tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1{
2 "calls: invalid kfunc call not eliminated",
3 .insns = {
4 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
5 BPF_MOV64_IMM(BPF_REG_0, 1),
6 BPF_EXIT_INSN(),
7 },
8 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
9 .result = REJECT,
10 .errstr = "invalid kernel function call not eliminated in verifier pass",
11},
12{
13 "calls: invalid kfunc call unreachable",
14 .insns = {
15 BPF_MOV64_IMM(BPF_REG_0, 1),
16 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 0, 2),
17 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
18 BPF_MOV64_IMM(BPF_REG_0, 1),
19 BPF_EXIT_INSN(),
20 },
21 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
22 .result = ACCEPT,
23},
24{
25 "calls: invalid kfunc call: ptr_to_mem to struct with non-scalar",
26 .insns = {
27 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
28 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
29 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
30 BPF_EXIT_INSN(),
31 },
32 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
33 .result = REJECT,
34 .errstr = "arg#0 pointer type STRUCT prog_test_fail1 must point to scalar",
35 .fixup_kfunc_btf_id = {
36 { "bpf_kfunc_call_test_fail1", 2 },
37 },
38},
39{
40 "calls: invalid kfunc call: ptr_to_mem to struct with nesting depth > 4",
41 .insns = {
42 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
43 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
44 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
45 BPF_EXIT_INSN(),
46 },
47 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
48 .result = REJECT,
49 .errstr = "max struct nesting depth exceeded\narg#0 pointer type STRUCT prog_test_fail2",
50 .fixup_kfunc_btf_id = {
51 { "bpf_kfunc_call_test_fail2", 2 },
52 },
53},
54{
55 "calls: invalid kfunc call: ptr_to_mem to struct with FAM",
56 .insns = {
57 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
58 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
59 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
60 BPF_EXIT_INSN(),
61 },
62 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
63 .result = REJECT,
64 .errstr = "arg#0 pointer type STRUCT prog_test_fail3 must point to scalar",
65 .fixup_kfunc_btf_id = {
66 { "bpf_kfunc_call_test_fail3", 2 },
67 },
68},
69{
70 "calls: invalid kfunc call: reg->type != PTR_TO_CTX",
71 .insns = {
72 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
73 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
74 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
75 BPF_EXIT_INSN(),
76 },
77 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
78 .result = REJECT,
79 .errstr = "R1 must have zero offset when passed to release func or trusted arg to kfunc",
80 .fixup_kfunc_btf_id = {
81 { "bpf_kfunc_call_test_pass_ctx", 2 },
82 },
83},
84{
85 "calls: invalid kfunc call: void * not allowed in func proto without mem size arg",
86 .insns = {
87 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
88 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
89 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
90 BPF_EXIT_INSN(),
91 },
92 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
93 .result = REJECT,
94 .errstr = "arg#0 pointer type UNKNOWN must point to scalar",
95 .fixup_kfunc_btf_id = {
96 { "bpf_kfunc_call_test_mem_len_fail1", 2 },
97 },
98},
99{
100 "calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX",
101 .insns = {
102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
103 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
104 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
105 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
106 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
107 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
108 BPF_EXIT_INSN(),
109 },
110 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
111 .result = REJECT,
112 .errstr = "Possibly NULL pointer passed to trusted arg0",
113 .fixup_kfunc_btf_id = {
114 { "bpf_kfunc_call_test_acquire", 3 },
115 { "bpf_kfunc_call_test_release", 5 },
116 },
117},
118{
119 "calls: invalid kfunc call: reg->off must be zero when passed to release kfunc",
120 .insns = {
121 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
122 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
123 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
124 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
125 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
126 BPF_EXIT_INSN(),
127 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
128 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
129 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
130 BPF_MOV64_IMM(BPF_REG_0, 0),
131 BPF_EXIT_INSN(),
132 },
133 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
134 .result = REJECT,
135 .errstr = "R1 must have zero offset when passed to release func",
136 .fixup_kfunc_btf_id = {
137 { "bpf_kfunc_call_test_acquire", 3 },
138 { "bpf_kfunc_call_memb_release", 8 },
139 },
140},
141{
142 "calls: invalid kfunc call: don't match first member type when passed to release kfunc",
143 .insns = {
144 BPF_MOV64_IMM(BPF_REG_0, 0),
145 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
146 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
147 BPF_EXIT_INSN(),
148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
149 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
150 BPF_MOV64_IMM(BPF_REG_0, 0),
151 BPF_EXIT_INSN(),
152 },
153 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
154 .result = REJECT,
155 .errstr = "kernel function bpf_kfunc_call_memb1_release args#0 expected pointer",
156 .fixup_kfunc_btf_id = {
157 { "bpf_kfunc_call_memb_acquire", 1 },
158 { "bpf_kfunc_call_memb1_release", 5 },
159 },
160},
161{
162 "calls: invalid kfunc call: PTR_TO_BTF_ID with negative offset",
163 .insns = {
164 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
165 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
166 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
167 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
168 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
169 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
170 BPF_EXIT_INSN(),
171 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -4),
173 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
174 BPF_MOV64_IMM(BPF_REG_0, 0),
175 BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
176 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
177 BPF_MOV64_IMM(BPF_REG_0, 0),
178 BPF_EXIT_INSN(),
179 },
180 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
181 .fixup_kfunc_btf_id = {
182 { "bpf_kfunc_call_test_acquire", 3 },
183 { "bpf_kfunc_call_test_offset", 9 },
184 { "bpf_kfunc_call_test_release", 12 },
185 },
186 .result_unpriv = REJECT,
187 .result = REJECT,
188 .errstr = "ptr R1 off=-4 disallowed",
189},
190{
191 "calls: invalid kfunc call: PTR_TO_BTF_ID with variable offset",
192 .insns = {
193 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
194 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
195 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
197 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
198 BPF_EXIT_INSN(),
199 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
200 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
201 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 3),
202 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
203 BPF_MOV64_IMM(BPF_REG_0, 0),
204 BPF_EXIT_INSN(),
205 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 3),
206 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
207 BPF_MOV64_IMM(BPF_REG_0, 0),
208 BPF_EXIT_INSN(),
209 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
210 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
211 BPF_MOV64_IMM(BPF_REG_0, 0),
212 BPF_EXIT_INSN(),
213 },
214 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
215 .fixup_kfunc_btf_id = {
216 { "bpf_kfunc_call_test_acquire", 3 },
217 { "bpf_kfunc_call_test_release", 9 },
218 { "bpf_kfunc_call_test_release", 13 },
219 { "bpf_kfunc_call_test_release", 17 },
220 },
221 .result_unpriv = REJECT,
222 .result = REJECT,
223 .errstr = "variable ptr_ access var_off=(0x0; 0x7) disallowed",
224},
225{
226 "calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID",
227 .insns = {
228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
230 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
231 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
232 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
233 BPF_EXIT_INSN(),
234 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
235 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
236 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
237 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 16),
238 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
239 BPF_MOV64_IMM(BPF_REG_0, 0),
240 BPF_EXIT_INSN(),
241 },
242 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
243 .fixup_kfunc_btf_id = {
244 { "bpf_kfunc_call_test_acquire", 3 },
245 { "bpf_kfunc_call_test_ref", 8 },
246 { "bpf_kfunc_call_test_ref", 10 },
247 },
248 .result_unpriv = REJECT,
249 .result = REJECT,
250 .errstr = "R1 must be",
251},
252{
253 "calls: valid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID",
254 .insns = {
255 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
256 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
257 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
258 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
259 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
260 BPF_EXIT_INSN(),
261 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
262 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
263 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
264 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
265 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
266 BPF_MOV64_IMM(BPF_REG_0, 0),
267 BPF_EXIT_INSN(),
268 },
269 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
270 .fixup_kfunc_btf_id = {
271 { "bpf_kfunc_call_test_acquire", 3 },
272 { "bpf_kfunc_call_test_ref", 8 },
273 { "bpf_kfunc_call_test_release", 10 },
274 },
275 .result_unpriv = REJECT,
276 .result = ACCEPT,
277},
278{
279 "calls: basic sanity",
280 .insns = {
281 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
282 BPF_MOV64_IMM(BPF_REG_0, 1),
283 BPF_EXIT_INSN(),
284 BPF_MOV64_IMM(BPF_REG_0, 2),
285 BPF_EXIT_INSN(),
286 },
287 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
288 .result = ACCEPT,
289},
290{
291 "calls: not on unprivileged",
292 .insns = {
293 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
294 BPF_MOV64_IMM(BPF_REG_0, 1),
295 BPF_EXIT_INSN(),
296 BPF_MOV64_IMM(BPF_REG_0, 2),
297 BPF_EXIT_INSN(),
298 },
299 .errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
300 .result_unpriv = REJECT,
301 .result = ACCEPT,
302 .retval = 1,
303},
304{
305 "calls: div by 0 in subprog",
306 .insns = {
307 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
309 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
310 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
311 offsetof(struct __sk_buff, data_end)),
312 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
314 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
