map_lookup_elem),
668 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
669 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
671 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
675 .errstr = "R0 invalid mem access",
676 .errstr_unpriv = "R0 leaks addr",
678 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
683 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
684 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
686 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
688 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
689 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
690 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
692 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
693 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
694 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
695 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
696 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
697 BPF_MOV64_IMM(BPF_REG_0, 0),
700 .errstr_unpriv = "R1 pointer comparison",
701 .result_unpriv = REJECT,
707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
708 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
709 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
710 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
711 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
712 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
713 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
714 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
715 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
716 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
717 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
718 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
719 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
720 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
721 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
722 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
723 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
724 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
725 BPF_MOV64_IMM(BPF_REG_0, 0),
728 .errstr_unpriv = "R1 pointer comparison",
729 .result_unpriv = REJECT,
735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
736 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
737 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
739 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
741 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
743 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
744 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
745 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
746 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
747 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
751 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
752 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
753 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
755 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
756 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
757 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
758 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
759 BPF_LD_MAP_FD(BPF_REG_1, 0),
760 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
761 BPF_FUNC_map_delete_elem),
764 .fixup_map1 = { 24 },
765 .errstr_unpriv = "R1 pointer comparison",
766 .result_unpriv = REJECT,
772 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
774 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
776 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
778 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
779 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
780 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
782 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
784 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
787 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
790 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
792 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
794 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
795 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
796 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
798 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
799 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
800 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
801 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
802 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
804 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
805 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
807 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
808 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
812 BPF_MOV64_IMM(BPF_REG_0, 0),
815 .errstr_unpriv = "R1 pointer comparison",
816 .result_unpriv = REJECT,
822 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
823 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
824 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
825 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
826 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
827 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
828 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
829 BPF_MOV64_IMM(BPF_REG_0, 0),
830 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
831 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
832 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
833 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
834 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
835 BPF_MOV64_IMM(BPF_REG_0, 0),
836 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
837 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
838 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
839 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
840 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
841 BPF_MOV64_IMM(BPF_REG_0, 0),
842 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
843 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
844 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
845 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
846 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
847 BPF_MOV64_IMM(BPF_REG_0, 0),
848 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
849 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
850 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
851 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
852 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
853 BPF_MOV64_IMM(BPF_REG_0, 0),
856 .errstr_unpriv = "R1 pointer comparison",
857 .result_unpriv = REJECT,
861 "access skb fields ok",
863 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
864 offsetof(struct __sk_buff, len)),
865 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
866 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
867 offsetof(struct __sk_buff, mark)),
868 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
869 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
870 offsetof(struct __sk_buff, pkt_type)),
871 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
872 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
873 offsetof(struct __sk_buff, queue_mapping)),
874 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
875 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
876 offsetof(struct __sk_buff, protocol)),
877 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
878 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
879 offsetof(struct __sk_buff, vlan_present)),
880 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
881 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
882 offsetof(struct __sk_buff, vlan_tci)),
883 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
884 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
885 offsetof(struct __sk_buff, napi_id)),
886 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
892 "access skb fields bad1",
894 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
897 .errstr = "invalid bpf_context access",
901 "access skb fields bad2",
903 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
904 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
905 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
907 BPF_LD_MAP_FD(BPF_REG_1, 0),
908 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
909 BPF_FUNC_map_lookup_elem),
910 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
912 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
913 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
914 offsetof(struct __sk_buff, pkt_type)),
918 .errstr = "different pointers",
919 .errstr_unpriv = "R1 pointer comparison",
923 "access skb fields bad3",
925 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
926 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
927 offsetof(struct __sk_buff, pkt_type)),
929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
932 BPF_LD_MAP_FD(BPF_REG_1, 0),
933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
934 BPF_FUNC_map_lookup_elem),
935 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
937 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
938 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
941 .errstr = "different pointers",
942 .errstr_unpriv = "R1 pointer comparison",
946 "access skb fields bad4",
948 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
949 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
950 offsetof(struct __sk_buff, len)),
951 BPF_MOV64_IMM(BPF_REG_0, 0),
953 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
956 BPF_LD_MAP_FD(BPF_REG_1, 0),
957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
958 BPF_FUNC_map_lookup_elem),
959 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
961 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
962 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
965 .errstr = "different pointers",
966 .errstr_unpriv = "R1 pointer comparison",
970 "invalid access __sk_buff family",
972 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
973 offsetof(struct __sk_buff, family)),
976 .errstr = "invalid bpf_context access",
980 "invalid access __sk_buff remote_ip4",
982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
983 offsetof(struct __sk_buff, remote_ip4)),
986 .errstr = "invalid bpf_context access",
990 "invalid access __sk_buff local_ip4",
992 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
993 offsetof(struct __sk_buff, local_ip4)),
996 .errstr = "invalid bpf_context access",
1000 "invalid access __sk_buff remote_ip6",
1002 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1003 offsetof(struct __sk_buff, remote_ip6)),
1006 .errstr = "invalid bpf_context access",
1010 "invalid access __sk_buff local_ip6",
1012 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1013 offsetof(struct __sk_buff, local_ip6)),
1016 .errstr = "invalid bpf_context access",
1020 "invalid access __sk_buff remote_port",
1022 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1023 offsetof(struct __sk_buff, remote_port)),
1026 .errstr = "invalid bpf_context access",
1030 "invalid access __sk_buff remote_port",
1032 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1033 offsetof(struct __sk_buff, local_port)),
1036 .errstr = "invalid bpf_context access",
1040 "valid access __sk_buff family",
1042 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1043 offsetof(struct __sk_buff, family)),
1047 .prog_type = BPF_PROG_TYPE_SK_SKB,
1050 "valid access __sk_buff remote_ip4",
1052 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1053 offsetof(struct __sk_buff, remote_ip4)),
1057 .prog_type = BPF_PROG_TYPE_SK_SKB,
1060 "valid access __sk_buff local_ip4",
1062 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1063 offsetof(struct __sk_buff, local_ip4)),
1067 .prog_type = BPF_PROG_TYPE_SK_SKB,
1070 "valid access __sk_buff remote_ip6",
1072 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1073 offsetof(struct __sk_buff, remote_ip6[0])),
1074 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1075 offsetof(struct __sk_buff, remote_ip6[1])),
1076 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1077 offsetof(struct __sk_buff, remote_ip6[2])),
1078 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1079 offsetof(struct __sk_buff, remote_ip6[3])),
1083 .prog_type = BPF_PROG_TYPE_SK_SKB,
1086 "valid access __sk_buff local_ip6",
1088 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1089 offsetof(struct __sk_buff, local_ip6[0])),
1090 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1091 offsetof(struct __sk_buff, local_ip6[1])),
1092 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1093 offsetof(struct __sk_buff, local_ip6[2])),
1094 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1095 offsetof(struct __sk_buff, local_ip6[3])),
1099 .prog_type = BPF_PROG_TYPE_SK_SKB,
1102 "valid access __sk_buff remote_port",
1104 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1105 offsetof(struct __sk_buff, remote_port)),
1109 .prog_type = BPF_PROG_TYPE_SK_SKB,
1112 "valid access __sk_buff remote_port",
1114 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1115 offsetof(struct __sk_buff, local_port)),
1119 .prog_type = BPF_PROG_TYPE_SK_SKB,
1122 "invalid access of tc_classid for SK_SKB",
1124 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1125 offsetof(struct __sk_buff, tc_classid)),
1129 .prog_type = BPF_PROG_TYPE_SK_SKB,
1130 .errstr = "invalid bpf_context access",
1133 "invalid access of skb->mark for SK_SKB",
1135 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1136 offsetof(struct __sk_buff, mark)),
1140 .prog_type = BPF_PROG_TYPE_SK_SKB,
1141 .errstr = "invalid bpf_context access",
1144 "check skb->mark is not writeable by SK_SKB",
1146 BPF_MOV64_IMM(BPF_REG_0, 0),
1147 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1148 offsetof(struct __sk_buff, mark)),
1152 .prog_type = BPF_PROG_TYPE_SK_SKB,
1153 .errstr = "invalid bpf_context access",
1156 "check skb->tc_index is writeable by SK_SKB",
1158 BPF_MOV64_IMM(BPF_REG_0, 0),
1159 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1160 offsetof(struct __sk_buff, tc_index)),
1164 .prog_type = BPF_PROG_TYPE_SK_SKB,
1167 "check skb->priority is writeable by SK_SKB",
1169 BPF_MOV64_IMM(BPF_REG_0, 0),
1170 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1171 offsetof(struct __sk_buff, priority)),
1175 .prog_type = BPF_PROG_TYPE_SK_SKB,
1178 "direct packet read for SK_SKB",
1180 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1181 offsetof(struct __sk_buff, data)),
1182 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1183 offsetof(struct __sk_buff, data_end)),
1184 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1186 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1187 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1188 BPF_MOV64_IMM(BPF_REG_0, 0),
1192 .prog_type = BPF_PROG_TYPE_SK_SKB,
1195 "direct packet write for SK_SKB",
1197 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1198 offsetof(struct __sk_buff, data)),
1199 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1200 offsetof(struct __sk_buff, data_end)),
1201 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1202 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1203 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1204 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1205 BPF_MOV64_IMM(BPF_REG_0, 0),
1209 .prog_type = BPF_PROG_TYPE_SK_SKB,
1212 "overlapping checks for direct packet access SK_SKB",
1214 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1215 offsetof(struct __sk_buff, data)),
1216 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1217 offsetof(struct __sk_buff, data_end)),
1218 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1220 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1221 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1223 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1224 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1225 BPF_MOV64_IMM(BPF_REG_0, 0),
1229 .prog_type = BPF_PROG_TYPE_SK_SKB,
1232 "check skb->mark is not writeable by sockets",
1234 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1235 offsetof(struct __sk_buff, mark)),
1238 .errstr = "invalid bpf_context access",
1239 .errstr_unpriv = "R1 leaks addr",
1243 "check skb->tc_index is not writeable by sockets",
1245 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1246 offsetof(struct __sk_buff, tc_index)),
1249 .errstr = "invalid bpf_context access",
1250 .errstr_unpriv = "R1 leaks addr",
1254 "check cb access: byte",
1256 BPF_MOV64_IMM(BPF_REG_0, 0),
1257 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1258 offsetof(struct __sk_buff, cb[0])),
1259 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1260 offsetof(struct __sk_buff, cb[0]) + 1),
1261 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1262 offsetof(struct __sk_buff, cb[0]) + 2),
1263 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1264 offsetof(struct __sk_buff, cb[0]) + 3),
1265 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1266 offsetof(struct __sk_buff, cb[1])),
1267 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1268 offsetof(struct __sk_buff, cb[1]) + 1),
1269 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1270 offsetof(struct __sk_buff, cb[1]) + 2),
1271 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1272 offsetof(struct __sk_buff, cb[1]) + 3),
1273 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1274 offsetof(struct __sk_buff, cb[2])),
1275 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1276 offsetof(struct __sk_buff, cb[2]) + 1),
1277 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1278 offsetof(struct __sk_buff, cb[2]) + 2),
1279 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1280 offsetof(struct __sk_buff, cb[2]) + 3),
1281 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1282 offsetof(struct __sk_buff, cb[3])),
1283 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1284 offsetof(struct __sk_buff, cb[3]) + 1),
1285 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1286 offsetof(struct __sk_buff, cb[3]) + 2),
1287 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1288 offsetof(struct __sk_buff, cb[3]) + 3),
1289 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1290 offsetof(struct __sk_buff, cb[4])),
1291 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1292 offsetof(struct __sk_buff, cb[4]) + 1),
1293 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1294 offsetof(struct __sk_buff, cb[4]) + 2),
1295 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1296 offsetof(struct __sk_buff, cb[4]) + 3),
1297 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1298 offsetof(struct __sk_buff, cb[0])),
1299 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1300 offsetof(struct __sk_buff, cb[0]) + 1),
1301 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1302 offsetof(struct __sk_buff, cb[0]) + 2),
1303 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1304 offsetof(struct __sk_buff, cb[0]) + 3),
1305 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1306 offsetof(struct __sk_buff, cb[1])),
1307 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1308 offsetof(struct __sk_buff, cb[1]) + 1),
1309 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1310 offsetof(struct __sk_buff, cb[1]) + 2),
1311 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1312 offsetof(struct __sk_buff, cb[1]) + 3),
1313 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1314 offsetof(struct __sk_buff, cb[2])),
1315 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1316 offsetof(struct __sk_buff, cb[2]) + 1),
1317 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1318 offsetof(struct __sk_buff, cb[2]) + 2),
1319 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1320 offsetof(struct __sk_buff, cb[2]) + 3),
1321 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1322 offsetof(struct __sk_buff, cb[3])),
1323 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1324 offsetof(struct __sk_buff, cb[3]) + 1),
1325 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1326 offsetof(struct __sk_buff, cb[3]) + 2),
1327 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1328 offsetof(struct __sk_buff, cb[3]) + 3),
1329 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1330 offsetof(struct __sk_buff, cb[4])),
1331 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1332 offsetof(struct __sk_buff, cb[4]) + 1),
1333 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1334 offsetof(struct __sk_buff, cb[4]) + 2),
1335 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1336 offsetof(struct __sk_buff, cb[4]) + 3),
1342 "__sk_buff->hash, offset 0, byte store not permitted",
1344 BPF_MOV64_IMM(BPF_REG_0, 0),
1345 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1346 offsetof(struct __sk_buff, hash)),
1349 .errstr = "invalid bpf_context access",
1353 "__sk_buff->tc_index, offset 3, byte store not permitted",
1355 BPF_MOV64_IMM(BPF_REG_0, 0),
1356 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1357 offsetof(struct __sk_buff, tc_index) + 3),
1360 .errstr = "invalid bpf_context access",
1364 "check skb->hash byte load permitted",
1366 BPF_MOV64_IMM(BPF_REG_0, 0),
1367 #if __BYTE_ORDER == __LITTLE_ENDIAN
1368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, hash)),
1371 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1372 offsetof(struct __sk_buff, hash) + 3),
1379 "check skb->hash byte load not permitted 1",
1381 BPF_MOV64_IMM(BPF_REG_0, 0),
1382 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1383 offsetof(struct __sk_buff, hash) + 1),
1386 .errstr = "invalid bpf_context access",
1390 "check skb->hash byte load not permitted 2",
1392 BPF_MOV64_IMM(BPF_REG_0, 0),
1393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1394 offsetof(struct __sk_buff, hash) + 2),
1397 .errstr = "invalid bpf_context access",
1401 "check skb->hash byte load not permitted 3",
1403 BPF_MOV64_IMM(BPF_REG_0, 0),
1404 #if __BYTE_ORDER == __LITTLE_ENDIAN
1405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1406 offsetof(struct __sk_buff, hash) + 3),
1408 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1409 offsetof(struct __sk_buff, hash)),
1413 .errstr = "invalid bpf_context access",
1417 "check cb access: byte, wrong type",
1419 BPF_MOV64_IMM(BPF_REG_0, 0),
1420 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1421 offsetof(struct __sk_buff, cb[0])),
1424 .errstr = "invalid bpf_context access",
1426 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1429 "check cb access: half",
1431 BPF_MOV64_IMM(BPF_REG_0, 0),
1432 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1433 offsetof(struct __sk_buff, cb[0])),
1434 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1435 offsetof(struct __sk_buff, cb[0]) + 2),
1436 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1437 offsetof(struct __sk_buff, cb[1])),
1438 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1439 offsetof(struct __sk_buff, cb[1]) + 2),
1440 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1441 offsetof(struct __sk_buff, cb[2])),
1442 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1443 offsetof(struct __sk_buff, cb[2]) + 2),
1444 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1445 offsetof(struct __sk_buff, cb[3])),
1446 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1447 offsetof(struct __sk_buff, cb[3]) + 2),
1448 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1449 offsetof(struct __sk_buff, cb[4])),
1450 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1451 offsetof(struct __sk_buff, cb[4]) + 2),
1452 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1453 offsetof(struct __sk_buff, cb[0])),
1454 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1455 offsetof(struct __sk_buff, cb[0]) + 2),
1456 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1457 offsetof(struct __sk_buff, cb[1])),
1458 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1459 offsetof(struct __sk_buff, cb[1]) + 2),
1460 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1461 offsetof(struct __sk_buff, cb[2])),
1462 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1463 offsetof(struct __sk_buff, cb[2]) + 2),
1464 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1465 offsetof(struct __sk_buff, cb[3])),
1466 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1467 offsetof(struct __sk_buff, cb[3]) + 2),
1468 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1469 offsetof(struct __sk_buff, cb[4])),
1470 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1471 offsetof(struct __sk_buff, cb[4]) + 2),
1477 "check cb access: half, unaligned",
1479 BPF_MOV64_IMM(BPF_REG_0, 0),
1480 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1481 offsetof(struct __sk_buff, cb[0]) + 1),
1484 .errstr = "misaligned context access",
1486 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1489 "check __sk_buff->hash, offset 0, half store not permitted",
1491 BPF_MOV64_IMM(BPF_REG_0, 0),
1492 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1493 offsetof(struct __sk_buff, hash)),
1496 .errstr = "invalid bpf_context access",
1500 "check __sk_buff->tc_index, offset 2, half store not permitted",
1502 BPF_MOV64_IMM(BPF_REG_0, 0),
1503 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1504 offsetof(struct __sk_buff, tc_index) + 2),
1507 .errstr = "invalid bpf_context access",
1511 "check skb->hash half load permitted",
1513 BPF_MOV64_IMM(BPF_REG_0, 0),
1514 #if __BYTE_ORDER == __LITTLE_ENDIAN
1515 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1516 offsetof(struct __sk_buff, hash)),
1518 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1519 offsetof(struct __sk_buff, hash) + 2),
1526 "check skb->hash half load not permitted",
1528 BPF_MOV64_IMM(BPF_REG_0, 0),
1529 #if __BYTE_ORDER == __LITTLE_ENDIAN
1530 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1531 offsetof(struct __sk_buff, hash) + 2),
1533 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1534 offsetof(struct __sk_buff, hash)),
1538 .errstr = "invalid bpf_context access",
1542 "check cb access: half, wrong type",
1544 BPF_MOV64_IMM(BPF_REG_0, 0),
1545 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1546 offsetof(struct __sk_buff, cb[0])),
1549 .errstr = "invalid bpf_context access",
1551 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1554 "check cb access: word",
1556 BPF_MOV64_IMM(BPF_REG_0, 0),
1557 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1558 offsetof(struct __sk_buff, cb[0])),
1559 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1560 offsetof(struct __sk_buff, cb[1])),
1561 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1562 offsetof(struct __sk_buff, cb[2])),
1563 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1564 offsetof(struct __sk_buff, cb[3])),
1565 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1566 offsetof(struct __sk_buff, cb[4])),
1567 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1568 offsetof(struct __sk_buff, cb[0])),
1569 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 offsetof(struct __sk_buff, cb[1])),
1571 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 offsetof(struct __sk_buff, cb[2])),
1573 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 offsetof(struct __sk_buff, cb[3])),
1575 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 offsetof(struct __sk_buff, cb[4])),
1582 "check cb access: word, unaligned 1",
1584 BPF_MOV64_IMM(BPF_REG_0, 0),
1585 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1586 offsetof(struct __sk_buff, cb[0]) + 2),
1589 .errstr = "misaligned context access",
1591 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1594 "check cb access: word, unaligned 2",
1596 BPF_MOV64_IMM(BPF_REG_0, 0),
1597 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1598 offsetof(struct __sk_buff, cb[4]) + 1),
1601 .errstr = "misaligned context access",
1603 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1606 "check cb access: word, unaligned 3",
1608 BPF_MOV64_IMM(BPF_REG_0, 0),
1609 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1610 offsetof(struct __sk_buff, cb[4]) + 2),
1613 .errstr = "misaligned context access",
1615 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1618 "check cb access: word, unaligned 4",
1620 BPF_MOV64_IMM(BPF_REG_0, 0),
1621 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1622 offsetof(struct __sk_buff, cb[4]) + 3),
1625 .errstr = "misaligned context access",
1627 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1630 "check cb access: double",
1632 BPF_MOV64_IMM(BPF_REG_0, 0),
1633 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1634 offsetof(struct __sk_buff, cb[0])),
1635 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1636 offsetof(struct __sk_buff, cb[2])),
1637 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1638 offsetof(struct __sk_buff, cb[0])),
1639 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1640 offsetof(struct __sk_buff, cb[2])),
1646 "check cb access: double, unaligned 1",
1648 BPF_MOV64_IMM(BPF_REG_0, 0),
1649 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1650 offsetof(struct __sk_buff, cb[1])),
1653 .errstr = "misaligned context access",
1655 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1658 "check cb access: double, unaligned 2",
1660 BPF_MOV64_IMM(BPF_REG_0, 0),
1661 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1662 offsetof(struct __sk_buff, cb[3])),
1665 .errstr = "misaligned context access",
1667 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1670 "check cb access: double, oob 1",
1672 BPF_MOV64_IMM(BPF_REG_0, 0),
1673 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1674 offsetof(struct __sk_buff, cb[4])),
1677 .errstr = "invalid bpf_context access",
1681 "check cb access: double, oob 2",
1683 BPF_MOV64_IMM(BPF_REG_0, 0),
1684 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1685 offsetof(struct __sk_buff, cb[4])),
1688 .errstr = "invalid bpf_context access",
1692 "check __sk_buff->ifindex dw store not permitted",
1694 BPF_MOV64_IMM(BPF_REG_0, 0),
1695 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1696 offsetof(struct __sk_buff, ifindex)),
