1 {
2 "skb->sk: no NULL check",
3 .insns = {
4 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
5 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
6 BPF_MOV64_IMM(BPF_REG_0, 0),
7 BPF_EXIT_INSN(),
8 },
9 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
10 .result = REJECT,
11 .errstr = "invalid mem access 'sock_common_or_null'",
12 },
13 {
14 "skb->sk: sk->family [non fullsock field]",
15 .insns = {
16 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
17 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
18 BPF_MOV64_IMM(BPF_REG_0, 0),
19 BPF_EXIT_INSN(),
20 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, family)),
21 BPF_MOV64_IMM(BPF_REG_0, 0),
22 BPF_EXIT_INSN(),
23 },
24 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
25 .result = ACCEPT,
26 },
27 {
28 "skb->sk: sk->type [fullsock field]",
29 .insns = {
30 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
31 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
32 BPF_MOV64_IMM(BPF_REG_0, 0),
33 BPF_EXIT_INSN(),
34 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, type)),
35 BPF_MOV64_IMM(BPF_REG_0, 0),
36 BPF_EXIT_INSN(),
37 },
38 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
39 .result = REJECT,
40 .errstr = "invalid sock_common access",
41 },
42 {
43 "bpf_sk_fullsock(skb->sk): no !skb->sk check",
44 .insns = {
45 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
46 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
47 BPF_MOV64_IMM(BPF_REG_0, 0),
48 BPF_EXIT_INSN(),
49 },
50 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
51 .result = REJECT,
52 .errstr = "type=sock_common_or_null expected=sock_common",
53 },
54 {
55 "sk_fullsock(skb->sk): no NULL check on ret",
56 .insns = {
57 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
58 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
59 BPF_MOV64_IMM(BPF_REG_0, 0),
60 BPF_EXIT_INSN(),
61 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
62 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
63 BPF_MOV64_IMM(BPF_REG_0, 0),
64 BPF_EXIT_INSN(),
65 },
66 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
67 .result = REJECT,
68 .errstr = "invalid mem access 'sock_or_null'",
69 },
70 {
71 "sk_fullsock(skb->sk): sk->type [fullsock field]",
72 .insns = {
73 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
74 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
75 BPF_MOV64_IMM(BPF_REG_0, 0),
76 BPF_EXIT_INSN(),
77 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
78 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
79 BPF_MOV64_IMM(BPF_REG_0, 0),
80 BPF_EXIT_INSN(),
81 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
82 BPF_MOV64_IMM(BPF_REG_0, 0),
83 BPF_EXIT_INSN(),
84 },
85 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
86 .result = ACCEPT,
87 },
88 {
89 "sk_fullsock(skb->sk): sk->family [non fullsock field]",
90 .insns = {
91 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
92 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
93 BPF_MOV64_IMM(BPF_REG_0, 0),
94 BPF_EXIT_INSN(),
95 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
96 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
97 BPF_EXIT_INSN(),
98 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, family)),
99 BPF_MOV64_IMM(BPF_REG_0, 0),
100 BPF_EXIT_INSN(),
101 },
102 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
103 .result = ACCEPT,
104 },
105 {
106 "sk_fullsock(skb->sk): sk->state [narrow load]",
107 .insns = {
108 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
109 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
110 BPF_MOV64_IMM(BPF_REG_0, 0),
111 BPF_EXIT_INSN(),
112 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
113 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
114 BPF_MOV64_IMM(BPF_REG_0, 0),
115 BPF_EXIT_INSN(),
116 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, state)),
117 BPF_MOV64_IMM(BPF_REG_0, 0),
118 BPF_EXIT_INSN(),
119 },
120 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
121 .result = ACCEPT,
122 },
123 {
124 "sk_fullsock(skb->sk): sk->dst_port [narrow load]",
125 .insns = {
126 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
127 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
128 BPF_MOV64_IMM(BPF_REG_0, 0),
129 BPF_EXIT_INSN(),
130 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
131 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
132 BPF_MOV64_IMM(BPF_REG_0, 0),
133 BPF_EXIT_INSN(),