315 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
316 BPF_MOV64_IMM(BPF_REG_0, 1),
317 BPF_EXIT_INSN(),
318 BPF_MOV32_IMM(BPF_REG_2, 0),
319 BPF_MOV32_IMM(BPF_REG_3, 1),
320 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
321 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
322 offsetof(struct __sk_buff, data)),
323 BPF_EXIT_INSN(),
324 },
325 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
326 .result = ACCEPT,
327 .retval = 1,
328},
329{
330 "calls: multiple ret types in subprog 1",
331 .insns = {
332 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
334 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
335 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
336 offsetof(struct __sk_buff, data_end)),
337 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
338 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
339 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
340 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
341 BPF_MOV64_IMM(BPF_REG_0, 1),
342 BPF_EXIT_INSN(),
343 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
344 offsetof(struct __sk_buff, data)),
345 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
346 BPF_MOV32_IMM(BPF_REG_0, 42),
347 BPF_EXIT_INSN(),
348 },
349 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
350 .result = REJECT,
351 .errstr = "R0 invalid mem access 'scalar'",
352},
353{
354 "calls: multiple ret types in subprog 2",
355 .insns = {
356 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
358 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
359 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
360 offsetof(struct __sk_buff, data_end)),
361 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
363 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
364 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
365 BPF_MOV64_IMM(BPF_REG_0, 1),
366 BPF_EXIT_INSN(),
367 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
368 offsetof(struct __sk_buff, data)),
369 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
370 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
371 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
372 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
373 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
374 BPF_LD_MAP_FD(BPF_REG_1, 0),
375 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
376 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
377 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
378 offsetof(struct __sk_buff, data)),
379 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
380 BPF_EXIT_INSN(),
381 },
382 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
383 .fixup_map_hash_8b = { 16 },
384 .result = REJECT,
385 .errstr = "R0 min value is outside of the allowed memory range",
386},
387{
388 "calls: overlapping caller/callee",
389 .insns = {
390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
391 BPF_MOV64_IMM(BPF_REG_0, 1),
392 BPF_EXIT_INSN(),
393 },
394 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
395 .errstr = "last insn is not an exit or jmp",
396 .result = REJECT,
397},
398{
399 "calls: wrong recursive calls",
400 .insns = {
401 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
402 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
403 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
404 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
405 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
406 BPF_MOV64_IMM(BPF_REG_0, 1),
407 BPF_EXIT_INSN(),
408 },
409 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
410 .errstr = "jump out of range",
411 .result = REJECT,
412},
413{
414 "calls: wrong src reg",
415 .insns = {
416 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 3, 0, 0),
417 BPF_MOV64_IMM(BPF_REG_0, 1),
418 BPF_EXIT_INSN(),
419 },
420 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
421 .errstr = "BPF_CALL uses reserved fields",
422 .result = REJECT,
423},
424{
425 "calls: wrong off value",
426 .insns = {
427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
428 BPF_MOV64_IMM(BPF_REG_0, 1),
429 BPF_EXIT_INSN(),
430 BPF_MOV64_IMM(BPF_REG_0, 2),
431 BPF_EXIT_INSN(),
432 },
433 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
434 .errstr = "BPF_CALL uses reserved fields",
435 .result = REJECT,
436},
437{
438 "calls: jump back loop",
439 .insns = {
440 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
441 BPF_MOV64_IMM(BPF_REG_0, 1),
442 BPF_EXIT_INSN(),
443 },
444 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
445 .errstr = "the call stack of 9 frames is too deep",
446 .result = REJECT,
447},
448{
449 "calls: conditional call",
450 .insns = {
451 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
452 offsetof(struct __sk_buff, mark)),
453 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
455 BPF_MOV64_IMM(BPF_REG_0, 1),
456 BPF_EXIT_INSN(),
457 BPF_MOV64_IMM(BPF_REG_0, 2),
458 BPF_EXIT_INSN(),
459 },
460 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
461 .errstr = "jump out of range",
462 .result = REJECT,
463},
464{
465 "calls: conditional call 2",
466 .insns = {
467 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
468 offsetof(struct __sk_buff, mark)),
469 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
470 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
471 BPF_MOV64_IMM(BPF_REG_0, 1),
472 BPF_EXIT_INSN(),
473 BPF_MOV64_IMM(BPF_REG_0, 2),
474 BPF_EXIT_INSN(),
475 BPF_MOV64_IMM(BPF_REG_0, 3),
476 BPF_EXIT_INSN(),
477 },
478 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
479 .result = ACCEPT,
480},
481{
482 "calls: conditional call 3",
483 .insns = {
484 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
485 offsetof(struct __sk_buff, mark)),
486 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
487 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
488 BPF_MOV64_IMM(BPF_REG_0, 1),
489 BPF_EXIT_INSN(),
490 BPF_MOV64_IMM(BPF_REG_0, 1),
491 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
492 BPF_MOV64_IMM(BPF_REG_0, 3),
493 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
494 },
495 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
496 .errstr_unpriv = "back-edge from insn",
497 .result_unpriv = REJECT,
498 .result = ACCEPT,
499 .retval = 1,
500},
501{
502 "calls: conditional call 4",
503 .insns = {
504 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
505 offsetof(struct __sk_buff, mark)),
506 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
507 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
508 BPF_MOV64_IMM(BPF_REG_0, 1),
509 BPF_EXIT_INSN(),
510 BPF_MOV64_IMM(BPF_REG_0, 1),
511 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
512 BPF_MOV64_IMM(BPF_REG_0, 3),
513 BPF_EXIT_INSN(),
514 },
515 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
516 .result = ACCEPT,
517},
518{
519 "calls: conditional call 5",
520 .insns = {
521 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
522 offsetof(struct __sk_buff, mark)),
523 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
525 BPF_MOV64_IMM(BPF_REG_0, 1),
526 BPF_EXIT_INSN(),
527 BPF_MOV64_IMM(BPF_REG_0, 1),
528 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
529 BPF_MOV64_IMM(BPF_REG_0, 3),
530 BPF_EXIT_INSN(),
531 },
532 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
533 .result = ACCEPT,
534 .retval = 1,
535},
536{
537 "calls: conditional call 6",
538 .insns = {
539 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
540 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
541 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
542 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
543 BPF_EXIT_INSN(),
544 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
545 offsetof(struct __sk_buff, mark)),
546 BPF_EXIT_INSN(),
547 },
548 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
549 .errstr = "infinite loop detected",
550 .result = REJECT,
551},
552{
553 "calls: using r0 returned by callee",
554 .insns = {
555 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
556 BPF_EXIT_INSN(),
557 BPF_MOV64_IMM(BPF_REG_0, 2),
558 BPF_EXIT_INSN(),
559 },
560 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
561 .result = ACCEPT,
562},
563{
564 "calls: using uninit r0 from callee",
565 .insns = {
566 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
567 BPF_EXIT_INSN(),
568 BPF_EXIT_INSN(),
569 },
570 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
571 .errstr = "!read_ok",
572 .result = REJECT,
573},
574{
575 "calls: callee is using r1",
576 .insns = {
577 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
578 BPF_EXIT_INSN(),
579 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
580 offsetof(struct __sk_buff, len)),
581 BPF_EXIT_INSN(),
582 },
583 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
584 .result = ACCEPT,
585 .retval = TEST_DATA_LEN,
586},
587{
588 "calls: callee using args1",
589 .insns = {
590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
591 BPF_EXIT_INSN(),
592 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
593 BPF_EXIT_INSN(),
594 },
595 .errstr_unpriv = "allowed for",
596 .result_unpriv = REJECT,
597 .result = ACCEPT,
598 .retval = POINTER_VALUE,
599},
600{
601 "calls: callee using wrong args2",
602 .insns = {
603 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
604 BPF_EXIT_INSN(),
605 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
606 BPF_EXIT_INSN(),
607 },
608 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
609 .errstr = "R2 !read_ok",
610 .result = REJECT,
611},
612{
613 "calls: callee using two args",
614 .insns = {
615 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
616 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
617 offsetof(struct __sk_buff, len)),
618 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
619 offsetof(struct __sk_buff, len)),
620 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
621 BPF_EXIT_INSN(),
622 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
623 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
624 BPF_EXIT_INSN(),
625 },
626 .errstr_unpriv = "allowed for",
627 .result_unpriv = REJECT,
628 .result = ACCEPT,
629 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
630},
631{
632 "calls: callee changing pkt pointers",
633 .insns = {
634 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, offsetof(struct xdp_md, data)),
635 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
636 offsetof(struct xdp_md, data_end)),
637 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
638 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
639 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
640 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
641 /* clear_all_pkt_pointers() has to walk all frames
642 * to make sure that pkt pointers in the caller
643 * are cleared when callee is calling a helper that
644 * adjusts packet size
645 */
646 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
647 BPF_MOV32_IMM(BPF_REG_0, 0),
648 BPF_EXIT_INSN(),
649 BPF_MOV64_IMM(BPF_REG_2, 0),
650 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_xdp_adjust_head),
651 BPF_EXIT_INSN(),
652 },
653 .result = REJECT,
654 .errstr = "R6 invalid mem access 'scalar'",
655 .prog_type = BPF_PROG_TYPE_XDP,
656 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
