root/tools/testing/selftests/bpf/verifier/ctx_skb.c

/* [<][>][^][v][top][bottom][index][help] */
   1 {
   2         "access skb fields ok",
   3         .insns = {
   4         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
   5                     offsetof(struct __sk_buff, len)),
   6         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
   7         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
   8                     offsetof(struct __sk_buff, mark)),
   9         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
  10         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  11                     offsetof(struct __sk_buff, pkt_type)),
  12         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
  13         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  14                     offsetof(struct __sk_buff, queue_mapping)),
  15         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
  16         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  17                     offsetof(struct __sk_buff, protocol)),
  18         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
  19         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  20                     offsetof(struct __sk_buff, vlan_present)),
  21         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
  22         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  23                     offsetof(struct __sk_buff, vlan_tci)),
  24         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
  25         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  26                     offsetof(struct __sk_buff, napi_id)),
  27         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
  28         BPF_EXIT_INSN(),
  29         },
  30         .result = ACCEPT,
  31 },
  32 {
  33         "access skb fields bad1",
  34         .insns = {
  35         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
  36         BPF_EXIT_INSN(),
  37         },
  38         .errstr = "invalid bpf_context access",
  39         .result = REJECT,
  40 },
  41 {
  42         "access skb fields bad2",
  43         .insns = {
  44         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
  45         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
  46         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
  47         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
  48         BPF_LD_MAP_FD(BPF_REG_1, 0),
  49         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
  50         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
  51         BPF_EXIT_INSN(),
  52         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
  53         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  54                     offsetof(struct __sk_buff, pkt_type)),
  55         BPF_EXIT_INSN(),
  56         },
  57         .fixup_map_hash_8b = { 4 },
  58         .errstr = "different pointers",
  59         .errstr_unpriv = "R1 pointer comparison",
  60         .result = REJECT,
  61 },
  62 {
  63         "access skb fields bad3",
  64         .insns = {
  65         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
  66         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
  67                     offsetof(struct __sk_buff, pkt_type)),
  68         BPF_EXIT_INSN(),
  69         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
  70         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
  71         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
  72         BPF_LD_MAP_FD(BPF_REG_1, 0),
  73         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
  74         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
  75         BPF_EXIT_INSN(),
  76         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
  77         BPF_JMP_IMM(BPF_JA, 0, 0, -12),
  78         },
  79         .fixup_map_hash_8b = { 6 },
  80         .errstr = "different pointers",
  81         .errstr_unpriv = "R1 pointer comparison",
  82         .result = REJECT,
  83 },
  84 {
  85         "access skb fields bad4",
  86         .insns = {
  87         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
  88         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
  89                     offsetof(struct __sk_buff, len)),
  90         BPF_MOV64_IMM(BPF_REG_0, 0),
  91         BPF_EXIT_INSN(),
  92         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
  93         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
  94         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
  95         BPF_LD_MAP_FD(BPF_REG_1, 0),
  96         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
  97         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
  98         BPF_EXIT_INSN(),
  99         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
 100         BPF_JMP_IMM(BPF_JA, 0, 0, -13),
 101         },
 102         .fixup_map_hash_8b = { 7 },
 103         .errstr = "different pointers",
 104         .errstr_unpriv = "R1 pointer comparison",
 105         .result = REJECT,
 106 },
 107 {
 108         "invalid access __sk_buff family",
 109         .insns = {
 110         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 111                     offsetof(struct __sk_buff, family)),
 112         BPF_EXIT_INSN(),
 113         },
 114         .errstr = "invalid bpf_context access",
 115         .result = REJECT,
 116 },
 117 {
 118         "invalid access __sk_buff remote_ip4",
 119         .insns = {
 120         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 121                     offsetof(struct __sk_buff, remote_ip4)),
 122         BPF_EXIT_INSN(),
 123         },
 124         .errstr = "invalid bpf_context access",
 125         .result = REJECT,
 126 },
 127 {
 128         "invalid access __sk_buff local_ip4",
 129         .insns = {
 130         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 131                     offsetof(struct __sk_buff, local_ip4)),
 132         BPF_EXIT_INSN(),
 133         },
 134         .errstr = "invalid bpf_context access",
 135         .result = REJECT,
 136 },
 137 {
 138         "invalid access __sk_buff remote_ip6",
 139         .insns = {
 140         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 141                     offsetof(struct __sk_buff, remote_ip6)),
 142         BPF_EXIT_INSN(),
 143         },
 144         .errstr = "invalid bpf_context access",
 145         .result = REJECT,
 146 },
 147 {
 148         "invalid access __sk_buff local_ip6",
 149         .insns = {
 150         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 151                     offsetof(struct __sk_buff, local_ip6)),
 152         BPF_EXIT_INSN(),