1699 .errstr = "invalid bpf_context access",
1703 "check __sk_buff->ifindex dw load not permitted",
1705 BPF_MOV64_IMM(BPF_REG_0, 0),
1706 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1707 offsetof(struct __sk_buff, ifindex)),
1710 .errstr = "invalid bpf_context access",
1714 "check cb access: double, wrong type",
1716 BPF_MOV64_IMM(BPF_REG_0, 0),
1717 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1718 offsetof(struct __sk_buff, cb[0])),
1721 .errstr = "invalid bpf_context access",
1723 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1726 "check out of range skb->cb access",
1728 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1729 offsetof(struct __sk_buff, cb[0]) + 256),
1732 .errstr = "invalid bpf_context access",
1733 .errstr_unpriv = "",
1735 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1738 "write skb fields from socket prog",
1740 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1741 offsetof(struct __sk_buff, cb[4])),
1742 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct __sk_buff, mark)),
1745 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 offsetof(struct __sk_buff, tc_index)),
1747 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1748 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1749 offsetof(struct __sk_buff, cb[0])),
1750 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1751 offsetof(struct __sk_buff, cb[2])),
1755 .errstr_unpriv = "R1 leaks addr",
1756 .result_unpriv = REJECT,
1759 "write skb fields from tc_cls_act prog",
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 offsetof(struct __sk_buff, cb[0])),
1763 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1764 offsetof(struct __sk_buff, mark)),
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct __sk_buff, tc_index)),
1767 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1768 offsetof(struct __sk_buff, tc_index)),
1769 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1770 offsetof(struct __sk_buff, cb[3])),
1773 .errstr_unpriv = "",
1774 .result_unpriv = REJECT,
1776 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1779 "PTR_TO_STACK store/load",
1781 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1782 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1783 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1784 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1790 "PTR_TO_STACK store/load - bad alignment on off",
1792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1794 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1795 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1799 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
1800 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1803 "PTR_TO_STACK store/load - bad alignment on reg",
1805 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1807 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1808 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1812 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
1813 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1816 "PTR_TO_STACK store/load - out of bounds low",
1818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1820 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1821 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1825 .errstr = "invalid stack off=-79992 size=8",
1828 "PTR_TO_STACK store/load - out of bounds high",
1830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1831 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1832 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1833 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1837 .errstr = "invalid stack off=0 size=8",
1840 "unpriv: return pointer",
1842 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1846 .result_unpriv = REJECT,
1847 .errstr_unpriv = "R0 leaks addr",
1850 "unpriv: add const to pointer",
1852 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1853 BPF_MOV64_IMM(BPF_REG_0, 0),
1859 "unpriv: add pointer to pointer",
1861 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1862 BPF_MOV64_IMM(BPF_REG_0, 0),
1866 .result_unpriv = REJECT,
1867 .errstr_unpriv = "R1 pointer += pointer",
1870 "unpriv: neg pointer",
1872 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1873 BPF_MOV64_IMM(BPF_REG_0, 0),
1877 .result_unpriv = REJECT,
1878 .errstr_unpriv = "R1 pointer arithmetic",
1881 "unpriv: cmp pointer with const",
1883 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1884 BPF_MOV64_IMM(BPF_REG_0, 0),
1888 .result_unpriv = REJECT,
1889 .errstr_unpriv = "R1 pointer comparison",
1892 "unpriv: cmp pointer with pointer",
1894 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1895 BPF_MOV64_IMM(BPF_REG_0, 0),
1899 .result_unpriv = REJECT,
1900 .errstr_unpriv = "R10 pointer comparison",
1903 "unpriv: check that printk is disallowed",
1905 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1908 BPF_MOV64_IMM(BPF_REG_2, 8),
1909 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1910 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1911 BPF_FUNC_trace_printk),
1912 BPF_MOV64_IMM(BPF_REG_0, 0),
1915 .errstr_unpriv = "unknown func bpf_trace_printk#6",
1916 .result_unpriv = REJECT,
1920 "unpriv: pass pointer to helper function",
1922 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1923 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1925 BPF_LD_MAP_FD(BPF_REG_1, 0),
1926 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1927 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1928 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1929 BPF_FUNC_map_update_elem),
1930 BPF_MOV64_IMM(BPF_REG_0, 0),
1933 .fixup_map1 = { 3 },
1934 .errstr_unpriv = "R4 leaks addr",
1935 .result_unpriv = REJECT,
1939 "unpriv: indirectly pass pointer on stack to helper function",
1941 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1944 BPF_LD_MAP_FD(BPF_REG_1, 0),
1945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1946 BPF_FUNC_map_lookup_elem),
1947 BPF_MOV64_IMM(BPF_REG_0, 0),
1950 .fixup_map1 = { 3 },
1951 .errstr = "invalid indirect read from stack off -8+0 size 8",
1955 "unpriv: mangle pointer on stack 1",
1957 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1958 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1959 BPF_MOV64_IMM(BPF_REG_0, 0),
1962 .errstr_unpriv = "attempt to corrupt spilled",
1963 .result_unpriv = REJECT,
1967 "unpriv: mangle pointer on stack 2",
1969 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1970 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1971 BPF_MOV64_IMM(BPF_REG_0, 0),
1974 .errstr_unpriv = "attempt to corrupt spilled",
1975 .result_unpriv = REJECT,
1979 "unpriv: read pointer from stack in small chunks",
1981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1982 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1983 BPF_MOV64_IMM(BPF_REG_0, 0),
1986 .errstr = "invalid size",
1990 "unpriv: write pointer into ctx",
1992 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1993 BPF_MOV64_IMM(BPF_REG_0, 0),
1996 .errstr_unpriv = "R1 leaks addr",
1997 .result_unpriv = REJECT,
1998 .errstr = "invalid bpf_context access",
2002 "unpriv: spill/fill of ctx",
2004 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2006 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2007 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2008 BPF_MOV64_IMM(BPF_REG_0, 0),
2014 "unpriv: spill/fill of ctx 2",
2016 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2018 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2019 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2021 BPF_FUNC_get_hash_recalc),
2025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2028 "unpriv: spill/fill of ctx 3",
2030 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2032 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2033 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2034 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2035 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2036 BPF_FUNC_get_hash_recalc),
2040 .errstr = "R1 type=fp expected=ctx",
2041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2044 "unpriv: spill/fill of ctx 4",
2046 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2047 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2048 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2049 BPF_MOV64_IMM(BPF_REG_0, 1),
2050 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2052 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2053 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2054 BPF_FUNC_get_hash_recalc),
2058 .errstr = "R1 type=inv expected=ctx",
2059 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2062 "unpriv: spill/fill of different pointers stx",
2064 BPF_MOV64_IMM(BPF_REG_3, 42),
2065 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2067 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2068 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2069 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2070 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2071 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2072 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2073 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2074 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2075 offsetof(struct __sk_buff, mark)),
2076 BPF_MOV64_IMM(BPF_REG_0, 0),
2080 .errstr = "same insn cannot be used with different pointers",
2081 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2084 "unpriv: spill/fill of different pointers ldx",
2086 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2088 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2089 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2090 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2091 -(__s32)offsetof(struct bpf_perf_event_data,
2092 sample_period) - 8),
2093 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2094 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2095 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2096 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2097 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2098 offsetof(struct bpf_perf_event_data,
2100 BPF_MOV64_IMM(BPF_REG_0, 0),
2104 .errstr = "same insn cannot be used with different pointers",
2105 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2108 "unpriv: write pointer into map elem value",
2110 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2111 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2113 BPF_LD_MAP_FD(BPF_REG_1, 0),
2114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2115 BPF_FUNC_map_lookup_elem),
2116 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2117 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2120 .fixup_map1 = { 3 },
2121 .errstr_unpriv = "R0 leaks addr",
2122 .result_unpriv = REJECT,
2126 "unpriv: partial copy of pointer",
2128 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2129 BPF_MOV64_IMM(BPF_REG_0, 0),
2132 .errstr_unpriv = "R10 partial copy",
2133 .result_unpriv = REJECT,
2137 "unpriv: pass pointer to tail_call",
2139 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2140 BPF_LD_MAP_FD(BPF_REG_2, 0),
2141 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2142 BPF_FUNC_tail_call),
2143 BPF_MOV64_IMM(BPF_REG_0, 0),
2146 .fixup_prog = { 1 },
2147 .errstr_unpriv = "R3 leaks addr into helper",
2148 .result_unpriv = REJECT,
2152 "unpriv: cmp map pointer with zero",
2154 BPF_MOV64_IMM(BPF_REG_1, 0),
2155 BPF_LD_MAP_FD(BPF_REG_1, 0),
2156 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2157 BPF_MOV64_IMM(BPF_REG_0, 0),
2160 .fixup_map1 = { 1 },
2161 .errstr_unpriv = "R1 pointer comparison",
2162 .result_unpriv = REJECT,
2166 "unpriv: write into frame pointer",
2168 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2169 BPF_MOV64_IMM(BPF_REG_0, 0),
2172 .errstr = "frame pointer is read only",
2176 "unpriv: spill/fill frame pointer",
2178 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2179 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2180 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2181 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2182 BPF_MOV64_IMM(BPF_REG_0, 0),
2185 .errstr = "frame pointer is read only",
2189 "unpriv: cmp of frame pointer",
2191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2192 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 .errstr_unpriv = "R10 pointer comparison",
2196 .result_unpriv = REJECT,
2200 "unpriv: adding of fp",
2202 BPF_MOV64_IMM(BPF_REG_0, 0),
2203 BPF_MOV64_IMM(BPF_REG_1, 0),
2204 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2205 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2211 "unpriv: cmp of stack pointer",
2213 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2215 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2216 BPF_MOV64_IMM(BPF_REG_0, 0),
2219 .errstr_unpriv = "R2 pointer comparison",
2220 .result_unpriv = REJECT,
2224 "stack pointer arithmetic",
2226 BPF_MOV64_IMM(BPF_REG_1, 4),
2227 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2228 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2230 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2231 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2232 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2233 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2234 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2236 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2237 BPF_MOV64_IMM(BPF_REG_0, 0),
2243 "raw_stack: no skb_load_bytes",
2245 BPF_MOV64_IMM(BPF_REG_2, 4),
2246 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2247 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2248 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2249 BPF_MOV64_IMM(BPF_REG_4, 8),
2250 /* Call to skb_load_bytes() omitted. */
2251 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2255 .errstr = "invalid read from stack off -8+0 size 8",
2256 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2259 "raw_stack: skb_load_bytes, negative len",
2261 BPF_MOV64_IMM(BPF_REG_2, 4),
2262 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2263 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2264 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2265 BPF_MOV64_IMM(BPF_REG_4, -8),
2266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2267 BPF_FUNC_skb_load_bytes),
2268 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2272 .errstr = "R4 min value is negative",
2273 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2276 "raw_stack: skb_load_bytes, negative len 2",
2278 BPF_MOV64_IMM(BPF_REG_2, 4),
2279 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2281 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2282 BPF_MOV64_IMM(BPF_REG_4, ~0),
2283 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2284 BPF_FUNC_skb_load_bytes),
2285 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2289 .errstr = "R4 min value is negative",
2290 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2293 "raw_stack: skb_load_bytes, zero len",
2295 BPF_MOV64_IMM(BPF_REG_2, 4),
2296 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2298 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2299 BPF_MOV64_IMM(BPF_REG_4, 0),
2300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2301 BPF_FUNC_skb_load_bytes),
2302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2306 .errstr = "invalid stack type R3",
2307 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2310 "raw_stack: skb_load_bytes, no init",
2312 BPF_MOV64_IMM(BPF_REG_2, 4),
2313 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2314 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2315 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2316 BPF_MOV64_IMM(BPF_REG_4, 8),
2317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2318 BPF_FUNC_skb_load_bytes),
2319 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2323 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2326 "raw_stack: skb_load_bytes, init",
2328 BPF_MOV64_IMM(BPF_REG_2, 4),
2329 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2330 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2331 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2332 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2333 BPF_MOV64_IMM(BPF_REG_4, 8),
2334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2335 BPF_FUNC_skb_load_bytes),
2336 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2340 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2343 "raw_stack: skb_load_bytes, spilled regs around bounds",
2345 BPF_MOV64_IMM(BPF_REG_2, 4),
2346 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2348 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2349 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2351 BPF_MOV64_IMM(BPF_REG_4, 8),
2352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2353 BPF_FUNC_skb_load_bytes),
2354 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2355 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2356 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2357 offsetof(struct __sk_buff, mark)),
2358 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2359 offsetof(struct __sk_buff, priority)),
2360 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2364 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2367 "raw_stack: skb_load_bytes, spilled regs corruption",
2369 BPF_MOV64_IMM(BPF_REG_2, 4),
2370 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2371 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2372 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2373 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2374 BPF_MOV64_IMM(BPF_REG_4, 8),
2375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2376 BPF_FUNC_skb_load_bytes),
2377 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2378 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2379 offsetof(struct __sk_buff, mark)),
2383 .errstr = "R0 invalid mem access 'inv'",
2384 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2387 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2389 BPF_MOV64_IMM(BPF_REG_2, 4),
2390 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2391 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2392 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2393 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2394 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2395 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2396 BPF_MOV64_IMM(BPF_REG_4, 8),
2397 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2398 BPF_FUNC_skb_load_bytes),
2399 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2400 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2401 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2402 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2403 offsetof(struct __sk_buff, mark)),
2404 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2405 offsetof(struct __sk_buff, priority)),
2406 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2407 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2408 offsetof(struct __sk_buff, pkt_type)),
2409 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2413 .errstr = "R3 invalid mem access 'inv'",
2414 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2417 "raw_stack: skb_load_bytes, spilled regs + data",
2419 BPF_MOV64_IMM(BPF_REG_2, 4),
2420 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2421 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2422 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2423 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2424 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2425 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2426 BPF_MOV64_IMM(BPF_REG_4, 8),
2427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2428 BPF_FUNC_skb_load_bytes),
2429 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2430 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2431 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2432 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2433 offsetof(struct __sk_buff, mark)),
2434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2435 offsetof(struct __sk_buff, priority)),
2436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2437 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2441 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2444 "raw_stack: skb_load_bytes, invalid access 1",
2446 BPF_MOV64_IMM(BPF_REG_2, 4),
2447 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2448 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2449 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2450 BPF_MOV64_IMM(BPF_REG_4, 8),
2451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2452 BPF_FUNC_skb_load_bytes),
2453 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2457 .errstr = "invalid stack type R3 off=-513 access_size=8",
2458 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2461 "raw_stack: skb_load_bytes, invalid access 2",
2463 BPF_MOV64_IMM(BPF_REG_2, 4),
2464 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2466 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2467 BPF_MOV64_IMM(BPF_REG_4, 8),
2468 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2469 BPF_FUNC_skb_load_bytes),
2470 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2474 .errstr = "invalid stack type R3 off=-1 access_size=8",
2475 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2478 "raw_stack: skb_load_bytes, invalid access 3",
2480 BPF_MOV64_IMM(BPF_REG_2, 4),
2481 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2482 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2483 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2484 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2485 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2486 BPF_FUNC_skb_load_bytes),
2487 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2491 .errstr = "R4 min value is negative",
2492 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2495 "raw_stack: skb_load_bytes, invalid access 4",
2497 BPF_MOV64_IMM(BPF_REG_2, 4),
2498 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2499 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2500 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2501 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2502 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2503 BPF_FUNC_skb_load_bytes),
2504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2508 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2509 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2512 "raw_stack: skb_load_bytes, invalid access 5",
2514 BPF_MOV64_IMM(BPF_REG_2, 4),
2515 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2517 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2518 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2520 BPF_FUNC_skb_load_bytes),
2521 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2525 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2526 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2529 "raw_stack: skb_load_bytes, invalid access 6",
2531 BPF_MOV64_IMM(BPF_REG_2, 4),
2532 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2534 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2535 BPF_MOV64_IMM(BPF_REG_4, 0),
2536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2537 BPF_FUNC_skb_load_bytes),
2538 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2542 .errstr = "invalid stack type R3 off=-512 access_size=0",
2543 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2546 "raw_stack: skb_load_bytes, large access",
2548 BPF_MOV64_IMM(BPF_REG_2, 4),
2549 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2550 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2551 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2552 BPF_MOV64_IMM(BPF_REG_4, 512),
2553 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554 BPF_FUNC_skb_load_bytes),
2555 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2559 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2562 "direct packet access: test1",
2564 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2565 offsetof(struct __sk_buff, data)),
2566 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2567 offsetof(struct __sk_buff, data_end)),
2568 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2569 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2570 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2571 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2572 BPF_MOV64_IMM(BPF_REG_0, 0),
2576 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2579 "direct packet access: test2",
2581 BPF_MOV64_IMM(BPF_REG_0, 1),
2582 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2583 offsetof(struct __sk_buff, data_end)),
2584 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2585 offsetof(struct __sk_buff, data)),
2586 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2588 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2589 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2590 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2591 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2592 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2593 offsetof(struct __sk_buff, data)),
2594 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2595 BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2596 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2597 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
2598 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2599 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2600 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2601 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2602 offsetof(struct __sk_buff, data_end)),
2603 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2604 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2605 BPF_MOV64_IMM(BPF_REG_0, 0),
2609 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2612 "direct packet access: test3",
2614 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2615 offsetof(struct __sk_buff, data)),
2616 BPF_MOV64_IMM(BPF_REG_0, 0),
2619 .errstr = "invalid bpf_context access off=76",
2621 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2624 "direct packet access: test4 (write)",
2626 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2627 offsetof(struct __sk_buff, data)),
2628 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2629 offsetof(struct __sk_buff, data_end)),
2630 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2632 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2633 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2634 BPF_MOV64_IMM(BPF_REG_0, 0),
2638 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2641 "direct packet access: test5 (pkt_end >= reg, good access)",
2643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2644 offsetof(struct __sk_buff, data)),
2645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2646 offsetof(struct __sk_buff, data_end)),
2647 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2649 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2650 BPF_MOV64_IMM(BPF_REG_0, 1),
2652 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2653 BPF_MOV64_IMM(BPF_REG_0, 0),
2657 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2660 "direct packet access: test6 (pkt_end >= reg, bad access)",
2662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2663 offsetof(struct __sk_buff, data)),
2664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2665 offsetof(struct __sk_buff, data_end)),
2666 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2668 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2670 BPF_MOV64_IMM(BPF_REG_0, 1),
2672 BPF_MOV64_IMM(BPF_REG_0, 0),
2675 .errstr = "invalid access to packet",
2677 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2680 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2682 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2683 offsetof(struct __sk_buff, data)),
2684 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2685 offsetof(struct __sk_buff, data_end)),
2686 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2688 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2689 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2690 BPF_MOV64_IMM(BPF_REG_0, 1),
2692 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2693 BPF_MOV64_IMM(BPF_REG_0, 0),
2696 .errstr = "invalid access to packet",
2698 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2701 "direct packet access: test8 (double test, variant 1)",
2703 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2704 offsetof(struct __sk_buff, data)),
2705 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2706 offsetof(struct __sk_buff, data_end)),
2707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2709 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2710 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2711 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2712 BPF_MOV64_IMM(BPF_REG_0, 1),
2714 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2715 BPF_MOV64_IMM(BPF_REG_0, 0),
2719 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2722 "direct packet access: test9 (double test, variant 2)",
2724 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2725 offsetof(struct __sk_buff, data)),
2726 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2727 offsetof(struct __sk_buff, data_end)),
2728 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2729 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2730 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2731 BPF_MOV64_IMM(BPF_REG_0, 1),
2733 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2734 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2736 BPF_MOV64_IMM(BPF_REG_0, 0),
2740 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2743 "direct packet access: test10 (write invalid)",
2745 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2746 offsetof(struct __sk_buff, data)),
2747 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2748 offsetof(struct __sk_buff, data_end)),