657},
658{
659 "calls: ptr null check in subprog",
660 .insns = {
661 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
662 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
663 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
664 BPF_LD_MAP_FD(BPF_REG_1, 0),
665 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
666 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
667 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
668 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
669 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
670 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
671 BPF_EXIT_INSN(),
672 BPF_MOV64_IMM(BPF_REG_0, 0),
673 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
674 BPF_MOV64_IMM(BPF_REG_0, 1),
675 BPF_EXIT_INSN(),
676 },
677 .errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
678 .fixup_map_hash_48b = { 3 },
679 .result_unpriv = REJECT,
680 .result = ACCEPT,
681 .retval = 0,
682},
683{
684 "calls: two calls with args",
685 .insns = {
686 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
687 BPF_EXIT_INSN(),
688 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
689 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
690 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
691 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
692 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
693 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
694 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
695 BPF_EXIT_INSN(),
696 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
697 offsetof(struct __sk_buff, len)),
698 BPF_EXIT_INSN(),
699 },
700 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
701 .result = ACCEPT,
702 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
703},
704{
705 "calls: calls with stack arith",
706 .insns = {
707 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
708 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
709 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
710 BPF_EXIT_INSN(),
711 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
712 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
713 BPF_EXIT_INSN(),
714 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
715 BPF_MOV64_IMM(BPF_REG_0, 42),
716 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
717 BPF_EXIT_INSN(),
718 },
719 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
720 .result = ACCEPT,
721 .retval = 42,
722},
723{
724 "calls: calls with misaligned stack access",
725 .insns = {
726 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
727 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
728 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
729 BPF_EXIT_INSN(),
730 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
732 BPF_EXIT_INSN(),
733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
734 BPF_MOV64_IMM(BPF_REG_0, 42),
735 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
736 BPF_EXIT_INSN(),
737 },
738 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
739 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
740 .errstr = "misaligned stack access",
741 .result = REJECT,
742},
743{
744 "calls: calls control flow, jump test",
745 .insns = {
746 BPF_MOV64_IMM(BPF_REG_0, 42),
747 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
748 BPF_MOV64_IMM(BPF_REG_0, 43),
749 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
750 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
751 BPF_EXIT_INSN(),
752 },
753 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
754 .result = ACCEPT,
755 .retval = 43,
756},
757{
758 "calls: calls control flow, jump test 2",
759 .insns = {
760 BPF_MOV64_IMM(BPF_REG_0, 42),
761 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
762 BPF_MOV64_IMM(BPF_REG_0, 43),
763 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
764 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
765 BPF_EXIT_INSN(),
766 },
767 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
768 .errstr = "jump out of range from insn 1 to 4",
769 .result = REJECT,
770},
771{
772 "calls: two calls with bad jump",
773 .insns = {
774 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
775 BPF_EXIT_INSN(),
776 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
777 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
778 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
779 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
780 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
781 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
782 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
783 BPF_EXIT_INSN(),
784 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
785 offsetof(struct __sk_buff, len)),
786 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
787 BPF_EXIT_INSN(),
788 },
789 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
790 .errstr = "jump out of range from insn 11 to 9",
791 .result = REJECT,
792},
793{
794 "calls: recursive call. test1",
795 .insns = {
796 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
797 BPF_EXIT_INSN(),
798 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
799 BPF_EXIT_INSN(),
800 },
801 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
802 .errstr = "the call stack of 9 frames is too deep",
803 .result = REJECT,
804},
805{
806 "calls: recursive call. test2",
807 .insns = {
808 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
809 BPF_EXIT_INSN(),
810 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
811 BPF_EXIT_INSN(),
812 },
813 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
814 .errstr = "the call stack of 9 frames is too deep",
815 .result = REJECT,
816},
817{
818 "calls: unreachable code",
819 .insns = {
820 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
821 BPF_EXIT_INSN(),
822 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
823 BPF_EXIT_INSN(),
824 BPF_MOV64_IMM(BPF_REG_0, 0),
825 BPF_EXIT_INSN(),
826 BPF_MOV64_IMM(BPF_REG_0, 0),
827 BPF_EXIT_INSN(),
828 },
829 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
830 .errstr = "unreachable insn 6",
831 .result = REJECT,
832},
833{
834 "calls: invalid call",
835 .insns = {
836 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
837 BPF_EXIT_INSN(),
838 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
839 BPF_EXIT_INSN(),
840 },
841 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
842 .errstr = "invalid destination",
843 .result = REJECT,
844},
845{
846 "calls: invalid call 2",
847 .insns = {
848 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
849 BPF_EXIT_INSN(),
850 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
851 BPF_EXIT_INSN(),
852 },
853 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
854 .errstr = "invalid destination",
855 .result = REJECT,
856},
857{
858 "calls: jumping across function bodies. test1",
859 .insns = {
860 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
861 BPF_MOV64_IMM(BPF_REG_0, 0),
862 BPF_EXIT_INSN(),
863 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
864 BPF_EXIT_INSN(),
865 },
866 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
867 .errstr = "jump out of range",
868 .result = REJECT,
869},
870{
871 "calls: jumping across function bodies. test2",
872 .insns = {
873 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
874 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
875 BPF_MOV64_IMM(BPF_REG_0, 0),
876 BPF_EXIT_INSN(),
877 BPF_EXIT_INSN(),
878 },
879 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
880 .errstr = "jump out of range",
881 .result = REJECT,
882},
883{
884 "calls: call without exit",
885 .insns = {
886 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
887 BPF_EXIT_INSN(),
888 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
889 BPF_EXIT_INSN(),
890 BPF_MOV64_IMM(BPF_REG_0, 0),
891 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
892 },
893 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
894 .errstr = "not an exit",
895 .result = REJECT,
896},
897{
898 "calls: call into middle of ld_imm64",
899 .insns = {
900 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
901 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
902 BPF_MOV64_IMM(BPF_REG_0, 0),
903 BPF_EXIT_INSN(),
904 BPF_LD_IMM64(BPF_REG_0, 0),
905 BPF_EXIT_INSN(),
906 },
907 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
908 .errstr = "last insn",
909 .result = REJECT,
910},
911{
912 "calls: call into middle of other call",
913 .insns = {
914 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
915 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
916 BPF_MOV64_IMM(BPF_REG_0, 0),
917 BPF_EXIT_INSN(),
918 BPF_MOV64_IMM(BPF_REG_0, 0),
919 BPF_MOV64_IMM(BPF_REG_0, 0),
920 BPF_EXIT_INSN(),
921 },
922 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
923 .errstr = "last insn",
924 .result = REJECT,
925},
926{
927 "calls: subprog call with ld_abs in main prog",
928 .insns = {
929 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
930 BPF_LD_ABS(BPF_B, 0),
931 BPF_LD_ABS(BPF_H, 0),
932 BPF_LD_ABS(BPF_W, 0),
933 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
934 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
935 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
936 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
937 BPF_LD_ABS(BPF_B, 0),
938 BPF_LD_ABS(BPF_H, 0),
939 BPF_LD_ABS(BPF_W, 0),
940 BPF_EXIT_INSN(),
941 BPF_MOV64_IMM(BPF_REG_2, 1),
942 BPF_MOV64_IMM(BPF_REG_3, 2),
943 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_vlan_push),
944 BPF_EXIT_INSN(),
945 },
946 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
947 .result = ACCEPT,
948},
949{
950 "calls: two calls with bad fallthrough",
951 .insns = {
952 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
953 BPF_EXIT_INSN(),
954 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
955 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
956 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
957 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
958 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
959 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
960 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
961 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
962 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
963 offsetof(struct __sk_buff, len)),
964 BPF_EXIT_INSN(),
965 },
966 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
967 .errstr = "not an exit",
968 .result = REJECT,
969},
970{
971 "calls: two calls with stack read",
972 .insns = {
973 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
974 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
975 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
976 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
977 BPF_EXIT_INSN(),
978 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
979 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
980 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
981 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
982 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
983 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
984 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
985 BPF_EXIT_INSN(),
986 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
