1 {
2 "calls: basic sanity",
3 .insns = {
4 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
5 BPF_MOV64_IMM(BPF_REG_0, 1),
6 BPF_EXIT_INSN(),
7 BPF_MOV64_IMM(BPF_REG_0, 2),
8 BPF_EXIT_INSN(),
9 },
10 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
11 .result = ACCEPT,
12 },
13 {
14 "calls: not on unpriviledged",
15 .insns = {
16 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
17 BPF_MOV64_IMM(BPF_REG_0, 1),
18 BPF_EXIT_INSN(),
19 BPF_MOV64_IMM(BPF_REG_0, 2),
20 BPF_EXIT_INSN(),
21 },
22 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
23 .result_unpriv = REJECT,
24 .result = ACCEPT,
25 .retval = 1,
26 },
27 {
28 "calls: div by 0 in subprog",
29 .insns = {
30 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
31 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
32 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
33 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
34 offsetof(struct __sk_buff, data_end)),
35 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
36 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
37 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
38 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
39 BPF_MOV64_IMM(BPF_REG_0, 1),
40 BPF_EXIT_INSN(),
41 BPF_MOV32_IMM(BPF_REG_2, 0),
42 BPF_MOV32_IMM(BPF_REG_3, 1),
43 BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
44 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
45 offsetof(struct __sk_buff, data)),
46 BPF_EXIT_INSN(),
47 },
48 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
49 .result = ACCEPT,
50 .retval = 1,
51 },
52 {
53 "calls: multiple ret types in subprog 1",
54 .insns = {
55 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
56 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
57 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
58 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
59 offsetof(struct __sk_buff, data_end)),
60 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
61 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
62 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
63 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
64 BPF_MOV64_IMM(BPF_REG_0, 1),
65 BPF_EXIT_INSN(),
66 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
67 offsetof(struct __sk_buff, data)),
68 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
69 BPF_MOV32_IMM(BPF_REG_0, 42),
70 BPF_EXIT_INSN(),
71 },
72 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
73 .result = REJECT,
74 .errstr = "R0 invalid mem access 'inv'",
75 },
76 {
77 "calls: multiple ret types in subprog 2",
78 .insns = {
79 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
80 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
81 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
82 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
83 offsetof(struct __sk_buff, data_end)),
84 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
85 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
86 BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
87 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
88 BPF_MOV64_IMM(BPF_REG_0, 1),
89 BPF_EXIT_INSN(),
90 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
91 offsetof(struct __sk_buff, data)),
92 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
93 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
94 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
95 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
96 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
97 BPF_LD_MAP_FD(BPF_REG_1, 0),
98 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
99 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
100 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
101 offsetof(struct __sk_buff, data)),
102 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
103 BPF_EXIT_INSN(),
104 },
105 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
106 .fixup_map_hash_8b = { 16 },
107 .result = REJECT,
108 .errstr = "R0 min value is outside of the array range",
109 },
110 {
111 "calls: overlapping caller/callee",
112 .insns = {
113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
114 BPF_MOV64_IMM(BPF_REG_0, 1),
115 BPF_EXIT_INSN(),
116 },
117 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
118 .errstr = "last insn is not an exit or jmp",
119 .result = REJECT,
120 },
121 {
122 "calls: wrong recursive calls",
123 .insns = {
124 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
125 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
126 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
127 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
128 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
129 BPF_MOV64_IMM(BPF_REG_0, 1),
130 BPF_EXIT_INSN(),
131 },
132 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
133 .errstr = "jump out of range",
134 .result = REJECT,
135 },
136 {
137 "calls: wrong src reg",
138 .insns = {
139 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
140 BPF_MOV64_IMM(BPF_REG_0, 1),
141 BPF_EXIT_INSN(),
142 },
143 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
144 .errstr = "BPF_CALL uses reserved fields",
145 .result = REJECT,
146 },
147 {
148 "calls: wrong off value",
149 .insns = {
150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
151 BPF_MOV64_IMM(BPF_REG_0, 1),
152 BPF_EXIT_INSN(),
153 BPF_MOV64_IMM(BPF_REG_0, 2),
154 BPF_EXIT_INSN(),
155 },
156 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
157 .errstr = "BPF_CALL uses reserved fields",
158 .result = REJECT,
159 },
160 {
161 "calls: jump back loop",
162 .insns = {
163 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
164 BPF_MOV64_IMM(BPF_REG_0, 1),
165 BPF_EXIT_INSN(),
166 },
167 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
168 .errstr = "back-edge from insn 0 to 0",
169 .result = REJECT,
170 },
171 {
172 "calls: conditional call",
173 .insns = {
174 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
175 offsetof(struct __sk_buff, mark)),
176 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
177 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
178 BPF_MOV64_IMM(BPF_REG_0, 1),
179 BPF_EXIT_INSN(),
180 BPF_MOV64_IMM(BPF_REG_0, 2),
181 BPF_EXIT_INSN(),
182 },
183 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
184 .errstr = "jump out of range",
185 .result = REJECT,
186 },
187 {
188 "calls: conditional call 2",
189 .insns = {
190 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
191 offsetof(struct __sk_buff, mark)),
192 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
193 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
194 BPF_MOV64_IMM(BPF_REG_0, 1),
195 BPF_EXIT_INSN(),
196 BPF_MOV64_IMM(BPF_REG_0, 2),
197 BPF_EXIT_INSN(),
198 BPF_MOV64_IMM(BPF_REG_0, 3),
199 BPF_EXIT_INSN(),
200 },
201 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
202 .result = ACCEPT,
203 },
204 {
205 "calls: conditional call 3",
206 .insns = {
207 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
208 offsetof(struct __sk_buff, mark)),
209 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
210 BPF_JMP_IMM(BPF_JA, 0, 0, 4),
211 BPF_MOV64_IMM(BPF_REG_0, 1),
212 BPF_EXIT_INSN(),
213 BPF_MOV64_IMM(BPF_REG_0, 1),
214 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
215 BPF_MOV64_IMM(BPF_REG_0, 3),
216 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
217 },
218 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
219 .errstr_unpriv = "back-edge from insn",
220 .result_unpriv = REJECT,
221 .result = ACCEPT,
222 .retval = 1,
223 },
224 {
225 "calls: conditional call 4",
226 .insns = {
227 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
228 offsetof(struct __sk_buff, mark)),
229 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
230 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
231 BPF_MOV64_IMM(BPF_REG_0, 1),
232 BPF_EXIT_INSN(),
233 BPF_MOV64_IMM(BPF_REG_0, 1),
234 BPF_JMP_IMM(BPF_JA, 0, 0, -5),
235 BPF_MOV64_IMM(BPF_REG_0, 3),
236 BPF_EXIT_INSN(),
237 },
238 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
239 .result = ACCEPT,
240 },
241 {
242 "calls: conditional call 5",
243 .insns = {
244 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
245 offsetof(struct __sk_buff, mark)),
246 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
247 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
248 BPF_MOV64_IMM(BPF_REG_0, 1),
249 BPF_EXIT_INSN(),
250 BPF_MOV64_IMM(BPF_REG_0, 1),
251 BPF_JMP_IMM(BPF_JA, 0, 0, -6),
252 BPF_MOV64_IMM(BPF_REG_0, 3),
253 BPF_EXIT_INSN(),
254 },
255 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