2749 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2750 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2751 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2752 BPF_MOV64_IMM(BPF_REG_0, 0),
2754 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2755 BPF_MOV64_IMM(BPF_REG_0, 0),
2758 .errstr = "invalid access to packet",
2760 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2763 "direct packet access: test11 (shift, good access)",
2765 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2766 offsetof(struct __sk_buff, data)),
2767 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2768 offsetof(struct __sk_buff, data_end)),
2769 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2771 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2772 BPF_MOV64_IMM(BPF_REG_3, 144),
2773 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2774 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2775 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2776 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2777 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2778 BPF_MOV64_IMM(BPF_REG_0, 1),
2780 BPF_MOV64_IMM(BPF_REG_0, 0),
2784 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2787 "direct packet access: test12 (and, good access)",
2789 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2790 offsetof(struct __sk_buff, data)),
2791 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2792 offsetof(struct __sk_buff, data_end)),
2793 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2794 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2795 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2796 BPF_MOV64_IMM(BPF_REG_3, 144),
2797 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2798 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2799 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2800 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2801 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2802 BPF_MOV64_IMM(BPF_REG_0, 1),
2804 BPF_MOV64_IMM(BPF_REG_0, 0),
2808 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2811 "direct packet access: test13 (branches, good access)",
2813 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2814 offsetof(struct __sk_buff, data)),
2815 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2816 offsetof(struct __sk_buff, data_end)),
2817 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2819 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2820 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 offsetof(struct __sk_buff, mark)),
2822 BPF_MOV64_IMM(BPF_REG_4, 1),
2823 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2824 BPF_MOV64_IMM(BPF_REG_3, 14),
2825 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2826 BPF_MOV64_IMM(BPF_REG_3, 24),
2827 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2828 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2829 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2830 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2831 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2832 BPF_MOV64_IMM(BPF_REG_0, 1),
2834 BPF_MOV64_IMM(BPF_REG_0, 0),
2838 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2841 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2843 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2844 offsetof(struct __sk_buff, data)),
2845 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2846 offsetof(struct __sk_buff, data_end)),
2847 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2850 BPF_MOV64_IMM(BPF_REG_5, 12),
2851 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2852 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2853 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2854 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2855 BPF_MOV64_IMM(BPF_REG_0, 1),
2857 BPF_MOV64_IMM(BPF_REG_0, 0),
2861 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2864 "direct packet access: test15 (spill with xadd)",
2866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2867 offsetof(struct __sk_buff, data)),
2868 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2869 offsetof(struct __sk_buff, data_end)),
2870 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2872 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2873 BPF_MOV64_IMM(BPF_REG_5, 4096),
2874 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2876 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2877 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2878 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2879 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2880 BPF_MOV64_IMM(BPF_REG_0, 0),
2883 .errstr = "R2 invalid mem access 'inv'",
2885 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2888 "direct packet access: test16 (arith on data_end)",
2890 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2891 offsetof(struct __sk_buff, data)),
2892 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2893 offsetof(struct __sk_buff, data_end)),
2894 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2896 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2897 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2898 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2899 BPF_MOV64_IMM(BPF_REG_0, 0),
2902 .errstr = "invalid access to packet",
2904 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2907 "direct packet access: test17 (pruning, alignment)",
2909 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2910 offsetof(struct __sk_buff, data)),
2911 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2912 offsetof(struct __sk_buff, data_end)),
2913 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2914 offsetof(struct __sk_buff, mark)),
2915 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2917 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2918 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2919 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2920 BPF_MOV64_IMM(BPF_REG_0, 0),
2922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2925 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
2927 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2928 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2931 "direct packet access: test18 (imm += pkt_ptr, 1)",
2933 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2934 offsetof(struct __sk_buff, data)),
2935 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2936 offsetof(struct __sk_buff, data_end)),
2937 BPF_MOV64_IMM(BPF_REG_0, 8),
2938 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2939 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2940 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2941 BPF_MOV64_IMM(BPF_REG_0, 0),
2945 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2948 "direct packet access: test19 (imm += pkt_ptr, 2)",
2950 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2951 offsetof(struct __sk_buff, data)),
2952 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2953 offsetof(struct __sk_buff, data_end)),
2954 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2956 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2957 BPF_MOV64_IMM(BPF_REG_4, 4),
2958 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2959 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2960 BPF_MOV64_IMM(BPF_REG_0, 0),
2964 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2967 "direct packet access: test20 (x += pkt_ptr, 1)",
2969 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2970 offsetof(struct __sk_buff, data)),
2971 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2972 offsetof(struct __sk_buff, data_end)),
2973 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2974 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2975 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2976 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
2977 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2978 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2979 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2980 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
2981 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2982 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2983 BPF_MOV64_IMM(BPF_REG_0, 0),
2986 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2990 "direct packet access: test21 (x += pkt_ptr, 2)",
2992 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2993 offsetof(struct __sk_buff, data)),
2994 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2995 offsetof(struct __sk_buff, data_end)),
2996 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2998 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2999 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3000 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3001 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3002 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3003 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3004 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3006 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3007 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3008 BPF_MOV64_IMM(BPF_REG_0, 0),
3011 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3015 "direct packet access: test22 (x += pkt_ptr, 3)",
3017 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3018 offsetof(struct __sk_buff, data)),
3019 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3020 offsetof(struct __sk_buff, data_end)),
3021 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3023 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3024 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3025 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3026 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3027 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3028 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3029 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3030 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3031 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3032 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3035 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3036 BPF_MOV64_IMM(BPF_REG_2, 1),
3037 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3038 BPF_MOV64_IMM(BPF_REG_0, 0),
3041 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3045 "direct packet access: test23 (x += pkt_ptr, 4)",
3047 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3048 offsetof(struct __sk_buff, data)),
3049 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3050 offsetof(struct __sk_buff, data_end)),
3051 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3052 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3053 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3054 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3055 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3056 BPF_MOV64_IMM(BPF_REG_0, 31),
3057 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3058 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3059 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3061 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3062 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3063 BPF_MOV64_IMM(BPF_REG_0, 0),
3066 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3068 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3071 "direct packet access: test24 (x += pkt_ptr, 5)",
3073 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3074 offsetof(struct __sk_buff, data)),
3075 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3076 offsetof(struct __sk_buff, data_end)),
3077 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3078 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3079 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3080 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3081 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3082 BPF_MOV64_IMM(BPF_REG_0, 64),
3083 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3084 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3085 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3086 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3087 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3088 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3089 BPF_MOV64_IMM(BPF_REG_0, 0),
3092 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3096 "direct packet access: test25 (marking on <, good access)",
3098 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3099 offsetof(struct __sk_buff, data)),
3100 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3101 offsetof(struct __sk_buff, data_end)),
3102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3104 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3105 BPF_MOV64_IMM(BPF_REG_0, 0),
3107 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3108 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3111 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3114 "direct packet access: test26 (marking on <, bad access)",
3116 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3117 offsetof(struct __sk_buff, data)),
3118 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3119 offsetof(struct __sk_buff, data_end)),
3120 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3122 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3123 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3124 BPF_MOV64_IMM(BPF_REG_0, 0),
3126 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3129 .errstr = "invalid access to packet",
3130 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3133 "direct packet access: test27 (marking on <=, good access)",
3135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3136 offsetof(struct __sk_buff, data)),
3137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3138 offsetof(struct __sk_buff, data_end)),
3139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3141 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3142 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3143 BPF_MOV64_IMM(BPF_REG_0, 1),
3147 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3150 "direct packet access: test28 (marking on <=, bad access)",
3152 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3153 offsetof(struct __sk_buff, data)),
3154 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3155 offsetof(struct __sk_buff, data_end)),
3156 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3158 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3159 BPF_MOV64_IMM(BPF_REG_0, 1),
3161 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3162 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3165 .errstr = "invalid access to packet",
3166 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3169 "helper access to packet: test1, valid packet_ptr range",
3171 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3172 offsetof(struct xdp_md, data)),
3173 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3174 offsetof(struct xdp_md, data_end)),
3175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3176 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3177 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3178 BPF_LD_MAP_FD(BPF_REG_1, 0),
3179 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3180 BPF_MOV64_IMM(BPF_REG_4, 0),
3181 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3182 BPF_FUNC_map_update_elem),
3183 BPF_MOV64_IMM(BPF_REG_0, 0),
3186 .fixup_map1 = { 5 },
3187 .result_unpriv = ACCEPT,
3189 .prog_type = BPF_PROG_TYPE_XDP,
3192 "helper access to packet: test2, unchecked packet_ptr",
3194 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3195 offsetof(struct xdp_md, data)),
3196 BPF_LD_MAP_FD(BPF_REG_1, 0),
3197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3198 BPF_FUNC_map_lookup_elem),
3199 BPF_MOV64_IMM(BPF_REG_0, 0),
3202 .fixup_map1 = { 1 },
3204 .errstr = "invalid access to packet",
3205 .prog_type = BPF_PROG_TYPE_XDP,
3208 "helper access to packet: test3, variable add",
3210 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3211 offsetof(struct xdp_md, data)),
3212 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3213 offsetof(struct xdp_md, data_end)),
3214 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3215 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3216 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3217 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3218 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3219 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3220 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3222 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3223 BPF_LD_MAP_FD(BPF_REG_1, 0),
3224 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3225 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3226 BPF_FUNC_map_lookup_elem),
3227 BPF_MOV64_IMM(BPF_REG_0, 0),
3230 .fixup_map1 = { 11 },
3232 .prog_type = BPF_PROG_TYPE_XDP,
3235 "helper access to packet: test4, packet_ptr with bad range",
3237 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3238 offsetof(struct xdp_md, data)),
3239 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3240 offsetof(struct xdp_md, data_end)),
3241 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3242 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3243 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3244 BPF_MOV64_IMM(BPF_REG_0, 0),
3246 BPF_LD_MAP_FD(BPF_REG_1, 0),
3247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3248 BPF_FUNC_map_lookup_elem),
3249 BPF_MOV64_IMM(BPF_REG_0, 0),
3252 .fixup_map1 = { 7 },
3254 .errstr = "invalid access to packet",
3255 .prog_type = BPF_PROG_TYPE_XDP,
3258 "helper access to packet: test5, packet_ptr with too short range",
3260 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3261 offsetof(struct xdp_md, data)),
3262 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3263 offsetof(struct xdp_md, data_end)),
3264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3265 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3266 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3267 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3268 BPF_LD_MAP_FD(BPF_REG_1, 0),
3269 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3270 BPF_FUNC_map_lookup_elem),
3271 BPF_MOV64_IMM(BPF_REG_0, 0),
3274 .fixup_map1 = { 6 },
3276 .errstr = "invalid access to packet",
3277 .prog_type = BPF_PROG_TYPE_XDP,
3280 "helper access to packet: test6, cls valid packet_ptr range",
3282 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3283 offsetof(struct __sk_buff, data)),
3284 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3285 offsetof(struct __sk_buff, data_end)),
3286 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3288 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3289 BPF_LD_MAP_FD(BPF_REG_1, 0),
3290 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3291 BPF_MOV64_IMM(BPF_REG_4, 0),
3292 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3293 BPF_FUNC_map_update_elem),
3294 BPF_MOV64_IMM(BPF_REG_0, 0),
3297 .fixup_map1 = { 5 },
3299 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3302 "helper access to packet: test7, cls unchecked packet_ptr",
3304 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3305 offsetof(struct __sk_buff, data)),
3306 BPF_LD_MAP_FD(BPF_REG_1, 0),
3307 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3308 BPF_FUNC_map_lookup_elem),
3309 BPF_MOV64_IMM(BPF_REG_0, 0),
3312 .fixup_map1 = { 1 },
3314 .errstr = "invalid access to packet",
3315 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3318 "helper access to packet: test8, cls variable add",
3320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3321 offsetof(struct __sk_buff, data)),
3322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3323 offsetof(struct __sk_buff, data_end)),
3324 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3326 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3327 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3328 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3329 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3330 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3332 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3333 BPF_LD_MAP_FD(BPF_REG_1, 0),
3334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3335 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3336 BPF_FUNC_map_lookup_elem),
3337 BPF_MOV64_IMM(BPF_REG_0, 0),
3340 .fixup_map1 = { 11 },
3342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3345 "helper access to packet: test9, cls packet_ptr with bad range",
3347 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3348 offsetof(struct __sk_buff, data)),
3349 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3350 offsetof(struct __sk_buff, data_end)),
3351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3352 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3353 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3354 BPF_MOV64_IMM(BPF_REG_0, 0),
3356 BPF_LD_MAP_FD(BPF_REG_1, 0),
3357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3358 BPF_FUNC_map_lookup_elem),
3359 BPF_MOV64_IMM(BPF_REG_0, 0),
3362 .fixup_map1 = { 7 },
3364 .errstr = "invalid access to packet",
3365 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3368 "helper access to packet: test10, cls packet_ptr with too short range",
3370 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3371 offsetof(struct __sk_buff, data)),
3372 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3373 offsetof(struct __sk_buff, data_end)),
3374 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3375 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3377 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3378 BPF_LD_MAP_FD(BPF_REG_1, 0),
3379 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3380 BPF_FUNC_map_lookup_elem),
3381 BPF_MOV64_IMM(BPF_REG_0, 0),
3384 .fixup_map1 = { 6 },
3386 .errstr = "invalid access to packet",
3387 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3390 "helper access to packet: test11, cls unsuitable helper 1",
3392 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3393 offsetof(struct __sk_buff, data)),
3394 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3395 offsetof(struct __sk_buff, data_end)),
3396 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3397 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3398 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3399 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3400 BPF_MOV64_IMM(BPF_REG_2, 0),
3401 BPF_MOV64_IMM(BPF_REG_4, 42),
3402 BPF_MOV64_IMM(BPF_REG_5, 0),
3403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3404 BPF_FUNC_skb_store_bytes),
3405 BPF_MOV64_IMM(BPF_REG_0, 0),
3409 .errstr = "helper access to the packet",
3410 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3413 "helper access to packet: test12, cls unsuitable helper 2",
3415 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3416 offsetof(struct __sk_buff, data)),
3417 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3418 offsetof(struct __sk_buff, data_end)),
3419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3420 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3421 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3422 BPF_MOV64_IMM(BPF_REG_2, 0),
3423 BPF_MOV64_IMM(BPF_REG_4, 4),
3424 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3425 BPF_FUNC_skb_load_bytes),
3426 BPF_MOV64_IMM(BPF_REG_0, 0),
3430 .errstr = "helper access to the packet",
3431 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3434 "helper access to packet: test13, cls helper ok",
3436 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3437 offsetof(struct __sk_buff, data)),
3438 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3439 offsetof(struct __sk_buff, data_end)),
3440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3443 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3445 BPF_MOV64_IMM(BPF_REG_2, 4),
3446 BPF_MOV64_IMM(BPF_REG_3, 0),
3447 BPF_MOV64_IMM(BPF_REG_4, 0),
3448 BPF_MOV64_IMM(BPF_REG_5, 0),
3449 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3450 BPF_FUNC_csum_diff),
3451 BPF_MOV64_IMM(BPF_REG_0, 0),
3455 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3458 "helper access to packet: test14, cls helper ok sub",
3460 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3461 offsetof(struct __sk_buff, data)),
3462 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3463 offsetof(struct __sk_buff, data_end)),
3464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3465 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3466 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3467 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3468 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3469 BPF_MOV64_IMM(BPF_REG_2, 4),
3470 BPF_MOV64_IMM(BPF_REG_3, 0),
3471 BPF_MOV64_IMM(BPF_REG_4, 0),
3472 BPF_MOV64_IMM(BPF_REG_5, 0),
3473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3474 BPF_FUNC_csum_diff),
3475 BPF_MOV64_IMM(BPF_REG_0, 0),
3479 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3482 "helper access to packet: test15, cls helper fail sub",
3484 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3485 offsetof(struct __sk_buff, data)),
3486 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3487 offsetof(struct __sk_buff, data_end)),
3488 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3489 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3491 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3492 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3493 BPF_MOV64_IMM(BPF_REG_2, 4),
3494 BPF_MOV64_IMM(BPF_REG_3, 0),
3495 BPF_MOV64_IMM(BPF_REG_4, 0),
3496 BPF_MOV64_IMM(BPF_REG_5, 0),
3497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3498 BPF_FUNC_csum_diff),
3499 BPF_MOV64_IMM(BPF_REG_0, 0),
3503 .errstr = "invalid access to packet",
3504 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3507 "helper access to packet: test16, cls helper fail range 1",
3509 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3510 offsetof(struct __sk_buff, data)),
3511 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3512 offsetof(struct __sk_buff, data_end)),
3513 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3514 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3515 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3516 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3517 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3518 BPF_MOV64_IMM(BPF_REG_2, 8),
3519 BPF_MOV64_IMM(BPF_REG_3, 0),
3520 BPF_MOV64_IMM(BPF_REG_4, 0),
3521 BPF_MOV64_IMM(BPF_REG_5, 0),
3522 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3523 BPF_FUNC_csum_diff),
3524 BPF_MOV64_IMM(BPF_REG_0, 0),
3528 .errstr = "invalid access to packet",
3529 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3532 "helper access to packet: test17, cls helper fail range 2",
3534 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3535 offsetof(struct __sk_buff, data)),
3536 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3537 offsetof(struct __sk_buff, data_end)),
3538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3539 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3541 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3543 BPF_MOV64_IMM(BPF_REG_2, -9),
3544 BPF_MOV64_IMM(BPF_REG_3, 0),
3545 BPF_MOV64_IMM(BPF_REG_4, 0),
3546 BPF_MOV64_IMM(BPF_REG_5, 0),
3547 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3548 BPF_FUNC_csum_diff),
3549 BPF_MOV64_IMM(BPF_REG_0, 0),
3553 .errstr = "R2 min value is negative",
3554 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3557 "helper access to packet: test18, cls helper fail range 3",
3559 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3560 offsetof(struct __sk_buff, data)),
3561 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3562 offsetof(struct __sk_buff, data_end)),
3563 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3564 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3566 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3567 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3568 BPF_MOV64_IMM(BPF_REG_2, ~0),
3569 BPF_MOV64_IMM(BPF_REG_3, 0),
3570 BPF_MOV64_IMM(BPF_REG_4, 0),
3571 BPF_MOV64_IMM(BPF_REG_5, 0),
3572 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3573 BPF_FUNC_csum_diff),
3574 BPF_MOV64_IMM(BPF_REG_0, 0),
3578 .errstr = "R2 min value is negative",
3579 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3582 "helper access to packet: test19, cls helper range zero",
3584 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3585 offsetof(struct __sk_buff, data)),
3586 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3587 offsetof(struct __sk_buff, data_end)),
3588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3592 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3593 BPF_MOV64_IMM(BPF_REG_2, 0),
3594 BPF_MOV64_IMM(BPF_REG_3, 0),
3595 BPF_MOV64_IMM(BPF_REG_4, 0),
3596 BPF_MOV64_IMM(BPF_REG_5, 0),
3597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3598 BPF_FUNC_csum_diff),
3599 BPF_MOV64_IMM(BPF_REG_0, 0),
3603 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3606 "helper access to packet: test20, pkt end as input",
3608 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3609 offsetof(struct __sk_buff, data)),
3610 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3611 offsetof(struct __sk_buff, data_end)),
3612 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3613 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3615 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3616 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3617 BPF_MOV64_IMM(BPF_REG_2, 4),
3618 BPF_MOV64_IMM(BPF_REG_3, 0),
3619 BPF_MOV64_IMM(BPF_REG_4, 0),
3620 BPF_MOV64_IMM(BPF_REG_5, 0),
3621 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3622 BPF_FUNC_csum_diff),
3623 BPF_MOV64_IMM(BPF_REG_0, 0),
3627 .errstr = "R1 type=pkt_end expected=fp",
3628 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3631 "helper access to packet: test21, wrong reg",
3633 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3634 offsetof(struct __sk_buff, data)),