987 BPF_EXIT_INSN(),
988 },
989 .prog_type = BPF_PROG_TYPE_XDP,
990 .result = ACCEPT,
991},
992{
993 "calls: two calls with stack write",
994 .insns = {
995 /* main prog */
996 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
997 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
998 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
999 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1001 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1002 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1003 BPF_EXIT_INSN(),
1004
1005 /* subprog 1 */
1006 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1007 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1008 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
1009 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
1010 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1011 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1012 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
1013 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
1014 /* write into stack frame of main prog */
1015 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1016 BPF_EXIT_INSN(),
1017
1018 /* subprog 2 */
1019 /* read from stack frame of main prog */
1020 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
1021 BPF_EXIT_INSN(),
1022 },
1023 .prog_type = BPF_PROG_TYPE_XDP,
1024 .result = ACCEPT,
1025},
1026{
1027 "calls: stack overflow using two frames (pre-call access)",
1028 .insns = {
1029 /* prog 1 */
1030 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1031 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
1032 BPF_EXIT_INSN(),
1033
1034 /* prog 2 */
1035 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1036 BPF_MOV64_IMM(BPF_REG_0, 0),
1037 BPF_EXIT_INSN(),
1038 },
1039 .prog_type = BPF_PROG_TYPE_XDP,
1040 .errstr = "combined stack size",
1041 .result = REJECT,
1042},
1043{
1044 "calls: stack overflow using two frames (post-call access)",
1045 .insns = {
1046 /* prog 1 */
1047 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
1048 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1049 BPF_EXIT_INSN(),
1050
1051 /* prog 2 */
1052 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1053 BPF_MOV64_IMM(BPF_REG_0, 0),
1054 BPF_EXIT_INSN(),
1055 },
1056 .prog_type = BPF_PROG_TYPE_XDP,
1057 .errstr = "combined stack size",
1058 .result = REJECT,
1059},
1060{
1061 "calls: stack depth check using three frames. test1",
1062 .insns = {
1063 /* main */
1064 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
1065 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
1066 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
1067 BPF_MOV64_IMM(BPF_REG_0, 0),
1068 BPF_EXIT_INSN(),
1069 /* A */
1070 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
1071 BPF_EXIT_INSN(),
1072 /* B */
1073 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
1074 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
1075 BPF_EXIT_INSN(),
1076 },
1077 .prog_type = BPF_PROG_TYPE_XDP,
1078 /* stack_main=32, stack_A=256, stack_B=64
1079 * and max(main+A, main+A+B) < 512
1080 */
1081 .result = ACCEPT,
1082},
1083{
1084 "calls: stack depth check using three frames. test2",
1085 .insns = {
1086 /* main */
1087 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
1088 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
1089 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
1090 BPF_MOV64_IMM(BPF_REG_0, 0),
1091 BPF_EXIT_INSN(),
1092 /* A */
1093 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
1094 BPF_EXIT_INSN(),
1095 /* B */
1096 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
1097 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
1098 BPF_EXIT_INSN(),
1099 },
1100 .prog_type = BPF_PROG_TYPE_XDP,
1101 /* stack_main=32, stack_A=64, stack_B=256
1102 * and max(main+A, main+A+B) < 512
1103 */
1104 .result = ACCEPT,
1105},
1106{
1107 "calls: stack depth check using three frames. test3",
1108 .insns = {
1109 /* main */
1110 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1111 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
1112 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1113 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
1114 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
1115 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
1116 BPF_MOV64_IMM(BPF_REG_0, 0),
1117 BPF_EXIT_INSN(),
1118 /* A */
1119 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
1120 BPF_EXIT_INSN(),
1121 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
1122 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
1123 /* B */
1124 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
1125 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
1126 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
1127 BPF_EXIT_INSN(),
1128 },
1129 .prog_type = BPF_PROG_TYPE_XDP,
1130 /* stack_main=64, stack_A=224, stack_B=256
1131 * and max(main+A, main+A+B) > 512
1132 */
1133 .errstr = "combined stack",
1134 .result = REJECT,
1135},
1136{
1137 "calls: stack depth check using three frames. test4",
1138 /* void main(void) {
1139 * func1(0);
1140 * func1(1);
1141 * func2(1);
1142 * }
1143 * void func1(int alloc_or_recurse) {
1144 * if (alloc_or_recurse) {
1145 * frame_pointer[-300] = 1;
1146 * } else {
1147 * func2(alloc_or_recurse);
1148 * }
1149 * }
1150 * void func2(int alloc_or_recurse) {
1151 * if (alloc_or_recurse) {
1152 * frame_pointer[-300] = 1;
1153 * }
1154 * }
1155 */
1156 .insns = {
1157 /* main */
1158 BPF_MOV64_IMM(BPF_REG_1, 0),
1159 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
1160 BPF_MOV64_IMM(BPF_REG_1, 1),
1161 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
1162 BPF_MOV64_IMM(BPF_REG_1, 1),
1163 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
1164 BPF_MOV64_IMM(BPF_REG_0, 0),
1165 BPF_EXIT_INSN(),
1166 /* A */
1167 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1168 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1169 BPF_EXIT_INSN(),
1170 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
1171 BPF_EXIT_INSN(),
1172 /* B */
1173 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1174 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1175 BPF_EXIT_INSN(),
1176 },
1177 .prog_type = BPF_PROG_TYPE_XDP,
1178 .result = REJECT,
1179 .errstr = "combined stack",
1180},
1181{
1182 "calls: stack depth check using three frames. test5",
1183 .insns = {
1184 /* main */
1185 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
1186 BPF_EXIT_INSN(),
1187 /* A */
1188 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
1189 BPF_EXIT_INSN(),
1190 /* B */
1191 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
1192 BPF_EXIT_INSN(),
1193 /* C */
1194 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
1195 BPF_EXIT_INSN(),
1196 /* D */
1197 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
1198 BPF_EXIT_INSN(),
1199 /* E */
1200 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
1201 BPF_EXIT_INSN(),
1202 /* F */
1203 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
1204 BPF_EXIT_INSN(),
1205 /* G */
1206 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
1207 BPF_EXIT_INSN(),
1208 /* H */
1209 BPF_MOV64_IMM(BPF_REG_0, 0),
1210 BPF_EXIT_INSN(),
1211 },
1212 .prog_type = BPF_PROG_TYPE_XDP,
1213 .errstr = "call stack",
1214 .result = REJECT,
1215},
1216{
1217 "calls: stack depth check in dead code",
1218 .insns = {
1219 /* main */
1220 BPF_MOV64_IMM(BPF_REG_1, 0),
1221 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
1222 BPF_EXIT_INSN(),
1223 /* A */
1224 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1225 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2), /* call B */
1226 BPF_MOV64_IMM(BPF_REG_0, 0),
1227 BPF_EXIT_INSN(),
1228 /* B */
1229 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
1230 BPF_EXIT_INSN(),
1231 /* C */
1232 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
1233 BPF_EXIT_INSN(),
1234 /* D */
1235 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
1236 BPF_EXIT_INSN(),
1237 /* E */
1238 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
1239 BPF_EXIT_INSN(),
1240 /* F */
1241 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
1242 BPF_EXIT_INSN(),
1243 /* G */
1244 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
1245 BPF_EXIT_INSN(),
1246 /* H */
1247 BPF_MOV64_IMM(BPF_REG_0, 0),
1248 BPF_EXIT_INSN(),
1249 },
1250 .prog_type = BPF_PROG_TYPE_XDP,
1251 .errstr = "call stack",
1252 .result = REJECT,
1253},
1254{
1255 "calls: spill into caller stack frame",
1256 .insns = {
1257 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1258 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1259 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1260 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1261 BPF_EXIT_INSN(),
1262 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1263 BPF_MOV64_IMM(BPF_REG_0, 0),
1264 BPF_EXIT_INSN(),
1265 },
1266 .prog_type = BPF_PROG_TYPE_XDP,
1267 .errstr = "cannot spill",
1268 .result = REJECT,
1269},
1270{
1271 "calls: write into caller stack frame",
1272 .insns = {
1273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1275 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1276 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1277 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1278 BPF_EXIT_INSN(),
1279 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
1280 BPF_MOV64_IMM(BPF_REG_0, 0),
1281 BPF_EXIT_INSN(),
1282 },
1283 .prog_type = BPF_PROG_TYPE_XDP,
1284 .result = ACCEPT,
1285 .retval = 42,
1286},
1287{
1288 "calls: write into callee stack frame",
1289 .insns = {
1290 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1291 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
1292 BPF_EXIT_INSN(),
1293 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1294 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
1295 BPF_EXIT_INSN(),
1296 },
1297 .prog_type = BPF_PROG_TYPE_XDP,
1298 .errstr = "cannot return stack pointer",
1299 .result = REJECT,
1300},
1301{
1302 "calls: two calls with stack write and void return",
1303 .insns = {
1304 /* main prog */
1305 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1306 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1307 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1308 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1309 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1310 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1311 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1312 BPF_EXIT_INSN(),
1313
1314 /* subprog 1 */
1315 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1316 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1317 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1318 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1319 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1320 BPF_EXIT_INSN(),
1321
1322 /* subprog 2 */
1323 /* write into stack frame of main prog */
1324 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
1325 BPF_EXIT_INSN(), /* void return */
1326 },
1327 .prog_type = BPF_PROG_TYPE_XDP,
1328 .result = ACCEPT,
1329},
1330{
1331 "calls: ambiguous return value",
1332 .insns = {
1333 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1334 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