256 .result = ACCEPT,
257 .retval = 1,
258 },
259 {
260 "calls: conditional call 6",
261 .insns = {
262 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
263 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
264 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
265 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
266 BPF_EXIT_INSN(),
267 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
268 offsetof(struct __sk_buff, mark)),
269 BPF_EXIT_INSN(),
270 },
271 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
272 .errstr = "infinite loop detected",
273 .result = REJECT,
274 },
275 {
276 "calls: using r0 returned by callee",
277 .insns = {
278 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
279 BPF_EXIT_INSN(),
280 BPF_MOV64_IMM(BPF_REG_0, 2),
281 BPF_EXIT_INSN(),
282 },
283 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
284 .result = ACCEPT,
285 },
286 {
287 "calls: using uninit r0 from callee",
288 .insns = {
289 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
290 BPF_EXIT_INSN(),
291 BPF_EXIT_INSN(),
292 },
293 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
294 .errstr = "!read_ok",
295 .result = REJECT,
296 },
297 {
298 "calls: callee is using r1",
299 .insns = {
300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
301 BPF_EXIT_INSN(),
302 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
303 offsetof(struct __sk_buff, len)),
304 BPF_EXIT_INSN(),
305 },
306 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
307 .result = ACCEPT,
308 .retval = TEST_DATA_LEN,
309 },
310 {
311 "calls: callee using args1",
312 .insns = {
313 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
314 BPF_EXIT_INSN(),
315 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
316 BPF_EXIT_INSN(),
317 },
318 .errstr_unpriv = "allowed for root only",
319 .result_unpriv = REJECT,
320 .result = ACCEPT,
321 .retval = POINTER_VALUE,
322 },
323 {
324 "calls: callee using wrong args2",
325 .insns = {
326 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
327 BPF_EXIT_INSN(),
328 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
329 BPF_EXIT_INSN(),
330 },
331 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
332 .errstr = "R2 !read_ok",
333 .result = REJECT,
334 },
335 {
336 "calls: callee using two args",
337 .insns = {
338 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
339 BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
340 offsetof(struct __sk_buff, len)),
341 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
342 offsetof(struct __sk_buff, len)),
343 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
344 BPF_EXIT_INSN(),
345 BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
346 BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
347 BPF_EXIT_INSN(),
348 },
349 .errstr_unpriv = "allowed for root only",
350 .result_unpriv = REJECT,
351 .result = ACCEPT,
352 .retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
353 },
354 {
355 "calls: callee changing pkt pointers",
356 .insns = {
357 BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, offsetof(struct xdp_md, data)),
358 BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
359 offsetof(struct xdp_md, data_end)),
360 BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
362 BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
363 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
364
365
366
367
368
369 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
370 BPF_MOV32_IMM(BPF_REG_0, 0),
371 BPF_EXIT_INSN(),
372 BPF_MOV64_IMM(BPF_REG_2, 0),
373 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_xdp_adjust_head),
374 BPF_EXIT_INSN(),
375 },
376 .result = REJECT,
377 .errstr = "R6 invalid mem access 'inv'",
378 .prog_type = BPF_PROG_TYPE_XDP,
379 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
380 },
381 {
382 "calls: ptr null check in subprog",
383 .insns = {
384 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
385 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
386 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
387 BPF_LD_MAP_FD(BPF_REG_1, 0),
388 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
389 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
390 BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
391 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
392 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
393 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
394 BPF_EXIT_INSN(),
395 BPF_MOV64_IMM(BPF_REG_0, 0),
396 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
397 BPF_MOV64_IMM(BPF_REG_0, 1),
398 BPF_EXIT_INSN(),
399 },
400 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
401 .fixup_map_hash_48b = { 3 },
402 .result_unpriv = REJECT,
403 .result = ACCEPT,
404 .retval = 0,
405 },
406 {
407 "calls: two calls with args",
408 .insns = {
409 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
410 BPF_EXIT_INSN(),
411 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
412 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
413 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
414 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
416 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
417 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
418 BPF_EXIT_INSN(),
419 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
420 offsetof(struct __sk_buff, len)),
421 BPF_EXIT_INSN(),
422 },
423 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
424 .result = ACCEPT,
425 .retval = TEST_DATA_LEN + TEST_DATA_LEN,
426 },
427 {
428 "calls: calls with stack arith",
429 .insns = {
430 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
431 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
432 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
433 BPF_EXIT_INSN(),
434 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
435 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
436 BPF_EXIT_INSN(),
437 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
438 BPF_MOV64_IMM(BPF_REG_0, 42),
439 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
440 BPF_EXIT_INSN(),
441 },
442 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
443 .result = ACCEPT,
444 .retval = 42,
445 },
446 {
447 "calls: calls with misaligned stack access",
448 .insns = {
449 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
450 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
451 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
452 BPF_EXIT_INSN(),
453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
454 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
455 BPF_EXIT_INSN(),
456 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
457 BPF_MOV64_IMM(BPF_REG_0, 42),
458 BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
459 BPF_EXIT_INSN(),
460 },
461 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
462 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
463 .errstr = "misaligned stack access",
464 .result = REJECT,
465 },
466 {
467 "calls: calls control flow, jump test",
468 .insns = {
469 BPF_MOV64_IMM(BPF_REG_0, 42),
470 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
471 BPF_MOV64_IMM(BPF_REG_0, 43),
472 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
473 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
474 BPF_EXIT_INSN(),
475 },
476 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
477 .result = ACCEPT,
478 .retval = 43,
479 },
480 {
481 "calls: calls control flow, jump test 2",
482 .insns = {
483 BPF_MOV64_IMM(BPF_REG_0, 42),
484 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
485 BPF_MOV64_IMM(BPF_REG_0, 43),
486 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
487 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
488 BPF_EXIT_INSN(),
489 },
490 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
491 .errstr = "jump out of range from insn 1 to 4",
492 .result = REJECT,
493 },
494 {
495 "calls: two calls with bad jump",
496 .insns = {
497 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
498 BPF_EXIT_INSN(),
499 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
500 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
501 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
502 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
503 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
504 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
505 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
506 BPF_EXIT_INSN(),
507 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
508 offsetof(struct __sk_buff, len)),
