2 * Testsuite for eBPF verifier
4 * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
12 #include <asm/types.h>
13 #include <linux/types.h>
24 #include <sys/capability.h>
25 #include <sys/resource.h>
27 #include <linux/unistd.h>
28 #include <linux/filter.h>
29 #include <linux/bpf_perf_event.h>
30 #include <linux/bpf.h>
35 # include "autoconf.h"
37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38 # define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42 #include "../../../include/linux/filter.h"
45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS (1 << 0)
53 #define F_LOAD_WITH_STRICT_ALIGNMENT (1 << 1)
57 struct bpf_insn insns[MAX_INSNS];
58 int fixup_map1[MAX_FIXUPS];
59 int fixup_map2[MAX_FIXUPS];
60 int fixup_prog[MAX_FIXUPS];
61 int fixup_map_in_map[MAX_FIXUPS];
63 const char *errstr_unpriv;
68 } result, result_unpriv;
69 enum bpf_prog_type prog_type;
73 /* Note we want this to be 64 bit aligned so that the end of our array is
74 * actually the end of the structure.
76 #define MAX_ENTRIES 11
83 static struct bpf_test tests[] = {
87 BPF_MOV64_IMM(BPF_REG_1, 1),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
89 BPF_MOV64_IMM(BPF_REG_2, 3),
90 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
91 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
92 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
93 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
104 .errstr = "unreachable",
110 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
111 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
114 .errstr = "unreachable",
120 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
123 .errstr = "jump out of range",
127 "out of range jump2",
129 BPF_JMP_IMM(BPF_JA, 0, 0, -2),
132 .errstr = "jump out of range",
138 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
139 BPF_LD_IMM64(BPF_REG_0, 0),
140 BPF_LD_IMM64(BPF_REG_0, 0),
141 BPF_LD_IMM64(BPF_REG_0, 1),
142 BPF_LD_IMM64(BPF_REG_0, 1),
143 BPF_MOV64_IMM(BPF_REG_0, 2),
146 .errstr = "invalid BPF_LD_IMM insn",
147 .errstr_unpriv = "R1 pointer comparison",
153 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
154 BPF_LD_IMM64(BPF_REG_0, 0),
155 BPF_LD_IMM64(BPF_REG_0, 0),
156 BPF_LD_IMM64(BPF_REG_0, 1),
157 BPF_LD_IMM64(BPF_REG_0, 1),
160 .errstr = "invalid BPF_LD_IMM insn",
161 .errstr_unpriv = "R1 pointer comparison",
167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
168 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
169 BPF_LD_IMM64(BPF_REG_0, 0),
170 BPF_LD_IMM64(BPF_REG_0, 0),
171 BPF_LD_IMM64(BPF_REG_0, 1),
172 BPF_LD_IMM64(BPF_REG_0, 1),
175 .errstr = "invalid bpf_ld_imm64 insn",
181 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
184 .errstr = "invalid bpf_ld_imm64 insn",
190 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
192 .errstr = "invalid bpf_ld_imm64 insn",
198 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
199 BPF_RAW_INSN(0, 0, 0, 0, 0),
207 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
208 BPF_RAW_INSN(0, 0, 0, 0, 1),
216 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
217 BPF_RAW_INSN(0, 0, 0, 0, 1),
220 .errstr = "uses reserved fields",
226 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
227 BPF_RAW_INSN(0, 0, 0, 1, 1),
230 .errstr = "invalid bpf_ld_imm64 insn",
236 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
237 BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
240 .errstr = "invalid bpf_ld_imm64 insn",
246 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
247 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
250 .errstr = "invalid bpf_ld_imm64 insn",
256 BPF_MOV64_IMM(BPF_REG_1, 0),
257 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
258 BPF_RAW_INSN(0, 0, 0, 0, 1),
261 .errstr = "not pointing to valid bpf_map",
267 BPF_MOV64_IMM(BPF_REG_1, 0),
268 BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
269 BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
272 .errstr = "invalid bpf_ld_imm64 insn",
278 BPF_MOV64_IMM(BPF_REG_0, 1),
279 BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
283 .errstr = "BPF_ARSH not supported for 32 bit ALU",
288 BPF_MOV64_IMM(BPF_REG_0, 1),
289 BPF_MOV64_IMM(BPF_REG_1, 5),
290 BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
294 .errstr = "BPF_ARSH not supported for 32 bit ALU",
299 BPF_MOV64_IMM(BPF_REG_0, 1),
300 BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
308 BPF_MOV64_IMM(BPF_REG_0, 1),
309 BPF_MOV64_IMM(BPF_REG_1, 5),
310 BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
318 BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
320 .errstr = "jump out of range",
326 BPF_JMP_IMM(BPF_JA, 0, 0, -1),
329 .errstr = "back-edge",
335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
336 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
337 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
338 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
341 .errstr = "back-edge",
347 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
348 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
349 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
350 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
353 .errstr = "back-edge",
357 "read uninitialized register",
359 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
362 .errstr = "R2 !read_ok",
366 "read invalid register",
368 BPF_MOV64_REG(BPF_REG_0, -1),
371 .errstr = "R15 is invalid",
375 "program doesn't init R0 before exit",
377 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
380 .errstr = "R0 !read_ok",
384 "program doesn't init R0 before exit in all branches",
386 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
387 BPF_MOV64_IMM(BPF_REG_0, 1),
388 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
391 .errstr = "R0 !read_ok",
392 .errstr_unpriv = "R1 pointer comparison",
396 "stack out of bounds",
398 BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
401 .errstr = "invalid stack",
405 "invalid call insn1",
407 BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
410 .errstr = "BPF_CALL uses reserved",
414 "invalid call insn2",
416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
419 .errstr = "BPF_CALL uses reserved",
423 "invalid function call",
425 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
428 .errstr = "invalid func unknown#1234567",
432 "uninitialized stack1",
434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
436 BPF_LD_MAP_FD(BPF_REG_1, 0),
437 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
438 BPF_FUNC_map_lookup_elem),
442 .errstr = "invalid indirect read from stack",
446 "uninitialized stack2",
448 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
449 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
452 .errstr = "invalid read from stack",
456 "invalid fp arithmetic",
457 /* If this gets ever changed, make sure JITs can deal with it. */
459 BPF_MOV64_IMM(BPF_REG_0, 0),
460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
461 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
462 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
465 .errstr = "R1 subtraction from stack pointer",
469 "non-invalid fp arithmetic",
471 BPF_MOV64_IMM(BPF_REG_0, 0),
472 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
478 "invalid argument register",
480 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
481 BPF_FUNC_get_cgroup_classid),
482 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
483 BPF_FUNC_get_cgroup_classid),
486 .errstr = "R1 !read_ok",
488 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
491 "non-invalid argument register",
493 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
494 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
495 BPF_FUNC_get_cgroup_classid),
496 BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
498 BPF_FUNC_get_cgroup_classid),
502 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
505 "check valid spill/fill",
507 /* spill R1(ctx) into stack */
508 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
509 /* fill it back into R2 */
510 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
511 /* should be able to access R0 = *(R2 + 8) */
512 /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
513 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
516 .errstr_unpriv = "R0 leaks addr",
518 .result_unpriv = REJECT,
521 "check valid spill/fill, skb mark",
523 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
524 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
525 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
526 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
527 offsetof(struct __sk_buff, mark)),
531 .result_unpriv = ACCEPT,
534 "check corrupted spill/fill",
536 /* spill R1(ctx) into stack */
537 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
538 /* mess up with R1 pointer on stack */
539 BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
540 /* fill back into R0 should fail */
541 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
544 .errstr_unpriv = "attempt to corrupt spilled",
545 .errstr = "corrupted spill",
549 "invalid src register in STX",
551 BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
554 .errstr = "R15 is invalid",
558 "invalid dst register in STX",
560 BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
563 .errstr = "R14 is invalid",
567 "invalid dst register in ST",
569 BPF_ST_MEM(BPF_B, 14, -1, -1),
572 .errstr = "R14 is invalid",
576 "invalid src register in LDX",
578 BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
581 .errstr = "R12 is invalid",
585 "invalid dst register in LDX",
587 BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
590 .errstr = "R11 is invalid",
596 BPF_RAW_INSN(0, 0, 0, 0, 0),
599 .errstr = "invalid BPF_LD_IMM",
605 BPF_RAW_INSN(1, 0, 0, 0, 0),
608 .errstr = "BPF_LDX uses reserved fields",
614 BPF_RAW_INSN(-1, 0, 0, 0, 0),
617 .errstr = "invalid BPF_ALU opcode f0",
623 BPF_RAW_INSN(-1, -1, -1, -1, -1),
626 .errstr = "invalid BPF_ALU opcode f0",
632 BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
635 .errstr = "BPF_ALU uses reserved fields",
639 "misaligned read from stack",
641 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
642 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
645 .errstr = "misaligned stack access",
649 "invalid map_fd for function call",
651 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
652 BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
653 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
654 BPF_LD_MAP_FD(BPF_REG_1, 0),
655 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
656 BPF_FUNC_map_delete_elem),
659 .errstr = "fd 0 is not pointing to valid bpf_map",
663 "don't check return value before access",
665 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
666 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
667 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
668 BPF_LD_MAP_FD(BPF_REG_1, 0),
669 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
670 BPF_FUNC_map_lookup_elem),
671 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
675 .errstr = "R0 invalid mem access 'map_value_or_null'",
679 "access memory with incorrect alignment",
681 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
682 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
683 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
684 BPF_LD_MAP_FD(BPF_REG_1, 0),
685 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
686 BPF_FUNC_map_lookup_elem),
687 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
688 BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
692 .errstr = "misaligned value access",
694 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
697 "sometimes access memory with incorrect alignment",
699 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
700 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
701 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
702 BPF_LD_MAP_FD(BPF_REG_1, 0),
703 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
704 BPF_FUNC_map_lookup_elem),
705 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
706 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
708 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
712 .errstr = "R0 invalid mem access",
713 .errstr_unpriv = "R0 leaks addr",
715 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
720 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
721 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
722 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
723 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
724 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
725 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
726 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
727 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
728 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
729 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
730 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
731 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
732 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
733 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
734 BPF_MOV64_IMM(BPF_REG_0, 0),
737 .errstr_unpriv = "R1 pointer comparison",
738 .result_unpriv = REJECT,
744 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
745 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
746 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
747 BPF_JMP_IMM(BPF_JA, 0, 0, 14),
748 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
749 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
750 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
751 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
752 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
753 BPF_JMP_IMM(BPF_JA, 0, 0, 8),
754 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
755 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
756 BPF_JMP_IMM(BPF_JA, 0, 0, 5),
757 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
758 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
759 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
760 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
761 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
762 BPF_MOV64_IMM(BPF_REG_0, 0),
765 .errstr_unpriv = "R1 pointer comparison",
766 .result_unpriv = REJECT,
772 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
773 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
774 BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
775 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
776 BPF_JMP_IMM(BPF_JA, 0, 0, 19),
777 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
778 BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
780 BPF_JMP_IMM(BPF_JA, 0, 0, 15),
781 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
782 BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
783 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
784 BPF_JMP_IMM(BPF_JA, 0, 0, 11),
785 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
786 BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
788 BPF_JMP_IMM(BPF_JA, 0, 0, 7),
789 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
790 BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
791 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
792 BPF_JMP_IMM(BPF_JA, 0, 0, 3),
793 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
794 BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
795 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
796 BPF_LD_MAP_FD(BPF_REG_1, 0),
797 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
798 BPF_FUNC_map_delete_elem),
801 .fixup_map1 = { 24 },
802 .errstr_unpriv = "R1 pointer comparison",
803 .result_unpriv = REJECT,
809 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
810 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
811 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
812 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
813 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
815 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
816 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
817 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
818 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
819 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
820 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
821 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
823 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
824 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
825 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
826 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
827 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
828 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
829 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
831 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
832 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
833 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
834 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
835 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
836 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
837 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
838 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
839 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
840 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
841 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
842 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
843 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
845 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
846 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
847 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
848 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
849 BPF_MOV64_IMM(BPF_REG_0, 0),
852 .errstr_unpriv = "R1 pointer comparison",
853 .result_unpriv = REJECT,
859 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
860 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
861 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
862 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
863 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
864 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
865 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
866 BPF_MOV64_IMM(BPF_REG_0, 0),
867 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
868 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
869 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
870 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
871 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
872 BPF_MOV64_IMM(BPF_REG_0, 0),
873 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
874 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
875 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
876 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
877 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
878 BPF_MOV64_IMM(BPF_REG_0, 0),
879 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
880 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
881 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
882 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
883 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
884 BPF_MOV64_IMM(BPF_REG_0, 0),
885 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
886 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
887 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
888 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
889 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
890 BPF_MOV64_IMM(BPF_REG_0, 0),
893 .errstr_unpriv = "R1 pointer comparison",
894 .result_unpriv = REJECT,
898 "access skb fields ok",
900 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
901 offsetof(struct __sk_buff, len)),
902 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
903 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
904 offsetof(struct __sk_buff, mark)),
905 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
906 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
907 offsetof(struct __sk_buff, pkt_type)),
908 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
909 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
910 offsetof(struct __sk_buff, queue_mapping)),
911 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
912 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
913 offsetof(struct __sk_buff, protocol)),
914 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
915 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
916 offsetof(struct __sk_buff, vlan_present)),
917 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
918 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
919 offsetof(struct __sk_buff, vlan_tci)),
920 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
921 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
922 offsetof(struct __sk_buff, napi_id)),
923 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
929 "access skb fields bad1",
931 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
934 .errstr = "invalid bpf_context access",
938 "access skb fields bad2",
940 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
941 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
944 BPF_LD_MAP_FD(BPF_REG_1, 0),
945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
946 BPF_FUNC_map_lookup_elem),
947 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
949 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
950 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
951 offsetof(struct __sk_buff, pkt_type)),
955 .errstr = "different pointers",
956 .errstr_unpriv = "R1 pointer comparison",
960 "access skb fields bad3",
962 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
963 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
964 offsetof(struct __sk_buff, pkt_type)),
966 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
967 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
968 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
969 BPF_LD_MAP_FD(BPF_REG_1, 0),
970 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
971 BPF_FUNC_map_lookup_elem),
972 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
974 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
975 BPF_JMP_IMM(BPF_JA, 0, 0, -12),
978 .errstr = "different pointers",
979 .errstr_unpriv = "R1 pointer comparison",
983 "access skb fields bad4",
985 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
986 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
987 offsetof(struct __sk_buff, len)),
988 BPF_MOV64_IMM(BPF_REG_0, 0),
990 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
991 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
992 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
993 BPF_LD_MAP_FD(BPF_REG_1, 0),
994 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
995 BPF_FUNC_map_lookup_elem),
996 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
998 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
999 BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1001 .fixup_map1 = { 7 },
1002 .errstr = "different pointers",
1003 .errstr_unpriv = "R1 pointer comparison",
1007 "invalid access __sk_buff family",
1009 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1010 offsetof(struct __sk_buff, family)),
1013 .errstr = "invalid bpf_context access",
1017 "invalid access __sk_buff remote_ip4",
1019 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1020 offsetof(struct __sk_buff, remote_ip4)),
1023 .errstr = "invalid bpf_context access",
1027 "invalid access __sk_buff local_ip4",
1029 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1030 offsetof(struct __sk_buff, local_ip4)),
1033 .errstr = "invalid bpf_context access",
1037 "invalid access __sk_buff remote_ip6",
1039 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1040 offsetof(struct __sk_buff, remote_ip6)),
1043 .errstr = "invalid bpf_context access",
1047 "invalid access __sk_buff local_ip6",
1049 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1050 offsetof(struct __sk_buff, local_ip6)),
1053 .errstr = "invalid bpf_context access",
1057 "invalid access __sk_buff remote_port",
1059 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1060 offsetof(struct __sk_buff, remote_port)),
1063 .errstr = "invalid bpf_context access",
1067 "invalid access __sk_buff remote_port",
1069 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1070 offsetof(struct __sk_buff, local_port)),
1073 .errstr = "invalid bpf_context access",
1077 "valid access __sk_buff family",
1079 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1080 offsetof(struct __sk_buff, family)),
1084 .prog_type = BPF_PROG_TYPE_SK_SKB,
1087 "valid access __sk_buff remote_ip4",
1089 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1090 offsetof(struct __sk_buff, remote_ip4)),
1094 .prog_type = BPF_PROG_TYPE_SK_SKB,
1097 "valid access __sk_buff local_ip4",
1099 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1100 offsetof(struct __sk_buff, local_ip4)),
1104 .prog_type = BPF_PROG_TYPE_SK_SKB,
1107 "valid access __sk_buff remote_ip6",
1109 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1110 offsetof(struct __sk_buff, remote_ip6[0])),
1111 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1112 offsetof(struct __sk_buff, remote_ip6[1])),
1113 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1114 offsetof(struct __sk_buff, remote_ip6[2])),
1115 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1116 offsetof(struct __sk_buff, remote_ip6[3])),
1120 .prog_type = BPF_PROG_TYPE_SK_SKB,
1123 "valid access __sk_buff local_ip6",
1125 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1126 offsetof(struct __sk_buff, local_ip6[0])),
1127 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1128 offsetof(struct __sk_buff, local_ip6[1])),
1129 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1130 offsetof(struct __sk_buff, local_ip6[2])),
1131 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1132 offsetof(struct __sk_buff, local_ip6[3])),
1136 .prog_type = BPF_PROG_TYPE_SK_SKB,
1139 "valid access __sk_buff remote_port",
1141 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1142 offsetof(struct __sk_buff, remote_port)),
1146 .prog_type = BPF_PROG_TYPE_SK_SKB,
1149 "valid access __sk_buff remote_port",
1151 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1152 offsetof(struct __sk_buff, local_port)),
1156 .prog_type = BPF_PROG_TYPE_SK_SKB,
1159 "invalid access of tc_classid for SK_SKB",
1161 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1162 offsetof(struct __sk_buff, tc_classid)),
1166 .prog_type = BPF_PROG_TYPE_SK_SKB,
1167 .errstr = "invalid bpf_context access",
1170 "invalid access of skb->mark for SK_SKB",
1172 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1173 offsetof(struct __sk_buff, mark)),
1177 .prog_type = BPF_PROG_TYPE_SK_SKB,
1178 .errstr = "invalid bpf_context access",
1181 "check skb->mark is not writeable by SK_SKB",
1183 BPF_MOV64_IMM(BPF_REG_0, 0),
1184 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1185 offsetof(struct __sk_buff, mark)),
1189 .prog_type = BPF_PROG_TYPE_SK_SKB,
1190 .errstr = "invalid bpf_context access",
1193 "check skb->tc_index is writeable by SK_SKB",
1195 BPF_MOV64_IMM(BPF_REG_0, 0),
1196 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1197 offsetof(struct __sk_buff, tc_index)),
1201 .prog_type = BPF_PROG_TYPE_SK_SKB,
1204 "check skb->priority is writeable by SK_SKB",
1206 BPF_MOV64_IMM(BPF_REG_0, 0),
1207 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1208 offsetof(struct __sk_buff, priority)),
1212 .prog_type = BPF_PROG_TYPE_SK_SKB,
1215 "direct packet read for SK_SKB",
1217 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1218 offsetof(struct __sk_buff, data)),
1219 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1220 offsetof(struct __sk_buff, data_end)),
1221 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1222 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1223 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1224 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1225 BPF_MOV64_IMM(BPF_REG_0, 0),
1229 .prog_type = BPF_PROG_TYPE_SK_SKB,
1232 "direct packet write for SK_SKB",
1234 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1235 offsetof(struct __sk_buff, data)),
1236 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1237 offsetof(struct __sk_buff, data_end)),
1238 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1240 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1241 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1242 BPF_MOV64_IMM(BPF_REG_0, 0),
1246 .prog_type = BPF_PROG_TYPE_SK_SKB,
1249 "overlapping checks for direct packet access SK_SKB",
1251 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1252 offsetof(struct __sk_buff, data)),
1253 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1254 offsetof(struct __sk_buff, data_end)),
1255 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1257 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1260 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1261 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1262 BPF_MOV64_IMM(BPF_REG_0, 0),
1266 .prog_type = BPF_PROG_TYPE_SK_SKB,
1269 "check skb->mark is not writeable by sockets",
1271 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1272 offsetof(struct __sk_buff, mark)),
1275 .errstr = "invalid bpf_context access",
1276 .errstr_unpriv = "R1 leaks addr",
1280 "check skb->tc_index is not writeable by sockets",
1282 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1283 offsetof(struct __sk_buff, tc_index)),
1286 .errstr = "invalid bpf_context access",
1287 .errstr_unpriv = "R1 leaks addr",
1291 "check cb access: byte",
1293 BPF_MOV64_IMM(BPF_REG_0, 0),
1294 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1295 offsetof(struct __sk_buff, cb[0])),
1296 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1297 offsetof(struct __sk_buff, cb[0]) + 1),
1298 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1299 offsetof(struct __sk_buff, cb[0]) + 2),
1300 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1301 offsetof(struct __sk_buff, cb[0]) + 3),
1302 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1303 offsetof(struct __sk_buff, cb[1])),
1304 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1305 offsetof(struct __sk_buff, cb[1]) + 1),
1306 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1307 offsetof(struct __sk_buff, cb[1]) + 2),
1308 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1309 offsetof(struct __sk_buff, cb[1]) + 3),
1310 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1311 offsetof(struct __sk_buff, cb[2])),
1312 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1313 offsetof(struct __sk_buff, cb[2]) + 1),
1314 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1315 offsetof(struct __sk_buff, cb[2]) + 2),
1316 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1317 offsetof(struct __sk_buff, cb[2]) + 3),
1318 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1319 offsetof(struct __sk_buff, cb[3])),
1320 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1321 offsetof(struct __sk_buff, cb[3]) + 1),
1322 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1323 offsetof(struct __sk_buff, cb[3]) + 2),
1324 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1325 offsetof(struct __sk_buff, cb[3]) + 3),
1326 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1327 offsetof(struct __sk_buff, cb[4])),
1328 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1329 offsetof(struct __sk_buff, cb[4]) + 1),
1330 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1331 offsetof(struct __sk_buff, cb[4]) + 2),
1332 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1333 offsetof(struct __sk_buff, cb[4]) + 3),
1334 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1335 offsetof(struct __sk_buff, cb[0])),
1336 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1337 offsetof(struct __sk_buff, cb[0]) + 1),
1338 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1339 offsetof(struct __sk_buff, cb[0]) + 2),