1335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1336 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1337 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1338 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1339 BPF_EXIT_INSN(),
1340 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1341 BPF_MOV64_IMM(BPF_REG_0, 0),
1342 BPF_EXIT_INSN(),
1343 },
1344 .errstr_unpriv = "allowed for",
1345 .result_unpriv = REJECT,
1346 .errstr = "R0 !read_ok",
1347 .result = REJECT,
1348},
1349{
1350 "calls: two calls that return map_value",
1351 .insns = {
1352 /* main prog */
1353 /* pass fp-16, fp-8 into a function */
1354 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1355 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1356 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1357 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1358 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
1359
1360 /* fetch map_value_ptr from the stack of this function */
1361 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1362 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1363 /* write into map value */
1364 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1365 /* fetch secound map_value_ptr from the stack */
1366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1367 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1368 /* write into map value */
1369 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1370 BPF_MOV64_IMM(BPF_REG_0, 0),
1371 BPF_EXIT_INSN(),
1372
1373 /* subprog 1 */
1374 /* call 3rd function twice */
1375 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1376 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1377 /* first time with fp-8 */
1378 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1379 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1380 /* second time with fp-16 */
1381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1382 BPF_EXIT_INSN(),
1383
1384 /* subprog 2 */
1385 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1386 /* lookup from map */
1387 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1388 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1389 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1390 BPF_LD_MAP_FD(BPF_REG_1, 0),
1391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1392 /* write map_value_ptr into stack frame of main prog */
1393 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1394 BPF_MOV64_IMM(BPF_REG_0, 0),
1395 BPF_EXIT_INSN(), /* return 0 */
1396 },
1397 .prog_type = BPF_PROG_TYPE_XDP,
1398 .fixup_map_hash_8b = { 23 },
1399 .result = ACCEPT,
1400},
1401{
1402 "calls: two calls that return map_value with bool condition",
1403 .insns = {
1404 /* main prog */
1405 /* pass fp-16, fp-8 into a function */
1406 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1407 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1408 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1409 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1410 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1411 BPF_MOV64_IMM(BPF_REG_0, 0),
1412 BPF_EXIT_INSN(),
1413
1414 /* subprog 1 */
1415 /* call 3rd function twice */
1416 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1417 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1418 /* first time with fp-8 */
1419 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
1420 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1421 /* fetch map_value_ptr from the stack of this function */
1422 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1423 /* write into map value */
1424 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1425 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1426 /* second time with fp-16 */
1427 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1428 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1429 /* fetch secound map_value_ptr from the stack */
1430 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
1431 /* write into map value */
1432 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1433 BPF_EXIT_INSN(),
1434
1435 /* subprog 2 */
1436 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1437 /* lookup from map */
1438 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1439 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1440 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1441 BPF_LD_MAP_FD(BPF_REG_1, 0),
1442 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1443 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1444 BPF_MOV64_IMM(BPF_REG_0, 0),
1445 BPF_EXIT_INSN(), /* return 0 */
1446 /* write map_value_ptr into stack frame of main prog */
1447 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1448 BPF_MOV64_IMM(BPF_REG_0, 1),
1449 BPF_EXIT_INSN(), /* return 1 */
1450 },
1451 .prog_type = BPF_PROG_TYPE_XDP,
1452 .fixup_map_hash_8b = { 23 },
1453 .result = ACCEPT,
1454},
1455{
1456 "calls: two calls that return map_value with incorrect bool check",
1457 .insns = {
1458 /* main prog */
1459 /* pass fp-16, fp-8 into a function */
1460 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1461 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1462 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1463 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1464 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1465 BPF_MOV64_IMM(BPF_REG_0, 0),
1466 BPF_EXIT_INSN(),
1467
1468 /* subprog 1 */
1469 /* call 3rd function twice */
1470 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1471 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1472 /* first time with fp-8 */
1473 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
1474 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1475 /* fetch map_value_ptr from the stack of this function */
1476 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1477 /* write into map value */
1478 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1479 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1480 /* second time with fp-16 */
1481 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1482 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1483 /* fetch secound map_value_ptr from the stack */
1484 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
1485 /* write into map value */
1486 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1487 BPF_EXIT_INSN(),
1488
1489 /* subprog 2 */
1490 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1491 /* lookup from map */
1492 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1493 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1494 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1495 BPF_LD_MAP_FD(BPF_REG_1, 0),
1496 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1497 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1498 BPF_MOV64_IMM(BPF_REG_0, 0),
1499 BPF_EXIT_INSN(), /* return 0 */
1500 /* write map_value_ptr into stack frame of main prog */
1501 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1502 BPF_MOV64_IMM(BPF_REG_0, 1),
1503 BPF_EXIT_INSN(), /* return 1 */
1504 },
1505 .prog_type = BPF_PROG_TYPE_XDP,
1506 .fixup_map_hash_8b = { 23 },
1507 .result = REJECT,
1508 .errstr = "R0 invalid mem access 'scalar'",
1509 .result_unpriv = REJECT,
1510 .errstr_unpriv = "invalid read from stack R7 off=-16 size=8",
1511},
1512{
1513 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
1514 .insns = {
1515 /* main prog */
1516 /* pass fp-16, fp-8 into a function */
1517 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1518 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1519 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1520 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1521 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1522 BPF_MOV64_IMM(BPF_REG_0, 0),
1523 BPF_EXIT_INSN(),
1524
1525 /* subprog 1 */
1526 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1527 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1528 /* 1st lookup from map */
1529 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1530 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1531 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1532 BPF_LD_MAP_FD(BPF_REG_1, 0),
1533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1534 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1535 BPF_MOV64_IMM(BPF_REG_8, 0),
1536 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1537 /* write map_value_ptr into stack frame of main prog at fp-8 */
1538 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1539 BPF_MOV64_IMM(BPF_REG_8, 1),
1540
1541 /* 2nd lookup from map */
1542 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
1543 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1544 BPF_LD_MAP_FD(BPF_REG_1, 0),
1545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
1546 BPF_FUNC_map_lookup_elem),
1547 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1548 BPF_MOV64_IMM(BPF_REG_9, 0),
1549 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1550 /* write map_value_ptr into stack frame of main prog at fp-16 */
1551 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1552 BPF_MOV64_IMM(BPF_REG_9, 1),
1553
1554 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1555 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
1556 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1557 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1558 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
1560 BPF_EXIT_INSN(),
1561
1562 /* subprog 2 */
1563 /* if arg2 == 1 do *arg1 = 0 */
1564 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1565 /* fetch map_value_ptr from the stack of this function */
1566 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1567 /* write into map value */
1568 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1569
1570 /* if arg4 == 1 do *arg3 = 0 */
1571 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1572 /* fetch map_value_ptr from the stack of this function */
1573 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1574 /* write into map value */
1575 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
1576 BPF_EXIT_INSN(),
1577 },
1578 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1579 .fixup_map_hash_8b = { 12, 22 },
1580 .result = REJECT,
1581 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
1582 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1583},
1584{
1585 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
1586 .insns = {
1587 /* main prog */
1588 /* pass fp-16, fp-8 into a function */
1589 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1590 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1591 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1592 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1593 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1594 BPF_MOV64_IMM(BPF_REG_0, 0),
1595 BPF_EXIT_INSN(),
1596
1597 /* subprog 1 */
1598 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1599 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1600 /* 1st lookup from map */
1601 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1602 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1603 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1604 BPF_LD_MAP_FD(BPF_REG_1, 0),