509 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
510 BPF_EXIT_INSN(),
511 },
512 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
513 .errstr = "jump out of range from insn 11 to 9",
514 .result = REJECT,
515 },
516 {
517 "calls: recursive call. test1",
518 .insns = {
519 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
520 BPF_EXIT_INSN(),
521 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
522 BPF_EXIT_INSN(),
523 },
524 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
525 .errstr = "back-edge",
526 .result = REJECT,
527 },
528 {
529 "calls: recursive call. test2",
530 .insns = {
531 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
532 BPF_EXIT_INSN(),
533 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
534 BPF_EXIT_INSN(),
535 },
536 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
537 .errstr = "back-edge",
538 .result = REJECT,
539 },
540 {
541 "calls: unreachable code",
542 .insns = {
543 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
544 BPF_EXIT_INSN(),
545 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
546 BPF_EXIT_INSN(),
547 BPF_MOV64_IMM(BPF_REG_0, 0),
548 BPF_EXIT_INSN(),
549 BPF_MOV64_IMM(BPF_REG_0, 0),
550 BPF_EXIT_INSN(),
551 },
552 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
553 .errstr = "unreachable insn 6",
554 .result = REJECT,
555 },
556 {
557 "calls: invalid call",
558 .insns = {
559 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
560 BPF_EXIT_INSN(),
561 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
562 BPF_EXIT_INSN(),
563 },
564 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
565 .errstr = "invalid destination",
566 .result = REJECT,
567 },
568 {
569 "calls: invalid call 2",
570 .insns = {
571 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
572 BPF_EXIT_INSN(),
573 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
574 BPF_EXIT_INSN(),
575 },
576 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
577 .errstr = "invalid destination",
578 .result = REJECT,
579 },
580 {
581 "calls: jumping across function bodies. test1",
582 .insns = {
583 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
584 BPF_MOV64_IMM(BPF_REG_0, 0),
585 BPF_EXIT_INSN(),
586 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
587 BPF_EXIT_INSN(),
588 },
589 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
590 .errstr = "jump out of range",
591 .result = REJECT,
592 },
593 {
594 "calls: jumping across function bodies. test2",
595 .insns = {
596 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
597 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
598 BPF_MOV64_IMM(BPF_REG_0, 0),
599 BPF_EXIT_INSN(),
600 BPF_EXIT_INSN(),
601 },
602 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
603 .errstr = "jump out of range",
604 .result = REJECT,
605 },
606 {
607 "calls: call without exit",
608 .insns = {
609 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
610 BPF_EXIT_INSN(),
611 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
612 BPF_EXIT_INSN(),
613 BPF_MOV64_IMM(BPF_REG_0, 0),
614 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
615 },
616 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
617 .errstr = "not an exit",
618 .result = REJECT,
619 },
620 {
621 "calls: call into middle of ld_imm64",
622 .insns = {
623 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
624 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
625 BPF_MOV64_IMM(BPF_REG_0, 0),
626 BPF_EXIT_INSN(),
627 BPF_LD_IMM64(BPF_REG_0, 0),
628 BPF_EXIT_INSN(),
629 },
630 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
631 .errstr = "last insn",
632 .result = REJECT,
633 },
634 {
635 "calls: call into middle of other call",
636 .insns = {
637 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
638 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
639 BPF_MOV64_IMM(BPF_REG_0, 0),
640 BPF_EXIT_INSN(),
641 BPF_MOV64_IMM(BPF_REG_0, 0),
642 BPF_MOV64_IMM(BPF_REG_0, 0),
643 BPF_EXIT_INSN(),
644 },
645 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
646 .errstr = "last insn",
647 .result = REJECT,
648 },
649 {
650 "calls: ld_abs with changing ctx data in callee",
651 .insns = {
652 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
653 BPF_LD_ABS(BPF_B, 0),
654 BPF_LD_ABS(BPF_H, 0),
655 BPF_LD_ABS(BPF_W, 0),
656 BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
657 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
658 BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
659 BPF_LD_ABS(BPF_B, 0),
660 BPF_LD_ABS(BPF_H, 0),
661 BPF_LD_ABS(BPF_W, 0),
662 BPF_EXIT_INSN(),
663 BPF_MOV64_IMM(BPF_REG_2, 1),
664 BPF_MOV64_IMM(BPF_REG_3, 2),
665 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_vlan_push),
666 BPF_EXIT_INSN(),
667 },
668 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
669 .errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
670 .result = REJECT,
671 },
672 {
673 "calls: two calls with bad fallthrough",
674 .insns = {
675 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
676 BPF_EXIT_INSN(),
677 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
678 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
679 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
680 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
681 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
682 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
683 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
684 BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
685 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
686 offsetof(struct __sk_buff, len)),
687 BPF_EXIT_INSN(),
688 },
689 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
690 .errstr = "not an exit",
691 .result = REJECT,
692 },
693 {
694 "calls: two calls with stack read",
695 .insns = {
696 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
697 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
698 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
699 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
700 BPF_EXIT_INSN(),
701 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
702 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
703 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
704 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
705 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
706 BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
707 BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
708 BPF_EXIT_INSN(),
709 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
710 BPF_EXIT_INSN(),
711 },
712 .prog_type = BPF_PROG_TYPE_XDP,
713 .result = ACCEPT,
714 },
715 {
716 "calls: two calls with stack write",
717 .insns = {
718
719 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
720 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
722 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
723 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
724 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
725 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
726 BPF_EXIT_INSN(),
727
728
729 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
730 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
731 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
732 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
733 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
734 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
735 BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
736 BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
737
738 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
739 BPF_EXIT_INSN(),
740
741
742
743 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
744 BPF_EXIT_INSN(),
745 },
746 .prog_type = BPF_PROG_TYPE_XDP,
747 .result = ACCEPT,
748 },
749 {
750 "calls: stack overflow using two frames (pre-call access)",
751 .insns = {
752
753 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
754 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
755 BPF_EXIT_INSN(),
756
757
758 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
759 BPF_MOV64_IMM(BPF_REG_0, 0),
760 BPF_EXIT_INSN(),
761 },
762 .prog_type = BPF_PROG_TYPE_XDP,
763 .errstr = "combined stack size",
764 .result = REJECT,
765 },
766 {
767 "calls: stack overflow using two frames (post-call access)",
768 .insns = {
769
770 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
771 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
772 BPF_EXIT_INSN(),
773
774
775 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
776 BPF_MOV64_IMM(BPF_REG_0, 0),