3635 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3636 offsetof(struct __sk_buff, data_end)),
3637 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3638 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3639 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3640 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3641 BPF_MOV64_IMM(BPF_REG_2, 4),
3642 BPF_MOV64_IMM(BPF_REG_3, 0),
3643 BPF_MOV64_IMM(BPF_REG_4, 0),
3644 BPF_MOV64_IMM(BPF_REG_5, 0),
3645 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3646 BPF_FUNC_csum_diff),
3647 BPF_MOV64_IMM(BPF_REG_0, 0),
3651 .errstr = "invalid access to packet",
3652 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3655 "valid map access into an array with a constant",
3657 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3658 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3659 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3660 BPF_LD_MAP_FD(BPF_REG_1, 0),
3661 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3662 BPF_FUNC_map_lookup_elem),
3663 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3664 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3665 offsetof(struct test_val, foo)),
3668 .fixup_map2 = { 3 },
3669 .errstr_unpriv = "R0 leaks addr",
3670 .result_unpriv = REJECT,
3674 "valid map access into an array with a register",
3676 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3677 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3678 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3679 BPF_LD_MAP_FD(BPF_REG_1, 0),
3680 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3681 BPF_FUNC_map_lookup_elem),
3682 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3683 BPF_MOV64_IMM(BPF_REG_1, 4),
3684 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3685 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3686 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3687 offsetof(struct test_val, foo)),
3690 .fixup_map2 = { 3 },
3691 .errstr_unpriv = "R0 leaks addr",
3692 .result_unpriv = REJECT,
3694 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3697 "valid map access into an array with a variable",
3699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3702 BPF_LD_MAP_FD(BPF_REG_1, 0),
3703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3704 BPF_FUNC_map_lookup_elem),
3705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3706 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3707 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3708 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3710 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3711 offsetof(struct test_val, foo)),
3714 .fixup_map2 = { 3 },
3715 .errstr_unpriv = "R0 leaks addr",
3716 .result_unpriv = REJECT,
3718 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3721 "valid map access into an array with a signed variable",
3723 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3724 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3725 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3726 BPF_LD_MAP_FD(BPF_REG_1, 0),
3727 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3728 BPF_FUNC_map_lookup_elem),
3729 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3730 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3731 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3732 BPF_MOV32_IMM(BPF_REG_1, 0),
3733 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3734 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3735 BPF_MOV32_IMM(BPF_REG_1, 0),
3736 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3737 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3738 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3739 offsetof(struct test_val, foo)),
3742 .fixup_map2 = { 3 },
3743 .errstr_unpriv = "R0 leaks addr",
3744 .result_unpriv = REJECT,
3746 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3749 "invalid map access into an array with a constant",
3751 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3752 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3753 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3754 BPF_LD_MAP_FD(BPF_REG_1, 0),
3755 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3756 BPF_FUNC_map_lookup_elem),
3757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3758 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3759 offsetof(struct test_val, foo)),
3762 .fixup_map2 = { 3 },
3763 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3767 "invalid map access into an array with a register",
3769 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3770 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3771 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3772 BPF_LD_MAP_FD(BPF_REG_1, 0),
3773 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3774 BPF_FUNC_map_lookup_elem),
3775 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3776 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3777 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3778 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3779 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3780 offsetof(struct test_val, foo)),
3783 .fixup_map2 = { 3 },
3784 .errstr = "R0 min value is outside of the array range",
3786 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3789 "invalid map access into an array with a variable",
3791 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3792 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3793 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3794 BPF_LD_MAP_FD(BPF_REG_1, 0),
3795 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3796 BPF_FUNC_map_lookup_elem),
3797 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3798 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3799 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3800 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3801 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3802 offsetof(struct test_val, foo)),
3805 .fixup_map2 = { 3 },
3806 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3808 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3811 "invalid map access into an array with no floor check",
3813 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3814 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3815 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3816 BPF_LD_MAP_FD(BPF_REG_1, 0),
3817 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3818 BPF_FUNC_map_lookup_elem),
3819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3820 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
3821 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3822 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3823 BPF_MOV32_IMM(BPF_REG_1, 0),
3824 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3825 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3826 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3827 offsetof(struct test_val, foo)),
3830 .fixup_map2 = { 3 },
3831 .errstr_unpriv = "R0 leaks addr",
3832 .errstr = "R0 unbounded memory access",
3833 .result_unpriv = REJECT,
3835 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3838 "invalid map access into an array with a invalid max check",
3840 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3841 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3843 BPF_LD_MAP_FD(BPF_REG_1, 0),
3844 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3845 BPF_FUNC_map_lookup_elem),
3846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3847 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3848 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3849 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3850 BPF_MOV32_IMM(BPF_REG_1, 0),
3851 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3852 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3853 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3854 offsetof(struct test_val, foo)),
3857 .fixup_map2 = { 3 },
3858 .errstr_unpriv = "R0 leaks addr",
3859 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
3860 .result_unpriv = REJECT,
3862 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3865 "invalid map access into an array with a invalid max check",
3867 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3868 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3870 BPF_LD_MAP_FD(BPF_REG_1, 0),
3871 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3872 BPF_FUNC_map_lookup_elem),
3873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3874 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3875 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3876 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3878 BPF_LD_MAP_FD(BPF_REG_1, 0),
3879 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3880 BPF_FUNC_map_lookup_elem),
3881 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3882 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3883 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3884 offsetof(struct test_val, foo)),
3887 .fixup_map2 = { 3, 11 },
3888 .errstr_unpriv = "R0 pointer += pointer",
3889 .errstr = "R0 invalid mem access 'inv'",
3890 .result_unpriv = REJECT,
3892 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3895 "multiple registers share map_lookup_elem result",
3897 BPF_MOV64_IMM(BPF_REG_1, 10),
3898 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3901 BPF_LD_MAP_FD(BPF_REG_1, 0),
3902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3903 BPF_FUNC_map_lookup_elem),
3904 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3905 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3906 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3909 .fixup_map1 = { 4 },
3911 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3914 "alu ops on ptr_to_map_value_or_null, 1",
3916 BPF_MOV64_IMM(BPF_REG_1, 10),
3917 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3920 BPF_LD_MAP_FD(BPF_REG_1, 0),
3921 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3922 BPF_FUNC_map_lookup_elem),
3923 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3926 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3927 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3930 .fixup_map1 = { 4 },
3931 .errstr = "R4 invalid mem access",
3933 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3936 "alu ops on ptr_to_map_value_or_null, 2",
3938 BPF_MOV64_IMM(BPF_REG_1, 10),
3939 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3940 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3941 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3942 BPF_LD_MAP_FD(BPF_REG_1, 0),
3943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3944 BPF_FUNC_map_lookup_elem),
3945 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3946 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3948 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3951 .fixup_map1 = { 4 },
3952 .errstr = "R4 invalid mem access",
3954 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3957 "alu ops on ptr_to_map_value_or_null, 3",
3959 BPF_MOV64_IMM(BPF_REG_1, 10),
3960 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3961 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3962 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3963 BPF_LD_MAP_FD(BPF_REG_1, 0),
3964 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3965 BPF_FUNC_map_lookup_elem),
3966 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3967 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3968 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3969 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3972 .fixup_map1 = { 4 },
3973 .errstr = "R4 invalid mem access",
3975 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3978 "invalid memory access with multiple map_lookup_elem calls",
3980 BPF_MOV64_IMM(BPF_REG_1, 10),
3981 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3982 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3983 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3984 BPF_LD_MAP_FD(BPF_REG_1, 0),
3985 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3986 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3987 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3988 BPF_FUNC_map_lookup_elem),
3989 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3990 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3993 BPF_FUNC_map_lookup_elem),
3994 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3995 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3998 .fixup_map1 = { 4 },
4000 .errstr = "R4 !read_ok",
4001 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4004 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4006 BPF_MOV64_IMM(BPF_REG_1, 10),
4007 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4008 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4009 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4010 BPF_LD_MAP_FD(BPF_REG_1, 0),
4011 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4012 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4014 BPF_FUNC_map_lookup_elem),
4015 BPF_MOV64_IMM(BPF_REG_2, 10),
4016 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4017 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4018 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4019 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4020 BPF_FUNC_map_lookup_elem),
4021 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4022 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4023 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4026 .fixup_map1 = { 4 },
4028 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4031 "invalid map access from else condition",
4033 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4034 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4035 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4036 BPF_LD_MAP_FD(BPF_REG_1, 0),
4037 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4038 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4039 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4040 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4041 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4042 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4043 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4044 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4047 .fixup_map2 = { 3 },
4048 .errstr = "R0 unbounded memory access",
4050 .errstr_unpriv = "R0 leaks addr",
4051 .result_unpriv = REJECT,
4052 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4055 "constant register |= constant should keep constant type",
4057 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4058 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4059 BPF_MOV64_IMM(BPF_REG_2, 34),
4060 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4061 BPF_MOV64_IMM(BPF_REG_3, 0),
4062 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4066 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4069 "constant register |= constant should not bypass stack boundary checks",
4071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4073 BPF_MOV64_IMM(BPF_REG_2, 34),
4074 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4075 BPF_MOV64_IMM(BPF_REG_3, 0),
4076 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4079 .errstr = "invalid stack type R1 off=-48 access_size=58",
4081 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4084 "constant register |= constant register should keep constant type",
4086 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4088 BPF_MOV64_IMM(BPF_REG_2, 34),
4089 BPF_MOV64_IMM(BPF_REG_4, 13),
4090 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4091 BPF_MOV64_IMM(BPF_REG_3, 0),
4092 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4096 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4099 "constant register |= constant register should not bypass stack boundary checks",
4101 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4103 BPF_MOV64_IMM(BPF_REG_2, 34),
4104 BPF_MOV64_IMM(BPF_REG_4, 24),
4105 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4106 BPF_MOV64_IMM(BPF_REG_3, 0),
4107 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4110 .errstr = "invalid stack type R1 off=-48 access_size=58",
4112 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4115 "invalid direct packet write for LWT_IN",
4117 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4118 offsetof(struct __sk_buff, data)),
4119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4120 offsetof(struct __sk_buff, data_end)),
4121 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4123 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4124 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4125 BPF_MOV64_IMM(BPF_REG_0, 0),
4128 .errstr = "cannot write into packet",
4130 .prog_type = BPF_PROG_TYPE_LWT_IN,
4133 "invalid direct packet write for LWT_OUT",
4135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4136 offsetof(struct __sk_buff, data)),
4137 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4138 offsetof(struct __sk_buff, data_end)),
4139 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4141 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4142 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4143 BPF_MOV64_IMM(BPF_REG_0, 0),
4146 .errstr = "cannot write into packet",
4148 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4151 "direct packet write for LWT_XMIT",
4153 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4154 offsetof(struct __sk_buff, data)),
4155 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4156 offsetof(struct __sk_buff, data_end)),
4157 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4158 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4159 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4160 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4161 BPF_MOV64_IMM(BPF_REG_0, 0),
4165 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4168 "direct packet read for LWT_IN",
4170 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4171 offsetof(struct __sk_buff, data)),
4172 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4173 offsetof(struct __sk_buff, data_end)),
4174 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4175 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4176 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4177 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4178 BPF_MOV64_IMM(BPF_REG_0, 0),
4182 .prog_type = BPF_PROG_TYPE_LWT_IN,
4185 "direct packet read for LWT_OUT",
4187 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4188 offsetof(struct __sk_buff, data)),
4189 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4190 offsetof(struct __sk_buff, data_end)),
4191 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4193 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4194 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4195 BPF_MOV64_IMM(BPF_REG_0, 0),
4199 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4202 "direct packet read for LWT_XMIT",
4204 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4205 offsetof(struct __sk_buff, data)),
4206 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4207 offsetof(struct __sk_buff, data_end)),
4208 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4209 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4210 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4211 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4212 BPF_MOV64_IMM(BPF_REG_0, 0),
4216 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4219 "overlapping checks for direct packet access",
4221 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4222 offsetof(struct __sk_buff, data)),
4223 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4224 offsetof(struct __sk_buff, data_end)),
4225 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4227 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4230 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4231 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4232 BPF_MOV64_IMM(BPF_REG_0, 0),
4236 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4239 "invalid access of tc_classid for LWT_IN",
4241 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4242 offsetof(struct __sk_buff, tc_classid)),
4246 .errstr = "invalid bpf_context access",
4249 "invalid access of tc_classid for LWT_OUT",
4251 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4252 offsetof(struct __sk_buff, tc_classid)),
4256 .errstr = "invalid bpf_context access",
4259 "invalid access of tc_classid for LWT_XMIT",
4261 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4262 offsetof(struct __sk_buff, tc_classid)),
4266 .errstr = "invalid bpf_context access",
4269 "leak pointer into ctx 1",
4271 BPF_MOV64_IMM(BPF_REG_0, 0),
4272 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4273 offsetof(struct __sk_buff, cb[0])),
4274 BPF_LD_MAP_FD(BPF_REG_2, 0),
4275 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4276 offsetof(struct __sk_buff, cb[0])),
4279 .fixup_map1 = { 2 },
4280 .errstr_unpriv = "R2 leaks addr into mem",
4281 .result_unpriv = REJECT,
4285 "leak pointer into ctx 2",
4287 BPF_MOV64_IMM(BPF_REG_0, 0),
4288 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4289 offsetof(struct __sk_buff, cb[0])),
4290 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4291 offsetof(struct __sk_buff, cb[0])),
4294 .errstr_unpriv = "R10 leaks addr into mem",
4295 .result_unpriv = REJECT,
4299 "leak pointer into ctx 3",
4301 BPF_MOV64_IMM(BPF_REG_0, 0),
4302 BPF_LD_MAP_FD(BPF_REG_2, 0),
4303 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4304 offsetof(struct __sk_buff, cb[0])),
4307 .fixup_map1 = { 1 },
4308 .errstr_unpriv = "R2 leaks addr into ctx",
4309 .result_unpriv = REJECT,
4313 "leak pointer into map val",
4315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4317 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4319 BPF_LD_MAP_FD(BPF_REG_1, 0),
4320 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4321 BPF_FUNC_map_lookup_elem),
4322 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4323 BPF_MOV64_IMM(BPF_REG_3, 0),
4324 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4325 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4326 BPF_MOV64_IMM(BPF_REG_0, 0),
4329 .fixup_map1 = { 4 },
4330 .errstr_unpriv = "R6 leaks addr into mem",
4331 .result_unpriv = REJECT,
4335 "helper access to map: full range",
4337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4339 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4340 BPF_LD_MAP_FD(BPF_REG_1, 0),
4341 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4342 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4343 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4344 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4345 BPF_MOV64_IMM(BPF_REG_3, 0),
4346 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4349 .fixup_map2 = { 3 },
4351 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4354 "helper access to map: partial range",
4356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4358 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4359 BPF_LD_MAP_FD(BPF_REG_1, 0),
4360 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4361 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4362 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4363 BPF_MOV64_IMM(BPF_REG_2, 8),
4364 BPF_MOV64_IMM(BPF_REG_3, 0),
4365 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4368 .fixup_map2 = { 3 },
4370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4373 "helper access to map: empty range",
4375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4377 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4378 BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4380 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4381 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4382 BPF_MOV64_IMM(BPF_REG_2, 0),
4383 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4386 .fixup_map2 = { 3 },
4387 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4389 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4392 "helper access to map: out-of-bound range",
4394 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4395 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4396 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4397 BPF_LD_MAP_FD(BPF_REG_1, 0),
4398 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4399 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4400 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4401 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4402 BPF_MOV64_IMM(BPF_REG_3, 0),
4403 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4406 .fixup_map2 = { 3 },
4407 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4409 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4412 "helper access to map: negative range",
4414 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4415 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4416 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4417 BPF_LD_MAP_FD(BPF_REG_1, 0),
4418 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4419 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4420 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4421 BPF_MOV64_IMM(BPF_REG_2, -8),
4422 BPF_MOV64_IMM(BPF_REG_3, 0),
4423 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4426 .fixup_map2 = { 3 },
4427 .errstr = "R2 min value is negative",
4429 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4432 "helper access to adjusted map (via const imm): full range",
4434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4436 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4437 BPF_LD_MAP_FD(BPF_REG_1, 0),
4438 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4439 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4440 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4441 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4442 offsetof(struct test_val, foo)),
4443 BPF_MOV64_IMM(BPF_REG_2,
4444 sizeof(struct test_val) -
4445 offsetof(struct test_val, foo)),
4446 BPF_MOV64_IMM(BPF_REG_3, 0),
4447 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4450 .fixup_map2 = { 3 },
4452 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4455 "helper access to adjusted map (via const imm): partial range",
4457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4459 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4460 BPF_LD_MAP_FD(BPF_REG_1, 0),
4461 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4462 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4465 offsetof(struct test_val, foo)),
4466 BPF_MOV64_IMM(BPF_REG_2, 8),
4467 BPF_MOV64_IMM(BPF_REG_3, 0),
4468 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4471 .fixup_map2 = { 3 },
4473 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4476 "helper access to adjusted map (via const imm): empty range",
4478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4480 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4481 BPF_LD_MAP_FD(BPF_REG_1, 0),
4482 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4484 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4485 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4486 offsetof(struct test_val, foo)),
4487 BPF_MOV64_IMM(BPF_REG_2, 0),
4488 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4491 .fixup_map2 = { 3 },
4492 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
4494 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4497 "helper access to adjusted map (via const imm): out-of-bound range",
4499 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4500 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4501 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4502 BPF_LD_MAP_FD(BPF_REG_1, 0),
4503 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4504 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4505 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4507 offsetof(struct test_val, foo)),
4508 BPF_MOV64_IMM(BPF_REG_2,
4509 sizeof(struct test_val) -
4510 offsetof(struct test_val, foo) + 8),
4511 BPF_MOV64_IMM(BPF_REG_3, 0),
4512 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4515 .fixup_map2 = { 3 },
4516 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4518 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4521 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4525 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4526 BPF_LD_MAP_FD(BPF_REG_1, 0),
4527 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4528 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4529 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4531 offsetof(struct test_val, foo)),
4532 BPF_MOV64_IMM(BPF_REG_2, -8),
4533 BPF_MOV64_IMM(BPF_REG_3, 0),
4534 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4537 .fixup_map2 = { 3 },
4538 .errstr = "R2 min value is negative",
4540 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4543 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4547 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4548 BPF_LD_MAP_FD(BPF_REG_1, 0),
4549 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4550 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4553 offsetof(struct test_val, foo)),
4554 BPF_MOV64_IMM(BPF_REG_2, -1),
4555 BPF_MOV64_IMM(BPF_REG_3, 0),
4556 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4559 .fixup_map2 = { 3 },
4560 .errstr = "R2 min value is negative",
4562 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4565 "helper access to adjusted map (via const reg): full range",
4567 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4568 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4569 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4570 BPF_LD_MAP_FD(BPF_REG_1, 0),
4571 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4572 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4573 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4574 BPF_MOV64_IMM(BPF_REG_3,
4575 offsetof(struct test_val, foo)),
4576 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4577 BPF_MOV64_IMM(BPF_REG_2,
4578 sizeof(struct test_val) -
4579 offsetof(struct test_val, foo)),