1340 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1341 offsetof(struct __sk_buff, cb[0]) + 3),
1342 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1343 offsetof(struct __sk_buff, cb[1])),
1344 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1345 offsetof(struct __sk_buff, cb[1]) + 1),
1346 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1347 offsetof(struct __sk_buff, cb[1]) + 2),
1348 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1349 offsetof(struct __sk_buff, cb[1]) + 3),
1350 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1351 offsetof(struct __sk_buff, cb[2])),
1352 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1353 offsetof(struct __sk_buff, cb[2]) + 1),
1354 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1355 offsetof(struct __sk_buff, cb[2]) + 2),
1356 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1357 offsetof(struct __sk_buff, cb[2]) + 3),
1358 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1359 offsetof(struct __sk_buff, cb[3])),
1360 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1361 offsetof(struct __sk_buff, cb[3]) + 1),
1362 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1363 offsetof(struct __sk_buff, cb[3]) + 2),
1364 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1365 offsetof(struct __sk_buff, cb[3]) + 3),
1366 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1367 offsetof(struct __sk_buff, cb[4])),
1368 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1369 offsetof(struct __sk_buff, cb[4]) + 1),
1370 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1371 offsetof(struct __sk_buff, cb[4]) + 2),
1372 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1373 offsetof(struct __sk_buff, cb[4]) + 3),
1379 "__sk_buff->hash, offset 0, byte store not permitted",
1381 BPF_MOV64_IMM(BPF_REG_0, 0),
1382 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1383 offsetof(struct __sk_buff, hash)),
1386 .errstr = "invalid bpf_context access",
1390 "__sk_buff->tc_index, offset 3, byte store not permitted",
1392 BPF_MOV64_IMM(BPF_REG_0, 0),
1393 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1394 offsetof(struct __sk_buff, tc_index) + 3),
1397 .errstr = "invalid bpf_context access",
1401 "check skb->hash byte load permitted",
1403 BPF_MOV64_IMM(BPF_REG_0, 0),
1404 #if __BYTE_ORDER == __LITTLE_ENDIAN
1405 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1406 offsetof(struct __sk_buff, hash)),
1408 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1409 offsetof(struct __sk_buff, hash) + 3),
1416 "check skb->hash byte load not permitted 1",
1418 BPF_MOV64_IMM(BPF_REG_0, 0),
1419 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1420 offsetof(struct __sk_buff, hash) + 1),
1423 .errstr = "invalid bpf_context access",
1427 "check skb->hash byte load not permitted 2",
1429 BPF_MOV64_IMM(BPF_REG_0, 0),
1430 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1431 offsetof(struct __sk_buff, hash) + 2),
1434 .errstr = "invalid bpf_context access",
1438 "check skb->hash byte load not permitted 3",
1440 BPF_MOV64_IMM(BPF_REG_0, 0),
1441 #if __BYTE_ORDER == __LITTLE_ENDIAN
1442 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1443 offsetof(struct __sk_buff, hash) + 3),
1445 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1446 offsetof(struct __sk_buff, hash)),
1450 .errstr = "invalid bpf_context access",
1454 "check cb access: byte, wrong type",
1456 BPF_MOV64_IMM(BPF_REG_0, 0),
1457 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1458 offsetof(struct __sk_buff, cb[0])),
1461 .errstr = "invalid bpf_context access",
1463 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1466 "check cb access: half",
1468 BPF_MOV64_IMM(BPF_REG_0, 0),
1469 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1470 offsetof(struct __sk_buff, cb[0])),
1471 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1472 offsetof(struct __sk_buff, cb[0]) + 2),
1473 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1474 offsetof(struct __sk_buff, cb[1])),
1475 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1476 offsetof(struct __sk_buff, cb[1]) + 2),
1477 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1478 offsetof(struct __sk_buff, cb[2])),
1479 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1480 offsetof(struct __sk_buff, cb[2]) + 2),
1481 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1482 offsetof(struct __sk_buff, cb[3])),
1483 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1484 offsetof(struct __sk_buff, cb[3]) + 2),
1485 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1486 offsetof(struct __sk_buff, cb[4])),
1487 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1488 offsetof(struct __sk_buff, cb[4]) + 2),
1489 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1490 offsetof(struct __sk_buff, cb[0])),
1491 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1492 offsetof(struct __sk_buff, cb[0]) + 2),
1493 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1494 offsetof(struct __sk_buff, cb[1])),
1495 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1496 offsetof(struct __sk_buff, cb[1]) + 2),
1497 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1498 offsetof(struct __sk_buff, cb[2])),
1499 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1500 offsetof(struct __sk_buff, cb[2]) + 2),
1501 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1502 offsetof(struct __sk_buff, cb[3])),
1503 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1504 offsetof(struct __sk_buff, cb[3]) + 2),
1505 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1506 offsetof(struct __sk_buff, cb[4])),
1507 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1508 offsetof(struct __sk_buff, cb[4]) + 2),
1514 "check cb access: half, unaligned",
1516 BPF_MOV64_IMM(BPF_REG_0, 0),
1517 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1518 offsetof(struct __sk_buff, cb[0]) + 1),
1521 .errstr = "misaligned context access",
1523 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1526 "check __sk_buff->hash, offset 0, half store not permitted",
1528 BPF_MOV64_IMM(BPF_REG_0, 0),
1529 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1530 offsetof(struct __sk_buff, hash)),
1533 .errstr = "invalid bpf_context access",
1537 "check __sk_buff->tc_index, offset 2, half store not permitted",
1539 BPF_MOV64_IMM(BPF_REG_0, 0),
1540 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1541 offsetof(struct __sk_buff, tc_index) + 2),
1544 .errstr = "invalid bpf_context access",
1548 "check skb->hash half load permitted",
1550 BPF_MOV64_IMM(BPF_REG_0, 0),
1551 #if __BYTE_ORDER == __LITTLE_ENDIAN
1552 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1553 offsetof(struct __sk_buff, hash)),
1555 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1556 offsetof(struct __sk_buff, hash) + 2),
1563 "check skb->hash half load not permitted",
1565 BPF_MOV64_IMM(BPF_REG_0, 0),
1566 #if __BYTE_ORDER == __LITTLE_ENDIAN
1567 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1568 offsetof(struct __sk_buff, hash) + 2),
1570 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1571 offsetof(struct __sk_buff, hash)),
1575 .errstr = "invalid bpf_context access",
1579 "check cb access: half, wrong type",
1581 BPF_MOV64_IMM(BPF_REG_0, 0),
1582 BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1583 offsetof(struct __sk_buff, cb[0])),
1586 .errstr = "invalid bpf_context access",
1588 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1591 "check cb access: word",
1593 BPF_MOV64_IMM(BPF_REG_0, 0),
1594 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1595 offsetof(struct __sk_buff, cb[0])),
1596 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1597 offsetof(struct __sk_buff, cb[1])),
1598 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1599 offsetof(struct __sk_buff, cb[2])),
1600 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1601 offsetof(struct __sk_buff, cb[3])),
1602 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1603 offsetof(struct __sk_buff, cb[4])),
1604 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1605 offsetof(struct __sk_buff, cb[0])),
1606 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1607 offsetof(struct __sk_buff, cb[1])),
1608 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1609 offsetof(struct __sk_buff, cb[2])),
1610 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1611 offsetof(struct __sk_buff, cb[3])),
1612 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1613 offsetof(struct __sk_buff, cb[4])),
1619 "check cb access: word, unaligned 1",
1621 BPF_MOV64_IMM(BPF_REG_0, 0),
1622 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1623 offsetof(struct __sk_buff, cb[0]) + 2),
1626 .errstr = "misaligned context access",
1628 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1631 "check cb access: word, unaligned 2",
1633 BPF_MOV64_IMM(BPF_REG_0, 0),
1634 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1635 offsetof(struct __sk_buff, cb[4]) + 1),
1638 .errstr = "misaligned context access",
1640 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1643 "check cb access: word, unaligned 3",
1645 BPF_MOV64_IMM(BPF_REG_0, 0),
1646 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1647 offsetof(struct __sk_buff, cb[4]) + 2),
1650 .errstr = "misaligned context access",
1652 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1655 "check cb access: word, unaligned 4",
1657 BPF_MOV64_IMM(BPF_REG_0, 0),
1658 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1659 offsetof(struct __sk_buff, cb[4]) + 3),
1662 .errstr = "misaligned context access",
1664 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1667 "check cb access: double",
1669 BPF_MOV64_IMM(BPF_REG_0, 0),
1670 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1671 offsetof(struct __sk_buff, cb[0])),
1672 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1673 offsetof(struct __sk_buff, cb[2])),
1674 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1675 offsetof(struct __sk_buff, cb[0])),
1676 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1677 offsetof(struct __sk_buff, cb[2])),
1683 "check cb access: double, unaligned 1",
1685 BPF_MOV64_IMM(BPF_REG_0, 0),
1686 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1687 offsetof(struct __sk_buff, cb[1])),
1690 .errstr = "misaligned context access",
1692 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1695 "check cb access: double, unaligned 2",
1697 BPF_MOV64_IMM(BPF_REG_0, 0),
1698 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1699 offsetof(struct __sk_buff, cb[3])),
1702 .errstr = "misaligned context access",
1704 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1707 "check cb access: double, oob 1",
1709 BPF_MOV64_IMM(BPF_REG_0, 0),
1710 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1711 offsetof(struct __sk_buff, cb[4])),
1714 .errstr = "invalid bpf_context access",
1718 "check cb access: double, oob 2",
1720 BPF_MOV64_IMM(BPF_REG_0, 0),
1721 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1722 offsetof(struct __sk_buff, cb[4])),
1725 .errstr = "invalid bpf_context access",
1729 "check __sk_buff->ifindex dw store not permitted",
1731 BPF_MOV64_IMM(BPF_REG_0, 0),
1732 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1733 offsetof(struct __sk_buff, ifindex)),
1736 .errstr = "invalid bpf_context access",
1740 "check __sk_buff->ifindex dw load not permitted",
1742 BPF_MOV64_IMM(BPF_REG_0, 0),
1743 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1744 offsetof(struct __sk_buff, ifindex)),
1747 .errstr = "invalid bpf_context access",
1751 "check cb access: double, wrong type",
1753 BPF_MOV64_IMM(BPF_REG_0, 0),
1754 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1755 offsetof(struct __sk_buff, cb[0])),
1758 .errstr = "invalid bpf_context access",
1760 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1763 "check out of range skb->cb access",
1765 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 offsetof(struct __sk_buff, cb[0]) + 256),
1769 .errstr = "invalid bpf_context access",
1770 .errstr_unpriv = "",
1772 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1775 "write skb fields from socket prog",
1777 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1778 offsetof(struct __sk_buff, cb[4])),
1779 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1780 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1781 offsetof(struct __sk_buff, mark)),
1782 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1783 offsetof(struct __sk_buff, tc_index)),
1784 BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1785 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1786 offsetof(struct __sk_buff, cb[0])),
1787 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1788 offsetof(struct __sk_buff, cb[2])),
1792 .errstr_unpriv = "R1 leaks addr",
1793 .result_unpriv = REJECT,
1796 "write skb fields from tc_cls_act prog",
1798 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1799 offsetof(struct __sk_buff, cb[0])),
1800 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1801 offsetof(struct __sk_buff, mark)),
1802 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1803 offsetof(struct __sk_buff, tc_index)),
1804 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1805 offsetof(struct __sk_buff, tc_index)),
1806 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1807 offsetof(struct __sk_buff, cb[3])),
1810 .errstr_unpriv = "",
1811 .result_unpriv = REJECT,
1813 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1816 "PTR_TO_STACK store/load",
1818 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1819 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1820 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1821 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1827 "PTR_TO_STACK store/load - bad alignment on off",
1829 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1831 BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1832 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1836 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
1839 "PTR_TO_STACK store/load - bad alignment on reg",
1841 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1842 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1843 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1844 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1848 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
1851 "PTR_TO_STACK store/load - out of bounds low",
1853 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1855 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1856 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1860 .errstr = "invalid stack off=-79992 size=8",
1861 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
1864 "PTR_TO_STACK store/load - out of bounds high",
1866 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1867 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1868 BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1869 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1873 .errstr = "invalid stack off=0 size=8",
1876 "unpriv: return pointer",
1878 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1882 .result_unpriv = REJECT,
1883 .errstr_unpriv = "R0 leaks addr",
1886 "unpriv: add const to pointer",
1888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1889 BPF_MOV64_IMM(BPF_REG_0, 0),
1895 "unpriv: add pointer to pointer",
1897 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1898 BPF_MOV64_IMM(BPF_REG_0, 0),
1902 .errstr = "R1 pointer += pointer",
1905 "unpriv: neg pointer",
1907 BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1908 BPF_MOV64_IMM(BPF_REG_0, 0),
1912 .result_unpriv = REJECT,
1913 .errstr_unpriv = "R1 pointer arithmetic",
1916 "unpriv: cmp pointer with const",
1918 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1919 BPF_MOV64_IMM(BPF_REG_0, 0),
1923 .result_unpriv = REJECT,
1924 .errstr_unpriv = "R1 pointer comparison",
1927 "unpriv: cmp pointer with pointer",
1929 BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1930 BPF_MOV64_IMM(BPF_REG_0, 0),
1934 .result_unpriv = REJECT,
1935 .errstr_unpriv = "R10 pointer comparison",
1938 "unpriv: check that printk is disallowed",
1940 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1941 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1942 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1943 BPF_MOV64_IMM(BPF_REG_2, 8),
1944 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1946 BPF_FUNC_trace_printk),
1947 BPF_MOV64_IMM(BPF_REG_0, 0),
1950 .errstr_unpriv = "unknown func bpf_trace_printk#6",
1951 .result_unpriv = REJECT,
1955 "unpriv: pass pointer to helper function",
1957 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1958 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1960 BPF_LD_MAP_FD(BPF_REG_1, 0),
1961 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1962 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1963 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1964 BPF_FUNC_map_update_elem),
1965 BPF_MOV64_IMM(BPF_REG_0, 0),
1968 .fixup_map1 = { 3 },
1969 .errstr_unpriv = "R4 leaks addr",
1970 .result_unpriv = REJECT,
1974 "unpriv: indirectly pass pointer on stack to helper function",
1976 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1979 BPF_LD_MAP_FD(BPF_REG_1, 0),
1980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1981 BPF_FUNC_map_lookup_elem),
1982 BPF_MOV64_IMM(BPF_REG_0, 0),
1985 .fixup_map1 = { 3 },
1986 .errstr = "invalid indirect read from stack off -8+0 size 8",
1990 "unpriv: mangle pointer on stack 1",
1992 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1993 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1994 BPF_MOV64_IMM(BPF_REG_0, 0),
1997 .errstr_unpriv = "attempt to corrupt spilled",
1998 .result_unpriv = REJECT,
2002 "unpriv: mangle pointer on stack 2",
2004 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2005 BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2006 BPF_MOV64_IMM(BPF_REG_0, 0),
2009 .errstr_unpriv = "attempt to corrupt spilled",
2010 .result_unpriv = REJECT,
2014 "unpriv: read pointer from stack in small chunks",
2016 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2017 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2018 BPF_MOV64_IMM(BPF_REG_0, 0),
2021 .errstr = "invalid size",
2025 "unpriv: write pointer into ctx",
2027 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2028 BPF_MOV64_IMM(BPF_REG_0, 0),
2031 .errstr_unpriv = "R1 leaks addr",
2032 .result_unpriv = REJECT,
2033 .errstr = "invalid bpf_context access",
2037 "unpriv: spill/fill of ctx",
2039 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2041 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2042 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2043 BPF_MOV64_IMM(BPF_REG_0, 0),
2049 "unpriv: spill/fill of ctx 2",
2051 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2053 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2054 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2055 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2056 BPF_FUNC_get_hash_recalc),
2060 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2063 "unpriv: spill/fill of ctx 3",
2065 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2066 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2067 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2068 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2069 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2070 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2071 BPF_FUNC_get_hash_recalc),
2075 .errstr = "R1 type=fp expected=ctx",
2076 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2079 "unpriv: spill/fill of ctx 4",
2081 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2083 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2084 BPF_MOV64_IMM(BPF_REG_0, 1),
2085 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2087 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2088 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2089 BPF_FUNC_get_hash_recalc),
2093 .errstr = "R1 type=inv expected=ctx",
2094 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2097 "unpriv: spill/fill of different pointers stx",
2099 BPF_MOV64_IMM(BPF_REG_3, 42),
2100 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2101 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2102 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2103 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2104 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2105 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2106 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2107 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2108 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2109 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2110 offsetof(struct __sk_buff, mark)),
2111 BPF_MOV64_IMM(BPF_REG_0, 0),
2115 .errstr = "same insn cannot be used with different pointers",
2116 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2119 "unpriv: spill/fill of different pointers ldx",
2121 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2123 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2124 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2125 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2126 -(__s32)offsetof(struct bpf_perf_event_data,
2127 sample_period) - 8),
2128 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2129 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2130 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2131 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2132 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2133 offsetof(struct bpf_perf_event_data,
2135 BPF_MOV64_IMM(BPF_REG_0, 0),
2139 .errstr = "same insn cannot be used with different pointers",
2140 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2143 "unpriv: write pointer into map elem value",
2145 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2146 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2147 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2148 BPF_LD_MAP_FD(BPF_REG_1, 0),
2149 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2150 BPF_FUNC_map_lookup_elem),
2151 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2152 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2155 .fixup_map1 = { 3 },
2156 .errstr_unpriv = "R0 leaks addr",
2157 .result_unpriv = REJECT,
2161 "unpriv: partial copy of pointer",
2163 BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2164 BPF_MOV64_IMM(BPF_REG_0, 0),
2167 .errstr_unpriv = "R10 partial copy",
2168 .result_unpriv = REJECT,
2172 "unpriv: pass pointer to tail_call",
2174 BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2175 BPF_LD_MAP_FD(BPF_REG_2, 0),
2176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2177 BPF_FUNC_tail_call),
2178 BPF_MOV64_IMM(BPF_REG_0, 0),
2181 .fixup_prog = { 1 },
2182 .errstr_unpriv = "R3 leaks addr into helper",
2183 .result_unpriv = REJECT,
2187 "unpriv: cmp map pointer with zero",
2189 BPF_MOV64_IMM(BPF_REG_1, 0),
2190 BPF_LD_MAP_FD(BPF_REG_1, 0),
2191 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2192 BPF_MOV64_IMM(BPF_REG_0, 0),
2195 .fixup_map1 = { 1 },
2196 .errstr_unpriv = "R1 pointer comparison",
2197 .result_unpriv = REJECT,
2201 "unpriv: write into frame pointer",
2203 BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2204 BPF_MOV64_IMM(BPF_REG_0, 0),
2207 .errstr = "frame pointer is read only",
2211 "unpriv: spill/fill frame pointer",
2213 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2214 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2215 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2216 BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2217 BPF_MOV64_IMM(BPF_REG_0, 0),
2220 .errstr = "frame pointer is read only",
2224 "unpriv: cmp of frame pointer",
2226 BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2227 BPF_MOV64_IMM(BPF_REG_0, 0),
2230 .errstr_unpriv = "R10 pointer comparison",
2231 .result_unpriv = REJECT,
2235 "unpriv: adding of fp, reg",
2237 BPF_MOV64_IMM(BPF_REG_0, 0),
2238 BPF_MOV64_IMM(BPF_REG_1, 0),
2239 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2240 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2243 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2244 .result_unpriv = REJECT,
2248 "unpriv: adding of fp, imm",
2250 BPF_MOV64_IMM(BPF_REG_0, 0),
2251 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
2253 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2256 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2257 .result_unpriv = REJECT,
2261 "unpriv: cmp of stack pointer",
2263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2266 BPF_MOV64_IMM(BPF_REG_0, 0),
2269 .errstr_unpriv = "R2 pointer comparison",
2270 .result_unpriv = REJECT,
2274 "runtime/jit: pass negative index to tail_call",
2276 BPF_MOV64_IMM(BPF_REG_3, -1),
2277 BPF_LD_MAP_FD(BPF_REG_2, 0),
2278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2279 BPF_FUNC_tail_call),
2280 BPF_MOV64_IMM(BPF_REG_0, 0),
2283 .fixup_prog = { 1 },
2287 "runtime/jit: pass > 32bit index to tail_call",
2289 BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2290 BPF_LD_MAP_FD(BPF_REG_2, 0),
2291 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2292 BPF_FUNC_tail_call),
2293 BPF_MOV64_IMM(BPF_REG_0, 0),
2296 .fixup_prog = { 2 },
2300 "stack pointer arithmetic",
2302 BPF_MOV64_IMM(BPF_REG_1, 4),
2303 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2304 BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2305 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2306 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2307 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2308 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2309 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2310 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2312 BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2313 BPF_MOV64_IMM(BPF_REG_0, 0),
2319 "raw_stack: no skb_load_bytes",
2321 BPF_MOV64_IMM(BPF_REG_2, 4),
2322 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2323 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2324 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2325 BPF_MOV64_IMM(BPF_REG_4, 8),
2326 /* Call to skb_load_bytes() omitted. */
2327 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2331 .errstr = "invalid read from stack off -8+0 size 8",
2332 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2335 "raw_stack: skb_load_bytes, negative len",
2337 BPF_MOV64_IMM(BPF_REG_2, 4),
2338 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2339 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2340 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2341 BPF_MOV64_IMM(BPF_REG_4, -8),
2342 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2343 BPF_FUNC_skb_load_bytes),
2344 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2348 .errstr = "R4 min value is negative",
2349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2352 "raw_stack: skb_load_bytes, negative len 2",
2354 BPF_MOV64_IMM(BPF_REG_2, 4),
2355 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2356 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2357 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2358 BPF_MOV64_IMM(BPF_REG_4, ~0),
2359 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2360 BPF_FUNC_skb_load_bytes),
2361 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2365 .errstr = "R4 min value is negative",
2366 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2369 "raw_stack: skb_load_bytes, zero len",
2371 BPF_MOV64_IMM(BPF_REG_2, 4),
2372 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2374 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2375 BPF_MOV64_IMM(BPF_REG_4, 0),
2376 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2377 BPF_FUNC_skb_load_bytes),
2378 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2382 .errstr = "invalid stack type R3",
2383 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2386 "raw_stack: skb_load_bytes, no init",
2388 BPF_MOV64_IMM(BPF_REG_2, 4),
2389 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2391 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2392 BPF_MOV64_IMM(BPF_REG_4, 8),
2393 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2394 BPF_FUNC_skb_load_bytes),
2395 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2399 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2402 "raw_stack: skb_load_bytes, init",
2404 BPF_MOV64_IMM(BPF_REG_2, 4),
2405 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2407 BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2408 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2409 BPF_MOV64_IMM(BPF_REG_4, 8),
2410 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2411 BPF_FUNC_skb_load_bytes),
2412 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2416 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2419 "raw_stack: skb_load_bytes, spilled regs around bounds",
2421 BPF_MOV64_IMM(BPF_REG_2, 4),
2422 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2424 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2425 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2426 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2427 BPF_MOV64_IMM(BPF_REG_4, 8),
2428 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2429 BPF_FUNC_skb_load_bytes),
2430 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2431 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2432 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2433 offsetof(struct __sk_buff, mark)),
2434 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2435 offsetof(struct __sk_buff, priority)),
2436 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2440 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2443 "raw_stack: skb_load_bytes, spilled regs corruption",
2445 BPF_MOV64_IMM(BPF_REG_2, 4),
2446 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2448 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2449 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2450 BPF_MOV64_IMM(BPF_REG_4, 8),
2451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2452 BPF_FUNC_skb_load_bytes),
2453 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2454 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2455 offsetof(struct __sk_buff, mark)),
2459 .errstr = "R0 invalid mem access 'inv'",
2460 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2463 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2465 BPF_MOV64_IMM(BPF_REG_2, 4),
2466 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2467 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2468 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2469 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2470 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2471 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2472 BPF_MOV64_IMM(BPF_REG_4, 8),
2473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2474 BPF_FUNC_skb_load_bytes),
2475 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2476 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2477 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2478 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2479 offsetof(struct __sk_buff, mark)),
2480 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2481 offsetof(struct __sk_buff, priority)),
2482 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2483 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2484 offsetof(struct __sk_buff, pkt_type)),
2485 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2489 .errstr = "R3 invalid mem access 'inv'",
2490 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2493 "raw_stack: skb_load_bytes, spilled regs + data",
2495 BPF_MOV64_IMM(BPF_REG_2, 4),
2496 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2498 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2499 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2500 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8),
2501 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2502 BPF_MOV64_IMM(BPF_REG_4, 8),