1605 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1606 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1607 BPF_MOV64_IMM(BPF_REG_8, 0),
1608 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1609 /* write map_value_ptr into stack frame of main prog at fp-8 */
1610 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1611 BPF_MOV64_IMM(BPF_REG_8, 1),
1612
1613 /* 2nd lookup from map */
1614 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
1615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1616 BPF_LD_MAP_FD(BPF_REG_1, 0),
1617 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
1618 BPF_FUNC_map_lookup_elem),
1619 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1620 BPF_MOV64_IMM(BPF_REG_9, 0),
1621 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1622 /* write map_value_ptr into stack frame of main prog at fp-16 */
1623 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1624 BPF_MOV64_IMM(BPF_REG_9, 1),
1625
1626 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1627 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
1628 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1629 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1630 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1631 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1), /* 34 */
1632 BPF_EXIT_INSN(),
1633
1634 /* subprog 2 */
1635 /* if arg2 == 1 do *arg1 = 0 */
1636 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1637 /* fetch map_value_ptr from the stack of this function */
1638 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1639 /* write into map value */
1640 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1641
1642 /* if arg4 == 1 do *arg3 = 0 */
1643 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1644 /* fetch map_value_ptr from the stack of this function */
1645 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1646 /* write into map value */
1647 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1648 BPF_EXIT_INSN(),
1649 },
1650 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1651 .fixup_map_hash_8b = { 12, 22 },
1652 .result = ACCEPT,
1653},
1654{
1655 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
1656 .insns = {
1657 /* main prog */
1658 /* pass fp-16, fp-8 into a function */
1659 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1660 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1661 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1662 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1663 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1664 BPF_MOV64_IMM(BPF_REG_0, 0),
1665 BPF_EXIT_INSN(),
1666
1667 /* subprog 1 */
1668 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1669 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1670 /* 1st lookup from map */
1671 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
1672 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1673 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
1674 BPF_LD_MAP_FD(BPF_REG_1, 0),
1675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1676 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1677 BPF_MOV64_IMM(BPF_REG_8, 0),
1678 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1679 /* write map_value_ptr into stack frame of main prog at fp-8 */
1680 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1681 BPF_MOV64_IMM(BPF_REG_8, 1),
1682
1683 /* 2nd lookup from map */
1684 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
1686 BPF_LD_MAP_FD(BPF_REG_1, 0),
1687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1688 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1689 BPF_MOV64_IMM(BPF_REG_9, 0), // 26
1690 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1691 /* write map_value_ptr into stack frame of main prog at fp-16 */
1692 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1693 BPF_MOV64_IMM(BPF_REG_9, 1),
1694
1695 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1696 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
1697 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1698 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1699 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1700 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
1701 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
1702
1703 /* subprog 2 */
1704 /* if arg2 == 1 do *arg1 = 0 */
1705 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1706 /* fetch map_value_ptr from the stack of this function */
1707 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1708 /* write into map value */
1709 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1710
1711 /* if arg4 == 1 do *arg3 = 0 */
1712 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1713 /* fetch map_value_ptr from the stack of this function */
1714 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1715 /* write into map value */
1716 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
1717 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
1718 },
1719 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1720 .fixup_map_hash_8b = { 12, 22 },
1721 .result = REJECT,
1722 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
1723 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1724},
1725{
1726 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
1727 .insns = {
1728 /* main prog */
1729 /* pass fp-16, fp-8 into a function */
1730 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1731 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1732 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1733 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1734 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1735 BPF_MOV64_IMM(BPF_REG_0, 0),
1736 BPF_EXIT_INSN(),
1737
1738 /* subprog 1 */
1739 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1740 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1741 /* 1st lookup from map */
1742 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1743 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1744 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1745 BPF_LD_MAP_FD(BPF_REG_1, 0),
1746 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1747 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
1748 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1749 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1750 BPF_MOV64_IMM(BPF_REG_8, 0),
1751 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1752 BPF_MOV64_IMM(BPF_REG_8, 1),
1753
1754 /* 2nd lookup from map */
1755 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1756 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1757 BPF_LD_MAP_FD(BPF_REG_1, 0),
1758 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1759 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
1760 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1761 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1762 BPF_MOV64_IMM(BPF_REG_9, 0),
1763 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1764 BPF_MOV64_IMM(BPF_REG_9, 1),
1765
1766 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1767 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1768 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1769 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1770 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1771 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1772 BPF_EXIT_INSN(),
1773
1774 /* subprog 2 */
1775 /* if arg2 == 1 do *arg1 = 0 */
1776 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1777 /* fetch map_value_ptr from the stack of this function */
1778 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1779 /* write into map value */
1780 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1781
1782 /* if arg4 == 1 do *arg3 = 0 */
1783 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1784 /* fetch map_value_ptr from the stack of this function */
1785 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1786 /* write into map value */
1787 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1788 BPF_EXIT_INSN(),
1789 },
1790 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1791 .fixup_map_hash_8b = { 12, 22 },
1792 .result = ACCEPT,
1793},
1794{
1795 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
1796 .insns = {
1797 /* main prog */
1798 /* pass fp-16, fp-8 into a function */
1799 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1800 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1801 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1802 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1803 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1804 BPF_MOV64_IMM(BPF_REG_0, 0),
1805 BPF_EXIT_INSN(),
1806
1807 /* subprog 1 */
1808 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1809 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1810 /* 1st lookup from map */
1811 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1812 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1813 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1814 BPF_LD_MAP_FD(BPF_REG_1, 0),
1815 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1816 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
1817 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1818 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1819 BPF_MOV64_IMM(BPF_REG_8, 0),
1820 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1821 BPF_MOV64_IMM(BPF_REG_8, 1),
1822
1823 /* 2nd lookup from map */
1824 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1825 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1826 BPF_LD_MAP_FD(BPF_REG_1, 0),
1827 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1828 /* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
1829 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1830 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1831 BPF_MOV64_IMM(BPF_REG_9, 0),
1832 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1833 BPF_MOV64_IMM(BPF_REG_9, 1),
1834
1835 /* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1836 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1837 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1838 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1839 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1840 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1841 BPF_EXIT_INSN(),
1842
1843 /* subprog 2 */
1844 /* if arg2 == 1 do *arg1 = 0 */
1845 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1846 /* fetch map_value_ptr from the stack of this function */
1847 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1848 /* write into map value */
1849 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1850
1851 /* if arg4 == 0 do *arg3 = 0 */
1852 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
1853 /* fetch map_value_ptr from the stack of this function */
1854 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1855 /* write into map value */
1856 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1857 BPF_EXIT_INSN(),
1858 },
1859 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1860 .fixup_map_hash_8b = { 12, 22 },
1861 .result = REJECT,
1862 .errstr = "R0 invalid mem access 'scalar'",
1863},
1864{
1865 "calls: pkt_ptr spill into caller stack",
1866 .insns = {