777 BPF_EXIT_INSN(),
778 },
779 .prog_type = BPF_PROG_TYPE_XDP,
780 .errstr = "combined stack size",
781 .result = REJECT,
782 },
783 {
784 "calls: stack depth check using three frames. test1",
785 .insns = {
786
787 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4),
788 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5),
789 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
790 BPF_MOV64_IMM(BPF_REG_0, 0),
791 BPF_EXIT_INSN(),
792
793 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
794 BPF_EXIT_INSN(),
795
796 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3),
797 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
798 BPF_EXIT_INSN(),
799 },
800 .prog_type = BPF_PROG_TYPE_XDP,
801
802
803
804 .result = ACCEPT,
805 },
806 {
807 "calls: stack depth check using three frames. test2",
808 .insns = {
809
810 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4),
811 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5),
812 BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
813 BPF_MOV64_IMM(BPF_REG_0, 0),
814 BPF_EXIT_INSN(),
815
816 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
817 BPF_EXIT_INSN(),
818
819 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3),
820 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
821 BPF_EXIT_INSN(),
822 },
823 .prog_type = BPF_PROG_TYPE_XDP,
824
825
826
827 .result = ACCEPT,
828 },
829 {
830 "calls: stack depth check using three frames. test3",
831 .insns = {
832
833 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
834 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6),
835 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
836 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8),
837 BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
838 BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
839 BPF_MOV64_IMM(BPF_REG_0, 0),
840 BPF_EXIT_INSN(),
841
842 BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
843 BPF_EXIT_INSN(),
844 BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
845 BPF_JMP_IMM(BPF_JA, 0, 0, -3),
846
847 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
848 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6),
849 BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
850 BPF_EXIT_INSN(),
851 },
852 .prog_type = BPF_PROG_TYPE_XDP,
853
854
855
856 .errstr = "combined stack",
857 .result = REJECT,
858 },
859 {
860 "calls: stack depth check using three frames. test4",
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879 .insns = {
880
881 BPF_MOV64_IMM(BPF_REG_1, 0),
882 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6),
883 BPF_MOV64_IMM(BPF_REG_1, 1),
884 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4),
885 BPF_MOV64_IMM(BPF_REG_1, 1),
886 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7),
887 BPF_MOV64_IMM(BPF_REG_0, 0),
888 BPF_EXIT_INSN(),
889
890 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
891 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
892 BPF_EXIT_INSN(),
893 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
894 BPF_EXIT_INSN(),
895
896 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
897 BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
898 BPF_EXIT_INSN(),
899 },
900 .prog_type = BPF_PROG_TYPE_XDP,
901 .result = REJECT,
902 .errstr = "combined stack",
903 },
904 {
905 "calls: stack depth check using three frames. test5",
906 .insns = {
907
908 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
909 BPF_EXIT_INSN(),
910
911 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
912 BPF_EXIT_INSN(),
913
914 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
915 BPF_EXIT_INSN(),
916
917 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
918 BPF_EXIT_INSN(),
919
920 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
921 BPF_EXIT_INSN(),
922
923 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
924 BPF_EXIT_INSN(),
925
926 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
927 BPF_EXIT_INSN(),
928
929 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
930 BPF_EXIT_INSN(),
931
932 BPF_MOV64_IMM(BPF_REG_0, 0),
933 BPF_EXIT_INSN(),
934 },
935 .prog_type = BPF_PROG_TYPE_XDP,
936 .errstr = "call stack",
937 .result = REJECT,
938 },
939 {
940 "calls: stack depth check in dead code",
941 .insns = {
942
943 BPF_MOV64_IMM(BPF_REG_1, 0),
944 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
945 BPF_EXIT_INSN(),
946
947 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
948 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
949 BPF_MOV64_IMM(BPF_REG_0, 0),
950 BPF_EXIT_INSN(),
951
952 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
953 BPF_EXIT_INSN(),
954
955 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
956 BPF_EXIT_INSN(),
957
958 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
959 BPF_EXIT_INSN(),
960
961 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
962 BPF_EXIT_INSN(),
963
964 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
965 BPF_EXIT_INSN(),
966
967 BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
968 BPF_EXIT_INSN(),
969
970 BPF_MOV64_IMM(BPF_REG_0, 0),
971 BPF_EXIT_INSN(),
972 },
973 .prog_type = BPF_PROG_TYPE_XDP,
974 .errstr = "call stack",
975 .result = REJECT,
976 },
977 {
978 "calls: spill into caller stack frame",
979 .insns = {
980 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
981 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
982 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
983 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
984 BPF_EXIT_INSN(),
985 BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
986 BPF_MOV64_IMM(BPF_REG_0, 0),
987 BPF_EXIT_INSN(),
988 },
989 .prog_type = BPF_PROG_TYPE_XDP,
990 .errstr = "cannot spill",
991 .result = REJECT,
992 },
993 {
994 "calls: write into caller stack frame",
995 .insns = {
996 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
997 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
998 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
999 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1000 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1001 BPF_EXIT_INSN(),
1002 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
1003 BPF_MOV64_IMM(BPF_REG_0, 0),
1004 BPF_EXIT_INSN(),
1005 },
1006 .prog_type = BPF_PROG_TYPE_XDP,
1007 .result = ACCEPT,
1008 .retval = 42,
1009 },
1010 {
1011 "calls: write into callee stack frame",
1012 .insns = {
1013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1014 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
1015 BPF_EXIT_INSN(),
1016 BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1017 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
1018 BPF_EXIT_INSN(),
1019 },
1020 .prog_type = BPF_PROG_TYPE_XDP,
1021 .errstr = "cannot return stack pointer",
1022 .result = REJECT,
1023 },
1024 {
1025 "calls: two calls with stack write and void return",
1026 .insns = {
1027
1028 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1029 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1030 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1031 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1032 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1033 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1034 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1035 BPF_EXIT_INSN(),
1036
1037
1038 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1039 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1040 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1041 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1042 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1043 BPF_EXIT_INSN(),
1044
1045
1046
1047 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
1048 BPF_EXIT_INSN(),
1049 },
1050 .prog_type = BPF_PROG_TYPE_XDP,
1051 .result = ACCEPT,
1052 },
1053 {
1054 "calls: ambiguous return value",
1055 .insns = {
1056 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1057 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
1058 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1059 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1060 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1061 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1062 BPF_EXIT_INSN(),
1063 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1064 BPF_MOV64_IMM(BPF_REG_0, 0),
1065 BPF_EXIT_INSN(),
1066 },
1067 .errstr_unpriv = "allowed for root only",
1068 .result_unpriv = REJECT,
1069 .errstr = "R0 !read_ok",
1070 .result = REJECT,
1071 },
1072 {
1073 "calls: two calls that return map_value",