2503 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2504 BPF_FUNC_skb_load_bytes),
2505 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2506 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8),
2507 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0),
2508 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2509 offsetof(struct __sk_buff, mark)),
2510 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2511 offsetof(struct __sk_buff, priority)),
2512 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2513 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2517 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2520 "raw_stack: skb_load_bytes, invalid access 1",
2522 BPF_MOV64_IMM(BPF_REG_2, 4),
2523 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2525 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2526 BPF_MOV64_IMM(BPF_REG_4, 8),
2527 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2528 BPF_FUNC_skb_load_bytes),
2529 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2533 .errstr = "invalid stack type R3 off=-513 access_size=8",
2534 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2537 "raw_stack: skb_load_bytes, invalid access 2",
2539 BPF_MOV64_IMM(BPF_REG_2, 4),
2540 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2541 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2542 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2543 BPF_MOV64_IMM(BPF_REG_4, 8),
2544 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2545 BPF_FUNC_skb_load_bytes),
2546 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2550 .errstr = "invalid stack type R3 off=-1 access_size=8",
2551 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2554 "raw_stack: skb_load_bytes, invalid access 3",
2556 BPF_MOV64_IMM(BPF_REG_2, 4),
2557 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2558 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2559 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2560 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2561 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2562 BPF_FUNC_skb_load_bytes),
2563 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2567 .errstr = "R4 min value is negative",
2568 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2571 "raw_stack: skb_load_bytes, invalid access 4",
2573 BPF_MOV64_IMM(BPF_REG_2, 4),
2574 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2576 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2577 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2579 BPF_FUNC_skb_load_bytes),
2580 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2584 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2585 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2588 "raw_stack: skb_load_bytes, invalid access 5",
2590 BPF_MOV64_IMM(BPF_REG_2, 4),
2591 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2593 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2594 BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2595 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2596 BPF_FUNC_skb_load_bytes),
2597 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2601 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2602 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2605 "raw_stack: skb_load_bytes, invalid access 6",
2607 BPF_MOV64_IMM(BPF_REG_2, 4),
2608 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2610 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2611 BPF_MOV64_IMM(BPF_REG_4, 0),
2612 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2613 BPF_FUNC_skb_load_bytes),
2614 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2618 .errstr = "invalid stack type R3 off=-512 access_size=0",
2619 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2622 "raw_stack: skb_load_bytes, large access",
2624 BPF_MOV64_IMM(BPF_REG_2, 4),
2625 BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2626 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2627 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2628 BPF_MOV64_IMM(BPF_REG_4, 512),
2629 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2630 BPF_FUNC_skb_load_bytes),
2631 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2635 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2638 "context stores via ST",
2640 BPF_MOV64_IMM(BPF_REG_0, 0),
2641 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
2644 .errstr = "BPF_ST stores into R1 context is not allowed",
2646 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2649 "context stores via XADD",
2651 BPF_MOV64_IMM(BPF_REG_0, 0),
2652 BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
2653 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
2656 .errstr = "BPF_XADD stores into R1 context is not allowed",
2658 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2661 "direct packet access: test1",
2663 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2664 offsetof(struct __sk_buff, data)),
2665 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2666 offsetof(struct __sk_buff, data_end)),
2667 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2668 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2669 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2670 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2671 BPF_MOV64_IMM(BPF_REG_0, 0),
2675 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 "direct packet access: test2",
2680 BPF_MOV64_IMM(BPF_REG_0, 1),
2681 BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2682 offsetof(struct __sk_buff, data_end)),
2683 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2684 offsetof(struct __sk_buff, data)),
2685 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2687 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2688 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2689 BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2690 BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2691 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2692 offsetof(struct __sk_buff, data)),
2693 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2694 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2695 offsetof(struct __sk_buff, len)),
2696 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2697 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
2698 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2699 BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2701 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2702 offsetof(struct __sk_buff, data_end)),
2703 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2704 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2705 BPF_MOV64_IMM(BPF_REG_0, 0),
2709 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2712 "direct packet access: test3",
2714 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2715 offsetof(struct __sk_buff, data)),
2716 BPF_MOV64_IMM(BPF_REG_0, 0),
2719 .errstr = "invalid bpf_context access off=76",
2721 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2724 "direct packet access: test4 (write)",
2726 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2727 offsetof(struct __sk_buff, data)),
2728 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2729 offsetof(struct __sk_buff, data_end)),
2730 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2732 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2733 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2734 BPF_MOV64_IMM(BPF_REG_0, 0),
2738 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2741 "direct packet access: test5 (pkt_end >= reg, good access)",
2743 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2744 offsetof(struct __sk_buff, data)),
2745 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2746 offsetof(struct __sk_buff, data_end)),
2747 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2748 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2749 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2750 BPF_MOV64_IMM(BPF_REG_0, 1),
2752 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2753 BPF_MOV64_IMM(BPF_REG_0, 0),
2757 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2760 "direct packet access: test6 (pkt_end >= reg, bad access)",
2762 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2763 offsetof(struct __sk_buff, data)),
2764 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2765 offsetof(struct __sk_buff, data_end)),
2766 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2768 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2769 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2770 BPF_MOV64_IMM(BPF_REG_0, 1),
2772 BPF_MOV64_IMM(BPF_REG_0, 0),
2775 .errstr = "invalid access to packet",
2777 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2780 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2782 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2783 offsetof(struct __sk_buff, data)),
2784 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2785 offsetof(struct __sk_buff, data_end)),
2786 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2788 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2789 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2790 BPF_MOV64_IMM(BPF_REG_0, 1),
2792 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2793 BPF_MOV64_IMM(BPF_REG_0, 0),
2796 .errstr = "invalid access to packet",
2798 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2801 "direct packet access: test8 (double test, variant 1)",
2803 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2804 offsetof(struct __sk_buff, data)),
2805 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2806 offsetof(struct __sk_buff, data_end)),
2807 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2808 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2809 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2810 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2811 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2812 BPF_MOV64_IMM(BPF_REG_0, 1),
2814 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2815 BPF_MOV64_IMM(BPF_REG_0, 0),
2819 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2822 "direct packet access: test9 (double test, variant 2)",
2824 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2825 offsetof(struct __sk_buff, data)),
2826 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2827 offsetof(struct __sk_buff, data_end)),
2828 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2829 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2830 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2831 BPF_MOV64_IMM(BPF_REG_0, 1),
2833 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2834 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2835 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2836 BPF_MOV64_IMM(BPF_REG_0, 0),
2840 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2843 "direct packet access: test10 (write invalid)",
2845 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2846 offsetof(struct __sk_buff, data)),
2847 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2848 offsetof(struct __sk_buff, data_end)),
2849 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2850 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2851 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2852 BPF_MOV64_IMM(BPF_REG_0, 0),
2854 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2855 BPF_MOV64_IMM(BPF_REG_0, 0),
2858 .errstr = "invalid access to packet",
2860 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2863 "direct packet access: test11 (shift, good access)",
2865 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2866 offsetof(struct __sk_buff, data)),
2867 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2868 offsetof(struct __sk_buff, data_end)),
2869 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2870 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2871 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2872 BPF_MOV64_IMM(BPF_REG_3, 144),
2873 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2874 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2875 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2876 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2877 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2878 BPF_MOV64_IMM(BPF_REG_0, 1),
2880 BPF_MOV64_IMM(BPF_REG_0, 0),
2884 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2887 "direct packet access: test12 (and, good access)",
2889 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2890 offsetof(struct __sk_buff, data)),
2891 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2892 offsetof(struct __sk_buff, data_end)),
2893 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2895 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2896 BPF_MOV64_IMM(BPF_REG_3, 144),
2897 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2898 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2899 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2900 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2901 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2902 BPF_MOV64_IMM(BPF_REG_0, 1),
2904 BPF_MOV64_IMM(BPF_REG_0, 0),
2908 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2911 "direct packet access: test13 (branches, good access)",
2913 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2914 offsetof(struct __sk_buff, data)),
2915 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2916 offsetof(struct __sk_buff, data_end)),
2917 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2918 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2919 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2920 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2921 offsetof(struct __sk_buff, mark)),
2922 BPF_MOV64_IMM(BPF_REG_4, 1),
2923 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2924 BPF_MOV64_IMM(BPF_REG_3, 14),
2925 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2926 BPF_MOV64_IMM(BPF_REG_3, 24),
2927 BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2928 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2929 BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2930 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2931 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2932 BPF_MOV64_IMM(BPF_REG_0, 1),
2934 BPF_MOV64_IMM(BPF_REG_0, 0),
2938 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2941 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2943 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2944 offsetof(struct __sk_buff, data)),
2945 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2946 offsetof(struct __sk_buff, data_end)),
2947 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2948 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2949 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2950 BPF_MOV64_IMM(BPF_REG_5, 12),
2951 BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2952 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2953 BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2954 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2955 BPF_MOV64_IMM(BPF_REG_0, 1),
2957 BPF_MOV64_IMM(BPF_REG_0, 0),
2961 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2964 "direct packet access: test15 (spill with xadd)",
2966 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2967 offsetof(struct __sk_buff, data)),
2968 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2969 offsetof(struct __sk_buff, data_end)),
2970 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2971 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2972 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2973 BPF_MOV64_IMM(BPF_REG_5, 4096),
2974 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2976 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2977 BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2978 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2979 BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2980 BPF_MOV64_IMM(BPF_REG_0, 0),
2983 .errstr = "R2 invalid mem access 'inv'",
2985 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2988 "direct packet access: test16 (arith on data_end)",
2990 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2991 offsetof(struct __sk_buff, data)),
2992 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2993 offsetof(struct __sk_buff, data_end)),
2994 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2995 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2996 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2997 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2998 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2999 BPF_MOV64_IMM(BPF_REG_0, 0),
3002 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3004 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3007 "direct packet access: test17 (pruning, alignment)",
3009 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3010 offsetof(struct __sk_buff, data)),
3011 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3012 offsetof(struct __sk_buff, data_end)),
3013 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3014 offsetof(struct __sk_buff, mark)),
3015 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3016 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3017 BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3018 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3019 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3020 BPF_MOV64_IMM(BPF_REG_0, 0),
3022 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3025 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3027 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3028 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3031 "direct packet access: test18 (imm += pkt_ptr, 1)",
3033 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3034 offsetof(struct __sk_buff, data)),
3035 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3036 offsetof(struct __sk_buff, data_end)),
3037 BPF_MOV64_IMM(BPF_REG_0, 8),
3038 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3039 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3040 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3041 BPF_MOV64_IMM(BPF_REG_0, 0),
3045 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3048 "direct packet access: test19 (imm += pkt_ptr, 2)",
3050 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3051 offsetof(struct __sk_buff, data)),
3052 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3053 offsetof(struct __sk_buff, data_end)),
3054 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3055 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3056 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3057 BPF_MOV64_IMM(BPF_REG_4, 4),
3058 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3059 BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3060 BPF_MOV64_IMM(BPF_REG_0, 0),
3064 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3067 "direct packet access: test20 (x += pkt_ptr, 1)",
3069 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3070 offsetof(struct __sk_buff, data)),
3071 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3072 offsetof(struct __sk_buff, data_end)),
3073 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3074 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3075 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3076 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3077 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3078 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3079 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3081 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3082 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3083 BPF_MOV64_IMM(BPF_REG_0, 0),
3086 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3090 "direct packet access: test21 (x += pkt_ptr, 2)",
3092 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3093 offsetof(struct __sk_buff, data)),
3094 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3095 offsetof(struct __sk_buff, data_end)),
3096 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3098 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3099 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3100 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3101 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3102 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3103 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3104 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3105 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3106 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3107 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3108 BPF_MOV64_IMM(BPF_REG_0, 0),
3111 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3115 "direct packet access: test22 (x += pkt_ptr, 3)",
3117 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3118 offsetof(struct __sk_buff, data)),
3119 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3120 offsetof(struct __sk_buff, data_end)),
3121 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3123 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3124 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3125 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3126 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3127 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3128 BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3129 BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3130 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3131 BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3132 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3133 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3135 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3136 BPF_MOV64_IMM(BPF_REG_2, 1),
3137 BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3138 BPF_MOV64_IMM(BPF_REG_0, 0),
3141 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3145 "direct packet access: test23 (x += pkt_ptr, 4)",
3147 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3148 offsetof(struct __sk_buff, data)),
3149 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3150 offsetof(struct __sk_buff, data_end)),
3151 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3152 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3153 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3154 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3155 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3156 BPF_MOV64_IMM(BPF_REG_0, 31),
3157 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3158 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3159 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3160 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3161 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3162 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3163 BPF_MOV64_IMM(BPF_REG_0, 0),
3166 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3168 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3171 "direct packet access: test24 (x += pkt_ptr, 5)",
3173 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3174 offsetof(struct __sk_buff, data)),
3175 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3176 offsetof(struct __sk_buff, data_end)),
3177 BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3178 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3179 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3180 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3181 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3182 BPF_MOV64_IMM(BPF_REG_0, 64),
3183 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3184 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3185 BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3187 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3188 BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3189 BPF_MOV64_IMM(BPF_REG_0, 0),
3192 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3196 "direct packet access: test25 (marking on <, good access)",
3198 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3199 offsetof(struct __sk_buff, data)),
3200 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3201 offsetof(struct __sk_buff, data_end)),
3202 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3203 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3204 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3205 BPF_MOV64_IMM(BPF_REG_0, 0),
3207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3208 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3211 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3214 "direct packet access: test26 (marking on <, bad access)",
3216 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3217 offsetof(struct __sk_buff, data)),
3218 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3219 offsetof(struct __sk_buff, data_end)),
3220 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3222 BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3223 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3224 BPF_MOV64_IMM(BPF_REG_0, 0),
3226 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3229 .errstr = "invalid access to packet",
3230 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3233 "direct packet access: test27 (marking on <=, good access)",
3235 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3236 offsetof(struct __sk_buff, data)),
3237 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3238 offsetof(struct __sk_buff, data_end)),
3239 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3240 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3241 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3242 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3243 BPF_MOV64_IMM(BPF_REG_0, 1),
3247 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3250 "direct packet access: test28 (marking on <=, bad access)",
3252 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3253 offsetof(struct __sk_buff, data)),
3254 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3255 offsetof(struct __sk_buff, data_end)),
3256 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3258 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3259 BPF_MOV64_IMM(BPF_REG_0, 1),
3261 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3262 BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3265 .errstr = "invalid access to packet",
3266 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3269 "helper access to packet: test1, valid packet_ptr range",
3271 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3272 offsetof(struct xdp_md, data)),
3273 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3274 offsetof(struct xdp_md, data_end)),
3275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3277 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3278 BPF_LD_MAP_FD(BPF_REG_1, 0),
3279 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3280 BPF_MOV64_IMM(BPF_REG_4, 0),
3281 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3282 BPF_FUNC_map_update_elem),
3283 BPF_MOV64_IMM(BPF_REG_0, 0),
3286 .fixup_map1 = { 5 },
3287 .result_unpriv = ACCEPT,
3289 .prog_type = BPF_PROG_TYPE_XDP,
3292 "helper access to packet: test2, unchecked packet_ptr",
3294 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3295 offsetof(struct xdp_md, data)),
3296 BPF_LD_MAP_FD(BPF_REG_1, 0),
3297 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3298 BPF_FUNC_map_lookup_elem),
3299 BPF_MOV64_IMM(BPF_REG_0, 0),
3302 .fixup_map1 = { 1 },
3304 .errstr = "invalid access to packet",
3305 .prog_type = BPF_PROG_TYPE_XDP,
3308 "helper access to packet: test3, variable add",
3310 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3311 offsetof(struct xdp_md, data)),
3312 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3313 offsetof(struct xdp_md, data_end)),
3314 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3315 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3316 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3317 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3318 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3319 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3320 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3321 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3322 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3323 BPF_LD_MAP_FD(BPF_REG_1, 0),
3324 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3326 BPF_FUNC_map_lookup_elem),
3327 BPF_MOV64_IMM(BPF_REG_0, 0),
3330 .fixup_map1 = { 11 },
3332 .prog_type = BPF_PROG_TYPE_XDP,
3335 "helper access to packet: test4, packet_ptr with bad range",
3337 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3338 offsetof(struct xdp_md, data)),
3339 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3340 offsetof(struct xdp_md, data_end)),
3341 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3343 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3344 BPF_MOV64_IMM(BPF_REG_0, 0),
3346 BPF_LD_MAP_FD(BPF_REG_1, 0),
3347 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3348 BPF_FUNC_map_lookup_elem),
3349 BPF_MOV64_IMM(BPF_REG_0, 0),
3352 .fixup_map1 = { 7 },
3354 .errstr = "invalid access to packet",
3355 .prog_type = BPF_PROG_TYPE_XDP,
3358 "helper access to packet: test5, packet_ptr with too short range",
3360 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3361 offsetof(struct xdp_md, data)),
3362 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3363 offsetof(struct xdp_md, data_end)),
3364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3365 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3366 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3367 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3368 BPF_LD_MAP_FD(BPF_REG_1, 0),
3369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3370 BPF_FUNC_map_lookup_elem),
3371 BPF_MOV64_IMM(BPF_REG_0, 0),
3374 .fixup_map1 = { 6 },
3376 .errstr = "invalid access to packet",
3377 .prog_type = BPF_PROG_TYPE_XDP,
3380 "helper access to packet: test6, cls valid packet_ptr range",
3382 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3383 offsetof(struct __sk_buff, data)),
3384 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3385 offsetof(struct __sk_buff, data_end)),
3386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3388 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3389 BPF_LD_MAP_FD(BPF_REG_1, 0),
3390 BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3391 BPF_MOV64_IMM(BPF_REG_4, 0),
3392 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3393 BPF_FUNC_map_update_elem),
3394 BPF_MOV64_IMM(BPF_REG_0, 0),
3397 .fixup_map1 = { 5 },
3399 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3402 "helper access to packet: test7, cls unchecked packet_ptr",
3404 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3405 offsetof(struct __sk_buff, data)),
3406 BPF_LD_MAP_FD(BPF_REG_1, 0),
3407 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3408 BPF_FUNC_map_lookup_elem),
3409 BPF_MOV64_IMM(BPF_REG_0, 0),
3412 .fixup_map1 = { 1 },
3414 .errstr = "invalid access to packet",
3415 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3418 "helper access to packet: test8, cls variable add",
3420 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3421 offsetof(struct __sk_buff, data)),
3422 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3423 offsetof(struct __sk_buff, data_end)),
3424 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3425 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3426 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3427 BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3428 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3429 BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3430 BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3432 BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3433 BPF_LD_MAP_FD(BPF_REG_1, 0),
3434 BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3436 BPF_FUNC_map_lookup_elem),