4580 BPF_MOV64_IMM(BPF_REG_3, 0),
4581 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4584 .fixup_map2 = { 3 },
4586 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4589 "helper access to adjusted map (via const reg): partial range",
4591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4593 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4594 BPF_LD_MAP_FD(BPF_REG_1, 0),
4595 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4597 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4598 BPF_MOV64_IMM(BPF_REG_3,
4599 offsetof(struct test_val, foo)),
4600 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4601 BPF_MOV64_IMM(BPF_REG_2, 8),
4602 BPF_MOV64_IMM(BPF_REG_3, 0),
4603 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4606 .fixup_map2 = { 3 },
4608 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4611 "helper access to adjusted map (via const reg): empty range",
4613 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4614 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4615 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4616 BPF_LD_MAP_FD(BPF_REG_1, 0),
4617 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4618 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4619 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4620 BPF_MOV64_IMM(BPF_REG_3, 0),
4621 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4622 BPF_MOV64_IMM(BPF_REG_2, 0),
4623 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4626 .fixup_map2 = { 3 },
4627 .errstr = "R1 min value is outside of the array range",
4629 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4632 "helper access to adjusted map (via const reg): out-of-bound range",
4634 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4635 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4636 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4637 BPF_LD_MAP_FD(BPF_REG_1, 0),
4638 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4639 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4640 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4641 BPF_MOV64_IMM(BPF_REG_3,
4642 offsetof(struct test_val, foo)),
4643 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4644 BPF_MOV64_IMM(BPF_REG_2,
4645 sizeof(struct test_val) -
4646 offsetof(struct test_val, foo) + 8),
4647 BPF_MOV64_IMM(BPF_REG_3, 0),
4648 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4651 .fixup_map2 = { 3 },
4652 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4654 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4657 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4659 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4661 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4662 BPF_LD_MAP_FD(BPF_REG_1, 0),
4663 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4664 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4665 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4666 BPF_MOV64_IMM(BPF_REG_3,
4667 offsetof(struct test_val, foo)),
4668 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4669 BPF_MOV64_IMM(BPF_REG_2, -8),
4670 BPF_MOV64_IMM(BPF_REG_3, 0),
4671 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4674 .fixup_map2 = { 3 },
4675 .errstr = "R2 min value is negative",
4677 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4680 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4682 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4684 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4685 BPF_LD_MAP_FD(BPF_REG_1, 0),
4686 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4688 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4689 BPF_MOV64_IMM(BPF_REG_3,
4690 offsetof(struct test_val, foo)),
4691 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4692 BPF_MOV64_IMM(BPF_REG_2, -1),
4693 BPF_MOV64_IMM(BPF_REG_3, 0),
4694 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4697 .fixup_map2 = { 3 },
4698 .errstr = "R2 min value is negative",
4700 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4703 "helper access to adjusted map (via variable): full range",
4705 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4706 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4707 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4708 BPF_LD_MAP_FD(BPF_REG_1, 0),
4709 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4710 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4711 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4712 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4713 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4714 offsetof(struct test_val, foo), 4),
4715 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4716 BPF_MOV64_IMM(BPF_REG_2,
4717 sizeof(struct test_val) -
4718 offsetof(struct test_val, foo)),
4719 BPF_MOV64_IMM(BPF_REG_3, 0),
4720 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4723 .fixup_map2 = { 3 },
4725 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4728 "helper access to adjusted map (via variable): partial range",
4730 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4732 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4733 BPF_LD_MAP_FD(BPF_REG_1, 0),
4734 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4735 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4737 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4738 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4739 offsetof(struct test_val, foo), 4),
4740 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4741 BPF_MOV64_IMM(BPF_REG_2, 8),
4742 BPF_MOV64_IMM(BPF_REG_3, 0),
4743 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4746 .fixup_map2 = { 3 },
4748 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4751 "helper access to adjusted map (via variable): empty range",
4753 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4754 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4755 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4756 BPF_LD_MAP_FD(BPF_REG_1, 0),
4757 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4758 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4760 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4761 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4762 offsetof(struct test_val, foo), 3),
4763 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4764 BPF_MOV64_IMM(BPF_REG_2, 0),
4765 BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4768 .fixup_map2 = { 3 },
4769 .errstr = "R1 min value is outside of the array range",
4771 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4774 "helper access to adjusted map (via variable): no max check",
4776 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4778 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4779 BPF_LD_MAP_FD(BPF_REG_1, 0),
4780 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4782 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4783 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4784 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4785 BPF_MOV64_IMM(BPF_REG_2, 1),
4786 BPF_MOV64_IMM(BPF_REG_3, 0),
4787 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4790 .fixup_map2 = { 3 },
4791 .errstr = "R1 unbounded memory access",
4793 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4796 "helper access to adjusted map (via variable): wrong max check",
4798 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4800 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4801 BPF_LD_MAP_FD(BPF_REG_1, 0),
4802 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4803 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4804 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4805 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4806 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4807 offsetof(struct test_val, foo), 4),
4808 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4809 BPF_MOV64_IMM(BPF_REG_2,
4810 sizeof(struct test_val) -
4811 offsetof(struct test_val, foo) + 1),
4812 BPF_MOV64_IMM(BPF_REG_3, 0),
4813 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4816 .fixup_map2 = { 3 },
4817 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4819 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4822 "helper access to map: bounds check using <, good access",
4824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4826 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4827 BPF_LD_MAP_FD(BPF_REG_1, 0),
4828 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4830 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4831 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4832 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
4833 BPF_MOV64_IMM(BPF_REG_0, 0),
4835 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4836 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4837 BPF_MOV64_IMM(BPF_REG_0, 0),
4840 .fixup_map2 = { 3 },
4842 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4845 "helper access to map: bounds check using <, bad access",
4847 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4848 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4849 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4850 BPF_LD_MAP_FD(BPF_REG_1, 0),
4851 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4852 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4854 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4855 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
4856 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4857 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4858 BPF_MOV64_IMM(BPF_REG_0, 0),
4860 BPF_MOV64_IMM(BPF_REG_0, 0),
4863 .fixup_map2 = { 3 },
4865 .errstr = "R1 unbounded memory access",
4866 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4869 "helper access to map: bounds check using <=, good access",
4871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4873 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4874 BPF_LD_MAP_FD(BPF_REG_1, 0),
4875 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4877 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4878 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4879 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
4880 BPF_MOV64_IMM(BPF_REG_0, 0),
4882 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4883 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4884 BPF_MOV64_IMM(BPF_REG_0, 0),
4887 .fixup_map2 = { 3 },
4889 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4892 "helper access to map: bounds check using <=, bad access",
4894 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4895 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4896 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4897 BPF_LD_MAP_FD(BPF_REG_1, 0),
4898 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4899 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4900 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4901 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4902 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
4903 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4904 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4905 BPF_MOV64_IMM(BPF_REG_0, 0),
4907 BPF_MOV64_IMM(BPF_REG_0, 0),
4910 .fixup_map2 = { 3 },
4912 .errstr = "R1 unbounded memory access",
4913 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4916 "helper access to map: bounds check using s<, good access",
4918 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4919 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4920 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4921 BPF_LD_MAP_FD(BPF_REG_1, 0),
4922 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4923 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4925 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4926 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4927 BPF_MOV64_IMM(BPF_REG_0, 0),
4929 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
4930 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4931 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4932 BPF_MOV64_IMM(BPF_REG_0, 0),
4935 .fixup_map2 = { 3 },
4937 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4940 "helper access to map: bounds check using s<, good access 2",
4942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4944 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4945 BPF_LD_MAP_FD(BPF_REG_1, 0),
4946 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4948 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4949 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4950 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4951 BPF_MOV64_IMM(BPF_REG_0, 0),
4953 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4954 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4955 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4956 BPF_MOV64_IMM(BPF_REG_0, 0),
4959 .fixup_map2 = { 3 },
4961 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4964 "helper access to map: bounds check using s<, bad access",
4966 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4967 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4968 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4969 BPF_LD_MAP_FD(BPF_REG_1, 0),
4970 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4971 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4972 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4973 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
4974 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4975 BPF_MOV64_IMM(BPF_REG_0, 0),
4977 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4978 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4979 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4980 BPF_MOV64_IMM(BPF_REG_0, 0),
4983 .fixup_map2 = { 3 },
4985 .errstr = "R1 min value is negative",
4986 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4989 "helper access to map: bounds check using s<=, good access",
4991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4993 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4994 BPF_LD_MAP_FD(BPF_REG_1, 0),
4995 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4996 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4998 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4999 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5000 BPF_MOV64_IMM(BPF_REG_0, 0),
5002 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5003 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5004 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5005 BPF_MOV64_IMM(BPF_REG_0, 0),
5008 .fixup_map2 = { 3 },
5010 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5013 "helper access to map: bounds check using s<=, good access 2",
5015 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5017 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5018 BPF_LD_MAP_FD(BPF_REG_1, 0),
5019 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5020 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5022 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5023 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5024 BPF_MOV64_IMM(BPF_REG_0, 0),
5026 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5027 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5028 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5029 BPF_MOV64_IMM(BPF_REG_0, 0),
5032 .fixup_map2 = { 3 },
5034 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5037 "helper access to map: bounds check using s<=, bad access",
5039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5041 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5042 BPF_LD_MAP_FD(BPF_REG_1, 0),
5043 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5044 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5045 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5046 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5047 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5048 BPF_MOV64_IMM(BPF_REG_0, 0),
5050 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5051 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5052 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5053 BPF_MOV64_IMM(BPF_REG_0, 0),
5056 .fixup_map2 = { 3 },
5058 .errstr = "R1 min value is negative",
5059 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5062 "map element value is preserved across register spilling",
5064 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5065 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5066 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5067 BPF_LD_MAP_FD(BPF_REG_1, 0),
5068 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5069 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5070 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5071 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5073 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5074 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5075 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5078 .fixup_map2 = { 3 },
5079 .errstr_unpriv = "R0 leaks addr",
5081 .result_unpriv = REJECT,
5084 "map element value or null is marked on register spilling",
5086 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5087 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5088 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5089 BPF_LD_MAP_FD(BPF_REG_1, 0),
5090 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5091 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5092 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5093 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5094 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5095 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5096 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5099 .fixup_map2 = { 3 },
5100 .errstr_unpriv = "R0 leaks addr",
5102 .result_unpriv = REJECT,
5105 "map element value store of cleared call register",
5107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5109 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5110 BPF_LD_MAP_FD(BPF_REG_1, 0),
5111 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5112 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5113 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5116 .fixup_map2 = { 3 },
5117 .errstr_unpriv = "R1 !read_ok",
5118 .errstr = "R1 !read_ok",
5120 .result_unpriv = REJECT,
5123 "map element value with unaligned store",
5125 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5127 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5128 BPF_LD_MAP_FD(BPF_REG_1, 0),
5129 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5130 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5132 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5133 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5134 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5135 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5136 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5137 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5138 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5139 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5140 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5141 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5142 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5143 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5144 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5145 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5146 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5147 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5150 .fixup_map2 = { 3 },
5151 .errstr_unpriv = "R0 leaks addr",
5153 .result_unpriv = REJECT,
5154 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5157 "map element value with unaligned load",
5159 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5161 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5162 BPF_LD_MAP_FD(BPF_REG_1, 0),
5163 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5164 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5165 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5166 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5168 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5169 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5170 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5171 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5172 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5173 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5174 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5175 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5178 .fixup_map2 = { 3 },
5179 .errstr_unpriv = "R0 leaks addr",
5181 .result_unpriv = REJECT,
5182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5185 "map element value illegal alu op, 1",
5187 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5189 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5190 BPF_LD_MAP_FD(BPF_REG_1, 0),
5191 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5193 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5194 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5197 .fixup_map2 = { 3 },
5198 .errstr_unpriv = "R0 bitwise operator &= on pointer",
5199 .errstr = "invalid mem access 'inv'",
5201 .result_unpriv = REJECT,
5204 "map element value illegal alu op, 2",
5206 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5208 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5209 BPF_LD_MAP_FD(BPF_REG_1, 0),
5210 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5211 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5212 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5213 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5216 .fixup_map2 = { 3 },
5217 .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited",
5218 .errstr = "invalid mem access 'inv'",
5220 .result_unpriv = REJECT,
5223 "map element value illegal alu op, 3",
5225 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5226 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5227 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5228 BPF_LD_MAP_FD(BPF_REG_1, 0),
5229 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5230 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5231 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5232 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5235 .fixup_map2 = { 3 },
5236 .errstr_unpriv = "R0 pointer arithmetic with /= operator",
5237 .errstr = "invalid mem access 'inv'",
5239 .result_unpriv = REJECT,
5242 "map element value illegal alu op, 4",
5244 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5245 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5246 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5247 BPF_LD_MAP_FD(BPF_REG_1, 0),
5248 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5249 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5250 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5251 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5254 .fixup_map2 = { 3 },
5255 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5256 .errstr = "invalid mem access 'inv'",
5258 .result_unpriv = REJECT,
5261 "map element value illegal alu op, 5",
5263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5265 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5266 BPF_LD_MAP_FD(BPF_REG_1, 0),
5267 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5268 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5269 BPF_MOV64_IMM(BPF_REG_3, 4096),
5270 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5271 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5272 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5273 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5274 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5275 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5278 .fixup_map2 = { 3 },
5279 .errstr = "R0 invalid mem access 'inv'",
5283 "map element value is preserved across register spilling",
5285 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5286 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5287 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5288 BPF_LD_MAP_FD(BPF_REG_1, 0),
5289 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5290 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5292 offsetof(struct test_val, foo)),
5293 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5294 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5295 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5296 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5297 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5298 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5301 .fixup_map2 = { 3 },
5302 .errstr_unpriv = "R0 leaks addr",
5304 .result_unpriv = REJECT,
5305 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5308 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5312 BPF_MOV64_IMM(BPF_REG_0, 0),
5313 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5314 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5315 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5316 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5317 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5318 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5319 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5320 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5321 BPF_MOV64_IMM(BPF_REG_2, 16),
5322 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5323 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5324 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5325 BPF_MOV64_IMM(BPF_REG_4, 0),
5326 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5327 BPF_MOV64_IMM(BPF_REG_3, 0),
5328 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5329 BPF_MOV64_IMM(BPF_REG_0, 0),
5333 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5336 "helper access to variable memory: stack, bitwise AND, zero included",
5338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5340 BPF_MOV64_IMM(BPF_REG_2, 16),
5341 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5342 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5343 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5344 BPF_MOV64_IMM(BPF_REG_3, 0),
5345 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5348 .errstr = "invalid indirect read from stack off -64+0 size 64",
5350 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5353 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5357 BPF_MOV64_IMM(BPF_REG_2, 16),
5358 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5359 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5360 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5361 BPF_MOV64_IMM(BPF_REG_4, 0),
5362 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5363 BPF_MOV64_IMM(BPF_REG_3, 0),
5364 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5365 BPF_MOV64_IMM(BPF_REG_0, 0),
5368 .errstr = "invalid stack type R1 off=-64 access_size=65",
5370 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5373 "helper access to variable memory: stack, JMP, correct bounds",
5375 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5376 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5377 BPF_MOV64_IMM(BPF_REG_0, 0),
5378 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5379 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5380 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5381 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5382 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5383 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5384 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5385 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5386 BPF_MOV64_IMM(BPF_REG_2, 16),
5387 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5388 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5389 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5390 BPF_MOV64_IMM(BPF_REG_4, 0),
5391 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5392 BPF_MOV64_IMM(BPF_REG_3, 0),
5393 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5394 BPF_MOV64_IMM(BPF_REG_0, 0),
5398 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5401 "helper access to variable memory: stack, JMP (signed), correct bounds",
5403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5405 BPF_MOV64_IMM(BPF_REG_0, 0),
5406 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5407 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5408 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5409 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5410 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5411 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5413 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5414 BPF_MOV64_IMM(BPF_REG_2, 16),
5415 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5416 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5417 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5418 BPF_MOV64_IMM(BPF_REG_4, 0),
5419 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5420 BPF_MOV64_IMM(BPF_REG_3, 0),
5421 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5422 BPF_MOV64_IMM(BPF_REG_0, 0),
5426 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5429 "helper access to variable memory: stack, JMP, bounds + offset",
5431 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5432 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5433 BPF_MOV64_IMM(BPF_REG_2, 16),
5434 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5435 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5436 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5437 BPF_MOV64_IMM(BPF_REG_4, 0),
5438 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5440 BPF_MOV64_IMM(BPF_REG_3, 0),
5441 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5442 BPF_MOV64_IMM(BPF_REG_0, 0),
5445 .errstr = "invalid stack type R1 off=-64 access_size=65",
5447 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5450 "helper access to variable memory: stack, JMP, wrong max",
5452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5454 BPF_MOV64_IMM(BPF_REG_2, 16),