1867 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1868 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1869 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1870 BPF_EXIT_INSN(),
1871
1872 /* subprog 1 */
1873 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1874 offsetof(struct __sk_buff, data)),
1875 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1876 offsetof(struct __sk_buff, data_end)),
1877 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1878 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1879 /* spill unchecked pkt_ptr into stack of caller */
1880 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1881 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1882 /* now the pkt range is verified, read pkt_ptr from stack */
1883 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1884 /* write 4 bytes into packet */
1885 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1886 BPF_EXIT_INSN(),
1887 },
1888 .result = ACCEPT,
1889 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1890 .retval = POINTER_VALUE,
1891 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1892},
1893{
1894 "calls: pkt_ptr spill into caller stack 2",
1895 .insns = {
1896 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1897 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1898 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1899 /* Marking is still kept, but not in all cases safe. */
1900 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1901 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1902 BPF_EXIT_INSN(),
1903
1904 /* subprog 1 */
1905 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1906 offsetof(struct __sk_buff, data)),
1907 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1908 offsetof(struct __sk_buff, data_end)),
1909 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1910 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1911 /* spill unchecked pkt_ptr into stack of caller */
1912 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1913 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1914 /* now the pkt range is verified, read pkt_ptr from stack */
1915 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1916 /* write 4 bytes into packet */
1917 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1918 BPF_EXIT_INSN(),
1919 },
1920 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1921 .errstr = "invalid access to packet",
1922 .result = REJECT,
1923 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1924},
1925{
1926 "calls: pkt_ptr spill into caller stack 3",
1927 .insns = {
1928 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1929 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1930 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1931 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1932 /* Marking is still kept and safe here. */
1933 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1934 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1935 BPF_EXIT_INSN(),
1936
1937 /* subprog 1 */
1938 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1939 offsetof(struct __sk_buff, data)),
1940 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1941 offsetof(struct __sk_buff, data_end)),
1942 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1943 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1944 /* spill unchecked pkt_ptr into stack of caller */
1945 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1946 BPF_MOV64_IMM(BPF_REG_5, 0),
1947 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
1948 BPF_MOV64_IMM(BPF_REG_5, 1),
1949 /* now the pkt range is verified, read pkt_ptr from stack */
1950 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1951 /* write 4 bytes into packet */
1952 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1953 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1954 BPF_EXIT_INSN(),
1955 },
1956 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1957 .result = ACCEPT,
1958 .retval = 1,
1959 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1960},
1961{
1962 "calls: pkt_ptr spill into caller stack 4",
1963 .insns = {
1964 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1965 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1966 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1967 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1968 /* Check marking propagated. */
1969 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1970 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1971 BPF_EXIT_INSN(),
1972
1973 /* subprog 1 */
1974 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1975 offsetof(struct __sk_buff, data)),
1976 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1977 offsetof(struct __sk_buff, data_end)),
1978 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1979 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1980 /* spill unchecked pkt_ptr into stack of caller */
1981 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1982 BPF_MOV64_IMM(BPF_REG_5, 0),
1983 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1984 BPF_MOV64_IMM(BPF_REG_5, 1),
1985 /* don't read back pkt_ptr from stack here */
1986 /* write 4 bytes into packet */
1987 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1988 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1989 BPF_EXIT_INSN(),
1990 },
1991 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1992 .result = ACCEPT,
1993 .retval = 1,
1994 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1995},
1996{
1997 "calls: pkt_ptr spill into caller stack 5",
1998 .insns = {
1999 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2000 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2001 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
2002 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2003 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2004 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2005 BPF_EXIT_INSN(),
2006
2007 /* subprog 1 */
2008 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2009 offsetof(struct __sk_buff, data)),
2010 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2011 offsetof(struct __sk_buff, data_end)),
2012 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2013 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2014 BPF_MOV64_IMM(BPF_REG_5, 0),
2015 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2016 /* spill checked pkt_ptr into stack of caller */
2017 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2018 BPF_MOV64_IMM(BPF_REG_5, 1),
2019 /* don't read back pkt_ptr from stack here */
2020 /* write 4 bytes into packet */
2021 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2022 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2023 BPF_EXIT_INSN(),
2024 },
2025 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2026 .errstr = "same insn cannot be used with different",
2027 .result = REJECT,
2028 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2029},
2030{
2031 "calls: pkt_ptr spill into caller stack 6",
2032 .insns = {
2033 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2034 offsetof(struct __sk_buff, data_end)),
2035 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2036 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2037 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2038 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2039 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2040 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2041 BPF_EXIT_INSN(),
2042
2043 /* subprog 1 */
2044 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2045 offsetof(struct __sk_buff, data)),
2046 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2047 offsetof(struct __sk_buff, data_end)),
2048 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2049 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2050 BPF_MOV64_IMM(BPF_REG_5, 0),
2051 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2052 /* spill checked pkt_ptr into stack of caller */
2053 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2054 BPF_MOV64_IMM(BPF_REG_5, 1),
2055 /* don't read back pkt_ptr from stack here */
2056 /* write 4 bytes into packet */
2057 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2058 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2059 BPF_EXIT_INSN(),
2060 },
2061 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2062 .errstr = "R4 invalid mem access",
2063 .result = REJECT,
2064 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2065},
2066{
2067 "calls: pkt_ptr spill into caller stack 7",
2068 .insns = {
2069 BPF_MOV64_IMM(BPF_REG_2, 0),
2070 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2071 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2072 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2073 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2074 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2075 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2076 BPF_EXIT_INSN(),
2077
2078 /* subprog 1 */
2079 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2080 offsetof(struct __sk_buff, data)),
2081 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2082 offsetof(struct __sk_buff, data_end)),
2083 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2084 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2085 BPF_MOV64_IMM(BPF_REG_5, 0),
2086 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2087 /* spill checked pkt_ptr into stack of caller */
2088 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2089 BPF_MOV64_IMM(BPF_REG_5, 1),
2090 /* don't read back pkt_ptr from stack here */
2091 /* write 4 bytes into packet */
2092 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2093 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2094 BPF_EXIT_INSN(),
2095 },
2096 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2097 .errstr = "R4 invalid mem access",
2098 .result = REJECT,
2099 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2100},
2101{
2102 "calls: pkt_ptr spill into caller stack 8",
2103 .insns = {
2104 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2105 offsetof(struct __sk_buff, data)),
2106 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2107 offsetof(struct __sk_buff, data_end)),
2108 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2109 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2110 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
2111 BPF_EXIT_INSN(),
2112 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2113 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2114 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2115 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2116 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2117 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2118 BPF_EXIT_INSN(),
2119
2120 /* subprog 1 */
2121 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2122 offsetof(struct __sk_buff, data)),
2123 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2124 offsetof(struct __sk_buff, data_end)),
2125 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2126 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2127 BPF_MOV64_IMM(BPF_REG_5, 0),
2128 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2129 /* spill checked pkt_ptr into stack of caller */