3437 BPF_MOV64_IMM(BPF_REG_0, 0),
3440 .fixup_map1 = { 11 },
3442 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3445 "helper access to packet: test9, cls packet_ptr with bad range",
3447 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3448 offsetof(struct __sk_buff, data)),
3449 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3450 offsetof(struct __sk_buff, data_end)),
3451 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3453 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3454 BPF_MOV64_IMM(BPF_REG_0, 0),
3456 BPF_LD_MAP_FD(BPF_REG_1, 0),
3457 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3458 BPF_FUNC_map_lookup_elem),
3459 BPF_MOV64_IMM(BPF_REG_0, 0),
3462 .fixup_map1 = { 7 },
3464 .errstr = "invalid access to packet",
3465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3468 "helper access to packet: test10, cls packet_ptr with too short range",
3470 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3471 offsetof(struct __sk_buff, data)),
3472 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3473 offsetof(struct __sk_buff, data_end)),
3474 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3475 BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3476 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3477 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3478 BPF_LD_MAP_FD(BPF_REG_1, 0),
3479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3480 BPF_FUNC_map_lookup_elem),
3481 BPF_MOV64_IMM(BPF_REG_0, 0),
3484 .fixup_map1 = { 6 },
3486 .errstr = "invalid access to packet",
3487 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3490 "helper access to packet: test11, cls unsuitable helper 1",
3492 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3493 offsetof(struct __sk_buff, data)),
3494 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3495 offsetof(struct __sk_buff, data_end)),
3496 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3497 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3499 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3500 BPF_MOV64_IMM(BPF_REG_2, 0),
3501 BPF_MOV64_IMM(BPF_REG_4, 42),
3502 BPF_MOV64_IMM(BPF_REG_5, 0),
3503 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3504 BPF_FUNC_skb_store_bytes),
3505 BPF_MOV64_IMM(BPF_REG_0, 0),
3509 .errstr = "helper access to the packet",
3510 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3513 "helper access to packet: test12, cls unsuitable helper 2",
3515 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3516 offsetof(struct __sk_buff, data)),
3517 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3518 offsetof(struct __sk_buff, data_end)),
3519 BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3521 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3522 BPF_MOV64_IMM(BPF_REG_2, 0),
3523 BPF_MOV64_IMM(BPF_REG_4, 4),
3524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3525 BPF_FUNC_skb_load_bytes),
3526 BPF_MOV64_IMM(BPF_REG_0, 0),
3530 .errstr = "helper access to the packet",
3531 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3534 "helper access to packet: test13, cls helper ok",
3536 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3537 offsetof(struct __sk_buff, data)),
3538 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3539 offsetof(struct __sk_buff, data_end)),
3540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3541 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3542 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3543 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3544 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3545 BPF_MOV64_IMM(BPF_REG_2, 4),
3546 BPF_MOV64_IMM(BPF_REG_3, 0),
3547 BPF_MOV64_IMM(BPF_REG_4, 0),
3548 BPF_MOV64_IMM(BPF_REG_5, 0),
3549 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3550 BPF_FUNC_csum_diff),
3551 BPF_MOV64_IMM(BPF_REG_0, 0),
3555 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3558 "helper access to packet: test14, cls helper ok sub",
3560 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3561 offsetof(struct __sk_buff, data)),
3562 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3563 offsetof(struct __sk_buff, data_end)),
3564 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3565 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3567 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3568 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3569 BPF_MOV64_IMM(BPF_REG_2, 4),
3570 BPF_MOV64_IMM(BPF_REG_3, 0),
3571 BPF_MOV64_IMM(BPF_REG_4, 0),
3572 BPF_MOV64_IMM(BPF_REG_5, 0),
3573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3574 BPF_FUNC_csum_diff),
3575 BPF_MOV64_IMM(BPF_REG_0, 0),
3579 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3582 "helper access to packet: test15, cls helper fail sub",
3584 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3585 offsetof(struct __sk_buff, data)),
3586 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3587 offsetof(struct __sk_buff, data_end)),
3588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3591 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3592 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3593 BPF_MOV64_IMM(BPF_REG_2, 4),
3594 BPF_MOV64_IMM(BPF_REG_3, 0),
3595 BPF_MOV64_IMM(BPF_REG_4, 0),
3596 BPF_MOV64_IMM(BPF_REG_5, 0),
3597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3598 BPF_FUNC_csum_diff),
3599 BPF_MOV64_IMM(BPF_REG_0, 0),
3603 .errstr = "invalid access to packet",
3604 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3607 "helper access to packet: test16, cls helper fail range 1",
3609 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3610 offsetof(struct __sk_buff, data)),
3611 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3612 offsetof(struct __sk_buff, data_end)),
3613 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3614 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3616 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3617 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3618 BPF_MOV64_IMM(BPF_REG_2, 8),
3619 BPF_MOV64_IMM(BPF_REG_3, 0),
3620 BPF_MOV64_IMM(BPF_REG_4, 0),
3621 BPF_MOV64_IMM(BPF_REG_5, 0),
3622 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3623 BPF_FUNC_csum_diff),
3624 BPF_MOV64_IMM(BPF_REG_0, 0),
3628 .errstr = "invalid access to packet",
3629 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3632 "helper access to packet: test17, cls helper fail range 2",
3634 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3635 offsetof(struct __sk_buff, data)),
3636 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3637 offsetof(struct __sk_buff, data_end)),
3638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3639 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3640 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3641 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3642 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3643 BPF_MOV64_IMM(BPF_REG_2, -9),
3644 BPF_MOV64_IMM(BPF_REG_3, 0),
3645 BPF_MOV64_IMM(BPF_REG_4, 0),
3646 BPF_MOV64_IMM(BPF_REG_5, 0),
3647 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3648 BPF_FUNC_csum_diff),
3649 BPF_MOV64_IMM(BPF_REG_0, 0),
3653 .errstr = "R2 min value is negative",
3654 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3657 "helper access to packet: test18, cls helper fail range 3",
3659 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3660 offsetof(struct __sk_buff, data)),
3661 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3662 offsetof(struct __sk_buff, data_end)),
3663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3664 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3665 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3666 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3667 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3668 BPF_MOV64_IMM(BPF_REG_2, ~0),
3669 BPF_MOV64_IMM(BPF_REG_3, 0),
3670 BPF_MOV64_IMM(BPF_REG_4, 0),
3671 BPF_MOV64_IMM(BPF_REG_5, 0),
3672 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3673 BPF_FUNC_csum_diff),
3674 BPF_MOV64_IMM(BPF_REG_0, 0),
3678 .errstr = "R2 min value is negative",
3679 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3682 "helper access to packet: test19, cls helper fail range zero",
3684 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3685 offsetof(struct __sk_buff, data)),
3686 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3687 offsetof(struct __sk_buff, data_end)),
3688 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3689 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3690 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3691 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3692 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3693 BPF_MOV64_IMM(BPF_REG_2, 0),
3694 BPF_MOV64_IMM(BPF_REG_3, 0),
3695 BPF_MOV64_IMM(BPF_REG_4, 0),
3696 BPF_MOV64_IMM(BPF_REG_5, 0),
3697 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3698 BPF_FUNC_csum_diff),
3699 BPF_MOV64_IMM(BPF_REG_0, 0),
3703 .errstr = "invalid access to packet",
3704 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3707 "helper access to packet: test20, pkt end as input",
3709 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3710 offsetof(struct __sk_buff, data)),
3711 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3712 offsetof(struct __sk_buff, data_end)),
3713 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3714 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3715 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3716 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3717 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3718 BPF_MOV64_IMM(BPF_REG_2, 4),
3719 BPF_MOV64_IMM(BPF_REG_3, 0),
3720 BPF_MOV64_IMM(BPF_REG_4, 0),
3721 BPF_MOV64_IMM(BPF_REG_5, 0),
3722 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3723 BPF_FUNC_csum_diff),
3724 BPF_MOV64_IMM(BPF_REG_0, 0),
3728 .errstr = "R1 type=pkt_end expected=fp",
3729 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3732 "helper access to packet: test21, wrong reg",
3734 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3735 offsetof(struct __sk_buff, data)),
3736 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3737 offsetof(struct __sk_buff, data_end)),
3738 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3739 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3740 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3741 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3742 BPF_MOV64_IMM(BPF_REG_2, 4),
3743 BPF_MOV64_IMM(BPF_REG_3, 0),
3744 BPF_MOV64_IMM(BPF_REG_4, 0),
3745 BPF_MOV64_IMM(BPF_REG_5, 0),
3746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3747 BPF_FUNC_csum_diff),
3748 BPF_MOV64_IMM(BPF_REG_0, 0),
3752 .errstr = "invalid access to packet",
3753 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3756 "valid map access into an array with a constant",
3758 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3759 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3760 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3761 BPF_LD_MAP_FD(BPF_REG_1, 0),
3762 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3763 BPF_FUNC_map_lookup_elem),
3764 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3765 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3766 offsetof(struct test_val, foo)),
3769 .fixup_map2 = { 3 },
3770 .errstr_unpriv = "R0 leaks addr",
3771 .result_unpriv = REJECT,
3775 "valid map access into an array with a register",
3777 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3778 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3779 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3780 BPF_LD_MAP_FD(BPF_REG_1, 0),
3781 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3782 BPF_FUNC_map_lookup_elem),
3783 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3784 BPF_MOV64_IMM(BPF_REG_1, 4),
3785 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3786 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3787 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3788 offsetof(struct test_val, foo)),
3791 .fixup_map2 = { 3 },
3792 .errstr_unpriv = "R0 leaks addr",
3793 .result_unpriv = REJECT,
3795 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3798 "valid map access into an array with a variable",
3800 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3801 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3803 BPF_LD_MAP_FD(BPF_REG_1, 0),
3804 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3805 BPF_FUNC_map_lookup_elem),
3806 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3807 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3808 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3809 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3810 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3811 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3812 offsetof(struct test_val, foo)),
3815 .fixup_map2 = { 3 },
3816 .errstr_unpriv = "R0 leaks addr",
3817 .result_unpriv = REJECT,
3819 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3822 "valid map access into an array with a signed variable",
3824 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3825 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3827 BPF_LD_MAP_FD(BPF_REG_1, 0),
3828 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3829 BPF_FUNC_map_lookup_elem),
3830 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3831 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3832 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3833 BPF_MOV32_IMM(BPF_REG_1, 0),
3834 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3835 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3836 BPF_MOV32_IMM(BPF_REG_1, 0),
3837 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3838 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3839 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3840 offsetof(struct test_val, foo)),
3843 .fixup_map2 = { 3 },
3844 .errstr_unpriv = "R0 leaks addr",
3845 .result_unpriv = REJECT,
3847 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3850 "invalid map access into an array with a constant",
3852 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3853 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3854 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3855 BPF_LD_MAP_FD(BPF_REG_1, 0),
3856 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3857 BPF_FUNC_map_lookup_elem),
3858 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3859 BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3860 offsetof(struct test_val, foo)),
3863 .fixup_map2 = { 3 },
3864 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3868 "invalid map access into an array with a register",
3870 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3871 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3872 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3873 BPF_LD_MAP_FD(BPF_REG_1, 0),
3874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3875 BPF_FUNC_map_lookup_elem),
3876 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3877 BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3878 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3879 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3880 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3881 offsetof(struct test_val, foo)),
3884 .fixup_map2 = { 3 },
3885 .errstr = "R0 min value is outside of the array range",
3887 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3890 "invalid map access into an array with a variable",
3892 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3893 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3894 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3895 BPF_LD_MAP_FD(BPF_REG_1, 0),
3896 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3897 BPF_FUNC_map_lookup_elem),
3898 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3899 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3900 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3901 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3902 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3903 offsetof(struct test_val, foo)),
3906 .fixup_map2 = { 3 },
3907 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3909 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3912 "invalid map access into an array with no floor check",
3914 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3915 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3916 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3917 BPF_LD_MAP_FD(BPF_REG_1, 0),
3918 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3919 BPF_FUNC_map_lookup_elem),
3920 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3921 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
3922 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3923 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3924 BPF_MOV32_IMM(BPF_REG_1, 0),
3925 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3926 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3927 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3928 offsetof(struct test_val, foo)),
3931 .fixup_map2 = { 3 },
3932 .errstr_unpriv = "R0 leaks addr",
3933 .errstr = "R0 unbounded memory access",
3934 .result_unpriv = REJECT,
3936 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3939 "invalid map access into an array with a invalid max check",
3941 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3942 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3944 BPF_LD_MAP_FD(BPF_REG_1, 0),
3945 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3946 BPF_FUNC_map_lookup_elem),
3947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3948 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3949 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3950 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3951 BPF_MOV32_IMM(BPF_REG_1, 0),
3952 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3953 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3954 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3955 offsetof(struct test_val, foo)),
3958 .fixup_map2 = { 3 },
3959 .errstr_unpriv = "R0 leaks addr",
3960 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
3961 .result_unpriv = REJECT,
3963 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3966 "invalid map access into an array with a invalid max check",
3968 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3969 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3970 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3971 BPF_LD_MAP_FD(BPF_REG_1, 0),
3972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3973 BPF_FUNC_map_lookup_elem),
3974 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3975 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3976 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3977 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3978 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3979 BPF_LD_MAP_FD(BPF_REG_1, 0),
3980 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3981 BPF_FUNC_map_lookup_elem),
3982 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3983 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3984 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3985 offsetof(struct test_val, foo)),
3988 .fixup_map2 = { 3, 11 },
3989 .errstr = "R0 pointer += pointer",
3991 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3994 "multiple registers share map_lookup_elem result",
3996 BPF_MOV64_IMM(BPF_REG_1, 10),
3997 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3998 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3999 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4000 BPF_LD_MAP_FD(BPF_REG_1, 0),
4001 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4002 BPF_FUNC_map_lookup_elem),
4003 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4005 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4008 .fixup_map1 = { 4 },
4010 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4013 "alu ops on ptr_to_map_value_or_null, 1",
4015 BPF_MOV64_IMM(BPF_REG_1, 10),
4016 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4017 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4018 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4019 BPF_LD_MAP_FD(BPF_REG_1, 0),
4020 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4021 BPF_FUNC_map_lookup_elem),
4022 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4023 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4025 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4026 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4029 .fixup_map1 = { 4 },
4030 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4032 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4035 "alu ops on ptr_to_map_value_or_null, 2",
4037 BPF_MOV64_IMM(BPF_REG_1, 10),
4038 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4039 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4040 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4041 BPF_LD_MAP_FD(BPF_REG_1, 0),
4042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4043 BPF_FUNC_map_lookup_elem),
4044 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4045 BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4046 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4047 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4050 .fixup_map1 = { 4 },
4051 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4053 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4056 "alu ops on ptr_to_map_value_or_null, 3",
4058 BPF_MOV64_IMM(BPF_REG_1, 10),
4059 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4060 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4061 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4062 BPF_LD_MAP_FD(BPF_REG_1, 0),
4063 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4064 BPF_FUNC_map_lookup_elem),
4065 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4066 BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4067 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4068 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4071 .fixup_map1 = { 4 },
4072 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4074 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4077 "invalid memory access with multiple map_lookup_elem calls",
4079 BPF_MOV64_IMM(BPF_REG_1, 10),
4080 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4081 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4082 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4083 BPF_LD_MAP_FD(BPF_REG_1, 0),
4084 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4085 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4086 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4087 BPF_FUNC_map_lookup_elem),
4088 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4089 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4090 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4091 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4092 BPF_FUNC_map_lookup_elem),
4093 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4094 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4097 .fixup_map1 = { 4 },
4099 .errstr = "R4 !read_ok",
4100 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4103 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4105 BPF_MOV64_IMM(BPF_REG_1, 10),
4106 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4108 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4109 BPF_LD_MAP_FD(BPF_REG_1, 0),
4110 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4111 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4112 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4113 BPF_FUNC_map_lookup_elem),
4114 BPF_MOV64_IMM(BPF_REG_2, 10),
4115 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4116 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4117 BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4118 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4119 BPF_FUNC_map_lookup_elem),
4120 BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4121 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4122 BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4125 .fixup_map1 = { 4 },
4127 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4130 "invalid map access from else condition",
4132 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4133 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4134 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4135 BPF_LD_MAP_FD(BPF_REG_1, 0),
4136 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4137 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4138 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4139 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4140 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4141 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4142 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4143 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4146 .fixup_map2 = { 3 },
4147 .errstr = "R0 unbounded memory access",
4149 .errstr_unpriv = "R0 leaks addr",
4150 .result_unpriv = REJECT,
4151 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4154 "constant register |= constant should keep constant type",
4156 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4157 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4158 BPF_MOV64_IMM(BPF_REG_2, 34),
4159 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4160 BPF_MOV64_IMM(BPF_REG_3, 0),
4161 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4165 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4168 "constant register |= constant should not bypass stack boundary checks",
4170 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4171 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4172 BPF_MOV64_IMM(BPF_REG_2, 34),
4173 BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4174 BPF_MOV64_IMM(BPF_REG_3, 0),
4175 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4178 .errstr = "invalid stack type R1 off=-48 access_size=58",
4180 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4183 "constant register |= constant register should keep constant type",
4185 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4187 BPF_MOV64_IMM(BPF_REG_2, 34),
4188 BPF_MOV64_IMM(BPF_REG_4, 13),
4189 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4190 BPF_MOV64_IMM(BPF_REG_3, 0),
4191 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4195 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4198 "constant register |= constant register should not bypass stack boundary checks",
4200 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4201 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4202 BPF_MOV64_IMM(BPF_REG_2, 34),
4203 BPF_MOV64_IMM(BPF_REG_4, 24),
4204 BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4205 BPF_MOV64_IMM(BPF_REG_3, 0),
4206 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4209 .errstr = "invalid stack type R1 off=-48 access_size=58",
4211 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4214 "invalid direct packet write for LWT_IN",
4216 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4217 offsetof(struct __sk_buff, data)),
4218 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4219 offsetof(struct __sk_buff, data_end)),
4220 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4221 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4222 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4223 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4224 BPF_MOV64_IMM(BPF_REG_0, 0),
4227 .errstr = "cannot write into packet",
4229 .prog_type = BPF_PROG_TYPE_LWT_IN,
4232 "invalid direct packet write for LWT_OUT",
4234 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4235 offsetof(struct __sk_buff, data)),
4236 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4237 offsetof(struct __sk_buff, data_end)),
4238 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4240 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4241 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4242 BPF_MOV64_IMM(BPF_REG_0, 0),
4245 .errstr = "cannot write into packet",
4247 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4250 "direct packet write for LWT_XMIT",
4252 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4253 offsetof(struct __sk_buff, data)),
4254 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4255 offsetof(struct __sk_buff, data_end)),
4256 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4257 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4258 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4259 BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4260 BPF_MOV64_IMM(BPF_REG_0, 0),
4264 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4267 "direct packet read for LWT_IN",
4269 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4270 offsetof(struct __sk_buff, data)),
4271 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4272 offsetof(struct __sk_buff, data_end)),
4273 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4275 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4276 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4277 BPF_MOV64_IMM(BPF_REG_0, 0),
4281 .prog_type = BPF_PROG_TYPE_LWT_IN,
4284 "direct packet read for LWT_OUT",
4286 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4287 offsetof(struct __sk_buff, data)),
4288 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4289 offsetof(struct __sk_buff, data_end)),
4290 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4291 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4292 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4293 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4294 BPF_MOV64_IMM(BPF_REG_0, 0),
4298 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4301 "direct packet read for LWT_XMIT",
4303 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4304 offsetof(struct __sk_buff, data)),
4305 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4306 offsetof(struct __sk_buff, data_end)),
4307 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4308 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4309 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4310 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4311 BPF_MOV64_IMM(BPF_REG_0, 0),
4315 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4318 "overlapping checks for direct packet access",
4320 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4321 offsetof(struct __sk_buff, data)),
4322 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4323 offsetof(struct __sk_buff, data_end)),
4324 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4326 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4327 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4329 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4330 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4331 BPF_MOV64_IMM(BPF_REG_0, 0),
4335 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4338 "invalid access of tc_classid for LWT_IN",
4340 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4341 offsetof(struct __sk_buff, tc_classid)),
4345 .errstr = "invalid bpf_context access",
4348 "invalid access of tc_classid for LWT_OUT",
4350 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4351 offsetof(struct __sk_buff, tc_classid)),
4355 .errstr = "invalid bpf_context access",
4358 "invalid access of tc_classid for LWT_XMIT",
4360 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4361 offsetof(struct __sk_buff, tc_classid)),
4365 .errstr = "invalid bpf_context access",
4368 "leak pointer into ctx 1",
4370 BPF_MOV64_IMM(BPF_REG_0, 0),
4371 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4372 offsetof(struct __sk_buff, cb[0])),
4373 BPF_LD_MAP_FD(BPF_REG_2, 0),
4374 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4375 offsetof(struct __sk_buff, cb[0])),
4378 .fixup_map1 = { 2 },
4379 .errstr_unpriv = "R2 leaks addr into mem",
4380 .result_unpriv = REJECT,
4382 .errstr = "BPF_XADD stores into R1 context is not allowed",