5455 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5456 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5457 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5458 BPF_MOV64_IMM(BPF_REG_4, 0),
5459 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5460 BPF_MOV64_IMM(BPF_REG_3, 0),
5461 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5462 BPF_MOV64_IMM(BPF_REG_0, 0),
5465 .errstr = "invalid stack type R1 off=-64 access_size=65",
5467 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5470 "helper access to variable memory: stack, JMP, no max check",
5472 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5474 BPF_MOV64_IMM(BPF_REG_2, 16),
5475 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5476 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5477 BPF_MOV64_IMM(BPF_REG_4, 0),
5478 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5479 BPF_MOV64_IMM(BPF_REG_3, 0),
5480 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5481 BPF_MOV64_IMM(BPF_REG_0, 0),
5484 /* because max wasn't checked, signed min is negative */
5485 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
5487 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5490 "helper access to variable memory: stack, JMP, no min check",
5492 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5493 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5494 BPF_MOV64_IMM(BPF_REG_2, 16),
5495 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5496 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5497 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5498 BPF_MOV64_IMM(BPF_REG_3, 0),
5499 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5500 BPF_MOV64_IMM(BPF_REG_0, 0),
5503 .errstr = "invalid indirect read from stack off -64+0 size 64",
5505 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5508 "helper access to variable memory: stack, JMP (signed), no min check",
5510 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5511 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5512 BPF_MOV64_IMM(BPF_REG_2, 16),
5513 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5514 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5515 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5516 BPF_MOV64_IMM(BPF_REG_3, 0),
5517 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5518 BPF_MOV64_IMM(BPF_REG_0, 0),
5521 .errstr = "R2 min value is negative",
5523 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5526 "helper access to variable memory: map, JMP, correct bounds",
5528 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5529 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5530 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5531 BPF_LD_MAP_FD(BPF_REG_1, 0),
5532 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5533 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5534 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5535 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5536 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5537 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5538 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5539 sizeof(struct test_val), 4),
5540 BPF_MOV64_IMM(BPF_REG_4, 0),
5541 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5542 BPF_MOV64_IMM(BPF_REG_3, 0),
5543 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5544 BPF_MOV64_IMM(BPF_REG_0, 0),
5547 .fixup_map2 = { 3 },
5549 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5552 "helper access to variable memory: map, JMP, wrong max",
5554 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5555 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5556 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5557 BPF_LD_MAP_FD(BPF_REG_1, 0),
5558 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5559 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5560 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5561 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5562 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5563 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5564 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5565 sizeof(struct test_val) + 1, 4),
5566 BPF_MOV64_IMM(BPF_REG_4, 0),
5567 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5568 BPF_MOV64_IMM(BPF_REG_3, 0),
5569 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5570 BPF_MOV64_IMM(BPF_REG_0, 0),
5573 .fixup_map2 = { 3 },
5574 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5576 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5579 "helper access to variable memory: map adjusted, JMP, correct bounds",
5581 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5582 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5583 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5584 BPF_LD_MAP_FD(BPF_REG_1, 0),
5585 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5589 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5590 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5591 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5592 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5593 sizeof(struct test_val) - 20, 4),
5594 BPF_MOV64_IMM(BPF_REG_4, 0),
5595 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5596 BPF_MOV64_IMM(BPF_REG_3, 0),
5597 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5598 BPF_MOV64_IMM(BPF_REG_0, 0),
5601 .fixup_map2 = { 3 },
5603 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5606 "helper access to variable memory: map adjusted, JMP, wrong max",
5608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5610 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5611 BPF_LD_MAP_FD(BPF_REG_1, 0),
5612 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5616 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5617 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5618 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5619 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5620 sizeof(struct test_val) - 19, 4),
5621 BPF_MOV64_IMM(BPF_REG_4, 0),
5622 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5623 BPF_MOV64_IMM(BPF_REG_3, 0),
5624 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5625 BPF_MOV64_IMM(BPF_REG_0, 0),
5628 .fixup_map2 = { 3 },
5629 .errstr = "R1 min value is outside of the array range",
5631 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5634 "helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5636 BPF_MOV64_IMM(BPF_REG_1, 0),
5637 BPF_MOV64_IMM(BPF_REG_2, 0),
5638 BPF_MOV64_IMM(BPF_REG_3, 0),
5639 BPF_MOV64_IMM(BPF_REG_4, 0),
5640 BPF_MOV64_IMM(BPF_REG_5, 0),
5641 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5645 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5648 "helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5650 BPF_MOV64_IMM(BPF_REG_1, 0),
5651 BPF_MOV64_IMM(BPF_REG_2, 0),
5652 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5653 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5654 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5655 BPF_MOV64_IMM(BPF_REG_3, 0),
5656 BPF_MOV64_IMM(BPF_REG_4, 0),
5657 BPF_MOV64_IMM(BPF_REG_5, 0),
5658 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5661 .errstr = "R1 type=inv expected=fp",
5663 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5666 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5668 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5669 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5670 BPF_MOV64_IMM(BPF_REG_2, 0),
5671 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5672 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5673 BPF_MOV64_IMM(BPF_REG_3, 0),
5674 BPF_MOV64_IMM(BPF_REG_4, 0),
5675 BPF_MOV64_IMM(BPF_REG_5, 0),
5676 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5680 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5683 "helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5685 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5686 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5688 BPF_LD_MAP_FD(BPF_REG_1, 0),
5689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5690 BPF_FUNC_map_lookup_elem),
5691 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5693 BPF_MOV64_IMM(BPF_REG_2, 0),
5694 BPF_MOV64_IMM(BPF_REG_3, 0),
5695 BPF_MOV64_IMM(BPF_REG_4, 0),
5696 BPF_MOV64_IMM(BPF_REG_5, 0),
5697 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5700 .fixup_map1 = { 3 },
5702 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5705 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5707 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5708 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5709 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5710 BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5712 BPF_FUNC_map_lookup_elem),
5713 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5714 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5715 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
5716 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5718 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5719 BPF_MOV64_IMM(BPF_REG_3, 0),
5720 BPF_MOV64_IMM(BPF_REG_4, 0),
5721 BPF_MOV64_IMM(BPF_REG_5, 0),
5722 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5725 .fixup_map1 = { 3 },
5727 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5730 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5732 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5733 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5737 BPF_FUNC_map_lookup_elem),
5738 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5740 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5741 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5742 BPF_MOV64_IMM(BPF_REG_3, 0),
5743 BPF_MOV64_IMM(BPF_REG_4, 0),
5744 BPF_MOV64_IMM(BPF_REG_5, 0),
5745 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5748 .fixup_map1 = { 3 },
5750 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5753 "helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
5755 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5756 offsetof(struct __sk_buff, data)),
5757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5758 offsetof(struct __sk_buff, data_end)),
5759 BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
5760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5761 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
5762 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5763 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
5764 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5765 BPF_MOV64_IMM(BPF_REG_3, 0),
5766 BPF_MOV64_IMM(BPF_REG_4, 0),
5767 BPF_MOV64_IMM(BPF_REG_5, 0),
5768 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5772 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5775 "helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5777 BPF_MOV64_IMM(BPF_REG_1, 0),
5778 BPF_MOV64_IMM(BPF_REG_2, 0),
5779 BPF_MOV64_IMM(BPF_REG_3, 0),
5780 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5783 .errstr = "R1 type=inv expected=fp",
5785 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5788 "helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5790 BPF_MOV64_IMM(BPF_REG_1, 0),
5791 BPF_MOV64_IMM(BPF_REG_2, 1),
5792 BPF_MOV64_IMM(BPF_REG_3, 0),
5793 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5796 .errstr = "R1 type=inv expected=fp",
5798 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5801 "helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5803 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5804 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5805 BPF_MOV64_IMM(BPF_REG_2, 0),
5806 BPF_MOV64_IMM(BPF_REG_3, 0),
5807 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5811 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5814 "helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5819 BPF_LD_MAP_FD(BPF_REG_1, 0),
5820 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5822 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5823 BPF_MOV64_IMM(BPF_REG_2, 0),
5824 BPF_MOV64_IMM(BPF_REG_3, 0),
5825 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5828 .fixup_map1 = { 3 },
5830 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5833 "helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5835 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5836 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5837 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5838 BPF_LD_MAP_FD(BPF_REG_1, 0),
5839 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5841 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5842 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5843 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5845 BPF_MOV64_IMM(BPF_REG_3, 0),
5846 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5849 .fixup_map1 = { 3 },
5851 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5854 "helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5856 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5859 BPF_LD_MAP_FD(BPF_REG_1, 0),
5860 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5861 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5862 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5863 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5864 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
5865 BPF_MOV64_IMM(BPF_REG_3, 0),
5866 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5869 .fixup_map1 = { 3 },
5871 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5874 "helper access to variable memory: 8 bytes leak",
5876 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5877 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5878 BPF_MOV64_IMM(BPF_REG_0, 0),
5879 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5880 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5881 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5882 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5883 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5884 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5885 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5886 BPF_MOV64_IMM(BPF_REG_2, 0),
5887 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5888 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5889 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5891 BPF_MOV64_IMM(BPF_REG_3, 0),
5892 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5893 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5896 .errstr = "invalid indirect read from stack off -64+32 size 64",
5898 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5901 "helper access to variable memory: 8 bytes no leak (init memory)",
5903 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5904 BPF_MOV64_IMM(BPF_REG_0, 0),
5905 BPF_MOV64_IMM(BPF_REG_0, 0),
5906 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5907 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5908 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5910 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5911 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5912 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5913 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5914 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5915 BPF_MOV64_IMM(BPF_REG_2, 0),
5916 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5917 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5918 BPF_MOV64_IMM(BPF_REG_3, 0),
5919 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5920 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5924 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5927 "invalid and of negative number",
5929 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5930 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5931 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5932 BPF_LD_MAP_FD(BPF_REG_1, 0),
5933 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5934 BPF_FUNC_map_lookup_elem),
5935 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5936 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
5937 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5938 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5939 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5940 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5941 offsetof(struct test_val, foo)),
5944 .fixup_map2 = { 3 },
5945 .errstr = "R0 max value is outside of the array range",
5947 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5950 "invalid range check",
5952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5953 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5954 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5955 BPF_LD_MAP_FD(BPF_REG_1, 0),
5956 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5957 BPF_FUNC_map_lookup_elem),
5958 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5959 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5960 BPF_MOV64_IMM(BPF_REG_9, 1),
5961 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5962 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5963 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5964 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5965 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5966 BPF_MOV32_IMM(BPF_REG_3, 1),
5967 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5968 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5969 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5970 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5971 BPF_MOV64_REG(BPF_REG_0, 0),
5974 .fixup_map2 = { 3 },
5975 .errstr = "R0 max value is outside of the array range",
5977 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5980 "map in map access",
5982 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5983 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5984 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5985 BPF_LD_MAP_FD(BPF_REG_1, 0),
5986 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5987 BPF_FUNC_map_lookup_elem),
5988 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5989 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5990 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5991 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5992 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5993 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5994 BPF_FUNC_map_lookup_elem),
5995 BPF_MOV64_REG(BPF_REG_0, 0),
5998 .fixup_map_in_map = { 3 },
6002 "invalid inner map pointer",
6004 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6007 BPF_LD_MAP_FD(BPF_REG_1, 0),
6008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6009 BPF_FUNC_map_lookup_elem),
6010 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6011 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6012 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6014 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6016 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6017 BPF_FUNC_map_lookup_elem),
6018 BPF_MOV64_REG(BPF_REG_0, 0),
6021 .fixup_map_in_map = { 3 },
6022 .errstr = "R1 type=inv expected=map_ptr",
6023 .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6027 "forgot null checking on the inner map pointer",
6029 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6030 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6031 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6032 BPF_LD_MAP_FD(BPF_REG_1, 0),
6033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6034 BPF_FUNC_map_lookup_elem),
6035 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6036 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6037 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6038 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6039 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6040 BPF_FUNC_map_lookup_elem),
6041 BPF_MOV64_REG(BPF_REG_0, 0),
6044 .fixup_map_in_map = { 3 },
6045 .errstr = "R1 type=map_value_or_null expected=map_ptr",
6049 "ld_abs: check calling conv, r1",
6051 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6052 BPF_MOV64_IMM(BPF_REG_1, 0),
6053 BPF_LD_ABS(BPF_W, -0x200000),
6054 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6057 .errstr = "R1 !read_ok",
6061 "ld_abs: check calling conv, r2",
6063 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6064 BPF_MOV64_IMM(BPF_REG_2, 0),
6065 BPF_LD_ABS(BPF_W, -0x200000),
6066 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6069 .errstr = "R2 !read_ok",
6073 "ld_abs: check calling conv, r3",
6075 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6076 BPF_MOV64_IMM(BPF_REG_3, 0),
6077 BPF_LD_ABS(BPF_W, -0x200000),
6078 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6081 .errstr = "R3 !read_ok",
6085 "ld_abs: check calling conv, r4",
6087 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6088 BPF_MOV64_IMM(BPF_REG_4, 0),
6089 BPF_LD_ABS(BPF_W, -0x200000),
6090 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6093 .errstr = "R4 !read_ok",
6097 "ld_abs: check calling conv, r5",
6099 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6100 BPF_MOV64_IMM(BPF_REG_5, 0),
6101 BPF_LD_ABS(BPF_W, -0x200000),
6102 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6105 .errstr = "R5 !read_ok",
6109 "ld_abs: check calling conv, r7",
6111 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6112 BPF_MOV64_IMM(BPF_REG_7, 0),
6113 BPF_LD_ABS(BPF_W, -0x200000),
6114 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6120 "ld_ind: check calling conv, r1",
6122 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6123 BPF_MOV64_IMM(BPF_REG_1, 1),
6124 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6128 .errstr = "R1 !read_ok",
6132 "ld_ind: check calling conv, r2",
6134 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6135 BPF_MOV64_IMM(BPF_REG_2, 1),
6136 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6137 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6140 .errstr = "R2 !read_ok",
6144 "ld_ind: check calling conv, r3",
6146 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6147 BPF_MOV64_IMM(BPF_REG_3, 1),
6148 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6149 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6152 .errstr = "R3 !read_ok",
6156 "ld_ind: check calling conv, r4",
6158 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6159 BPF_MOV64_IMM(BPF_REG_4, 1),
6160 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6161 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6164 .errstr = "R4 !read_ok",
6168 "ld_ind: check calling conv, r5",
6170 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6171 BPF_MOV64_IMM(BPF_REG_5, 1),
6172 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6173 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6176 .errstr = "R5 !read_ok",
6180 "ld_ind: check calling conv, r7",
6182 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6183 BPF_MOV64_IMM(BPF_REG_7, 1),
6184 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6185 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6191 "check bpf_perf_event_data->sample_period byte load permitted",
6193 BPF_MOV64_IMM(BPF_REG_0, 0),
6194 #if __BYTE_ORDER == __LITTLE_ENDIAN
6195 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6196 offsetof(struct bpf_perf_event_data, sample_period)),
6198 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6199 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6204 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6207 "check bpf_perf_event_data->sample_period half load permitted",
6209 BPF_MOV64_IMM(BPF_REG_0, 0),
6210 #if __BYTE_ORDER == __LITTLE_ENDIAN
6211 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6212 offsetof(struct bpf_perf_event_data, sample_period)),
6214 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6215 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6220 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6223 "check bpf_perf_event_data->sample_period word load permitted",
6225 BPF_MOV64_IMM(BPF_REG_0, 0),
6226 #if __BYTE_ORDER == __LITTLE_ENDIAN
6227 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6228 offsetof(struct bpf_perf_event_data, sample_period)),
6230 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6231 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6236 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6239 "check bpf_perf_event_data->sample_period dword load permitted",
6241 BPF_MOV64_IMM(BPF_REG_0, 0),
6242 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6243 offsetof(struct bpf_perf_event_data, sample_period)),
6247 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6250 "check skb->data half load not permitted",
6252 BPF_MOV64_IMM(BPF_REG_0, 0),
6253 #if __BYTE_ORDER == __LITTLE_ENDIAN
6254 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6255 offsetof(struct __sk_buff, data)),
6257 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6258 offsetof(struct __sk_buff, data) + 2),
6263 .errstr = "invalid bpf_context access",
6266 "check skb->tc_classid half load not permitted for lwt prog",
6268 BPF_MOV64_IMM(BPF_REG_0, 0),
6269 #if __BYTE_ORDER == __LITTLE_ENDIAN
6270 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6271 offsetof(struct __sk_buff, tc_classid)),
6273 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6274 offsetof(struct __sk_buff, tc_classid) + 2),
6279 .errstr = "invalid bpf_context access",
6280 .prog_type = BPF_PROG_TYPE_LWT_IN,
6283 "bounds checks mixing signed and unsigned, positive bounds",
6285 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6286 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6287 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6288 BPF_LD_MAP_FD(BPF_REG_1, 0),
6289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6290 BPF_FUNC_map_lookup_elem),
6291 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6292 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6293 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6294 BPF_MOV64_IMM(BPF_REG_2, 2),
6295 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6296 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6297 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6298 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6299 BPF_MOV64_IMM(BPF_REG_0, 0),
6302 .fixup_map1 = { 3 },
6303 .errstr = "R0 min value is negative",
6307 "bounds checks mixing signed and unsigned",
6309 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6312 BPF_LD_MAP_FD(BPF_REG_1, 0),
6313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6314 BPF_FUNC_map_lookup_elem),
6315 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6316 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6317 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6318 BPF_MOV64_IMM(BPF_REG_2, -1),
6319 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6320 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6321 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6322 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6323 BPF_MOV64_IMM(BPF_REG_0, 0),
6326 .fixup_map1 = { 3 },
6327 .errstr = "R0 min value is negative",
6331 "bounds checks mixing signed and unsigned, variant 2",
6333 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6334 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6336 BPF_LD_MAP_FD(BPF_REG_1, 0),
6337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6338 BPF_FUNC_map_lookup_elem),
6339 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6340 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6341 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6342 BPF_MOV64_IMM(BPF_REG_2, -1),
6343 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6344 BPF_MOV64_IMM(BPF_REG_8, 0),
6345 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6346 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6347 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6348 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6349 BPF_MOV64_IMM(BPF_REG_0, 0),
6352 .fixup_map1 = { 3 },
6353 .errstr = "R8 invalid mem access 'inv'",
6357 "bounds checks mixing signed and unsigned, variant 3",
6359 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6360 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6362 BPF_LD_MAP_FD(BPF_REG_1, 0),
6363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6364 BPF_FUNC_map_lookup_elem),
6365 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6366 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6367 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6368 BPF_MOV64_IMM(BPF_REG_2, -1),
6369 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6370 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6371 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6372 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6373 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6374 BPF_MOV64_IMM(BPF_REG_0, 0),
6377 .fixup_map1 = { 3 },
6378 .errstr = "R8 invalid mem access 'inv'",
6382 "bounds checks mixing signed and unsigned, variant 4",
6384 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6387 BPF_LD_MAP_FD(BPF_REG_1, 0),
6388 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6389 BPF_FUNC_map_lookup_elem),
6390 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6391 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6392 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6393 BPF_MOV64_IMM(BPF_REG_2, 1),
6394 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6395 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6396 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6397 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6398 BPF_MOV64_IMM(BPF_REG_0, 0),
6401 .fixup_map1 = { 3 },
6405 "bounds checks mixing signed and unsigned, variant 5",
6407 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6410 BPF_LD_MAP_FD(BPF_REG_1, 0),
6411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6412 BPF_FUNC_map_lookup_elem),
6413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6414 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6415 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6416 BPF_MOV64_IMM(BPF_REG_2, -1),
6417 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6418 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6420 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6421 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6422 BPF_MOV64_IMM(BPF_REG_0, 0),