134 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
135 BPF_MOV64_IMM(BPF_REG_0, 0),
136 BPF_EXIT_INSN(),
137 },
138 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
139 .result = ACCEPT,
140 },
141 {
142 "sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]",
143 .insns = {
144 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
145 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
146 BPF_MOV64_IMM(BPF_REG_0, 0),
147 BPF_EXIT_INSN(),
148 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
149 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
150 BPF_MOV64_IMM(BPF_REG_0, 0),
151 BPF_EXIT_INSN(),
152 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
153 BPF_MOV64_IMM(BPF_REG_0, 0),
154 BPF_EXIT_INSN(),
155 },
156 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
157 .result = REJECT,
158 .errstr = "invalid sock access",
159 },
160 {
161 "sk_fullsock(skb->sk): sk->dst_ip6 [load 2nd byte]",
162 .insns = {
163 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
164 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
165 BPF_MOV64_IMM(BPF_REG_0, 0),
166 BPF_EXIT_INSN(),
167 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
168 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
169 BPF_MOV64_IMM(BPF_REG_0, 0),
170 BPF_EXIT_INSN(),
171 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_ip6[0]) + 1),
172 BPF_MOV64_IMM(BPF_REG_0, 0),
173 BPF_EXIT_INSN(),
174 },
175 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
176 .result = ACCEPT,
177 },
178 {
179 "sk_fullsock(skb->sk): sk->type [narrow load]",
180 .insns = {
181 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
182 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
183 BPF_MOV64_IMM(BPF_REG_0, 0),
184 BPF_EXIT_INSN(),
185 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
186 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
187 BPF_MOV64_IMM(BPF_REG_0, 0),
188 BPF_EXIT_INSN(),
189 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
190 BPF_MOV64_IMM(BPF_REG_0, 0),
191 BPF_EXIT_INSN(),
192 },
193 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
194 .result = ACCEPT,
195 },
196 {
197 "sk_fullsock(skb->sk): sk->protocol [narrow load]",
198 .insns = {
199 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
200 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
201 BPF_MOV64_IMM(BPF_REG_0, 0),
202 BPF_EXIT_INSN(),
203 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
204 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
205 BPF_MOV64_IMM(BPF_REG_0, 0),
206 BPF_EXIT_INSN(),
207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, protocol)),
208 BPF_MOV64_IMM(BPF_REG_0, 0),
209 BPF_EXIT_INSN(),
210 },
211 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
212 .result = ACCEPT,
213 },
214 {
215 "sk_fullsock(skb->sk): beyond last field",
216 .insns = {
217 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
218 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
219 BPF_MOV64_IMM(BPF_REG_0, 0),
220 BPF_EXIT_INSN(),
221 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
222 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
223 BPF_MOV64_IMM(BPF_REG_0, 0),
224 BPF_EXIT_INSN(),
225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, state)),
226 BPF_MOV64_IMM(BPF_REG_0, 0),
227 BPF_EXIT_INSN(),
228 },
229 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
230 .result = REJECT,
231 .errstr = "invalid sock access",
232 },
233 {
234 "bpf_tcp_sock(skb->sk): no !skb->sk check",
235 .insns = {
236 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
237 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
238 BPF_MOV64_IMM(BPF_REG_0, 0),
239 BPF_EXIT_INSN(),
240 },
241 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
242 .result = REJECT,
243 .errstr = "type=sock_common_or_null expected=sock_common",
244 },
245 {
246 "bpf_tcp_sock(skb->sk): no NULL check on ret",
247 .insns = {
248 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
249 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
250 BPF_MOV64_IMM(BPF_REG_0, 0),
251 BPF_EXIT_INSN(),
252 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
253 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
254 BPF_MOV64_IMM(BPF_REG_0, 0),
255 BPF_EXIT_INSN(),
256 },
257 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
258 .result = REJECT,
259 .errstr = "invalid mem access 'tcp_sock_or_null'",
260 },
261 {
262 "bpf_tcp_sock(skb->sk): tp->snd_cwnd",