1074 .insns = {
1075
1076
1077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1079 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1080 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1081 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
1082
1083
1084 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1085 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1086
1087 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1088
1089 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1090 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1091
1092 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1093 BPF_MOV64_IMM(BPF_REG_0, 0),
1094 BPF_EXIT_INSN(),
1095
1096
1097
1098 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1099 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1100
1101 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1102 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1103
1104 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1105 BPF_EXIT_INSN(),
1106
1107
1108 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1109
1110 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1111 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1112 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1113 BPF_LD_MAP_FD(BPF_REG_1, 0),
1114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1115
1116 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1117 BPF_MOV64_IMM(BPF_REG_0, 0),
1118 BPF_EXIT_INSN(),
1119 },
1120 .prog_type = BPF_PROG_TYPE_XDP,
1121 .fixup_map_hash_8b = { 23 },
1122 .result = ACCEPT,
1123 },
1124 {
1125 "calls: two calls that return map_value with bool condition",
1126 .insns = {
1127
1128
1129 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1130 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1131 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1132 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1133 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1134 BPF_MOV64_IMM(BPF_REG_0, 0),
1135 BPF_EXIT_INSN(),
1136
1137
1138
1139 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1140 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1141
1142 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
1143 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1144
1145 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1146
1147 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1148 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1149
1150 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1151 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1152
1153 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
1154
1155 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1156 BPF_EXIT_INSN(),
1157
1158
1159 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1160
1161 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1162 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1164 BPF_LD_MAP_FD(BPF_REG_1, 0),
1165 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1166 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1167 BPF_MOV64_IMM(BPF_REG_0, 0),
1168 BPF_EXIT_INSN(),
1169
1170 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1171 BPF_MOV64_IMM(BPF_REG_0, 1),
1172 BPF_EXIT_INSN(),
1173 },
1174 .prog_type = BPF_PROG_TYPE_XDP,
1175 .fixup_map_hash_8b = { 23 },
1176 .result = ACCEPT,
1177 },
1178 {
1179 "calls: two calls that return map_value with incorrect bool check",
1180 .insns = {
1181
1182
1183 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1184 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1185 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1186 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1187 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1188 BPF_MOV64_IMM(BPF_REG_0, 0),
1189 BPF_EXIT_INSN(),
1190
1191
1192
1193 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1194 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1195
1196 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
1197 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1198
1199 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1200
1201 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1202 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1203
1204 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1205 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1206
1207 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
1208
1209 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1210 BPF_EXIT_INSN(),
1211
1212
1213 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1214
1215 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1216 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1217 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1218 BPF_LD_MAP_FD(BPF_REG_1, 0),
1219 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1220 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1221 BPF_MOV64_IMM(BPF_REG_0, 0),
1222 BPF_EXIT_INSN(),
1223
1224 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1225 BPF_MOV64_IMM(BPF_REG_0, 1),
1226 BPF_EXIT_INSN(),
1227 },
1228 .prog_type = BPF_PROG_TYPE_XDP,
1229 .fixup_map_hash_8b = { 23 },
1230 .result = REJECT,
1231 .errstr = "invalid read from stack off -16+0 size 8",
1232 },
1233 {
1234 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
1235 .insns = {
1236
1237
1238 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1239 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1240 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1241 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1242 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1243 BPF_MOV64_IMM(BPF_REG_0, 0),
1244 BPF_EXIT_INSN(),
1245
1246
1247 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1248 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1249
1250 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1251 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1252 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1253 BPF_LD_MAP_FD(BPF_REG_1, 0),
1254 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1255 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1256 BPF_MOV64_IMM(BPF_REG_8, 0),
1257 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1258
1259 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1260 BPF_MOV64_IMM(BPF_REG_8, 1),
1261
1262
1263 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1264 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1265 BPF_LD_MAP_FD(BPF_REG_1, 0),
1266 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1267 BPF_FUNC_map_lookup_elem),
1268 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1269 BPF_MOV64_IMM(BPF_REG_9, 0),
1270 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1271
1272 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1273 BPF_MOV64_IMM(BPF_REG_9, 1),
1274
1275
1276 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1277 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1278 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1279 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1280 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1281 BPF_EXIT_INSN(),
1282
1283
1284
1285 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1286
1287 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1288
1289 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1290
1291
1292 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1293
1294 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1295
1296 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
1297 BPF_EXIT_INSN(),
1298 },
1299 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1300 .fixup_map_hash_8b = { 12, 22 },
1301 .result = REJECT,
1302 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
1303 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1304 },
1305 {
1306 "calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
1307 .insns = {
1308
1309
1310 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1311 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1312 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1313 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1314 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1315 BPF_MOV64_IMM(BPF_REG_0, 0),
1316 BPF_EXIT_INSN(),
1317
1318
1319 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1320 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1321
1322 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1323 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1324 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1325 BPF_LD_MAP_FD(BPF_REG_1, 0),