4385 "leak pointer into ctx 2",
4387 BPF_MOV64_IMM(BPF_REG_0, 0),
4388 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4389 offsetof(struct __sk_buff, cb[0])),
4390 BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4391 offsetof(struct __sk_buff, cb[0])),
4394 .errstr_unpriv = "R10 leaks addr into mem",
4395 .result_unpriv = REJECT,
4397 .errstr = "BPF_XADD stores into R1 context is not allowed",
4400 "leak pointer into ctx 3",
4402 BPF_MOV64_IMM(BPF_REG_0, 0),
4403 BPF_LD_MAP_FD(BPF_REG_2, 0),
4404 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4405 offsetof(struct __sk_buff, cb[0])),
4408 .fixup_map1 = { 1 },
4409 .errstr_unpriv = "R2 leaks addr into ctx",
4410 .result_unpriv = REJECT,
4414 "leak pointer into map val",
4416 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4417 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4419 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4420 BPF_LD_MAP_FD(BPF_REG_1, 0),
4421 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4422 BPF_FUNC_map_lookup_elem),
4423 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4424 BPF_MOV64_IMM(BPF_REG_3, 0),
4425 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4426 BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4427 BPF_MOV64_IMM(BPF_REG_0, 0),
4430 .fixup_map1 = { 4 },
4431 .errstr_unpriv = "R6 leaks addr into mem",
4432 .result_unpriv = REJECT,
4436 "helper access to map: full range",
4438 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4439 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4440 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4441 BPF_LD_MAP_FD(BPF_REG_1, 0),
4442 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4443 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4444 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4445 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4446 BPF_MOV64_IMM(BPF_REG_3, 0),
4447 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4450 .fixup_map2 = { 3 },
4452 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4455 "helper access to map: partial range",
4457 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4458 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4459 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4460 BPF_LD_MAP_FD(BPF_REG_1, 0),
4461 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4462 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4463 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4464 BPF_MOV64_IMM(BPF_REG_2, 8),
4465 BPF_MOV64_IMM(BPF_REG_3, 0),
4466 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4469 .fixup_map2 = { 3 },
4471 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4474 "helper access to map: empty range",
4476 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4478 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4479 BPF_LD_MAP_FD(BPF_REG_1, 0),
4480 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4481 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4482 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4483 BPF_MOV64_IMM(BPF_REG_2, 0),
4484 BPF_MOV64_IMM(BPF_REG_3, 0),
4485 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4488 .fixup_map2 = { 3 },
4489 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4491 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4494 "helper access to map: out-of-bound range",
4496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4497 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4498 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4499 BPF_LD_MAP_FD(BPF_REG_1, 0),
4500 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4501 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4503 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4504 BPF_MOV64_IMM(BPF_REG_3, 0),
4505 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4508 .fixup_map2 = { 3 },
4509 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4511 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4514 "helper access to map: negative range",
4516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4518 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4519 BPF_LD_MAP_FD(BPF_REG_1, 0),
4520 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4522 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4523 BPF_MOV64_IMM(BPF_REG_2, -8),
4524 BPF_MOV64_IMM(BPF_REG_3, 0),
4525 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4528 .fixup_map2 = { 3 },
4529 .errstr = "R2 min value is negative",
4531 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4534 "helper access to adjusted map (via const imm): full range",
4536 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4537 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4538 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4539 BPF_LD_MAP_FD(BPF_REG_1, 0),
4540 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4541 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4542 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4544 offsetof(struct test_val, foo)),
4545 BPF_MOV64_IMM(BPF_REG_2,
4546 sizeof(struct test_val) -
4547 offsetof(struct test_val, foo)),
4548 BPF_MOV64_IMM(BPF_REG_3, 0),
4549 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4552 .fixup_map2 = { 3 },
4554 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4557 "helper access to adjusted map (via const imm): partial range",
4559 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4560 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4561 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4562 BPF_LD_MAP_FD(BPF_REG_1, 0),
4563 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4564 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4565 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4566 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4567 offsetof(struct test_val, foo)),
4568 BPF_MOV64_IMM(BPF_REG_2, 8),
4569 BPF_MOV64_IMM(BPF_REG_3, 0),
4570 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4573 .fixup_map2 = { 3 },
4575 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4578 "helper access to adjusted map (via const imm): empty range",
4580 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4582 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4583 BPF_LD_MAP_FD(BPF_REG_1, 0),
4584 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4585 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4586 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4587 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4588 offsetof(struct test_val, foo)),
4589 BPF_MOV64_IMM(BPF_REG_2, 0),
4590 BPF_MOV64_IMM(BPF_REG_3, 0),
4591 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4594 .fixup_map2 = { 3 },
4595 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
4597 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4600 "helper access to adjusted map (via const imm): out-of-bound range",
4602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4604 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4605 BPF_LD_MAP_FD(BPF_REG_1, 0),
4606 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4607 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4608 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4609 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4610 offsetof(struct test_val, foo)),
4611 BPF_MOV64_IMM(BPF_REG_2,
4612 sizeof(struct test_val) -
4613 offsetof(struct test_val, foo) + 8),
4614 BPF_MOV64_IMM(BPF_REG_3, 0),
4615 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4618 .fixup_map2 = { 3 },
4619 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4621 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4624 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4626 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4627 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4628 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4629 BPF_LD_MAP_FD(BPF_REG_1, 0),
4630 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4631 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4632 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4633 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4634 offsetof(struct test_val, foo)),
4635 BPF_MOV64_IMM(BPF_REG_2, -8),
4636 BPF_MOV64_IMM(BPF_REG_3, 0),
4637 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4640 .fixup_map2 = { 3 },
4641 .errstr = "R2 min value is negative",
4643 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4646 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4648 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4649 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4650 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4651 BPF_LD_MAP_FD(BPF_REG_1, 0),
4652 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4653 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4654 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4655 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4656 offsetof(struct test_val, foo)),
4657 BPF_MOV64_IMM(BPF_REG_2, -1),
4658 BPF_MOV64_IMM(BPF_REG_3, 0),
4659 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4662 .fixup_map2 = { 3 },
4663 .errstr = "R2 min value is negative",
4665 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4668 "helper access to adjusted map (via const reg): full range",
4670 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4671 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4672 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4673 BPF_LD_MAP_FD(BPF_REG_1, 0),
4674 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4675 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4676 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4677 BPF_MOV64_IMM(BPF_REG_3,
4678 offsetof(struct test_val, foo)),
4679 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4680 BPF_MOV64_IMM(BPF_REG_2,
4681 sizeof(struct test_val) -
4682 offsetof(struct test_val, foo)),
4683 BPF_MOV64_IMM(BPF_REG_3, 0),
4684 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4687 .fixup_map2 = { 3 },
4689 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4692 "helper access to adjusted map (via const reg): partial range",
4694 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4695 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4696 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4697 BPF_LD_MAP_FD(BPF_REG_1, 0),
4698 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4699 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4700 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4701 BPF_MOV64_IMM(BPF_REG_3,
4702 offsetof(struct test_val, foo)),
4703 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4704 BPF_MOV64_IMM(BPF_REG_2, 8),
4705 BPF_MOV64_IMM(BPF_REG_3, 0),
4706 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4709 .fixup_map2 = { 3 },
4711 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4714 "helper access to adjusted map (via const reg): empty range",
4716 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4717 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4718 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4719 BPF_LD_MAP_FD(BPF_REG_1, 0),
4720 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4721 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4722 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4723 BPF_MOV64_IMM(BPF_REG_3, 0),
4724 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4725 BPF_MOV64_IMM(BPF_REG_2, 0),
4726 BPF_MOV64_IMM(BPF_REG_3, 0),
4727 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4730 .fixup_map2 = { 3 },
4731 .errstr = "R1 min value is outside of the array range",
4733 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4736 "helper access to adjusted map (via const reg): out-of-bound range",
4738 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4739 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4740 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4741 BPF_LD_MAP_FD(BPF_REG_1, 0),
4742 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4743 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4744 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4745 BPF_MOV64_IMM(BPF_REG_3,
4746 offsetof(struct test_val, foo)),
4747 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4748 BPF_MOV64_IMM(BPF_REG_2,
4749 sizeof(struct test_val) -
4750 offsetof(struct test_val, foo) + 8),
4751 BPF_MOV64_IMM(BPF_REG_3, 0),
4752 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4755 .fixup_map2 = { 3 },
4756 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4758 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4761 "helper access to adjusted map (via const reg): negative range (> adjustment)",
4763 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4764 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4765 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4766 BPF_LD_MAP_FD(BPF_REG_1, 0),
4767 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4768 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4769 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4770 BPF_MOV64_IMM(BPF_REG_3,
4771 offsetof(struct test_val, foo)),
4772 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4773 BPF_MOV64_IMM(BPF_REG_2, -8),
4774 BPF_MOV64_IMM(BPF_REG_3, 0),
4775 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4778 .fixup_map2 = { 3 },
4779 .errstr = "R2 min value is negative",
4781 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4784 "helper access to adjusted map (via const reg): negative range (< adjustment)",
4786 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4787 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4788 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4789 BPF_LD_MAP_FD(BPF_REG_1, 0),
4790 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4791 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4792 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4793 BPF_MOV64_IMM(BPF_REG_3,
4794 offsetof(struct test_val, foo)),
4795 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4796 BPF_MOV64_IMM(BPF_REG_2, -1),
4797 BPF_MOV64_IMM(BPF_REG_3, 0),
4798 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4801 .fixup_map2 = { 3 },
4802 .errstr = "R2 min value is negative",
4804 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4807 "helper access to adjusted map (via variable): full range",
4809 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4810 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4811 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4812 BPF_LD_MAP_FD(BPF_REG_1, 0),
4813 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4814 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4815 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4816 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4817 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4818 offsetof(struct test_val, foo), 4),
4819 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4820 BPF_MOV64_IMM(BPF_REG_2,
4821 sizeof(struct test_val) -
4822 offsetof(struct test_val, foo)),
4823 BPF_MOV64_IMM(BPF_REG_3, 0),
4824 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4827 .fixup_map2 = { 3 },
4829 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4832 "helper access to adjusted map (via variable): partial range",
4834 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4835 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4836 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4837 BPF_LD_MAP_FD(BPF_REG_1, 0),
4838 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4839 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4840 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4841 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4842 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4843 offsetof(struct test_val, foo), 4),
4844 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4845 BPF_MOV64_IMM(BPF_REG_2, 8),
4846 BPF_MOV64_IMM(BPF_REG_3, 0),
4847 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4850 .fixup_map2 = { 3 },
4852 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4855 "helper access to adjusted map (via variable): empty range",
4857 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4858 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4859 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4860 BPF_LD_MAP_FD(BPF_REG_1, 0),
4861 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4862 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4863 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4864 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4865 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4866 offsetof(struct test_val, foo), 4),
4867 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4868 BPF_MOV64_IMM(BPF_REG_2, 0),
4869 BPF_MOV64_IMM(BPF_REG_3, 0),
4870 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4873 .fixup_map2 = { 3 },
4874 .errstr = "R1 min value is outside of the array range",
4876 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4879 "helper access to adjusted map (via variable): no max check",
4881 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4882 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4883 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4884 BPF_LD_MAP_FD(BPF_REG_1, 0),
4885 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4886 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4887 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4888 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4889 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4890 BPF_MOV64_IMM(BPF_REG_2, 1),
4891 BPF_MOV64_IMM(BPF_REG_3, 0),
4892 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4895 .fixup_map2 = { 3 },
4896 .errstr = "R1 unbounded memory access",
4898 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4901 "helper access to adjusted map (via variable): wrong max check",
4903 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4904 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4905 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4906 BPF_LD_MAP_FD(BPF_REG_1, 0),
4907 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4908 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4909 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4910 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4911 BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4912 offsetof(struct test_val, foo), 4),
4913 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4914 BPF_MOV64_IMM(BPF_REG_2,
4915 sizeof(struct test_val) -
4916 offsetof(struct test_val, foo) + 1),
4917 BPF_MOV64_IMM(BPF_REG_3, 0),
4918 BPF_EMIT_CALL(BPF_FUNC_probe_read),
4921 .fixup_map2 = { 3 },
4922 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4924 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4927 "helper access to map: bounds check using <, good access",
4929 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4930 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4931 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4932 BPF_LD_MAP_FD(BPF_REG_1, 0),
4933 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4934 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4935 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4936 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4937 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
4938 BPF_MOV64_IMM(BPF_REG_0, 0),
4940 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4941 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4942 BPF_MOV64_IMM(BPF_REG_0, 0),
4945 .fixup_map2 = { 3 },
4947 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4950 "helper access to map: bounds check using <, bad access",
4952 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4953 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4954 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4955 BPF_LD_MAP_FD(BPF_REG_1, 0),
4956 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4957 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4959 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4960 BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
4961 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4962 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4963 BPF_MOV64_IMM(BPF_REG_0, 0),
4965 BPF_MOV64_IMM(BPF_REG_0, 0),
4968 .fixup_map2 = { 3 },
4970 .errstr = "R1 unbounded memory access",
4971 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4974 "helper access to map: bounds check using <=, good access",
4976 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4977 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4978 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4979 BPF_LD_MAP_FD(BPF_REG_1, 0),
4980 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4981 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4982 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4983 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4984 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
4985 BPF_MOV64_IMM(BPF_REG_0, 0),
4987 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4988 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4989 BPF_MOV64_IMM(BPF_REG_0, 0),
4992 .fixup_map2 = { 3 },
4994 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4997 "helper access to map: bounds check using <=, bad access",
4999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5001 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5002 BPF_LD_MAP_FD(BPF_REG_1, 0),
5003 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5004 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5005 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5006 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5007 BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5008 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5009 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5010 BPF_MOV64_IMM(BPF_REG_0, 0),
5012 BPF_MOV64_IMM(BPF_REG_0, 0),
5015 .fixup_map2 = { 3 },
5017 .errstr = "R1 unbounded memory access",
5018 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5021 "helper access to map: bounds check using s<, good access",
5023 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5024 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5025 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5026 BPF_LD_MAP_FD(BPF_REG_1, 0),
5027 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5028 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5029 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5030 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5031 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5032 BPF_MOV64_IMM(BPF_REG_0, 0),
5034 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5035 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5036 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5037 BPF_MOV64_IMM(BPF_REG_0, 0),
5040 .fixup_map2 = { 3 },
5042 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5045 "helper access to map: bounds check using s<, good access 2",
5047 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5049 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5050 BPF_LD_MAP_FD(BPF_REG_1, 0),
5051 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5052 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5053 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5054 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5055 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5056 BPF_MOV64_IMM(BPF_REG_0, 0),
5058 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5059 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5060 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5061 BPF_MOV64_IMM(BPF_REG_0, 0),
5064 .fixup_map2 = { 3 },
5066 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5069 "helper access to map: bounds check using s<, bad access",
5071 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5072 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5073 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5074 BPF_LD_MAP_FD(BPF_REG_1, 0),
5075 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5076 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5078 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5079 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5080 BPF_MOV64_IMM(BPF_REG_0, 0),
5082 BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5083 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5084 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5085 BPF_MOV64_IMM(BPF_REG_0, 0),
5088 .fixup_map2 = { 3 },
5090 .errstr = "R1 min value is negative",
5091 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5094 "helper access to map: bounds check using s<=, good access",
5096 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5097 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5098 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5099 BPF_LD_MAP_FD(BPF_REG_1, 0),
5100 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5101 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5103 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5104 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5105 BPF_MOV64_IMM(BPF_REG_0, 0),
5107 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5108 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5109 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5110 BPF_MOV64_IMM(BPF_REG_0, 0),
5113 .fixup_map2 = { 3 },
5115 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5118 "helper access to map: bounds check using s<=, good access 2",
5120 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5121 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5122 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5123 BPF_LD_MAP_FD(BPF_REG_1, 0),
5124 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5125 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5126 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5127 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5128 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5129 BPF_MOV64_IMM(BPF_REG_0, 0),
5131 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5132 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5133 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5134 BPF_MOV64_IMM(BPF_REG_0, 0),
5137 .fixup_map2 = { 3 },
5139 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5142 "helper access to map: bounds check using s<=, bad access",
5144 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5145 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5146 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5147 BPF_LD_MAP_FD(BPF_REG_1, 0),
5148 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5149 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5150 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5151 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5152 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5153 BPF_MOV64_IMM(BPF_REG_0, 0),
5155 BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5156 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5157 BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5158 BPF_MOV64_IMM(BPF_REG_0, 0),
5161 .fixup_map2 = { 3 },
5163 .errstr = "R1 min value is negative",
5164 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5167 "map element value is preserved across register spilling",
5169 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5171 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5172 BPF_LD_MAP_FD(BPF_REG_1, 0),
5173 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5174 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5175 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5176 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5177 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5178 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5179 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5180 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5183 .fixup_map2 = { 3 },
5184 .errstr_unpriv = "R0 leaks addr",
5186 .result_unpriv = REJECT,
5189 "map element value or null is marked on register spilling",
5191 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5192 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5193 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5194 BPF_LD_MAP_FD(BPF_REG_1, 0),
5195 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5196 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5197 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5198 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5200 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5201 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5204 .fixup_map2 = { 3 },
5205 .errstr_unpriv = "R0 leaks addr",
5207 .result_unpriv = REJECT,
5210 "map element value store of cleared call register",
5212 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5213 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5214 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5215 BPF_LD_MAP_FD(BPF_REG_1, 0),
5216 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5217 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5218 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5221 .fixup_map2 = { 3 },
5222 .errstr_unpriv = "R1 !read_ok",
5223 .errstr = "R1 !read_ok",
5225 .result_unpriv = REJECT,
5228 "map element value with unaligned store",
5230 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5232 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5233 BPF_LD_MAP_FD(BPF_REG_1, 0),
5234 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5235 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5236 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5237 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5238 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5239 BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5240 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5241 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5242 BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5243 BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5244 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5245 BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5246 BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5247 BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5248 BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5249 BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5250 BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5251 BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5252 BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5255 .fixup_map2 = { 3 },
5256 .errstr_unpriv = "R0 leaks addr",
5258 .result_unpriv = REJECT,
5259 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5262 "map element value with unaligned load",
5264 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5265 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5266 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5267 BPF_LD_MAP_FD(BPF_REG_1, 0),
5268 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5269 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5270 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5271 BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5272 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5273 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5274 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5275 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5276 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5277 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5278 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5279 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5280 BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5283 .fixup_map2 = { 3 },
5284 .errstr_unpriv = "R0 leaks addr",
5286 .result_unpriv = REJECT,
5287 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5290 "map element value illegal alu op, 1",