263 .insns = {
264 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
265 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
266 BPF_MOV64_IMM(BPF_REG_0, 0),
267 BPF_EXIT_INSN(),
268 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
269 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
270 BPF_EXIT_INSN(),
271 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
272 BPF_MOV64_IMM(BPF_REG_0, 0),
273 BPF_EXIT_INSN(),
274 },
275 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
276 .result = ACCEPT,
277 },
278 {
279 "bpf_tcp_sock(skb->sk): tp->bytes_acked",
280 .insns = {
281 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
282 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
283 BPF_MOV64_IMM(BPF_REG_0, 0),
284 BPF_EXIT_INSN(),
285 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
286 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
287 BPF_EXIT_INSN(),
288 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, bytes_acked)),
289 BPF_MOV64_IMM(BPF_REG_0, 0),
290 BPF_EXIT_INSN(),
291 },
292 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
293 .result = ACCEPT,
294 },
295 {
296 "bpf_tcp_sock(skb->sk): beyond last field",
297 .insns = {
298 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
299 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
300 BPF_MOV64_IMM(BPF_REG_0, 0),
301 BPF_EXIT_INSN(),
302 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
303 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
304 BPF_EXIT_INSN(),
305 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_tcp_sock, bytes_acked)),
306 BPF_MOV64_IMM(BPF_REG_0, 0),
307 BPF_EXIT_INSN(),
308 },
309 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
310 .result = REJECT,
311 .errstr = "invalid tcp_sock access",
312 },
313 {
314 "bpf_tcp_sock(bpf_sk_fullsock(skb->sk)): tp->snd_cwnd",
315 .insns = {
316 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
317 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
318 BPF_MOV64_IMM(BPF_REG_0, 0),
319 BPF_EXIT_INSN(),
320 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
321 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
322 BPF_EXIT_INSN(),
323 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
324 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
325 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
326 BPF_EXIT_INSN(),
327 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
328 BPF_MOV64_IMM(BPF_REG_0, 0),
329 BPF_EXIT_INSN(),
330 },
331 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
332 .result = ACCEPT,
333 },
334 {
335 "bpf_sk_release(skb->sk)",
336 .insns = {
337 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
338 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
339 BPF_EMIT_CALL(BPF_FUNC_sk_release),
340 BPF_MOV64_IMM(BPF_REG_0, 0),
341 BPF_EXIT_INSN(),
342 },
343 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
344 .result = REJECT,
345 .errstr = "reference has not been acquired before",
346 },
347 {
348 "bpf_sk_release(bpf_sk_fullsock(skb->sk))",
349 .insns = {
350 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
351 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
352 BPF_MOV64_IMM(BPF_REG_0, 0),
353 BPF_EXIT_INSN(),
354 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
355 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
356 BPF_EXIT_INSN(),
357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
358 BPF_EMIT_CALL(BPF_FUNC_sk_release),
359 BPF_MOV64_IMM(BPF_REG_0, 1),
360 BPF_EXIT_INSN(),
361 },
362 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
363 .result = REJECT,
364 .errstr = "reference has not been acquired before",
365 },
366 {
367 "bpf_sk_release(bpf_tcp_sock(skb->sk))",
368 .insns = {
369 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
370 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
371 BPF_MOV64_IMM(BPF_REG_0, 0),
372 BPF_EXIT_INSN(),
373 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
374 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
375 BPF_EXIT_INSN(),
376 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
377 BPF_EMIT_CALL(BPF_FUNC_sk_release),
378 BPF_MOV64_IMM(BPF_REG_0, 1),
379 BPF_EXIT_INSN(),
380 },
381 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
382 .result = REJECT,
383 .errstr = "reference has not been acquired before",
384 },
385 {
386 "sk_storage_get(map, skb->sk, NULL, 0): value == NULL",
387 .insns = {
388 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