1326 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1327 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1328 BPF_MOV64_IMM(BPF_REG_8, 0),
1329 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1330
1331 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1332 BPF_MOV64_IMM(BPF_REG_8, 1),
1333
1334
1335 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1337 BPF_LD_MAP_FD(BPF_REG_1, 0),
1338 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1339 BPF_FUNC_map_lookup_elem),
1340 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1341 BPF_MOV64_IMM(BPF_REG_9, 0),
1342 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1343
1344 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1345 BPF_MOV64_IMM(BPF_REG_9, 1),
1346
1347
1348 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1349 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1350 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1351 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1352 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1353 BPF_EXIT_INSN(),
1354
1355
1356
1357 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1358
1359 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1360
1361 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1362
1363
1364 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1365
1366 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1367
1368 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1369 BPF_EXIT_INSN(),
1370 },
1371 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1372 .fixup_map_hash_8b = { 12, 22 },
1373 .result = ACCEPT,
1374 },
1375 {
1376 "calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
1377 .insns = {
1378
1379
1380 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1381 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1382 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1383 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1384 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1385 BPF_MOV64_IMM(BPF_REG_0, 0),
1386 BPF_EXIT_INSN(),
1387
1388
1389 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1390 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1391
1392 BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
1393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1394 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
1395 BPF_LD_MAP_FD(BPF_REG_1, 0),
1396 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1397 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1398 BPF_MOV64_IMM(BPF_REG_8, 0),
1399 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1400
1401 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1402 BPF_MOV64_IMM(BPF_REG_8, 1),
1403
1404
1405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1406 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
1407 BPF_LD_MAP_FD(BPF_REG_1, 0),
1408 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1409 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1410 BPF_MOV64_IMM(BPF_REG_9, 0),
1411 BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1412
1413 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1414 BPF_MOV64_IMM(BPF_REG_9, 1),
1415
1416
1417 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1418 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1419 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1420 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1421 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1422 BPF_JMP_IMM(BPF_JA, 0, 0, -30),
1423
1424
1425
1426 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1427
1428 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1429
1430 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1431
1432
1433 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1434
1435 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1436
1437 BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
1438 BPF_JMP_IMM(BPF_JA, 0, 0, -8),
1439 },
1440 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1441 .fixup_map_hash_8b = { 12, 22 },
1442 .result = REJECT,
1443 .errstr = "invalid access to map value, value_size=8 off=2 size=8",
1444 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1445 },
1446 {
1447 "calls: two calls that receive map_value_ptr_or_null via arg. test1",
1448 .insns = {
1449
1450
1451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1452 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1453 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1454 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1455 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1456 BPF_MOV64_IMM(BPF_REG_0, 0),
1457 BPF_EXIT_INSN(),
1458
1459
1460 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1461 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1462
1463 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1464 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1465 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1466 BPF_LD_MAP_FD(BPF_REG_1, 0),
1467 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1468
1469 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1470 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1471 BPF_MOV64_IMM(BPF_REG_8, 0),
1472 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1473 BPF_MOV64_IMM(BPF_REG_8, 1),
1474
1475
1476 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1477 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1478 BPF_LD_MAP_FD(BPF_REG_1, 0),
1479 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1480
1481 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1482 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1483 BPF_MOV64_IMM(BPF_REG_9, 0),
1484 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1485 BPF_MOV64_IMM(BPF_REG_9, 1),
1486
1487
1488 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1490 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1491 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1492 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1493 BPF_EXIT_INSN(),
1494
1495
1496
1497 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1498
1499 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1500
1501 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1502
1503
1504 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1505
1506 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1507
1508 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1509 BPF_EXIT_INSN(),
1510 },
1511 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1512 .fixup_map_hash_8b = { 12, 22 },
1513 .result = ACCEPT,
1514 },
1515 {
1516 "calls: two calls that receive map_value_ptr_or_null via arg. test2",
1517 .insns = {
1518
1519
1520 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1521 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1522 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1523 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1524 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1525 BPF_MOV64_IMM(BPF_REG_0, 0),
1526 BPF_EXIT_INSN(),
1527
1528
1529 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1530 BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1531
1532 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1533 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1534 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1535 BPF_LD_MAP_FD(BPF_REG_1, 0),
1536 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1537
1538 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1539 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1540 BPF_MOV64_IMM(BPF_REG_8, 0),
1541 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1542 BPF_MOV64_IMM(BPF_REG_8, 1),
1543
1544
1545 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1546 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1547 BPF_LD_MAP_FD(BPF_REG_1, 0),
1548 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1549
1550 BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1551 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1552 BPF_MOV64_IMM(BPF_REG_9, 0),
1553 BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1554 BPF_MOV64_IMM(BPF_REG_9, 1),
1555
1556
1557 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1558 BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1559 BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1560 BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1561 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1562 BPF_EXIT_INSN(),
1563
1564
1565