5292 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5293 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5294 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5295 BPF_LD_MAP_FD(BPF_REG_1, 0),
5296 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5297 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5298 BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5299 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5302 .fixup_map2 = { 3 },
5303 .errstr = "R0 bitwise operator &= on pointer",
5307 "map element value illegal alu op, 2",
5309 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5310 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5311 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5312 BPF_LD_MAP_FD(BPF_REG_1, 0),
5313 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5314 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5315 BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5316 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5319 .fixup_map2 = { 3 },
5320 .errstr = "R0 32-bit pointer arithmetic prohibited",
5324 "map element value illegal alu op, 3",
5326 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5328 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5329 BPF_LD_MAP_FD(BPF_REG_1, 0),
5330 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5331 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5332 BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5333 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5336 .fixup_map2 = { 3 },
5337 .errstr = "R0 pointer arithmetic with /= operator",
5341 "map element value illegal alu op, 4",
5343 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5344 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5345 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5346 BPF_LD_MAP_FD(BPF_REG_1, 0),
5347 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5348 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5349 BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5350 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5353 .fixup_map2 = { 3 },
5354 .errstr_unpriv = "R0 pointer arithmetic prohibited",
5355 .errstr = "invalid mem access 'inv'",
5357 .result_unpriv = REJECT,
5360 "map element value illegal alu op, 5",
5362 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5363 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5364 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5365 BPF_LD_MAP_FD(BPF_REG_1, 0),
5366 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5367 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5368 BPF_MOV64_IMM(BPF_REG_3, 4096),
5369 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5370 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5371 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5372 BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5373 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5374 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5377 .fixup_map2 = { 3 },
5378 .errstr = "R0 invalid mem access 'inv'",
5382 "map element value is preserved across register spilling",
5384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5385 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5386 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5387 BPF_LD_MAP_FD(BPF_REG_1, 0),
5388 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5389 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5390 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5391 offsetof(struct test_val, foo)),
5392 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5393 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5395 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5396 BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5397 BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5400 .fixup_map2 = { 3 },
5401 .errstr_unpriv = "R0 leaks addr",
5403 .result_unpriv = REJECT,
5404 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5407 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5409 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5410 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5411 BPF_MOV64_IMM(BPF_REG_0, 0),
5412 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5413 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5414 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5415 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5416 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5417 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5418 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5419 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5420 BPF_MOV64_IMM(BPF_REG_2, 16),
5421 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5422 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5423 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5424 BPF_MOV64_IMM(BPF_REG_4, 0),
5425 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5426 BPF_MOV64_IMM(BPF_REG_3, 0),
5427 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5428 BPF_MOV64_IMM(BPF_REG_0, 0),
5432 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5435 "helper access to variable memory: stack, bitwise AND, zero included",
5437 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5439 BPF_MOV64_IMM(BPF_REG_2, 16),
5440 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5441 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5442 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5443 BPF_MOV64_IMM(BPF_REG_3, 0),
5444 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5447 .errstr = "invalid stack type R1 off=-64 access_size=0",
5449 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5452 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5454 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5455 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5456 BPF_MOV64_IMM(BPF_REG_2, 16),
5457 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5458 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5459 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5460 BPF_MOV64_IMM(BPF_REG_4, 0),
5461 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5462 BPF_MOV64_IMM(BPF_REG_3, 0),
5463 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5464 BPF_MOV64_IMM(BPF_REG_0, 0),
5467 .errstr = "invalid stack type R1 off=-64 access_size=65",
5469 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5472 "helper access to variable memory: stack, JMP, correct bounds",
5474 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5475 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5476 BPF_MOV64_IMM(BPF_REG_0, 0),
5477 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5478 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5479 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5480 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5481 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5482 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5483 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5484 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5485 BPF_MOV64_IMM(BPF_REG_2, 16),
5486 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5487 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5488 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5489 BPF_MOV64_IMM(BPF_REG_4, 0),
5490 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5491 BPF_MOV64_IMM(BPF_REG_3, 0),
5492 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5493 BPF_MOV64_IMM(BPF_REG_0, 0),
5497 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5500 "helper access to variable memory: stack, JMP (signed), correct bounds",
5502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5503 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5504 BPF_MOV64_IMM(BPF_REG_0, 0),
5505 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5506 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5507 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5508 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5509 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5510 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5511 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5512 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5513 BPF_MOV64_IMM(BPF_REG_2, 16),
5514 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5515 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5516 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5517 BPF_MOV64_IMM(BPF_REG_4, 0),
5518 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5519 BPF_MOV64_IMM(BPF_REG_3, 0),
5520 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5521 BPF_MOV64_IMM(BPF_REG_0, 0),
5525 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5528 "helper access to variable memory: stack, JMP, bounds + offset",
5530 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5532 BPF_MOV64_IMM(BPF_REG_2, 16),
5533 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5534 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5535 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5536 BPF_MOV64_IMM(BPF_REG_4, 0),
5537 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5538 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5539 BPF_MOV64_IMM(BPF_REG_3, 0),
5540 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5541 BPF_MOV64_IMM(BPF_REG_0, 0),
5544 .errstr = "invalid stack type R1 off=-64 access_size=65",
5546 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5549 "helper access to variable memory: stack, JMP, wrong max",
5551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5553 BPF_MOV64_IMM(BPF_REG_2, 16),
5554 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5555 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5556 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5557 BPF_MOV64_IMM(BPF_REG_4, 0),
5558 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5559 BPF_MOV64_IMM(BPF_REG_3, 0),
5560 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5561 BPF_MOV64_IMM(BPF_REG_0, 0),
5564 .errstr = "invalid stack type R1 off=-64 access_size=65",
5566 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5569 "helper access to variable memory: stack, JMP, no max check",
5571 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5572 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5573 BPF_MOV64_IMM(BPF_REG_2, 16),
5574 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5575 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5576 BPF_MOV64_IMM(BPF_REG_4, 0),
5577 BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5578 BPF_MOV64_IMM(BPF_REG_3, 0),
5579 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5580 BPF_MOV64_IMM(BPF_REG_0, 0),
5583 /* because max wasn't checked, signed min is negative */
5584 .errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
5586 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5589 "helper access to variable memory: stack, JMP, no min check",
5591 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5593 BPF_MOV64_IMM(BPF_REG_2, 16),
5594 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5595 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5596 BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5597 BPF_MOV64_IMM(BPF_REG_3, 0),
5598 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5599 BPF_MOV64_IMM(BPF_REG_0, 0),
5602 .errstr = "invalid stack type R1 off=-64 access_size=0",
5604 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5607 "helper access to variable memory: stack, JMP (signed), no min check",
5609 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5611 BPF_MOV64_IMM(BPF_REG_2, 16),
5612 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5613 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5614 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5615 BPF_MOV64_IMM(BPF_REG_3, 0),
5616 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5617 BPF_MOV64_IMM(BPF_REG_0, 0),
5620 .errstr = "R2 min value is negative",
5622 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5625 "helper access to variable memory: map, JMP, correct bounds",
5627 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5628 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5629 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5630 BPF_LD_MAP_FD(BPF_REG_1, 0),
5631 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5632 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5633 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5634 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5635 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5636 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5637 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5638 sizeof(struct test_val), 4),
5639 BPF_MOV64_IMM(BPF_REG_4, 0),
5640 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5641 BPF_MOV64_IMM(BPF_REG_3, 0),
5642 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5643 BPF_MOV64_IMM(BPF_REG_0, 0),
5646 .fixup_map2 = { 3 },
5648 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5651 "helper access to variable memory: map, JMP, wrong max",
5653 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5654 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5655 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5656 BPF_LD_MAP_FD(BPF_REG_1, 0),
5657 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5658 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5659 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5660 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5661 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5662 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5663 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5664 sizeof(struct test_val) + 1, 4),
5665 BPF_MOV64_IMM(BPF_REG_4, 0),
5666 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5667 BPF_MOV64_IMM(BPF_REG_3, 0),
5668 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5669 BPF_MOV64_IMM(BPF_REG_0, 0),
5672 .fixup_map2 = { 3 },
5673 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
5675 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5678 "helper access to variable memory: map adjusted, JMP, correct bounds",
5680 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5682 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5683 BPF_LD_MAP_FD(BPF_REG_1, 0),
5684 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5685 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5686 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5687 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5688 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5689 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5690 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5691 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5692 sizeof(struct test_val) - 20, 4),
5693 BPF_MOV64_IMM(BPF_REG_4, 0),
5694 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5695 BPF_MOV64_IMM(BPF_REG_3, 0),
5696 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5697 BPF_MOV64_IMM(BPF_REG_0, 0),
5700 .fixup_map2 = { 3 },
5702 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5705 "helper access to variable memory: map adjusted, JMP, wrong max",
5707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5709 BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5710 BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5712 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5713 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5715 BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5716 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5717 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5718 BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5719 sizeof(struct test_val) - 19, 4),
5720 BPF_MOV64_IMM(BPF_REG_4, 0),
5721 BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5722 BPF_MOV64_IMM(BPF_REG_3, 0),
5723 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5724 BPF_MOV64_IMM(BPF_REG_0, 0),
5727 .fixup_map2 = { 3 },
5728 .errstr = "R1 min value is outside of the array range",
5730 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5733 "helper access to variable memory: size = 0 allowed on NULL",
5735 BPF_MOV64_IMM(BPF_REG_1, 0),
5736 BPF_MOV64_IMM(BPF_REG_2, 0),
5737 BPF_MOV64_IMM(BPF_REG_3, 0),
5738 BPF_MOV64_IMM(BPF_REG_4, 0),
5739 BPF_MOV64_IMM(BPF_REG_5, 0),
5740 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5744 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5747 "helper access to variable memory: size > 0 not allowed on NULL",
5749 BPF_MOV64_IMM(BPF_REG_1, 0),
5750 BPF_MOV64_IMM(BPF_REG_2, 0),
5751 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5752 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5753 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5754 BPF_MOV64_IMM(BPF_REG_3, 0),
5755 BPF_MOV64_IMM(BPF_REG_4, 0),
5756 BPF_MOV64_IMM(BPF_REG_5, 0),
5757 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5760 .errstr = "R1 type=inv expected=fp",
5762 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5765 "helper access to variable memory: size = 0 not allowed on != NULL",
5767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5768 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5769 BPF_MOV64_IMM(BPF_REG_2, 0),
5770 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5771 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5772 BPF_MOV64_IMM(BPF_REG_3, 0),
5773 BPF_MOV64_IMM(BPF_REG_4, 0),
5774 BPF_MOV64_IMM(BPF_REG_5, 0),
5775 BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5778 .errstr = "invalid stack type R1 off=-8 access_size=0",
5780 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
5783 "helper access to variable memory: 8 bytes leak",
5785 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5786 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5787 BPF_MOV64_IMM(BPF_REG_0, 0),
5788 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5789 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5790 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5791 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5792 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5793 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5794 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5795 BPF_MOV64_IMM(BPF_REG_2, 0),
5796 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5797 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5798 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5799 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5800 BPF_MOV64_IMM(BPF_REG_3, 0),
5801 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5802 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5805 .errstr = "invalid indirect read from stack off -64+32 size 64",
5807 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5810 "helper access to variable memory: 8 bytes no leak (init memory)",
5812 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5813 BPF_MOV64_IMM(BPF_REG_0, 0),
5814 BPF_MOV64_IMM(BPF_REG_0, 0),
5815 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5816 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5817 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5818 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5819 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5820 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5821 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5822 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5823 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5824 BPF_MOV64_IMM(BPF_REG_2, 0),
5825 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5826 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5827 BPF_MOV64_IMM(BPF_REG_3, 0),
5828 BPF_EMIT_CALL(BPF_FUNC_probe_read),
5829 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5833 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5836 "invalid and of negative number",
5838 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5839 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5840 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5841 BPF_LD_MAP_FD(BPF_REG_1, 0),
5842 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5843 BPF_FUNC_map_lookup_elem),
5844 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5845 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
5846 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5847 BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5848 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5849 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5850 offsetof(struct test_val, foo)),
5853 .fixup_map2 = { 3 },
5854 .errstr = "R0 max value is outside of the array range",
5856 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5859 "invalid range check",
5861 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5862 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5863 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5864 BPF_LD_MAP_FD(BPF_REG_1, 0),
5865 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5866 BPF_FUNC_map_lookup_elem),
5867 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5868 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5869 BPF_MOV64_IMM(BPF_REG_9, 1),
5870 BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5871 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5872 BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5873 BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5874 BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5875 BPF_MOV32_IMM(BPF_REG_3, 1),
5876 BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5877 BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5878 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5879 BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5880 BPF_MOV64_REG(BPF_REG_0, 0),
5883 .fixup_map2 = { 3 },
5884 .errstr = "R0 max value is outside of the array range",
5886 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5889 "map in map access",
5891 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5892 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5893 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5894 BPF_LD_MAP_FD(BPF_REG_1, 0),
5895 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5896 BPF_FUNC_map_lookup_elem),
5897 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5898 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5899 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5900 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5901 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5902 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5903 BPF_FUNC_map_lookup_elem),
5904 BPF_MOV64_IMM(BPF_REG_0, 0),
5907 .fixup_map_in_map = { 3 },
5911 "invalid inner map pointer",
5913 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5914 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5915 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5916 BPF_LD_MAP_FD(BPF_REG_1, 0),
5917 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5918 BPF_FUNC_map_lookup_elem),
5919 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5920 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5921 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5922 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5923 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5924 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
5925 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5926 BPF_FUNC_map_lookup_elem),
5927 BPF_MOV64_IMM(BPF_REG_0, 0),
5930 .fixup_map_in_map = { 3 },
5931 .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
5935 "forgot null checking on the inner map pointer",
5937 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5938 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5939 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5940 BPF_LD_MAP_FD(BPF_REG_1, 0),
5941 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5942 BPF_FUNC_map_lookup_elem),
5943 BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5944 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5945 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5946 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5947 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5948 BPF_FUNC_map_lookup_elem),
5949 BPF_MOV64_IMM(BPF_REG_0, 0),
5952 .fixup_map_in_map = { 3 },
5953 .errstr = "R1 type=map_value_or_null expected=map_ptr",
5957 "ld_abs: check calling conv, r1",
5959 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5960 BPF_MOV64_IMM(BPF_REG_1, 0),
5961 BPF_LD_ABS(BPF_W, -0x200000),
5962 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5965 .errstr = "R1 !read_ok",
5969 "ld_abs: check calling conv, r2",
5971 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5972 BPF_MOV64_IMM(BPF_REG_2, 0),
5973 BPF_LD_ABS(BPF_W, -0x200000),
5974 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5977 .errstr = "R2 !read_ok",
5981 "ld_abs: check calling conv, r3",
5983 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5984 BPF_MOV64_IMM(BPF_REG_3, 0),
5985 BPF_LD_ABS(BPF_W, -0x200000),
5986 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
5989 .errstr = "R3 !read_ok",
5993 "ld_abs: check calling conv, r4",
5995 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5996 BPF_MOV64_IMM(BPF_REG_4, 0),
5997 BPF_LD_ABS(BPF_W, -0x200000),
5998 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6001 .errstr = "R4 !read_ok",
6005 "ld_abs: check calling conv, r5",
6007 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6008 BPF_MOV64_IMM(BPF_REG_5, 0),
6009 BPF_LD_ABS(BPF_W, -0x200000),
6010 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6013 .errstr = "R5 !read_ok",
6017 "ld_abs: check calling conv, r7",
6019 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6020 BPF_MOV64_IMM(BPF_REG_7, 0),
6021 BPF_LD_ABS(BPF_W, -0x200000),
6022 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6028 "ld_ind: check calling conv, r1",
6030 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6031 BPF_MOV64_IMM(BPF_REG_1, 1),
6032 BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6033 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6036 .errstr = "R1 !read_ok",
6040 "ld_ind: check calling conv, r2",
6042 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6043 BPF_MOV64_IMM(BPF_REG_2, 1),
6044 BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6045 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6048 .errstr = "R2 !read_ok",
6052 "ld_ind: check calling conv, r3",
6054 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6055 BPF_MOV64_IMM(BPF_REG_3, 1),
6056 BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6057 BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6060 .errstr = "R3 !read_ok",
6064 "ld_ind: check calling conv, r4",
6066 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6067 BPF_MOV64_IMM(BPF_REG_4, 1),
6068 BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6069 BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6072 .errstr = "R4 !read_ok",
6076 "ld_ind: check calling conv, r5",
6078 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6079 BPF_MOV64_IMM(BPF_REG_5, 1),
6080 BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6081 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6084 .errstr = "R5 !read_ok",
6088 "ld_ind: check calling conv, r7",
6090 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6091 BPF_MOV64_IMM(BPF_REG_7, 1),
6092 BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6093 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6099 "check bpf_perf_event_data->sample_period byte load permitted",
6101 BPF_MOV64_IMM(BPF_REG_0, 0),
6102 #if __BYTE_ORDER == __LITTLE_ENDIAN
6103 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6104 offsetof(struct bpf_perf_event_data, sample_period)),
6106 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6107 offsetof(struct bpf_perf_event_data, sample_period) + 7),
6112 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6115 "check bpf_perf_event_data->sample_period half load permitted",
6117 BPF_MOV64_IMM(BPF_REG_0, 0),
6118 #if __BYTE_ORDER == __LITTLE_ENDIAN
6119 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6120 offsetof(struct bpf_perf_event_data, sample_period)),
6122 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6123 offsetof(struct bpf_perf_event_data, sample_period) + 6),
6128 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6131 "check bpf_perf_event_data->sample_period word load permitted",
6133 BPF_MOV64_IMM(BPF_REG_0, 0),
6134 #if __BYTE_ORDER == __LITTLE_ENDIAN
6135 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6136 offsetof(struct bpf_perf_event_data, sample_period)),
6138 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6139 offsetof(struct bpf_perf_event_data, sample_period) + 4),
6144 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6147 "check bpf_perf_event_data->sample_period dword load permitted",
6149 BPF_MOV64_IMM(BPF_REG_0, 0),
6150 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6151 offsetof(struct bpf_perf_event_data, sample_period)),
6155 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
6158 "check skb->data half load not permitted",
6160 BPF_MOV64_IMM(BPF_REG_0, 0),
6161 #if __BYTE_ORDER == __LITTLE_ENDIAN
6162 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6163 offsetof(struct __sk_buff, data)),
6165 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6166 offsetof(struct __sk_buff, data) + 2),
6171 .errstr = "invalid bpf_context access",
6174 "check skb->tc_classid half load not permitted for lwt prog",
6176 BPF_MOV64_IMM(BPF_REG_0, 0),
6177 #if __BYTE_ORDER == __LITTLE_ENDIAN
6178 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6179 offsetof(struct __sk_buff, tc_classid)),
6181 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6182 offsetof(struct __sk_buff, tc_classid) + 2),
6187 .errstr = "invalid bpf_context access",
6188 .prog_type = BPF_PROG_TYPE_LWT_IN,
6191 "bounds checks mixing signed and unsigned, positive bounds",
6193 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6194 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6196 BPF_LD_MAP_FD(BPF_REG_1, 0),
6197 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6198 BPF_FUNC_map_lookup_elem),
6199 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6200 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6201 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6202 BPF_MOV64_IMM(BPF_REG_2, 2),
6203 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6204 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6205 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6206 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6207 BPF_MOV64_IMM(BPF_REG_0, 0),
6210 .fixup_map1 = { 3 },
6211 .errstr = "unbounded min value",
6215 "bounds checks mixing signed and unsigned",
6217 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6218 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6219 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6220 BPF_LD_MAP_FD(BPF_REG_1, 0),
6221 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6222 BPF_FUNC_map_lookup_elem),
6223 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6224 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6225 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6226 BPF_MOV64_IMM(BPF_REG_2, -1),
6227 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6228 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6229 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6230 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6231 BPF_MOV64_IMM(BPF_REG_0, 0),
6234 .fixup_map1 = { 3 },
6235 .errstr = "unbounded min value",
6239 "bounds checks mixing signed and unsigned, variant 2",
6241 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6242 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6243 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6244 BPF_LD_MAP_FD(BPF_REG_1, 0),
6245 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6246 BPF_FUNC_map_lookup_elem),