6425 .fixup_map1 = { 3 },
6426 .errstr = "R0 min value is negative",
6430 "bounds checks mixing signed and unsigned, variant 6",
6432 BPF_MOV64_IMM(BPF_REG_2, 0),
6433 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6435 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6436 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6437 BPF_MOV64_IMM(BPF_REG_6, -1),
6438 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6439 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6441 BPF_MOV64_IMM(BPF_REG_5, 0),
6442 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6443 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6444 BPF_FUNC_skb_load_bytes),
6445 BPF_MOV64_IMM(BPF_REG_0, 0),
6448 .errstr = "R4 min value is negative, either use unsigned",
6452 "bounds checks mixing signed and unsigned, variant 7",
6454 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6455 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6457 BPF_LD_MAP_FD(BPF_REG_1, 0),
6458 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6459 BPF_FUNC_map_lookup_elem),
6460 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6461 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6462 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6463 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6464 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6465 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6466 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6467 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6468 BPF_MOV64_IMM(BPF_REG_0, 0),
6471 .fixup_map1 = { 3 },
6475 "bounds checks mixing signed and unsigned, variant 8",
6477 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6478 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6480 BPF_LD_MAP_FD(BPF_REG_1, 0),
6481 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6482 BPF_FUNC_map_lookup_elem),
6483 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6484 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6485 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6486 BPF_MOV64_IMM(BPF_REG_2, -1),
6487 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6488 BPF_MOV64_IMM(BPF_REG_0, 0),
6490 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6491 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6492 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6493 BPF_MOV64_IMM(BPF_REG_0, 0),
6496 .fixup_map1 = { 3 },
6497 .errstr = "R0 min value is negative",
6501 "bounds checks mixing signed and unsigned, variant 9",
6503 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6504 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6505 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6506 BPF_LD_MAP_FD(BPF_REG_1, 0),
6507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6508 BPF_FUNC_map_lookup_elem),
6509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6510 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6511 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6512 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6513 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6514 BPF_MOV64_IMM(BPF_REG_0, 0),
6516 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6517 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6518 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6519 BPF_MOV64_IMM(BPF_REG_0, 0),
6522 .fixup_map1 = { 3 },
6526 "bounds checks mixing signed and unsigned, variant 10",
6528 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6529 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6530 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6531 BPF_LD_MAP_FD(BPF_REG_1, 0),
6532 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6533 BPF_FUNC_map_lookup_elem),
6534 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6535 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6536 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6537 BPF_MOV64_IMM(BPF_REG_2, 0),
6538 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6539 BPF_MOV64_IMM(BPF_REG_0, 0),
6541 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6542 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6543 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6544 BPF_MOV64_IMM(BPF_REG_0, 0),
6547 .fixup_map1 = { 3 },
6548 .errstr = "R0 min value is negative",
6552 "bounds checks mixing signed and unsigned, variant 11",
6554 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6557 BPF_LD_MAP_FD(BPF_REG_1, 0),
6558 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6559 BPF_FUNC_map_lookup_elem),
6560 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6561 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6562 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6563 BPF_MOV64_IMM(BPF_REG_2, -1),
6564 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6566 BPF_MOV64_IMM(BPF_REG_0, 0),
6568 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6569 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6570 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6571 BPF_MOV64_IMM(BPF_REG_0, 0),
6574 .fixup_map1 = { 3 },
6575 .errstr = "R0 min value is negative",
6579 "bounds checks mixing signed and unsigned, variant 12",
6581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6582 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6583 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6584 BPF_LD_MAP_FD(BPF_REG_1, 0),
6585 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6586 BPF_FUNC_map_lookup_elem),
6587 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6588 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6589 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6590 BPF_MOV64_IMM(BPF_REG_2, -6),
6591 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6592 BPF_MOV64_IMM(BPF_REG_0, 0),
6594 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6595 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6596 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6597 BPF_MOV64_IMM(BPF_REG_0, 0),
6600 .fixup_map1 = { 3 },
6601 .errstr = "R0 min value is negative",
6605 "bounds checks mixing signed and unsigned, variant 13",
6607 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6608 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6610 BPF_LD_MAP_FD(BPF_REG_1, 0),
6611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6612 BPF_FUNC_map_lookup_elem),
6613 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6614 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6615 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6616 BPF_MOV64_IMM(BPF_REG_2, 2),
6617 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6618 BPF_MOV64_IMM(BPF_REG_7, 1),
6619 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6620 BPF_MOV64_IMM(BPF_REG_0, 0),
6622 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6623 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6624 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6625 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6626 BPF_MOV64_IMM(BPF_REG_0, 0),
6629 .fixup_map1 = { 3 },
6630 .errstr = "R0 min value is negative",
6634 "bounds checks mixing signed and unsigned, variant 14",
6636 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6637 offsetof(struct __sk_buff, mark)),
6638 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6639 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6641 BPF_LD_MAP_FD(BPF_REG_1, 0),
6642 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6643 BPF_FUNC_map_lookup_elem),
6644 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6645 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6646 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6647 BPF_MOV64_IMM(BPF_REG_2, -1),
6648 BPF_MOV64_IMM(BPF_REG_8, 2),
6649 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6650 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6651 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6652 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6653 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6654 BPF_MOV64_IMM(BPF_REG_0, 0),
6656 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
6657 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
6659 .fixup_map1 = { 4 },
6660 .errstr = "R0 min value is negative",
6664 "bounds checks mixing signed and unsigned, variant 15",
6666 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6667 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6669 BPF_LD_MAP_FD(BPF_REG_1, 0),
6670 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6671 BPF_FUNC_map_lookup_elem),
6672 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6673 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6674 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6675 BPF_MOV64_IMM(BPF_REG_2, -6),
6676 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6677 BPF_MOV64_IMM(BPF_REG_0, 0),
6679 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6680 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
6681 BPF_MOV64_IMM(BPF_REG_0, 0),
6683 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6684 BPF_MOV64_IMM(BPF_REG_0, 0),
6687 .fixup_map1 = { 3 },
6688 .errstr_unpriv = "R0 pointer comparison prohibited",
6689 .errstr = "R0 min value is negative",
6691 .result_unpriv = REJECT,
6694 "subtraction bounds (map value) variant 1",
6696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6699 BPF_LD_MAP_FD(BPF_REG_1, 0),
6700 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6701 BPF_FUNC_map_lookup_elem),
6702 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6703 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6704 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
6705 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6706 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
6707 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6708 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6709 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6710 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6712 BPF_MOV64_IMM(BPF_REG_0, 0),
6715 .fixup_map1 = { 3 },
6716 .errstr = "R0 max value is outside of the array range",
6720 "subtraction bounds (map value) variant 2",
6722 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6723 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6724 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6725 BPF_LD_MAP_FD(BPF_REG_1, 0),
6726 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6727 BPF_FUNC_map_lookup_elem),
6728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6729 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6730 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
6731 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6732 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
6733 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6734 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6735 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6737 BPF_MOV64_IMM(BPF_REG_0, 0),
6740 .fixup_map1 = { 3 },
6741 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6745 "variable-offset ctx access",
6747 /* Get an unknown value */
6748 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6749 /* Make it small and 4-byte aligned */
6750 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6751 /* add it to skb. We now have either &skb->len or
6752 * &skb->pkt_type, but we don't know which
6754 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
6755 /* dereference it */
6756 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
6759 .errstr = "variable ctx access var_off=(0x0; 0x4)",
6761 .prog_type = BPF_PROG_TYPE_LWT_IN,
6764 "variable-offset stack access",
6766 /* Fill the top 8 bytes of the stack */
6767 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6768 /* Get an unknown value */
6769 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6770 /* Make it small and 4-byte aligned */
6771 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6772 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
6773 /* add it to fp. We now have either fp-4 or fp-8, but
6774 * we don't know which
6776 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
6777 /* dereference it */
6778 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
6781 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
6783 .prog_type = BPF_PROG_TYPE_LWT_IN,
6786 "liveness pruning and write screening",
6788 /* Get an unknown value */
6789 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6790 /* branch conditions teach us nothing about R2 */
6791 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6792 BPF_MOV64_IMM(BPF_REG_0, 0),
6793 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6794 BPF_MOV64_IMM(BPF_REG_0, 0),
6797 .errstr = "R0 !read_ok",
6799 .prog_type = BPF_PROG_TYPE_LWT_IN,
6802 "varlen_map_value_access pruning",
6804 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6805 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6806 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6807 BPF_LD_MAP_FD(BPF_REG_1, 0),
6808 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6809 BPF_FUNC_map_lookup_elem),
6810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6811 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6812 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
6813 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
6814 BPF_MOV32_IMM(BPF_REG_1, 0),
6815 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
6816 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6817 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
6818 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6819 offsetof(struct test_val, foo)),
6822 .fixup_map2 = { 3 },
6823 .errstr_unpriv = "R0 leaks addr",
6824 .errstr = "R0 unbounded memory access",
6825 .result_unpriv = REJECT,
6827 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6830 "invalid 64-bit BPF_END",
6832 BPF_MOV32_IMM(BPF_REG_0, 0),
6834 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
6835 .dst_reg = BPF_REG_0,
6842 .errstr = "BPF_END uses reserved fields",
6846 "meta access, test1",
6848 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6849 offsetof(struct xdp_md, data_meta)),
6850 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6851 offsetof(struct xdp_md, data)),
6852 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6853 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6854 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6855 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6856 BPF_MOV64_IMM(BPF_REG_0, 0),
6860 .prog_type = BPF_PROG_TYPE_XDP,
6863 "meta access, test2",
6865 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6866 offsetof(struct xdp_md, data_meta)),
6867 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6868 offsetof(struct xdp_md, data)),
6869 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6870 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
6871 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6873 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6874 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6875 BPF_MOV64_IMM(BPF_REG_0, 0),
6879 .errstr = "invalid access to packet, off=-8",
6880 .prog_type = BPF_PROG_TYPE_XDP,
6883 "meta access, test3",
6885 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6886 offsetof(struct xdp_md, data_meta)),
6887 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6888 offsetof(struct xdp_md, data_end)),
6889 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6890 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6891 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6892 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6893 BPF_MOV64_IMM(BPF_REG_0, 0),
6897 .errstr = "invalid access to packet",
6898 .prog_type = BPF_PROG_TYPE_XDP,
6901 "meta access, test4",
6903 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6904 offsetof(struct xdp_md, data_meta)),
6905 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6906 offsetof(struct xdp_md, data_end)),
6907 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6908 offsetof(struct xdp_md, data)),
6909 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6911 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6912 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6913 BPF_MOV64_IMM(BPF_REG_0, 0),
6917 .errstr = "invalid access to packet",
6918 .prog_type = BPF_PROG_TYPE_XDP,
6921 "meta access, test5",
6923 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6924 offsetof(struct xdp_md, data_meta)),
6925 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6926 offsetof(struct xdp_md, data)),
6927 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6929 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
6930 BPF_MOV64_IMM(BPF_REG_2, -8),
6931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6932 BPF_FUNC_xdp_adjust_meta),
6933 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
6934 BPF_MOV64_IMM(BPF_REG_0, 0),
6938 .errstr = "R3 !read_ok",
6939 .prog_type = BPF_PROG_TYPE_XDP,
6942 "meta access, test6",
6944 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6945 offsetof(struct xdp_md, data_meta)),
6946 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6947 offsetof(struct xdp_md, data)),
6948 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6949 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6950 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6951 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6952 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
6953 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6954 BPF_MOV64_IMM(BPF_REG_0, 0),
6958 .errstr = "invalid access to packet",
6959 .prog_type = BPF_PROG_TYPE_XDP,
6962 "meta access, test7",
6964 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6965 offsetof(struct xdp_md, data_meta)),
6966 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6967 offsetof(struct xdp_md, data)),
6968 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6969 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6970 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6972 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6974 BPF_MOV64_IMM(BPF_REG_0, 0),
6978 .prog_type = BPF_PROG_TYPE_XDP,
6981 "meta access, test8",
6983 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6984 offsetof(struct xdp_md, data_meta)),
6985 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6986 offsetof(struct xdp_md, data)),
6987 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6988 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
6989 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6990 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6991 BPF_MOV64_IMM(BPF_REG_0, 0),
6995 .prog_type = BPF_PROG_TYPE_XDP,
6998 "meta access, test9",
7000 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7001 offsetof(struct xdp_md, data_meta)),
7002 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7003 offsetof(struct xdp_md, data)),
7004 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7005 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7006 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7007 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7008 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7009 BPF_MOV64_IMM(BPF_REG_0, 0),
7013 .errstr = "invalid access to packet",
7014 .prog_type = BPF_PROG_TYPE_XDP,
7017 "meta access, test10",
7019 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7020 offsetof(struct xdp_md, data_meta)),
7021 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7022 offsetof(struct xdp_md, data)),
7023 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7024 offsetof(struct xdp_md, data_end)),
7025 BPF_MOV64_IMM(BPF_REG_5, 42),
7026 BPF_MOV64_IMM(BPF_REG_6, 24),
7027 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7028 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7029 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7030 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7031 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
7032 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7033 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7034 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7035 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
7036 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
7037 BPF_MOV64_IMM(BPF_REG_0, 0),
7041 .errstr = "invalid access to packet",
7042 .prog_type = BPF_PROG_TYPE_XDP,
7045 "meta access, test11",
7047 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7048 offsetof(struct xdp_md, data_meta)),
7049 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7050 offsetof(struct xdp_md, data)),
7051 BPF_MOV64_IMM(BPF_REG_5, 42),
7052 BPF_MOV64_IMM(BPF_REG_6, 24),
7053 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7054 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7055 BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7056 BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7057 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
7058 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7059 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7060 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7061 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
7062 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
7063 BPF_MOV64_IMM(BPF_REG_0, 0),
7067 .prog_type = BPF_PROG_TYPE_XDP,
7070 "meta access, test12",
7072 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7073 offsetof(struct xdp_md, data_meta)),
7074 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7075 offsetof(struct xdp_md, data)),
7076 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7077 offsetof(struct xdp_md, data_end)),
7078 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7079 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7080 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
7081 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7082 BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7083 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7084 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
7085 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7086 BPF_MOV64_IMM(BPF_REG_0, 0),
7090 .prog_type = BPF_PROG_TYPE_XDP,
7093 "arithmetic ops make PTR_TO_CTX unusable",
7095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
7096 offsetof(struct __sk_buff, data) -
7097 offsetof(struct __sk_buff, mark)),
7098 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7099 offsetof(struct __sk_buff, mark)),
7102 .errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
7104 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7107 "XDP pkt read, pkt_end mangling, bad access 1",
7109 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7110 offsetof(struct xdp_md, data)),
7111 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7112 offsetof(struct xdp_md, data_end)),
7113 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7114 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7115 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
7116 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7117 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7118 BPF_MOV64_IMM(BPF_REG_0, 0),
7121 .errstr = "R1 offset is outside of the packet",
7123 .prog_type = BPF_PROG_TYPE_XDP,
7126 "XDP pkt read, pkt_end mangling, bad access 2",
7128 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7129 offsetof(struct xdp_md, data)),
7130 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7131 offsetof(struct xdp_md, data_end)),
7132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7134 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
7135 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7136 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7137 BPF_MOV64_IMM(BPF_REG_0, 0),
7140 .errstr = "R1 offset is outside of the packet",
7142 .prog_type = BPF_PROG_TYPE_XDP,
7145 "XDP pkt read, pkt_data' > pkt_end, good access",
7147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7148 offsetof(struct xdp_md, data)),
7149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7150 offsetof(struct xdp_md, data_end)),
7151 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7152 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7153 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7154 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7155 BPF_MOV64_IMM(BPF_REG_0, 0),
7159 .prog_type = BPF_PROG_TYPE_XDP,
7162 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
7164 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7165 offsetof(struct xdp_md, data)),
7166 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7167 offsetof(struct xdp_md, data_end)),
7168 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7169 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7170 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7171 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7172 BPF_MOV64_IMM(BPF_REG_0, 0),
7175 .errstr = "R1 offset is outside of the packet",
7177 .prog_type = BPF_PROG_TYPE_XDP,
7178 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7181 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
7183 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7184 offsetof(struct xdp_md, data)),
7185 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7186 offsetof(struct xdp_md, data_end)),
7187 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7188 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7189 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7190 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7191 BPF_MOV64_IMM(BPF_REG_0, 0),
7194 .errstr = "R1 offset is outside of the packet",
7196 .prog_type = BPF_PROG_TYPE_XDP,
7199 "XDP pkt read, pkt_end > pkt_data', good access",
7201 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7202 offsetof(struct xdp_md, data)),
7203 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7204 offsetof(struct xdp_md, data_end)),
7205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7207 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7208 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7209 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7210 BPF_MOV64_IMM(BPF_REG_0, 0),
7214 .prog_type = BPF_PROG_TYPE_XDP,
7215 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7218 "XDP pkt read, pkt_end > pkt_data', bad access 1",
7220 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7221 offsetof(struct xdp_md, data)),
7222 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7223 offsetof(struct xdp_md, data_end)),
7224 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7225 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7226 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7227 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7228 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7229 BPF_MOV64_IMM(BPF_REG_0, 0),
7232 .errstr = "R1 offset is outside of the packet",
7234 .prog_type = BPF_PROG_TYPE_XDP,
7237 "XDP pkt read, pkt_end > pkt_data', bad access 2",
7239 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7240 offsetof(struct xdp_md, data)),
7241 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7242 offsetof(struct xdp_md, data_end)),
7243 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7245 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7246 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7247 BPF_MOV64_IMM(BPF_REG_0, 0),
7250 .errstr = "R1 offset is outside of the packet",
7252 .prog_type = BPF_PROG_TYPE_XDP,
7255 "XDP pkt read, pkt_data' < pkt_end, good access",
7257 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7258 offsetof(struct xdp_md, data)),
7259 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7260 offsetof(struct xdp_md, data_end)),
7261 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7262 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7263 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7264 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7265 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7266 BPF_MOV64_IMM(BPF_REG_0, 0),
7270 .prog_type = BPF_PROG_TYPE_XDP,
7271 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7274 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
7276 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7277 offsetof(struct xdp_md, data)),
7278 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7279 offsetof(struct xdp_md, data_end)),
7280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7281 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7282 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7283 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7284 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7285 BPF_MOV64_IMM(BPF_REG_0, 0),
7288 .errstr = "R1 offset is outside of the packet",
7290 .prog_type = BPF_PROG_TYPE_XDP,
7293 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
7295 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7296 offsetof(struct xdp_md, data)),
7297 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7298 offsetof(struct xdp_md, data_end)),
7299 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7301 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7302 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7303 BPF_MOV64_IMM(BPF_REG_0, 0),
7306 .errstr = "R1 offset is outside of the packet",
7308 .prog_type = BPF_PROG_TYPE_XDP,
7311 "XDP pkt read, pkt_end < pkt_data', good access",
7313 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7314 offsetof(struct xdp_md, data)),
7315 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7316 offsetof(struct xdp_md, data_end)),
7317 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7318 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7319 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7320 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7321 BPF_MOV64_IMM(BPF_REG_0, 0),
7325 .prog_type = BPF_PROG_TYPE_XDP,
7328 "XDP pkt read, pkt_end < pkt_data', bad access 1",
7330 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7331 offsetof(struct xdp_md, data)),