1566 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1567
1568 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1569
1570 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1571
1572
1573 BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
1574
1575 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1576
1577 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1578 BPF_EXIT_INSN(),
1579 },
1580 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1581 .fixup_map_hash_8b = { 12, 22 },
1582 .result = REJECT,
1583 .errstr = "R0 invalid mem access 'inv'",
1584 },
1585 {
1586 "calls: pkt_ptr spill into caller stack",
1587 .insns = {
1588 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1589 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1590 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1591 BPF_EXIT_INSN(),
1592
1593
1594 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1595 offsetof(struct __sk_buff, data)),
1596 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1597 offsetof(struct __sk_buff, data_end)),
1598 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1600
1601 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1602 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1603
1604 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1605
1606 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1607 BPF_EXIT_INSN(),
1608 },
1609 .result = ACCEPT,
1610 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1611 .retval = POINTER_VALUE,
1612 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1613 },
1614 {
1615 "calls: pkt_ptr spill into caller stack 2",
1616 .insns = {
1617 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1618 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1619 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1620
1621 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1622 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1623 BPF_EXIT_INSN(),
1624
1625
1626 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1627 offsetof(struct __sk_buff, data)),
1628 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1629 offsetof(struct __sk_buff, data_end)),
1630 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1632
1633 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1634 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1635
1636 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1637
1638 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1639 BPF_EXIT_INSN(),
1640 },
1641 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1642 .errstr = "invalid access to packet",
1643 .result = REJECT,
1644 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1645 },
1646 {
1647 "calls: pkt_ptr spill into caller stack 3",
1648 .insns = {
1649 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1651 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1652 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1653
1654 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1655 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1656 BPF_EXIT_INSN(),
1657
1658
1659 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1660 offsetof(struct __sk_buff, data)),
1661 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1662 offsetof(struct __sk_buff, data_end)),
1663 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1664 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1665
1666 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1667 BPF_MOV64_IMM(BPF_REG_5, 0),
1668 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
1669 BPF_MOV64_IMM(BPF_REG_5, 1),
1670
1671 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1672
1673 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1674 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1675 BPF_EXIT_INSN(),
1676 },
1677 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1678 .result = ACCEPT,
1679 .retval = 1,
1680 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1681 },
1682 {
1683 "calls: pkt_ptr spill into caller stack 4",
1684 .insns = {
1685 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1686 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1687 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1688 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1689
1690 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1691 BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1692 BPF_EXIT_INSN(),
1693
1694
1695 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1696 offsetof(struct __sk_buff, data)),
1697 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1698 offsetof(struct __sk_buff, data_end)),
1699 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1701
1702 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1703 BPF_MOV64_IMM(BPF_REG_5, 0),
1704 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1705 BPF_MOV64_IMM(BPF_REG_5, 1),
1706
1707
1708 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1709 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1710 BPF_EXIT_INSN(),
1711 },
1712 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1713 .result = ACCEPT,
1714 .retval = 1,
1715 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1716 },
1717 {
1718 "calls: pkt_ptr spill into caller stack 5",
1719 .insns = {
1720 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1721 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1722 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
1723 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1724 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1725 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
1726 BPF_EXIT_INSN(),
1727
1728
1729 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1730 offsetof(struct __sk_buff, data)),
1731 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1732 offsetof(struct __sk_buff, data_end)),
1733 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1734 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1735 BPF_MOV64_IMM(BPF_REG_5, 0),
1736 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
1737
1738 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1739 BPF_MOV64_IMM(BPF_REG_5, 1),
1740
1741
1742 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1743 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1744 BPF_EXIT_INSN(),
1745 },
1746 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1747 .errstr = "same insn cannot be used with different",
1748 .result = REJECT,
1749 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1750 },
1751 {
1752 "calls: pkt_ptr spill into caller stack 6",
1753 .insns = {
1754 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1755 offsetof(struct __sk_buff, data_end)),
1756 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1757 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1758 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1759 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1760 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1761 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
1762 BPF_EXIT_INSN(),
1763
1764
1765 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1766 offsetof(struct __sk_buff, data)),
1767 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1768 offsetof(struct __sk_buff, data_end)),
1769 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1770 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1771 BPF_MOV64_IMM(BPF_REG_5, 0),
1772 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
1773
1774 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1775 BPF_MOV64_IMM(BPF_REG_5, 1),
1776
1777
1778 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1779 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1780 BPF_EXIT_INSN(),
1781 },
1782 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1783 .errstr = "R4 invalid mem access",
1784 .result = REJECT,
1785 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1786 },
1787 {
1788 "calls: pkt_ptr spill into caller stack 7",
1789 .insns = {
1790 BPF_MOV64_IMM(BPF_REG_2, 0),
1791 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1792 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1793 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1794 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1795 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1796 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
1797 BPF_EXIT_INSN(),
1798
1799
1800 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1801 offsetof(struct __sk_buff, data)),
1802 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1803 offsetof(struct __sk_buff, data_end)),