6247 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6248 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6249 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6250 BPF_MOV64_IMM(BPF_REG_2, -1),
6251 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6252 BPF_MOV64_IMM(BPF_REG_8, 0),
6253 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6254 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6255 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6256 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6257 BPF_MOV64_IMM(BPF_REG_0, 0),
6260 .fixup_map1 = { 3 },
6261 .errstr = "unbounded min value",
6265 "bounds checks mixing signed and unsigned, variant 3",
6267 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6268 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6269 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6270 BPF_LD_MAP_FD(BPF_REG_1, 0),
6271 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6272 BPF_FUNC_map_lookup_elem),
6273 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6274 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6275 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6276 BPF_MOV64_IMM(BPF_REG_2, -1),
6277 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6278 BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6279 BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6280 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6281 BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6282 BPF_MOV64_IMM(BPF_REG_0, 0),
6285 .fixup_map1 = { 3 },
6286 .errstr = "unbounded min value",
6290 "bounds checks mixing signed and unsigned, variant 4",
6292 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6293 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6295 BPF_LD_MAP_FD(BPF_REG_1, 0),
6296 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6297 BPF_FUNC_map_lookup_elem),
6298 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6299 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6300 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6301 BPF_MOV64_IMM(BPF_REG_2, 1),
6302 BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6303 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6304 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6305 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6306 BPF_MOV64_IMM(BPF_REG_0, 0),
6309 .fixup_map1 = { 3 },
6313 "bounds checks mixing signed and unsigned, variant 5",
6315 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6316 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6317 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6318 BPF_LD_MAP_FD(BPF_REG_1, 0),
6319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6320 BPF_FUNC_map_lookup_elem),
6321 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6322 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6323 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6324 BPF_MOV64_IMM(BPF_REG_2, -1),
6325 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6326 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6328 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6329 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6330 BPF_MOV64_IMM(BPF_REG_0, 0),
6333 .fixup_map1 = { 3 },
6334 .errstr = "unbounded min value",
6338 "bounds checks mixing signed and unsigned, variant 6",
6340 BPF_MOV64_IMM(BPF_REG_2, 0),
6341 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6342 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6343 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6344 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6345 BPF_MOV64_IMM(BPF_REG_6, -1),
6346 BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6347 BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6348 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6349 BPF_MOV64_IMM(BPF_REG_5, 0),
6350 BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6351 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6352 BPF_FUNC_skb_load_bytes),
6353 BPF_MOV64_IMM(BPF_REG_0, 0),
6356 .errstr = "R4 min value is negative, either use unsigned",
6360 "bounds checks mixing signed and unsigned, variant 7",
6362 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6364 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6365 BPF_LD_MAP_FD(BPF_REG_1, 0),
6366 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6367 BPF_FUNC_map_lookup_elem),
6368 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6369 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6370 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6371 BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6372 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6373 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6374 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6375 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6376 BPF_MOV64_IMM(BPF_REG_0, 0),
6379 .fixup_map1 = { 3 },
6383 "bounds checks mixing signed and unsigned, variant 8",
6385 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6386 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6388 BPF_LD_MAP_FD(BPF_REG_1, 0),
6389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6390 BPF_FUNC_map_lookup_elem),
6391 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6392 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6393 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6394 BPF_MOV64_IMM(BPF_REG_2, -1),
6395 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6396 BPF_MOV64_IMM(BPF_REG_0, 0),
6398 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6399 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6400 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6401 BPF_MOV64_IMM(BPF_REG_0, 0),
6404 .fixup_map1 = { 3 },
6405 .errstr = "unbounded min value",
6409 "bounds checks mixing signed and unsigned, variant 9",
6411 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6412 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6413 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6414 BPF_LD_MAP_FD(BPF_REG_1, 0),
6415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6416 BPF_FUNC_map_lookup_elem),
6417 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6418 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6419 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6420 BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6421 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6422 BPF_MOV64_IMM(BPF_REG_0, 0),
6424 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6425 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6426 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6427 BPF_MOV64_IMM(BPF_REG_0, 0),
6430 .fixup_map1 = { 3 },
6434 "bounds checks mixing signed and unsigned, variant 10",
6436 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6437 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6438 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6439 BPF_LD_MAP_FD(BPF_REG_1, 0),
6440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6441 BPF_FUNC_map_lookup_elem),
6442 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6443 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6444 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6445 BPF_MOV64_IMM(BPF_REG_2, 0),
6446 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6447 BPF_MOV64_IMM(BPF_REG_0, 0),
6449 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6450 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6451 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6452 BPF_MOV64_IMM(BPF_REG_0, 0),
6455 .fixup_map1 = { 3 },
6456 .errstr = "unbounded min value",
6460 "bounds checks mixing signed and unsigned, variant 11",
6462 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6463 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6464 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6465 BPF_LD_MAP_FD(BPF_REG_1, 0),
6466 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6467 BPF_FUNC_map_lookup_elem),
6468 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6469 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6470 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6471 BPF_MOV64_IMM(BPF_REG_2, -1),
6472 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6474 BPF_MOV64_IMM(BPF_REG_0, 0),
6476 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6477 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6478 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6479 BPF_MOV64_IMM(BPF_REG_0, 0),
6482 .fixup_map1 = { 3 },
6483 .errstr = "unbounded min value",
6487 "bounds checks mixing signed and unsigned, variant 12",
6489 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6490 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6491 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6492 BPF_LD_MAP_FD(BPF_REG_1, 0),
6493 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6494 BPF_FUNC_map_lookup_elem),
6495 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6496 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6497 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6498 BPF_MOV64_IMM(BPF_REG_2, -6),
6499 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6500 BPF_MOV64_IMM(BPF_REG_0, 0),
6502 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6503 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6504 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6505 BPF_MOV64_IMM(BPF_REG_0, 0),
6508 .fixup_map1 = { 3 },
6509 .errstr = "unbounded min value",
6513 "bounds checks mixing signed and unsigned, variant 13",
6515 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6516 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6517 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6518 BPF_LD_MAP_FD(BPF_REG_1, 0),
6519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6520 BPF_FUNC_map_lookup_elem),
6521 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6522 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6523 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6524 BPF_MOV64_IMM(BPF_REG_2, 2),
6525 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6526 BPF_MOV64_IMM(BPF_REG_7, 1),
6527 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6528 BPF_MOV64_IMM(BPF_REG_0, 0),
6530 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6531 BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6532 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6533 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6534 BPF_MOV64_IMM(BPF_REG_0, 0),
6537 .fixup_map1 = { 3 },
6538 .errstr = "unbounded min value",
6542 "bounds checks mixing signed and unsigned, variant 14",
6544 BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6545 offsetof(struct __sk_buff, mark)),
6546 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6547 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6549 BPF_LD_MAP_FD(BPF_REG_1, 0),
6550 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6551 BPF_FUNC_map_lookup_elem),
6552 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6553 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6554 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6555 BPF_MOV64_IMM(BPF_REG_2, -1),
6556 BPF_MOV64_IMM(BPF_REG_8, 2),
6557 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6558 BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6559 BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6560 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6561 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6562 BPF_MOV64_IMM(BPF_REG_0, 0),
6564 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
6565 BPF_JMP_IMM(BPF_JA, 0, 0, -7),
6567 .fixup_map1 = { 4 },
6568 .errstr = "R0 invalid mem access 'inv'",
6572 "bounds checks mixing signed and unsigned, variant 15",
6574 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6575 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6576 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6577 BPF_LD_MAP_FD(BPF_REG_1, 0),
6578 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6579 BPF_FUNC_map_lookup_elem),
6580 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6581 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6582 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6583 BPF_MOV64_IMM(BPF_REG_2, -6),
6584 BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6585 BPF_MOV64_IMM(BPF_REG_0, 0),
6587 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6588 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
6589 BPF_MOV64_IMM(BPF_REG_0, 0),
6591 BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6592 BPF_MOV64_IMM(BPF_REG_0, 0),
6595 .fixup_map1 = { 3 },
6596 .errstr = "unbounded min value",
6598 .result_unpriv = REJECT,
6601 "subtraction bounds (map value) variant 1",
6603 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6604 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6605 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6606 BPF_LD_MAP_FD(BPF_REG_1, 0),
6607 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6608 BPF_FUNC_map_lookup_elem),
6609 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6610 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6611 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
6612 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6613 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
6614 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6615 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6616 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6617 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6619 BPF_MOV64_IMM(BPF_REG_0, 0),
6622 .fixup_map1 = { 3 },
6623 .errstr = "R0 max value is outside of the array range",
6627 "subtraction bounds (map value) variant 2",
6629 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6630 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6632 BPF_LD_MAP_FD(BPF_REG_1, 0),
6633 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6634 BPF_FUNC_map_lookup_elem),
6635 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6636 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6637 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
6638 BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6639 BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
6640 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6641 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6642 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6644 BPF_MOV64_IMM(BPF_REG_0, 0),
6647 .fixup_map1 = { 3 },
6648 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6649 .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
6653 "bounds check based on zero-extended MOV",
6655 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6656 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6657 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6658 BPF_LD_MAP_FD(BPF_REG_1, 0),
6659 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6660 BPF_FUNC_map_lookup_elem),
6661 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6662 /* r2 = 0x0000'0000'ffff'ffff */
6663 BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
6665 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
6667 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6668 /* access at offset 0 */
6669 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6671 BPF_MOV64_IMM(BPF_REG_0, 0),
6674 .fixup_map1 = { 3 },
6678 "bounds check based on sign-extended MOV. test1",
6680 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6681 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6682 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6683 BPF_LD_MAP_FD(BPF_REG_1, 0),
6684 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6685 BPF_FUNC_map_lookup_elem),
6686 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6687 /* r2 = 0xffff'ffff'ffff'ffff */
6688 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
6689 /* r2 = 0xffff'ffff */
6690 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
6691 /* r0 = <oob pointer> */
6692 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6693 /* access to OOB pointer */
6694 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6696 BPF_MOV64_IMM(BPF_REG_0, 0),
6699 .fixup_map1 = { 3 },
6700 .errstr = "map_value pointer and 4294967295",
6704 "bounds check based on sign-extended MOV. test2",
6706 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6709 BPF_LD_MAP_FD(BPF_REG_1, 0),
6710 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6711 BPF_FUNC_map_lookup_elem),
6712 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6713 /* r2 = 0xffff'ffff'ffff'ffff */
6714 BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
6715 /* r2 = 0xfff'ffff */
6716 BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
6717 /* r0 = <oob pointer> */
6718 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6719 /* access to OOB pointer */
6720 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6722 BPF_MOV64_IMM(BPF_REG_0, 0),
6725 .fixup_map1 = { 3 },
6726 .errstr = "R0 min value is outside of the array range",
6730 "bounds check based on reg_off + var_off + insn_off. test1",
6732 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6733 offsetof(struct __sk_buff, mark)),
6734 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6735 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6736 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6737 BPF_LD_MAP_FD(BPF_REG_1, 0),
6738 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6739 BPF_FUNC_map_lookup_elem),
6740 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6741 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
6742 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
6743 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
6744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
6745 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
6746 BPF_MOV64_IMM(BPF_REG_0, 0),
6749 .fixup_map1 = { 4 },
6750 .errstr = "value_size=8 off=1073741825",
6752 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6755 "bounds check based on reg_off + var_off + insn_off. test2",
6757 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6758 offsetof(struct __sk_buff, mark)),
6759 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6760 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6761 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6762 BPF_LD_MAP_FD(BPF_REG_1, 0),
6763 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6764 BPF_FUNC_map_lookup_elem),
6765 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6766 BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
6767 BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
6768 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
6769 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
6770 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
6771 BPF_MOV64_IMM(BPF_REG_0, 0),
6774 .fixup_map1 = { 4 },
6775 .errstr = "value 1073741823",
6777 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
6780 "bounds check after truncation of non-boundary-crossing range",
6782 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6783 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6784 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6785 BPF_LD_MAP_FD(BPF_REG_1, 0),
6786 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6787 BPF_FUNC_map_lookup_elem),
6788 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6789 /* r1 = [0x00, 0xff] */
6790 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6791 BPF_MOV64_IMM(BPF_REG_2, 1),
6792 /* r2 = 0x10'0000'0000 */
6793 BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
6794 /* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
6795 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
6796 /* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
6797 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
6798 /* r1 = [0x00, 0xff] */
6799 BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
6801 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6803 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6804 /* access at offset 0 */
6805 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6807 BPF_MOV64_IMM(BPF_REG_0, 0),
6810 .fixup_map1 = { 3 },
6814 "bounds check after truncation of boundary-crossing range (1)",
6816 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6817 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6818 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6819 BPF_LD_MAP_FD(BPF_REG_1, 0),
6820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6821 BPF_FUNC_map_lookup_elem),
6822 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6823 /* r1 = [0x00, 0xff] */
6824 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6826 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
6827 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6828 /* r1 = [0xffff'ff80, 0xffff'ffff] or
6829 * [0x0000'0000, 0x0000'007f]
6831 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
6832 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6833 /* r1 = [0x00, 0xff] or
6834 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
6836 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6838 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
6840 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6841 /* no-op or OOB pointer computation */
6842 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6843 /* potentially OOB access */
6844 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6846 BPF_MOV64_IMM(BPF_REG_0, 0),
6849 .fixup_map1 = { 3 },
6850 /* not actually fully unbounded, but the bound is very high */
6851 .errstr = "R0 unbounded memory access",
6855 "bounds check after truncation of boundary-crossing range (2)",
6857 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6858 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6859 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6860 BPF_LD_MAP_FD(BPF_REG_1, 0),
6861 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6862 BPF_FUNC_map_lookup_elem),
6863 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6864 /* r1 = [0x00, 0xff] */
6865 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6866 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6867 /* r1 = [0xffff'ff80, 0x1'0000'007f] */
6868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6869 /* r1 = [0xffff'ff80, 0xffff'ffff] or
6870 * [0x0000'0000, 0x0000'007f]
6871 * difference to previous test: truncation via MOV32
6874 BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
6875 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6876 /* r1 = [0x00, 0xff] or
6877 * [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
6879 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6881 * [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
6883 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6884 /* no-op or OOB pointer computation */
6885 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6886 /* potentially OOB access */
6887 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6889 BPF_MOV64_IMM(BPF_REG_0, 0),
6892 .fixup_map1 = { 3 },
6893 /* not actually fully unbounded, but the bound is very high */
6894 .errstr = "R0 unbounded memory access",
6898 "bounds check after wrapping 32-bit addition",
6900 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6901 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6902 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6903 BPF_LD_MAP_FD(BPF_REG_1, 0),
6904 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6905 BPF_FUNC_map_lookup_elem),
6906 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6907 /* r1 = 0x7fff'ffff */
6908 BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
6909 /* r1 = 0xffff'fffe */
6910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
6912 BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
6914 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6915 /* access at offset 0 */
6916 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6918 BPF_MOV64_IMM(BPF_REG_0, 0),
6921 .fixup_map1 = { 3 },
6925 "bounds check after shift with oversized count operand",
6927 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6928 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6930 BPF_LD_MAP_FD(BPF_REG_1, 0),
6931 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6932 BPF_FUNC_map_lookup_elem),
6933 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6934 BPF_MOV64_IMM(BPF_REG_2, 32),
6935 BPF_MOV64_IMM(BPF_REG_1, 1),
6936 /* r1 = (u32)1 << (u32)32 = ? */
6937 BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
6938 /* r1 = [0x0000, 0xffff] */
6939 BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
6940 /* computes unknown pointer, potentially OOB */
6941 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6942 /* potentially OOB access */
6943 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6945 BPF_MOV64_IMM(BPF_REG_0, 0),
6948 .fixup_map1 = { 3 },
6949 .errstr = "R0 max value is outside of the array range",
6953 "bounds check after right shift of maybe-negative number",
6955 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6956 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6957 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6958 BPF_LD_MAP_FD(BPF_REG_1, 0),
6959 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6960 BPF_FUNC_map_lookup_elem),
6961 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6962 /* r1 = [0x00, 0xff] */
6963 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6964 /* r1 = [-0x01, 0xfe] */
6965 BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
6966 /* r1 = 0 or 0xff'ffff'ffff'ffff */
6967 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6968 /* r1 = 0 or 0xffff'ffff'ffff */
6969 BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6970 /* computes unknown pointer, potentially OOB */
6971 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6972 /* potentially OOB access */
6973 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6975 BPF_MOV64_IMM(BPF_REG_0, 0),
6978 .fixup_map1 = { 3 },
6979 .errstr = "R0 unbounded memory access",
6983 "bounds check map access with off+size signed 32bit overflow. test1",
6985 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6986 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6987 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6988 BPF_LD_MAP_FD(BPF_REG_1, 0),
6989 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6990 BPF_FUNC_map_lookup_elem),
6991 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
6993 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
6994 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
6998 .fixup_map1 = { 3 },
6999 .errstr = "map_value pointer and 2147483646",
7003 "bounds check map access with off+size signed 32bit overflow. test2",
7005 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7006 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7007 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7008 BPF_LD_MAP_FD(BPF_REG_1, 0),
7009 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7010 BPF_FUNC_map_lookup_elem),
7011 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7014 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7015 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7016 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7020 .fixup_map1 = { 3 },
7021 .errstr = "pointer offset 1073741822",
7022 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7026 "bounds check map access with off+size signed 32bit overflow. test3",
7028 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7029 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7031 BPF_LD_MAP_FD(BPF_REG_1, 0),
7032 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7033 BPF_FUNC_map_lookup_elem),
7034 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7036 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7037 BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7038 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7042 .fixup_map1 = { 3 },
7043 .errstr = "pointer offset -1073741822",
7044 .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7048 "bounds check map access with off+size signed 32bit overflow. test4",
7050 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7051 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7052 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7053 BPF_LD_MAP_FD(BPF_REG_1, 0),
7054 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7055 BPF_FUNC_map_lookup_elem),
7056 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7058 BPF_MOV64_IMM(BPF_REG_1, 1000000),
7059 BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
7060 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7061 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7065 .fixup_map1 = { 3 },
7066 .errstr = "map_value pointer and 1000000000000",
7070 "pointer/scalar confusion in state equality check (way 1)",
7072 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7073 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7074 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7075 BPF_LD_MAP_FD(BPF_REG_1, 0),
7076 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7077 BPF_FUNC_map_lookup_elem),
7078 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7079 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7081 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7085 .fixup_map1 = { 3 },
7087 .result_unpriv = REJECT,
7088 .errstr_unpriv = "R0 leaks addr as return value"
7091 "pointer/scalar confusion in state equality check (way 2)",
7093 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7094 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7095 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7096 BPF_LD_MAP_FD(BPF_REG_1, 0),
7097 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7098 BPF_FUNC_map_lookup_elem),
7099 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
7100 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7102 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7105 .fixup_map1 = { 3 },
7107 .result_unpriv = REJECT,
7108 .errstr_unpriv = "R0 leaks addr as return value"
7111 "variable-offset ctx access",
7113 /* Get an unknown value */
7114 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7115 /* Make it small and 4-byte aligned */
7116 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7117 /* add it to skb. We now have either &skb->len or
7118 * &skb->pkt_type, but we don't know which
7120 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7121 /* dereference it */
7122 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7125 .errstr = "variable ctx access var_off=(0x0; 0x4)",
7127 .prog_type = BPF_PROG_TYPE_LWT_IN,
7130 "variable-offset stack access",
7132 /* Fill the top 8 bytes of the stack */
7133 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7134 /* Get an unknown value */
7135 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7136 /* Make it small and 4-byte aligned */
7137 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7138 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7139 /* add it to fp. We now have either fp-4 or fp-8, but
7140 * we don't know which
7142 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7143 /* dereference it */
7144 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
7147 .errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
7149 .prog_type = BPF_PROG_TYPE_LWT_IN,
7152 "indirect variable-offset stack access",
7154 /* Fill the top 8 bytes of the stack */
7155 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7156 /* Get an unknown value */
7157 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7158 /* Make it small and 4-byte aligned */
7159 BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7160 BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7161 /* add it to fp. We now have either fp-4 or fp-8, but
7162 * we don't know which
7164 BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7165 /* dereference it indirectly */
7166 BPF_LD_MAP_FD(BPF_REG_1, 0),
7167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7168 BPF_FUNC_map_lookup_elem),
7169 BPF_MOV64_IMM(BPF_REG_0, 0),
7172 .fixup_map1 = { 5 },