7332 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7333 offsetof(struct xdp_md, data_end)),
7334 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7335 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7336 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7337 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7338 BPF_MOV64_IMM(BPF_REG_0, 0),
7341 .errstr = "R1 offset is outside of the packet",
7343 .prog_type = BPF_PROG_TYPE_XDP,
7344 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7347 "XDP pkt read, pkt_end < pkt_data', bad access 2",
7349 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7350 offsetof(struct xdp_md, data)),
7351 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7352 offsetof(struct xdp_md, data_end)),
7353 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7354 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7355 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7356 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7357 BPF_MOV64_IMM(BPF_REG_0, 0),
7360 .errstr = "R1 offset is outside of the packet",
7362 .prog_type = BPF_PROG_TYPE_XDP,
7365 "XDP pkt read, pkt_data' >= pkt_end, good access",
7367 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7368 offsetof(struct xdp_md, data)),
7369 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7370 offsetof(struct xdp_md, data_end)),
7371 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7372 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7373 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7374 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7375 BPF_MOV64_IMM(BPF_REG_0, 0),
7379 .prog_type = BPF_PROG_TYPE_XDP,
7380 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7383 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
7385 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7386 offsetof(struct xdp_md, data)),
7387 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7388 offsetof(struct xdp_md, data_end)),
7389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7391 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7392 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7393 BPF_MOV64_IMM(BPF_REG_0, 0),
7396 .errstr = "R1 offset is outside of the packet",
7398 .prog_type = BPF_PROG_TYPE_XDP,
7401 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
7403 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7404 offsetof(struct xdp_md, data)),
7405 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7406 offsetof(struct xdp_md, data_end)),
7407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7409 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7410 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7411 BPF_MOV64_IMM(BPF_REG_0, 0),
7414 .errstr = "R1 offset is outside of the packet",
7416 .prog_type = BPF_PROG_TYPE_XDP,
7417 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7420 "XDP pkt read, pkt_end >= pkt_data', good access",
7422 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7423 offsetof(struct xdp_md, data)),
7424 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7425 offsetof(struct xdp_md, data_end)),
7426 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7427 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7428 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7429 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7430 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7431 BPF_MOV64_IMM(BPF_REG_0, 0),
7435 .prog_type = BPF_PROG_TYPE_XDP,
7438 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
7440 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7441 offsetof(struct xdp_md, data)),
7442 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7443 offsetof(struct xdp_md, data_end)),
7444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7445 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7446 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7447 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7448 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7449 BPF_MOV64_IMM(BPF_REG_0, 0),
7452 .errstr = "R1 offset is outside of the packet",
7454 .prog_type = BPF_PROG_TYPE_XDP,
7455 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7458 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
7460 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7461 offsetof(struct xdp_md, data)),
7462 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7463 offsetof(struct xdp_md, data_end)),
7464 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7466 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7467 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7468 BPF_MOV64_IMM(BPF_REG_0, 0),
7471 .errstr = "R1 offset is outside of the packet",
7473 .prog_type = BPF_PROG_TYPE_XDP,
7476 "XDP pkt read, pkt_data' <= pkt_end, good access",
7478 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7479 offsetof(struct xdp_md, data)),
7480 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7481 offsetof(struct xdp_md, data_end)),
7482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7483 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7484 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7485 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7486 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7487 BPF_MOV64_IMM(BPF_REG_0, 0),
7491 .prog_type = BPF_PROG_TYPE_XDP,
7494 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
7496 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7497 offsetof(struct xdp_md, data)),
7498 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7499 offsetof(struct xdp_md, data_end)),
7500 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7501 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7502 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7503 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7504 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7505 BPF_MOV64_IMM(BPF_REG_0, 0),
7508 .errstr = "R1 offset is outside of the packet",
7510 .prog_type = BPF_PROG_TYPE_XDP,
7511 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7514 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
7516 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7517 offsetof(struct xdp_md, data)),
7518 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7519 offsetof(struct xdp_md, data_end)),
7520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7522 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7523 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7524 BPF_MOV64_IMM(BPF_REG_0, 0),
7527 .errstr = "R1 offset is outside of the packet",
7529 .prog_type = BPF_PROG_TYPE_XDP,
7532 "XDP pkt read, pkt_end <= pkt_data', good access",
7534 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7535 offsetof(struct xdp_md, data)),
7536 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7537 offsetof(struct xdp_md, data_end)),
7538 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7539 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7540 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7541 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7542 BPF_MOV64_IMM(BPF_REG_0, 0),
7546 .prog_type = BPF_PROG_TYPE_XDP,
7547 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7550 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
7552 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7553 offsetof(struct xdp_md, data)),
7554 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7555 offsetof(struct xdp_md, data_end)),
7556 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7557 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7558 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7559 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7560 BPF_MOV64_IMM(BPF_REG_0, 0),
7563 .errstr = "R1 offset is outside of the packet",
7565 .prog_type = BPF_PROG_TYPE_XDP,
7568 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
7570 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7571 offsetof(struct xdp_md, data)),
7572 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7573 offsetof(struct xdp_md, data_end)),
7574 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7576 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
7577 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7578 BPF_MOV64_IMM(BPF_REG_0, 0),
7581 .errstr = "R1 offset is outside of the packet",
7583 .prog_type = BPF_PROG_TYPE_XDP,
7584 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7587 "XDP pkt read, pkt_meta' > pkt_data, good access",
7589 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7590 offsetof(struct xdp_md, data_meta)),
7591 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7592 offsetof(struct xdp_md, data)),
7593 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7594 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7595 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7596 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7597 BPF_MOV64_IMM(BPF_REG_0, 0),
7601 .prog_type = BPF_PROG_TYPE_XDP,
7604 "XDP pkt read, pkt_meta' > pkt_data, bad access 1",
7606 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7607 offsetof(struct xdp_md, data_meta)),
7608 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7609 offsetof(struct xdp_md, data)),
7610 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7611 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7612 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7613 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7614 BPF_MOV64_IMM(BPF_REG_0, 0),
7617 .errstr = "R1 offset is outside of the packet",
7619 .prog_type = BPF_PROG_TYPE_XDP,
7620 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7623 "XDP pkt read, pkt_meta' > pkt_data, bad access 2",
7625 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7626 offsetof(struct xdp_md, data_meta)),
7627 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7628 offsetof(struct xdp_md, data)),
7629 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7630 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7631 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7632 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7633 BPF_MOV64_IMM(BPF_REG_0, 0),
7636 .errstr = "R1 offset is outside of the packet",
7638 .prog_type = BPF_PROG_TYPE_XDP,
7641 "XDP pkt read, pkt_data > pkt_meta', good access",
7643 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7644 offsetof(struct xdp_md, data_meta)),
7645 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7646 offsetof(struct xdp_md, data)),
7647 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7648 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7649 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7650 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7651 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7652 BPF_MOV64_IMM(BPF_REG_0, 0),
7656 .prog_type = BPF_PROG_TYPE_XDP,
7657 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7660 "XDP pkt read, pkt_data > pkt_meta', bad access 1",
7662 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7663 offsetof(struct xdp_md, data_meta)),
7664 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7665 offsetof(struct xdp_md, data)),
7666 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7668 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7669 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7670 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7671 BPF_MOV64_IMM(BPF_REG_0, 0),
7674 .errstr = "R1 offset is outside of the packet",
7676 .prog_type = BPF_PROG_TYPE_XDP,
7679 "XDP pkt read, pkt_data > pkt_meta', bad access 2",
7681 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7682 offsetof(struct xdp_md, data_meta)),
7683 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7684 offsetof(struct xdp_md, data)),
7685 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7687 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7688 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7689 BPF_MOV64_IMM(BPF_REG_0, 0),
7692 .errstr = "R1 offset is outside of the packet",
7694 .prog_type = BPF_PROG_TYPE_XDP,
7697 "XDP pkt read, pkt_meta' < pkt_data, good access",
7699 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7700 offsetof(struct xdp_md, data_meta)),
7701 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7702 offsetof(struct xdp_md, data)),
7703 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7704 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7705 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7706 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7707 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7708 BPF_MOV64_IMM(BPF_REG_0, 0),
7712 .prog_type = BPF_PROG_TYPE_XDP,
7713 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7716 "XDP pkt read, pkt_meta' < pkt_data, bad access 1",
7718 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7719 offsetof(struct xdp_md, data_meta)),
7720 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7721 offsetof(struct xdp_md, data)),
7722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7724 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7725 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7726 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7727 BPF_MOV64_IMM(BPF_REG_0, 0),
7730 .errstr = "R1 offset is outside of the packet",
7732 .prog_type = BPF_PROG_TYPE_XDP,
7735 "XDP pkt read, pkt_meta' < pkt_data, bad access 2",
7737 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7738 offsetof(struct xdp_md, data_meta)),
7739 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7740 offsetof(struct xdp_md, data)),
7741 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7743 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7744 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7745 BPF_MOV64_IMM(BPF_REG_0, 0),
7748 .errstr = "R1 offset is outside of the packet",
7750 .prog_type = BPF_PROG_TYPE_XDP,
7753 "XDP pkt read, pkt_data < pkt_meta', good access",
7755 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7756 offsetof(struct xdp_md, data_meta)),
7757 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7758 offsetof(struct xdp_md, data)),
7759 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7761 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7762 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7763 BPF_MOV64_IMM(BPF_REG_0, 0),
7767 .prog_type = BPF_PROG_TYPE_XDP,
7770 "XDP pkt read, pkt_data < pkt_meta', bad access 1",
7772 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7773 offsetof(struct xdp_md, data_meta)),
7774 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7775 offsetof(struct xdp_md, data)),
7776 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7777 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7778 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7779 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7780 BPF_MOV64_IMM(BPF_REG_0, 0),
7783 .errstr = "R1 offset is outside of the packet",
7785 .prog_type = BPF_PROG_TYPE_XDP,
7786 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7789 "XDP pkt read, pkt_data < pkt_meta', bad access 2",
7791 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7792 offsetof(struct xdp_md, data_meta)),
7793 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7794 offsetof(struct xdp_md, data)),
7795 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7796 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7797 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7798 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7799 BPF_MOV64_IMM(BPF_REG_0, 0),
7802 .errstr = "R1 offset is outside of the packet",
7804 .prog_type = BPF_PROG_TYPE_XDP,
7807 "XDP pkt read, pkt_meta' >= pkt_data, good access",
7809 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7810 offsetof(struct xdp_md, data_meta)),
7811 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7812 offsetof(struct xdp_md, data)),
7813 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7814 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7815 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7816 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7817 BPF_MOV64_IMM(BPF_REG_0, 0),
7821 .prog_type = BPF_PROG_TYPE_XDP,
7822 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7825 "XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
7827 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7828 offsetof(struct xdp_md, data_meta)),
7829 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7830 offsetof(struct xdp_md, data)),
7831 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7832 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7833 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7834 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7835 BPF_MOV64_IMM(BPF_REG_0, 0),
7838 .errstr = "R1 offset is outside of the packet",
7840 .prog_type = BPF_PROG_TYPE_XDP,
7843 "XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
7845 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7846 offsetof(struct xdp_md, data_meta)),
7847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7848 offsetof(struct xdp_md, data)),
7849 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7851 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7852 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7853 BPF_MOV64_IMM(BPF_REG_0, 0),
7856 .errstr = "R1 offset is outside of the packet",
7858 .prog_type = BPF_PROG_TYPE_XDP,
7859 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7862 "XDP pkt read, pkt_data >= pkt_meta', good access",
7864 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7865 offsetof(struct xdp_md, data_meta)),
7866 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7867 offsetof(struct xdp_md, data)),
7868 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7869 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7870 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7871 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7872 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7873 BPF_MOV64_IMM(BPF_REG_0, 0),
7877 .prog_type = BPF_PROG_TYPE_XDP,
7880 "XDP pkt read, pkt_data >= pkt_meta', bad access 1",
7882 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7883 offsetof(struct xdp_md, data_meta)),
7884 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7885 offsetof(struct xdp_md, data)),
7886 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7887 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7888 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7889 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7890 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7891 BPF_MOV64_IMM(BPF_REG_0, 0),
7894 .errstr = "R1 offset is outside of the packet",
7896 .prog_type = BPF_PROG_TYPE_XDP,
7897 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7900 "XDP pkt read, pkt_data >= pkt_meta', bad access 2",
7902 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7903 offsetof(struct xdp_md, data_meta)),
7904 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7905 offsetof(struct xdp_md, data)),
7906 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7907 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7908 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7909 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7910 BPF_MOV64_IMM(BPF_REG_0, 0),
7913 .errstr = "R1 offset is outside of the packet",
7915 .prog_type = BPF_PROG_TYPE_XDP,
7918 "XDP pkt read, pkt_meta' <= pkt_data, good access",
7920 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7921 offsetof(struct xdp_md, data_meta)),
7922 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7923 offsetof(struct xdp_md, data)),
7924 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7925 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7926 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7927 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7928 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7929 BPF_MOV64_IMM(BPF_REG_0, 0),
7933 .prog_type = BPF_PROG_TYPE_XDP,
7936 "XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
7938 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7939 offsetof(struct xdp_md, data_meta)),
7940 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7941 offsetof(struct xdp_md, data)),
7942 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7944 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7945 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7946 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7947 BPF_MOV64_IMM(BPF_REG_0, 0),
7950 .errstr = "R1 offset is outside of the packet",
7952 .prog_type = BPF_PROG_TYPE_XDP,
7953 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7956 "XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
7958 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7959 offsetof(struct xdp_md, data_meta)),
7960 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7961 offsetof(struct xdp_md, data)),
7962 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7963 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7964 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7965 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7966 BPF_MOV64_IMM(BPF_REG_0, 0),
7969 .errstr = "R1 offset is outside of the packet",
7971 .prog_type = BPF_PROG_TYPE_XDP,
7974 "XDP pkt read, pkt_data <= pkt_meta', good access",
7976 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7977 offsetof(struct xdp_md, data_meta)),
7978 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7979 offsetof(struct xdp_md, data)),
7980 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7981 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7982 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7983 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7984 BPF_MOV64_IMM(BPF_REG_0, 0),
7988 .prog_type = BPF_PROG_TYPE_XDP,
7989 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7992 "XDP pkt read, pkt_data <= pkt_meta', bad access 1",
7994 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7995 offsetof(struct xdp_md, data_meta)),
7996 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7997 offsetof(struct xdp_md, data)),
7998 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8000 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8001 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8002 BPF_MOV64_IMM(BPF_REG_0, 0),
8005 .errstr = "R1 offset is outside of the packet",
8007 .prog_type = BPF_PROG_TYPE_XDP,
8010 "XDP pkt read, pkt_data <= pkt_meta', bad access 2",
8012 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8013 offsetof(struct xdp_md, data_meta)),
8014 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8015 offsetof(struct xdp_md, data)),
8016 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8018 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8019 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8020 BPF_MOV64_IMM(BPF_REG_0, 0),
8023 .errstr = "R1 offset is outside of the packet",
8025 .prog_type = BPF_PROG_TYPE_XDP,
8026 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8029 "bpf_exit with invalid return code. test1",
8031 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8034 .errstr = "R0 has value (0x0; 0xffffffff)",
8036 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8039 "bpf_exit with invalid return code. test2",
8041 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8042 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
8046 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8049 "bpf_exit with invalid return code. test3",
8051 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8052 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
8055 .errstr = "R0 has value (0x0; 0x3)",
8057 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8060 "bpf_exit with invalid return code. test4",
8062 BPF_MOV64_IMM(BPF_REG_0, 1),
8066 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8069 "bpf_exit with invalid return code. test5",
8071 BPF_MOV64_IMM(BPF_REG_0, 2),
8074 .errstr = "R0 has value (0x2; 0x0)",
8076 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8079 "bpf_exit with invalid return code. test6",
8081 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8084 .errstr = "R0 is not a known value (ctx)",
8086 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8089 "bpf_exit with invalid return code. test7",
8091 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8092 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
8093 BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
8096 .errstr = "R0 has unknown scalar value",
8098 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8102 static int probe_filter_length(const struct bpf_insn *fp)
8106 for (len = MAX_INSNS - 1; len > 0; --len)
8107 if (fp[len].code != 0 || fp[len].imm != 0)
8112 static int create_map(uint32_t size_value, uint32_t max_elem)
8116 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
8117 size_value, max_elem, BPF_F_NO_PREALLOC);
8119 printf("Failed to create hash map '%s'!\n", strerror(errno));
8124 static int create_prog_array(void)
8128 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
8131 printf("Failed to create prog array '%s'!\n", strerror(errno));
8136 static int create_map_in_map(void)
8138 int inner_map_fd, outer_map_fd;
8140 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
8142 if (inner_map_fd < 0) {
8143 printf("Failed to create array '%s'!\n", strerror(errno));
8144 return inner_map_fd;
8147 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
8148 sizeof(int), inner_map_fd, 1, 0);
8149 if (outer_map_fd < 0)
8150 printf("Failed to create array of maps '%s'!\n",
8153 close(inner_map_fd);
8155 return outer_map_fd;
8158 static char bpf_vlog[32768];
8160 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
8163 int *fixup_map1 = test->fixup_map1;
8164 int *fixup_map2 = test->fixup_map2;
8165 int *fixup_prog = test->fixup_prog;
8166 int *fixup_map_in_map = test->fixup_map_in_map;
8168 /* Allocating HTs with 1 elem is fine here, since we only test
8169 * for verifier and not do a runtime lookup, so the only thing
8170 * that really matters is value size in this case.
8173 map_fds[0] = create_map(sizeof(long long), 1);
8175 prog[*fixup_map1].imm = map_fds[0];
8177 } while (*fixup_map1);
8181 map_fds[1] = create_map(sizeof(struct test_val), 1);
8183 prog[*fixup_map2].imm = map_fds[1];
8185 } while (*fixup_map2);
8189 map_fds[2] = create_prog_array();
8191 prog[*fixup_prog].imm = map_fds[2];
8193 } while (*fixup_prog);
8196 if (*fixup_map_in_map) {
8197 map_fds[3] = create_map_in_map();
8199 prog[*fixup_map_in_map].imm = map_fds[3];
8201 } while (*fixup_map_in_map);
8205 static void do_test_single(struct bpf_test *test, bool unpriv,
8206 int *passes, int *errors)
8208 int fd_prog, expected_ret, reject_from_alignment;
8209 struct bpf_insn *prog = test->insns;
8210 int prog_len = probe_filter_length(prog);
8211 int prog_type = test->prog_type;
8212 int map_fds[MAX_NR_MAPS];
8213 const char *expected_err;
8216 for (i = 0; i < MAX_NR_MAPS; i++)
8219 do_test_fixup(test, prog, map_fds);
8221 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
8222 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
8223 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
8225 expected_ret = unpriv && test->result_unpriv != UNDEF ?
8226 test->result_unpriv : test->result;
8227 expected_err = unpriv && test->errstr_unpriv ?
8228 test->errstr_unpriv : test->errstr;
8230 reject_from_alignment = fd_prog < 0 &&
8231 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
8232 strstr(bpf_vlog, "Unknown alignment.");
8233 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
8234 if (reject_from_alignment) {
8235 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
8240 if (expected_ret == ACCEPT) {
8241 if (fd_prog < 0 && !reject_from_alignment) {
8242 printf("FAIL\nFailed to load prog '%s'!\n",
8248 printf("FAIL\nUnexpected success to load!\n");
8251 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
8252 printf("FAIL\nUnexpected error message!\n");
8258 printf("OK%s\n", reject_from_alignment ?
8259 " (NOTE: reject due to unknown alignment)" : "");
8262 for (i = 0; i < MAX_NR_MAPS; i++)
8268 printf("%s", bpf_vlog);
8272 static bool is_admin(void)
8275 cap_flag_value_t sysadmin = CAP_CLEAR;
8276 const cap_value_t cap_val = CAP_SYS_ADMIN;
8278 #ifdef CAP_IS_SUPPORTED
8279 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
8280 perror("cap_get_flag");
8284 caps = cap_get_proc();
8286 perror("cap_get_proc");
8289 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
8290 perror("cap_get_flag");
8293 return (sysadmin == CAP_SET);
8296 static int set_admin(bool admin)
8299 const cap_value_t cap_val = CAP_SYS_ADMIN;
8302 caps = cap_get_proc();
8304 perror("cap_get_proc");
8307 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
8308 admin ? CAP_SET : CAP_CLEAR)) {
8309 perror("cap_set_flag");
8312 if (cap_set_proc(caps)) {
8313 perror("cap_set_proc");
8323 static int do_test(bool unpriv, unsigned int from, unsigned int to)
8325 int i, passes = 0, errors = 0;
8327 for (i = from; i < to; i++) {
8328 struct bpf_test *test = &tests[i];
8330 /* Program types that are not supported by non-root we
8333 if (!test->prog_type) {
8336 printf("#%d/u %s ", i, test->descr);
8337 do_test_single(test, true, &passes, &errors);
8343 printf("#%d/p %s ", i, test->descr);
8344 do_test_single(test, false, &passes, &errors);
8348 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
8349 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
8352 int main(int argc, char **argv)
8354 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
8355 struct rlimit rlim = { 1 << 20, 1 << 20 };
8356 unsigned int from = 0, to = ARRAY_SIZE(tests);
8357 bool unpriv = !is_admin();
8360 unsigned int l = atoi(argv[argc - 2]);
8361 unsigned int u = atoi(argv[argc - 1]);
8363 if (l < to && u < to) {
8367 } else if (argc == 2) {
8368 unsigned int t = atoi(argv[argc - 1]);
8376 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
8377 return do_test(unpriv, from, to);
projects / linux-2.6-microblaze.git / blob