389 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
390 BPF_MOV64_IMM(BPF_REG_0, 0),
391 BPF_EXIT_INSN(),
392 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
393 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
394 BPF_MOV64_IMM(BPF_REG_0, 0),
395 BPF_EXIT_INSN(),
396 BPF_MOV64_IMM(BPF_REG_4, 0),
397 BPF_MOV64_IMM(BPF_REG_3, 0),
398 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
399 BPF_LD_MAP_FD(BPF_REG_1, 0),
400 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
401 BPF_MOV64_IMM(BPF_REG_0, 0),
402 BPF_EXIT_INSN(),
403 },
404 .fixup_sk_storage_map = { 11 },
405 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
406 .result = ACCEPT,
407 },
408 {
409 "sk_storage_get(map, skb->sk, 1, 1): value == 1",
410 .insns = {
411 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
412 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
413 BPF_MOV64_IMM(BPF_REG_0, 0),
414 BPF_EXIT_INSN(),
415 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
417 BPF_MOV64_IMM(BPF_REG_0, 0),
418 BPF_EXIT_INSN(),
419 BPF_MOV64_IMM(BPF_REG_4, 1),
420 BPF_MOV64_IMM(BPF_REG_3, 1),
421 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
422 BPF_LD_MAP_FD(BPF_REG_1, 0),
423 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
424 BPF_MOV64_IMM(BPF_REG_0, 0),
425 BPF_EXIT_INSN(),
426 },
427 .fixup_sk_storage_map = { 11 },
428 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
429 .result = REJECT,
430 .errstr = "R3 type=inv expected=fp",
431 },
432 {
433 "sk_storage_get(map, skb->sk, &stack_value, 1): stack_value",
434 .insns = {
435 BPF_MOV64_IMM(BPF_REG_2, 0),
436 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
437 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
438 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
439 BPF_MOV64_IMM(BPF_REG_0, 0),
440 BPF_EXIT_INSN(),
441 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
442 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
443 BPF_MOV64_IMM(BPF_REG_0, 0),
444 BPF_EXIT_INSN(),
445 BPF_MOV64_IMM(BPF_REG_4, 1),
446 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
448 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
449 BPF_LD_MAP_FD(BPF_REG_1, 0),
450 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
451 BPF_MOV64_IMM(BPF_REG_0, 0),
452 BPF_EXIT_INSN(),
453 },
454 .fixup_sk_storage_map = { 14 },
455 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
456 .result = ACCEPT,
457 },
458 {
459 "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value",
460 .insns = {
461 BPF_MOV64_IMM(BPF_REG_2, 0),
462 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),
463 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
464 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
465 BPF_MOV64_IMM(BPF_REG_0, 0),
466 BPF_EXIT_INSN(),
467 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
468 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
469 BPF_MOV64_IMM(BPF_REG_0, 0),
470 BPF_EXIT_INSN(),
471 BPF_MOV64_IMM(BPF_REG_4, 1),
472 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
475 BPF_LD_MAP_FD(BPF_REG_1, 0),
476 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
477 BPF_MOV64_IMM(BPF_REG_0, 0),
478 BPF_EXIT_INSN(),
479 },
480 .fixup_sk_storage_map = { 14 },
481 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
482 .result = REJECT,
483 .errstr = "invalid indirect read from stack",
484 },
485 {
486 "bpf_map_lookup_elem(smap, &key)",
487 .insns = {
488 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
491 BPF_LD_MAP_FD(BPF_REG_1, 0),
492 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
493 BPF_MOV64_IMM(BPF_REG_0, 0),
494 BPF_EXIT_INSN(),
495 },
496 .fixup_sk_storage_map = { 3 },
497 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
498 .result = REJECT,
499 .errstr = "cannot pass map_type 24 into func bpf_map_lookup_elem",
500 },
501 {
502 "bpf_map_lookup_elem(xskmap, &key); xs->queue_id",
503 .insns = {
504 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
505 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
507 BPF_LD_MAP_FD(BPF_REG_1, 0),
508 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
509 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
510 BPF_EXIT_INSN(),
511 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_xdp_sock, queue_id)),
512 BPF_MOV64_IMM(BPF_REG_0, 0),
513 BPF_EXIT_INSN(),
514 },
515 .fixup_map_xskmap = { 3 },
516 .prog_type = BPF_PROG_TYPE_XDP,
517 .result = ACCEPT,
518 },