7173 .errstr = "variable stack read R2",
7175 .prog_type = BPF_PROG_TYPE_LWT_IN,
7178 "direct stack access with 32-bit wraparound. test1",
7180 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7181 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7182 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7183 BPF_MOV32_IMM(BPF_REG_0, 0),
7184 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7187 .errstr = "fp pointer and 2147483647",
7191 "direct stack access with 32-bit wraparound. test2",
7193 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7195 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7196 BPF_MOV32_IMM(BPF_REG_0, 0),
7197 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7200 .errstr = "fp pointer and 1073741823",
7204 "direct stack access with 32-bit wraparound. test3",
7206 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7207 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7209 BPF_MOV32_IMM(BPF_REG_0, 0),
7210 BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7213 .errstr = "fp pointer offset 1073741822",
7214 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
7218 "liveness pruning and write screening",
7220 /* Get an unknown value */
7221 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7222 /* branch conditions teach us nothing about R2 */
7223 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7224 BPF_MOV64_IMM(BPF_REG_0, 0),
7225 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7226 BPF_MOV64_IMM(BPF_REG_0, 0),
7229 .errstr = "R0 !read_ok",
7231 .prog_type = BPF_PROG_TYPE_LWT_IN,
7234 "varlen_map_value_access pruning",
7236 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7237 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7238 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7239 BPF_LD_MAP_FD(BPF_REG_1, 0),
7240 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7241 BPF_FUNC_map_lookup_elem),
7242 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7243 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7244 BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
7245 BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
7246 BPF_MOV32_IMM(BPF_REG_1, 0),
7247 BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
7248 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7249 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
7250 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7251 offsetof(struct test_val, foo)),
7254 .fixup_map2 = { 3 },
7255 .errstr_unpriv = "R0 leaks addr",
7256 .errstr = "R0 unbounded memory access",
7257 .result_unpriv = REJECT,
7259 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7262 "invalid 64-bit BPF_END",
7264 BPF_MOV32_IMM(BPF_REG_0, 0),
7266 .code = BPF_ALU64 | BPF_END | BPF_TO_LE,
7267 .dst_reg = BPF_REG_0,
7274 .errstr = "BPF_END uses reserved fields",
7278 "arithmetic ops make PTR_TO_CTX unusable",
7280 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
7281 offsetof(struct __sk_buff, data) -
7282 offsetof(struct __sk_buff, mark)),
7283 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7284 offsetof(struct __sk_buff, mark)),
7287 .errstr = "dereference of modified ctx ptr",
7289 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7292 "pkt_end - pkt_start is allowed",
7294 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7295 offsetof(struct __sk_buff, data_end)),
7296 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7297 offsetof(struct __sk_buff, data)),
7298 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
7302 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7305 "XDP pkt read, pkt_end mangling, bad access 1",
7307 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7308 offsetof(struct xdp_md, data)),
7309 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7310 offsetof(struct xdp_md, data_end)),
7311 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7312 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
7314 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7315 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7316 BPF_MOV64_IMM(BPF_REG_0, 0),
7319 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
7321 .prog_type = BPF_PROG_TYPE_XDP,
7324 "XDP pkt read, pkt_end mangling, bad access 2",
7326 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7327 offsetof(struct xdp_md, data)),
7328 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7329 offsetof(struct xdp_md, data_end)),
7330 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7331 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7332 BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
7333 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7334 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7335 BPF_MOV64_IMM(BPF_REG_0, 0),
7338 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
7340 .prog_type = BPF_PROG_TYPE_XDP,
7343 "XDP pkt read, pkt_data' > pkt_end, good access",
7345 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7346 offsetof(struct xdp_md, data)),
7347 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7348 offsetof(struct xdp_md, data_end)),
7349 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7350 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7351 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7352 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7353 BPF_MOV64_IMM(BPF_REG_0, 0),
7357 .prog_type = BPF_PROG_TYPE_XDP,
7360 "XDP pkt read, pkt_data' > pkt_end, bad access 1",
7362 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7363 offsetof(struct xdp_md, data)),
7364 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7365 offsetof(struct xdp_md, data_end)),
7366 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7367 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7368 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7369 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7370 BPF_MOV64_IMM(BPF_REG_0, 0),
7373 .errstr = "R1 offset is outside of the packet",
7375 .prog_type = BPF_PROG_TYPE_XDP,
7376 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7379 "XDP pkt read, pkt_data' > pkt_end, bad access 2",
7381 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7382 offsetof(struct xdp_md, data)),
7383 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7384 offsetof(struct xdp_md, data_end)),
7385 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7387 BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7388 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7389 BPF_MOV64_IMM(BPF_REG_0, 0),
7392 .errstr = "R1 offset is outside of the packet",
7394 .prog_type = BPF_PROG_TYPE_XDP,
7397 "XDP pkt read, pkt_end > pkt_data', good access",
7399 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7400 offsetof(struct xdp_md, data)),
7401 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7402 offsetof(struct xdp_md, data_end)),
7403 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7404 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7405 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7406 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7407 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7408 BPF_MOV64_IMM(BPF_REG_0, 0),
7412 .prog_type = BPF_PROG_TYPE_XDP,
7413 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7416 "XDP pkt read, pkt_end > pkt_data', bad access 1",
7418 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7419 offsetof(struct xdp_md, data)),
7420 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7421 offsetof(struct xdp_md, data_end)),
7422 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7423 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7424 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7425 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7426 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7427 BPF_MOV64_IMM(BPF_REG_0, 0),
7430 .errstr = "R1 offset is outside of the packet",
7432 .prog_type = BPF_PROG_TYPE_XDP,
7435 "XDP pkt read, pkt_end > pkt_data', bad access 2",
7437 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7438 offsetof(struct xdp_md, data)),
7439 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7440 offsetof(struct xdp_md, data_end)),
7441 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7442 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7443 BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7444 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7445 BPF_MOV64_IMM(BPF_REG_0, 0),
7448 .errstr = "R1 offset is outside of the packet",
7450 .prog_type = BPF_PROG_TYPE_XDP,
7453 "XDP pkt read, pkt_data' < pkt_end, good access",
7455 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7456 offsetof(struct xdp_md, data)),
7457 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7458 offsetof(struct xdp_md, data_end)),
7459 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7461 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7462 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7463 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7464 BPF_MOV64_IMM(BPF_REG_0, 0),
7468 .prog_type = BPF_PROG_TYPE_XDP,
7469 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7472 "XDP pkt read, pkt_data' < pkt_end, bad access 1",
7474 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7475 offsetof(struct xdp_md, data)),
7476 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7477 offsetof(struct xdp_md, data_end)),
7478 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7479 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7480 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7481 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7482 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7483 BPF_MOV64_IMM(BPF_REG_0, 0),
7486 .errstr = "R1 offset is outside of the packet",
7488 .prog_type = BPF_PROG_TYPE_XDP,
7491 "XDP pkt read, pkt_data' < pkt_end, bad access 2",
7493 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7494 offsetof(struct xdp_md, data)),
7495 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7496 offsetof(struct xdp_md, data_end)),
7497 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7498 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7499 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7500 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7501 BPF_MOV64_IMM(BPF_REG_0, 0),
7504 .errstr = "R1 offset is outside of the packet",
7506 .prog_type = BPF_PROG_TYPE_XDP,
7509 "XDP pkt read, pkt_end < pkt_data', good access",
7511 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7512 offsetof(struct xdp_md, data)),
7513 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7514 offsetof(struct xdp_md, data_end)),
7515 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7516 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7517 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7518 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7519 BPF_MOV64_IMM(BPF_REG_0, 0),
7523 .prog_type = BPF_PROG_TYPE_XDP,
7526 "XDP pkt read, pkt_end < pkt_data', bad access 1",
7528 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7529 offsetof(struct xdp_md, data)),
7530 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7531 offsetof(struct xdp_md, data_end)),
7532 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7533 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7534 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7535 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7536 BPF_MOV64_IMM(BPF_REG_0, 0),
7539 .errstr = "R1 offset is outside of the packet",
7541 .prog_type = BPF_PROG_TYPE_XDP,
7542 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7545 "XDP pkt read, pkt_end < pkt_data', bad access 2",
7547 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7548 offsetof(struct xdp_md, data)),
7549 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7550 offsetof(struct xdp_md, data_end)),
7551 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7552 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7553 BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7554 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7555 BPF_MOV64_IMM(BPF_REG_0, 0),
7558 .errstr = "R1 offset is outside of the packet",
7560 .prog_type = BPF_PROG_TYPE_XDP,
7563 "XDP pkt read, pkt_data' >= pkt_end, good access",
7565 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7566 offsetof(struct xdp_md, data)),
7567 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7568 offsetof(struct xdp_md, data_end)),
7569 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7570 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7571 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7572 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7573 BPF_MOV64_IMM(BPF_REG_0, 0),
7577 .prog_type = BPF_PROG_TYPE_XDP,
7578 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7581 "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
7583 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7584 offsetof(struct xdp_md, data)),
7585 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7586 offsetof(struct xdp_md, data_end)),
7587 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7588 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7589 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7590 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7591 BPF_MOV64_IMM(BPF_REG_0, 0),
7594 .errstr = "R1 offset is outside of the packet",
7596 .prog_type = BPF_PROG_TYPE_XDP,
7599 "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
7601 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7602 offsetof(struct xdp_md, data)),
7603 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7604 offsetof(struct xdp_md, data_end)),
7605 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7606 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7607 BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7608 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7609 BPF_MOV64_IMM(BPF_REG_0, 0),
7612 .errstr = "R1 offset is outside of the packet",
7614 .prog_type = BPF_PROG_TYPE_XDP,
7615 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7618 "XDP pkt read, pkt_end >= pkt_data', good access",
7620 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7621 offsetof(struct xdp_md, data)),
7622 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7623 offsetof(struct xdp_md, data_end)),
7624 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7626 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7627 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7628 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7629 BPF_MOV64_IMM(BPF_REG_0, 0),
7633 .prog_type = BPF_PROG_TYPE_XDP,
7636 "XDP pkt read, pkt_end >= pkt_data', bad access 1",
7638 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7639 offsetof(struct xdp_md, data)),
7640 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7641 offsetof(struct xdp_md, data_end)),
7642 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7643 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7644 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7645 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7646 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7647 BPF_MOV64_IMM(BPF_REG_0, 0),
7650 .errstr = "R1 offset is outside of the packet",
7652 .prog_type = BPF_PROG_TYPE_XDP,
7653 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7656 "XDP pkt read, pkt_end >= pkt_data', bad access 2",
7658 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7659 offsetof(struct xdp_md, data)),
7660 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7661 offsetof(struct xdp_md, data_end)),
7662 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7664 BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7665 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7666 BPF_MOV64_IMM(BPF_REG_0, 0),
7669 .errstr = "R1 offset is outside of the packet",
7671 .prog_type = BPF_PROG_TYPE_XDP,
7674 "XDP pkt read, pkt_data' <= pkt_end, good access",
7676 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7677 offsetof(struct xdp_md, data)),
7678 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7679 offsetof(struct xdp_md, data_end)),
7680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7681 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7682 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7683 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7684 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7685 BPF_MOV64_IMM(BPF_REG_0, 0),
7689 .prog_type = BPF_PROG_TYPE_XDP,
7692 "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
7694 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7695 offsetof(struct xdp_md, data)),
7696 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7697 offsetof(struct xdp_md, data_end)),
7698 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7699 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7700 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7701 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7702 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7703 BPF_MOV64_IMM(BPF_REG_0, 0),
7706 .errstr = "R1 offset is outside of the packet",
7708 .prog_type = BPF_PROG_TYPE_XDP,
7709 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7712 "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
7714 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7715 offsetof(struct xdp_md, data)),
7716 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7717 offsetof(struct xdp_md, data_end)),
7718 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7719 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7720 BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7721 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7722 BPF_MOV64_IMM(BPF_REG_0, 0),
7725 .errstr = "R1 offset is outside of the packet",
7727 .prog_type = BPF_PROG_TYPE_XDP,
7730 "XDP pkt read, pkt_end <= pkt_data', good access",
7732 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7733 offsetof(struct xdp_md, data)),
7734 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7735 offsetof(struct xdp_md, data_end)),
7736 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7737 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7738 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7739 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7740 BPF_MOV64_IMM(BPF_REG_0, 0),
7744 .prog_type = BPF_PROG_TYPE_XDP,
7745 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7748 "XDP pkt read, pkt_end <= pkt_data', bad access 1",
7750 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7751 offsetof(struct xdp_md, data)),
7752 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7753 offsetof(struct xdp_md, data_end)),
7754 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7755 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7756 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7757 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7758 BPF_MOV64_IMM(BPF_REG_0, 0),
7761 .errstr = "R1 offset is outside of the packet",
7763 .prog_type = BPF_PROG_TYPE_XDP,
7766 "check deducing bounds from const, 1",
7768 BPF_MOV64_IMM(BPF_REG_0, 1),
7769 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
7770 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7773 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7774 .errstr = "R0 tried to subtract pointer from scalar",
7778 "check deducing bounds from const, 2",
7780 BPF_MOV64_IMM(BPF_REG_0, 1),
7781 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
7783 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
7785 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7788 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7789 .result_unpriv = REJECT,
7793 "check deducing bounds from const, 3",
7795 BPF_MOV64_IMM(BPF_REG_0, 0),
7796 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
7797 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7800 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7801 .errstr = "R0 tried to subtract pointer from scalar",
7805 "check deducing bounds from const, 4",
7807 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7808 BPF_MOV64_IMM(BPF_REG_0, 0),
7809 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
7811 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
7813 BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0),
7816 .errstr_unpriv = "R6 has pointer with unsupported alu operation",
7817 .result_unpriv = REJECT,
7821 "check deducing bounds from const, 5",
7823 BPF_MOV64_IMM(BPF_REG_0, 0),
7824 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
7825 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7828 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7829 .errstr = "R0 tried to subtract pointer from scalar",
7833 "check deducing bounds from const, 6",
7835 BPF_MOV64_IMM(BPF_REG_0, 0),
7836 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
7838 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7841 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7842 .errstr = "R0 tried to subtract pointer from scalar",
7846 "check deducing bounds from const, 7",
7848 BPF_MOV64_IMM(BPF_REG_0, ~0),
7849 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
7850 BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7851 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7852 offsetof(struct __sk_buff, mark)),
7855 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7856 .errstr = "dereference of modified ctx ptr",
7860 "check deducing bounds from const, 8",
7862 BPF_MOV64_IMM(BPF_REG_0, ~0),
7863 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
7864 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7865 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7866 offsetof(struct __sk_buff, mark)),
7869 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7870 .errstr = "dereference of modified ctx ptr",
7874 "check deducing bounds from const, 9",
7876 BPF_MOV64_IMM(BPF_REG_0, 0),
7877 BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
7878 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7881 .errstr_unpriv = "R1 has pointer with unsupported alu operation",
7882 .errstr = "R0 tried to subtract pointer from scalar",
7886 "check deducing bounds from const, 10",
7888 BPF_MOV64_IMM(BPF_REG_0, 0),
7889 BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
7890 /* Marks reg as unknown. */
7891 BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
7892 BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7895 .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
7899 "XDP pkt read, pkt_end <= pkt_data', bad access 2",
7901 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7902 offsetof(struct xdp_md, data)),
7903 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7904 offsetof(struct xdp_md, data_end)),
7905 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7906 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7907 BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
7908 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7909 BPF_MOV64_IMM(BPF_REG_0, 0),
7912 .errstr = "R1 offset is outside of the packet",
7914 .prog_type = BPF_PROG_TYPE_XDP,
7915 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7918 "xadd/w check unaligned stack",
7920 BPF_MOV64_IMM(BPF_REG_0, 1),
7921 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7922 BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
7923 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
7927 .errstr = "misaligned stack access off",
7928 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7931 "xadd/w check unaligned map",
7933 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7934 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7935 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7936 BPF_LD_MAP_FD(BPF_REG_1, 0),
7937 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7938 BPF_FUNC_map_lookup_elem),
7939 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7941 BPF_MOV64_IMM(BPF_REG_1, 1),
7942 BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
7943 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
7946 .fixup_map1 = { 3 },
7948 .errstr = "misaligned value access off",
7949 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7952 "xadd/w check unaligned pkt",
7954 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7955 offsetof(struct xdp_md, data)),
7956 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7957 offsetof(struct xdp_md, data_end)),
7958 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7959 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7960 BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
7961 BPF_MOV64_IMM(BPF_REG_0, 99),
7962 BPF_JMP_IMM(BPF_JA, 0, 0, 6),
7963 BPF_MOV64_IMM(BPF_REG_0, 1),
7964 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
7965 BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
7966 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
7967 BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
7968 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
7972 .errstr = "BPF_XADD stores into R2 packet",
7973 .prog_type = BPF_PROG_TYPE_XDP,
7976 "pass unmodified ctx pointer to helper",
7978 BPF_MOV64_IMM(BPF_REG_2, 0),
7979 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7980 BPF_FUNC_csum_update),
7981 BPF_MOV64_IMM(BPF_REG_0, 0),
7984 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7988 "pass modified ctx pointer to helper, 1",
7990 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
7991 BPF_MOV64_IMM(BPF_REG_2, 0),
7992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7993 BPF_FUNC_csum_update),
7994 BPF_MOV64_IMM(BPF_REG_0, 0),
7997 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
7999 .errstr = "dereference of modified ctx ptr",
8002 "pass modified ctx pointer to helper, 2",
8004 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
8005 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8006 BPF_FUNC_get_socket_cookie),
8007 BPF_MOV64_IMM(BPF_REG_0, 0),
8010 .result_unpriv = REJECT,
8012 .errstr_unpriv = "dereference of modified ctx ptr",
8013 .errstr = "dereference of modified ctx ptr",
8016 "pass modified ctx pointer to helper, 3",
8018 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
8019 BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
8020 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
8021 BPF_MOV64_IMM(BPF_REG_2, 0),
8022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8023 BPF_FUNC_csum_update),
8024 BPF_MOV64_IMM(BPF_REG_0, 0),
8027 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
8029 .errstr = "variable ctx access var_off=(0x0; 0x4)",
8033 static int probe_filter_length(const struct bpf_insn *fp)
8037 for (len = MAX_INSNS - 1; len > 0; --len)
8038 if (fp[len].code != 0 || fp[len].imm != 0)
8043 static int create_map(uint32_t size_value, uint32_t max_elem)
8047 fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
8048 size_value, max_elem, BPF_F_NO_PREALLOC);
8050 printf("Failed to create hash map '%s'!\n", strerror(errno));
8055 static int create_prog_array(void)
8059 fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
8062 printf("Failed to create prog array '%s'!\n", strerror(errno));
8067 static int create_map_in_map(void)
8069 int inner_map_fd, outer_map_fd;
8071 inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
8073 if (inner_map_fd < 0) {
8074 printf("Failed to create array '%s'!\n", strerror(errno));
8075 return inner_map_fd;
8078 outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS,
8079 sizeof(int), inner_map_fd, 1, 0);
8080 if (outer_map_fd < 0)
8081 printf("Failed to create array of maps '%s'!\n",
8084 close(inner_map_fd);
8086 return outer_map_fd;
8089 static char bpf_vlog[32768];
8091 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
8094 int *fixup_map1 = test->fixup_map1;
8095 int *fixup_map2 = test->fixup_map2;
8096 int *fixup_prog = test->fixup_prog;
8097 int *fixup_map_in_map = test->fixup_map_in_map;
8099 /* Allocating HTs with 1 elem is fine here, since we only test
8100 * for verifier and not do a runtime lookup, so the only thing
8101 * that really matters is value size in this case.
8104 map_fds[0] = create_map(sizeof(long long), 1);
8106 prog[*fixup_map1].imm = map_fds[0];
8108 } while (*fixup_map1);
8112 map_fds[1] = create_map(sizeof(struct test_val), 1);
8114 prog[*fixup_map2].imm = map_fds[1];
8116 } while (*fixup_map2);
8120 map_fds[2] = create_prog_array();
8122 prog[*fixup_prog].imm = map_fds[2];
8124 } while (*fixup_prog);
8127 if (*fixup_map_in_map) {
8128 map_fds[3] = create_map_in_map();
8130 prog[*fixup_map_in_map].imm = map_fds[3];
8132 } while (*fixup_map_in_map);
8136 static void do_test_single(struct bpf_test *test, bool unpriv,
8137 int *passes, int *errors)
8139 int fd_prog, expected_ret, reject_from_alignment;
8140 struct bpf_insn *prog = test->insns;
8141 int prog_len = probe_filter_length(prog);
8142 int prog_type = test->prog_type;
8143 int map_fds[MAX_NR_MAPS];
8144 const char *expected_err;
8147 for (i = 0; i < MAX_NR_MAPS; i++)
8150 do_test_fixup(test, prog, map_fds);
8152 fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
8153 prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
8154 "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
8156 expected_ret = unpriv && test->result_unpriv != UNDEF ?
8157 test->result_unpriv : test->result;
8158 expected_err = unpriv && test->errstr_unpriv ?
8159 test->errstr_unpriv : test->errstr;
8161 reject_from_alignment = fd_prog < 0 &&
8162 (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
8163 strstr(bpf_vlog, "misaligned");
8164 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
8165 if (reject_from_alignment) {
8166 printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
8171 if (expected_ret == ACCEPT) {
8172 if (fd_prog < 0 && !reject_from_alignment) {
8173 printf("FAIL\nFailed to load prog '%s'!\n",
8179 printf("FAIL\nUnexpected success to load!\n");
8182 if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
8183 printf("FAIL\nUnexpected error message!\n");
8189 printf("OK%s\n", reject_from_alignment ?
8190 " (NOTE: reject due to unknown alignment)" : "");
8193 for (i = 0; i < MAX_NR_MAPS; i++)
8199 printf("%s", bpf_vlog);
8203 static bool is_admin(void)
8206 cap_flag_value_t sysadmin = CAP_CLEAR;
8207 const cap_value_t cap_val = CAP_SYS_ADMIN;
8209 #ifdef CAP_IS_SUPPORTED
8210 if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
8211 perror("cap_get_flag");
8215 caps = cap_get_proc();
8217 perror("cap_get_proc");
8220 if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
8221 perror("cap_get_flag");
8224 return (sysadmin == CAP_SET);
8227 static int set_admin(bool admin)
8230 const cap_value_t cap_val = CAP_SYS_ADMIN;
8233 caps = cap_get_proc();
8235 perror("cap_get_proc");
8238 if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
8239 admin ? CAP_SET : CAP_CLEAR)) {
8240 perror("cap_set_flag");
8243 if (cap_set_proc(caps)) {
8244 perror("cap_set_proc");
8254 static int do_test(bool unpriv, unsigned int from, unsigned int to)
8256 int i, passes = 0, errors = 0;
8258 for (i = from; i < to; i++) {
8259 struct bpf_test *test = &tests[i];
8261 /* Program types that are not supported by non-root we
8264 if (!test->prog_type) {
8267 printf("#%d/u %s ", i, test->descr);
8268 do_test_single(test, true, &passes, &errors);
8274 printf("#%d/p %s ", i, test->descr);
8275 do_test_single(test, false, &passes, &errors);
8279 printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
8280 return errors ? EXIT_FAILURE : EXIT_SUCCESS;
8283 int main(int argc, char **argv)
8285 struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
8286 struct rlimit rlim = { 1 << 20, 1 << 20 };
8287 unsigned int from = 0, to = ARRAY_SIZE(tests);
8288 bool unpriv = !is_admin();
8291 unsigned int l = atoi(argv[argc - 2]);
8292 unsigned int u = atoi(argv[argc - 1]);
8294 if (l < to && u < to) {
8298 } else if (argc == 2) {
8299 unsigned int t = atoi(argv[argc - 1]);
8307 setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
8308 return do_test(unpriv, from, to);
projects / releases.git / blob