1804 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1805 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1806 BPF_MOV64_IMM(BPF_REG_5, 0),
1807 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
1808
1809 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1810 BPF_MOV64_IMM(BPF_REG_5, 1),
1811
1812
1813 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1814 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1815 BPF_EXIT_INSN(),
1816 },
1817 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1818 .errstr = "R4 invalid mem access",
1819 .result = REJECT,
1820 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1821 },
1822 {
1823 "calls: pkt_ptr spill into caller stack 8",
1824 .insns = {
1825 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1826 offsetof(struct __sk_buff, data)),
1827 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1828 offsetof(struct __sk_buff, data_end)),
1829 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1830 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1831 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
1832 BPF_EXIT_INSN(),
1833 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1834 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1835 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1836 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1837 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1838 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
1839 BPF_EXIT_INSN(),
1840
1841
1842 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1843 offsetof(struct __sk_buff, data)),
1844 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1845 offsetof(struct __sk_buff, data_end)),
1846 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1847 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1848 BPF_MOV64_IMM(BPF_REG_5, 0),
1849 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
1850
1851 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1852 BPF_MOV64_IMM(BPF_REG_5, 1),
1853
1854
1855 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1856 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1857 BPF_EXIT_INSN(),
1858 },
1859 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1860 .result = ACCEPT,
1861 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1862 },
1863 {
1864 "calls: pkt_ptr spill into caller stack 9",
1865 .insns = {
1866 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1867 offsetof(struct __sk_buff, data)),
1868 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1869 offsetof(struct __sk_buff, data_end)),
1870 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1871 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1872 BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
1873 BPF_EXIT_INSN(),
1874 BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1875 BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1876 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1877 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1878 BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1879 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
1880 BPF_EXIT_INSN(),
1881
1882
1883 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1884 offsetof(struct __sk_buff, data)),
1885 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1886 offsetof(struct __sk_buff, data_end)),
1887 BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1888 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1889 BPF_MOV64_IMM(BPF_REG_5, 0),
1890
1891 BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1892 BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1893 BPF_MOV64_IMM(BPF_REG_5, 1),
1894
1895
1896 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1897 BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1898 BPF_EXIT_INSN(),
1899 },
1900 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1901 .errstr = "invalid access to packet",
1902 .result = REJECT,
1903 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1904 },
1905 {
1906 "calls: caller stack init to zero or map_value_or_null",
1907 .insns = {
1908 BPF_MOV64_IMM(BPF_REG_0, 0),
1909 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
1910 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1911 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1912 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1913
1914 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1915 BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1916
1917 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
1918 BPF_EXIT_INSN(),
1919
1920
1921
1922 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
1923
1924 BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
1925 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1926 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1927 BPF_LD_MAP_FD(BPF_REG_1, 0),
1928 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1929 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1930
1931 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1932 BPF_EXIT_INSN(),
1933 },
1934 .fixup_map_hash_8b = { 13 },
1935 .result = ACCEPT,
1936 .prog_type = BPF_PROG_TYPE_XDP,
1937 },
1938 {
1939 "calls: stack init to zero and pruning",
1940 .insns = {
1941
1942 BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
1943
1944
1945
1946
1947
1948
1949
1950
1951 BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
1952 BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1953 BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1954 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1955 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1956 BPF_LD_MAP_FD(BPF_REG_1, 0),
1957 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1958 BPF_EXIT_INSN(),
1959 },
1960 .fixup_map_hash_48b = { 6 },
1961 .errstr = "invalid indirect read from stack off -8+0 size 8",
1962 .result = REJECT,
1963 .prog_type = BPF_PROG_TYPE_XDP,
1964 },
1965 {
1966 "calls: ctx read at start of subprog",
1967 .insns = {
1968 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1969 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
1970 BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
1971 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1972 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1973 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1974 BPF_EXIT_INSN(),
1975 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
1976 BPF_MOV64_IMM(BPF_REG_0, 0),
1977 BPF_EXIT_INSN(),
1978 },
1979 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
1980 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
1981 .result_unpriv = REJECT,
1982 .result = ACCEPT,
1983 },
1984 {
1985 "calls: cross frame pruning",
1986 .insns = {
1987
1988
1989
1990
1991
1992 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
1993 BPF_MOV64_IMM(BPF_REG_8, 0),
1994 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1995 BPF_MOV64_IMM(BPF_REG_8, 1),
1996 BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
1997 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1998 BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
1999 BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
2000 BPF_MOV64_IMM(BPF_REG_0, 0),
2001 BPF_EXIT_INSN(),
2002 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2003 BPF_EXIT_INSN(),
2004 },
2005 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2006 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
2007 .errstr = "!read_ok",
2008 .result = REJECT,
2009 },
2010 {
2011 "calls: cross frame pruning - liveness propagation",
2012 .insns = {
2013 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2014 BPF_MOV64_IMM(BPF_REG_8, 0),
2015 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2016 BPF_MOV64_IMM(BPF_REG_8, 1),
2017 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2018 BPF_MOV64_IMM(BPF_REG_9, 0),
2019 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2020 BPF_MOV64_IMM(BPF_REG_9, 1),
2021 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
2022 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
2023 BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
2024 BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),
2025 BPF_MOV64_IMM(BPF_REG_0, 0),
2026 BPF_EXIT_INSN(),
2027 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2028 BPF_EXIT_INSN(),
2029 },
2030 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2031 .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
2032 .errstr = "!read_ok",
2033 .result = REJECT,
2034 },