2130 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2131 BPF_MOV64_IMM(BPF_REG_5, 1),
2132 /* don't read back pkt_ptr from stack here */
2133 /* write 4 bytes into packet */
2134 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2135 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2136 BPF_EXIT_INSN(),
2137 },
2138 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2139 .result = ACCEPT,
2140 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2141},
2142{
2143 "calls: pkt_ptr spill into caller stack 9",
2144 .insns = {
2145 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2146 offsetof(struct __sk_buff, data)),
2147 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2148 offsetof(struct __sk_buff, data_end)),
2149 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2150 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2151 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
2152 BPF_EXIT_INSN(),
2153 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2154 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2155 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2156 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2157 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2158 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2159 BPF_EXIT_INSN(),
2160
2161 /* subprog 1 */
2162 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2163 offsetof(struct __sk_buff, data)),
2164 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2165 offsetof(struct __sk_buff, data_end)),
2166 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2167 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2168 BPF_MOV64_IMM(BPF_REG_5, 0),
2169 /* spill unchecked pkt_ptr into stack of caller */
2170 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2171 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2172 BPF_MOV64_IMM(BPF_REG_5, 1),
2173 /* don't read back pkt_ptr from stack here */
2174 /* write 4 bytes into packet */
2175 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2176 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2177 BPF_EXIT_INSN(),
2178 },
2179 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2180 .errstr = "invalid access to packet",
2181 .result = REJECT,
2182 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2183},
2184{
2185 "calls: caller stack init to zero or map_value_or_null",
2186 .insns = {
2187 BPF_MOV64_IMM(BPF_REG_0, 0),
2188 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2189 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2190 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2191 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
2192 /* fetch map_value_or_null or const_zero from stack */
2193 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2194 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2195 /* store into map_value */
2196 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
2197 BPF_EXIT_INSN(),
2198
2199 /* subprog 1 */
2200 /* if (ctx == 0) return; */
2201 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
2202 /* else bpf_map_lookup() and *(fp - 8) = r0 */
2203 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2204 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2205 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2206 BPF_LD_MAP_FD(BPF_REG_1, 0),
2207 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2208 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
2209 /* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
2210 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
2211 BPF_EXIT_INSN(),
2212 },
2213 .fixup_map_hash_8b = { 13 },
2214 .result = ACCEPT,
2215 .prog_type = BPF_PROG_TYPE_XDP,
2216},
2217{
2218 "calls: stack init to zero and pruning",
2219 .insns = {
2220 /* first make allocated_stack 16 byte */
2221 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
2222 /* now fork the execution such that the false branch
2223 * of JGT insn will be verified second and it skisp zero
2224 * init of fp-8 stack slot. If stack liveness marking
2225 * is missing live_read marks from call map_lookup
2226 * processing then pruning will incorrectly assume
2227 * that fp-8 stack slot was unused in the fall-through
2228 * branch and will accept the program incorrectly
2229 */
2230 BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
2231 BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 2, 2),
2232 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2233 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2234 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2235 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2236 BPF_LD_MAP_FD(BPF_REG_1, 0),
2237 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
2238 BPF_MOV64_IMM(BPF_REG_0, 0),
2239 BPF_EXIT_INSN(),
2240 },
2241 .fixup_map_hash_48b = { 7 },
2242 .errstr_unpriv = "invalid indirect read from stack R2 off -8+0 size 8",
2243 .result_unpriv = REJECT,
2244 /* in privileged mode reads from uninitialized stack locations are permitted */
2245 .result = ACCEPT,
2246},
2247{
2248 "calls: ctx read at start of subprog",
2249 .insns = {
2250 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
2251 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
2252 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
2253 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2254 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
2255 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
2256 BPF_EXIT_INSN(),
2257 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
2258 BPF_MOV64_IMM(BPF_REG_0, 0),
2259 BPF_EXIT_INSN(),
2260 },
2261 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2262 .errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
2263 .result_unpriv = REJECT,
2264 .result = ACCEPT,
2265},
2266{
2267 "calls: cross frame pruning",
2268 .insns = {
2269 /* r8 = !!random();
2270 * call pruner()
2271 * if (r8)
2272 * do something bad;
2273 */
2274 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2275 BPF_MOV64_IMM(BPF_REG_8, 0),
2276 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2277 BPF_MOV64_IMM(BPF_REG_8, 1),
2278 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2279 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
2280 BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
2281 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
2282 BPF_MOV64_IMM(BPF_REG_0, 0),
2283 BPF_EXIT_INSN(),
2284 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2285 BPF_EXIT_INSN(),
2286 },
2287 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2288 .errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
2289 .errstr = "!read_ok",
2290 .result = REJECT,
2291},
2292{
2293 "calls: cross frame pruning - liveness propagation",
2294 .insns = {
2295 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2296 BPF_MOV64_IMM(BPF_REG_8, 0),
2297 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2298 BPF_MOV64_IMM(BPF_REG_8, 1),
2299 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2300 BPF_MOV64_IMM(BPF_REG_9, 0),
2301 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2302 BPF_MOV64_IMM(BPF_REG_9, 1),
2303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
2304 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
2305 BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
2306 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),
2307 BPF_MOV64_IMM(BPF_REG_0, 0),
2308 BPF_EXIT_INSN(),
2309 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2310 BPF_EXIT_INSN(),
2311 },
2312 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2313 .errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
2314 .errstr = "!read_ok",
2315 .result = REJECT,
2316},
2317/* Make sure that verifier.c:states_equal() considers IDs from all
2318 * frames when building 'idmap' for check_ids().
2319 */
2320{
2321 "calls: check_ids() across call boundary",
2322 .insns = {
2323 /* Function main() */
2324 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2325 /* fp[-24] = map_lookup_elem(...) ; get a MAP_VALUE_PTR_OR_NULL with some ID */
2326 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2327 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2328 BPF_LD_MAP_FD(BPF_REG_1,
2329 0),
2330 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
2331 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -24),
2332 /* fp[-32] = map_lookup_elem(...) ; get a MAP_VALUE_PTR_OR_NULL with some ID */
2333 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2334 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2335 BPF_LD_MAP_FD(BPF_REG_1,
2336 0),
2337 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
2338 BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -32),
2339 /* call foo(&fp[-24], &fp[-32]) ; both arguments have IDs in the current
2340 * ; stack frame
2341 */
2342 BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
2343 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -24),
2344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
2345 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
2346 BPF_CALL_REL(2),
2347 /* exit 0 */
2348 BPF_MOV64_IMM(BPF_REG_0, 0),
2349 BPF_EXIT_INSN(),
2350 /* Function foo()
2351 *
2352 * r9 = &frame[0].fp[-24] ; save arguments in the callee saved registers,
2353 * r8 = &frame[0].fp[-32] ; arguments are pointers to pointers to map value
2354 */
2355 BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),
2356 BPF_MOV64_REG(BPF_REG_8, BPF_REG_2),
2357 /* r7 = ktime_get_ns() */
2358 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
2359 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
2360 /* r6 = ktime_get_ns() */
2361 BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
2362 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
2363 /* if r6 > r7 goto +1 ; no new information about the state is derived from
2364 * ; this check, thus produced verifier states differ
2365 * ; only in 'insn_idx'
2366 * r9 = r8
2367 */
2368 BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1),
2369 BPF_MOV64_REG(BPF_REG_9, BPF_REG_8),
2370 /* r9 = *r9 ; verifier get's to this point via two paths:
2371 * ; (I) one including r9 = r8, verified first;
2372 * ; (II) one excluding r9 = r8, verified next.
2373 * ; After load of *r9 to r9 the frame[0].fp[-24].id == r9.id.
2374 * ; Suppose that checkpoint is created here via path (I).
2375 * ; When verifying via (II) the r9.id must be compared against
2376 * ; frame[0].fp[-24].id, otherwise (I) and (II) would be
2377 * ; incorrectly deemed equivalent.
2378 * if r9 == 0 goto <exit>
2379 */
2380 BPF_LDX_MEM(BPF_DW, BPF_REG_9, BPF_REG_9, 0),
2381 BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 0, 1),
2382 /* r8 = *r8 ; read map value via r8, this is not safe
2383 * r0 = *r8 ; because r8 might be not equal to r9.
2384 */
2385 BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_8, 0),
2386 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0),
2387 /* exit 0 */
2388 BPF_MOV64_IMM(BPF_REG_0, 0),
2389 BPF_EXIT_INSN(),
2390 },
2391 .flags = BPF_F_TEST_STATE_FREQ,
2392 .fixup_map_hash_8b = { 3, 9 },
2393 .result = REJECT,
2394 .errstr = "R8 invalid mem access 'map_value_or_null'",
2395 .result_unpriv = REJECT,
2396 .errstr_unpriv = "",
2397 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
2398},