 153         },
 154         .errstr = "invalid bpf_context access",
 155         .result = REJECT,
 156 },
 157 {
 158         "invalid access __sk_buff remote_port",
 159         .insns = {
 160         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 161                     offsetof(struct __sk_buff, remote_port)),
 162         BPF_EXIT_INSN(),
 163         },
 164         .errstr = "invalid bpf_context access",
 165         .result = REJECT,
 166 },
 167 {
 168         "invalid access __sk_buff remote_port",
 169         .insns = {
 170         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 171                     offsetof(struct __sk_buff, local_port)),
 172         BPF_EXIT_INSN(),
 173         },
 174         .errstr = "invalid bpf_context access",
 175         .result = REJECT,
 176 },
 177 {
 178         "valid access __sk_buff family",
 179         .insns = {
 180         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 181                     offsetof(struct __sk_buff, family)),
 182         BPF_EXIT_INSN(),
 183         },
 184         .result = ACCEPT,
 185         .prog_type = BPF_PROG_TYPE_SK_SKB,
 186 },
 187 {
 188         "valid access __sk_buff remote_ip4",
 189         .insns = {
 190         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 191                     offsetof(struct __sk_buff, remote_ip4)),
 192         BPF_EXIT_INSN(),
 193         },
 194         .result = ACCEPT,
 195         .prog_type = BPF_PROG_TYPE_SK_SKB,
 196 },
 197 {
 198         "valid access __sk_buff local_ip4",
 199         .insns = {
 200         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 201                     offsetof(struct __sk_buff, local_ip4)),
 202         BPF_EXIT_INSN(),
 203         },
 204         .result = ACCEPT,
 205         .prog_type = BPF_PROG_TYPE_SK_SKB,
 206 },
 207 {
 208         "valid access __sk_buff remote_ip6",
 209         .insns = {
 210         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 211                     offsetof(struct __sk_buff, remote_ip6[0])),
 212         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 213                     offsetof(struct __sk_buff, remote_ip6[1])),
 214         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 215                     offsetof(struct __sk_buff, remote_ip6[2])),
 216         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 217                     offsetof(struct __sk_buff, remote_ip6[3])),
 218         BPF_EXIT_INSN(),
 219         },
 220         .result = ACCEPT,
 221         .prog_type = BPF_PROG_TYPE_SK_SKB,
 222 },
 223 {
 224         "valid access __sk_buff local_ip6",
 225         .insns = {
 226         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 227                     offsetof(struct __sk_buff, local_ip6[0])),
 228         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 229                     offsetof(struct __sk_buff, local_ip6[1])),
 230         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 231                     offsetof(struct __sk_buff, local_ip6[2])),
 232         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 233                     offsetof(struct __sk_buff, local_ip6[3])),
 234         BPF_EXIT_INSN(),
 235         },
 236         .result = ACCEPT,
 237         .prog_type = BPF_PROG_TYPE_SK_SKB,
 238 },
 239 {
 240         "valid access __sk_buff remote_port",
 241         .insns = {
 242         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 243                     offsetof(struct __sk_buff, remote_port)),
 244         BPF_EXIT_INSN(),
 245         },
 246         .result = ACCEPT,
 247         .prog_type = BPF_PROG_TYPE_SK_SKB,
 248 },
 249 {
 250         "valid access __sk_buff remote_port",
 251         .insns = {
 252         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 253                     offsetof(struct __sk_buff, local_port)),
 254         BPF_EXIT_INSN(),
 255         },
 256         .result = ACCEPT,
 257         .prog_type = BPF_PROG_TYPE_SK_SKB,
 258 },
 259 {
 260         "invalid access of tc_classid for SK_SKB",
 261         .insns = {
 262         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 263                     offsetof(struct __sk_buff, tc_classid)),
 264         BPF_EXIT_INSN(),
 265         },
 266         .result = REJECT,
 267         .prog_type = BPF_PROG_TYPE_SK_SKB,
 268         .errstr = "invalid bpf_context access",
 269 },
 270 {
 271         "invalid access of skb->mark for SK_SKB",
 272         .insns = {
 273         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 274                     offsetof(struct __sk_buff, mark)),
 275         BPF_EXIT_INSN(),
 276         },
 277         .result =  REJECT,
 278         .prog_type = BPF_PROG_TYPE_SK_SKB,
 279         .errstr = "invalid bpf_context access",
 280 },
 281 {
 282         "check skb->mark is not writeable by SK_SKB",
 283         .insns = {
 284         BPF_MOV64_IMM(BPF_REG_0, 0),
 285         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 286                     offsetof(struct __sk_buff, mark)),
 287         BPF_EXIT_INSN(),
 288         },
 289         .result =  REJECT,
 290         .prog_type = BPF_PROG_TYPE_SK_SKB,
 291         .errstr = "invalid bpf_context access",
 292 },
 293 {
 294         "check skb->tc_index is writeable by SK_SKB",
 295         .insns = {
 296         BPF_MOV64_IMM(BPF_REG_0, 0),
 297         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 298                     offsetof(struct __sk_buff, tc_index)),
 299         BPF_EXIT_INSN(),
 300         },
 301         .result = ACCEPT,
 302         .prog_type = BPF_PROG_TYPE_SK_SKB,
 303 },
 304 {
 305         "check skb->priority is writeable by SK_SKB",
 306         .insns = {
 307         BPF_MOV64_IMM(BPF_REG_0, 0),
 308         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 309                     offsetof(struct __sk_buff, priority)),
 310         BPF_EXIT_INSN(),
 311         },
 312         .result = ACCEPT,
 313         .prog_type = BPF_PROG_TYPE_SK_SKB,
 314 },
 315 {
 316         "direct packet read for SK_SKB",
 317         .insns = {
 318         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
 319                     offsetof(struct __sk_buff, data)),
 320         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
 321                     offsetof(struct __sk_buff, data_end)),
 322         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
 323         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
 324         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
 325         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
 326         BPF_MOV64_IMM(BPF_REG_0, 0),
 327         BPF_EXIT_INSN(),
 328         },
 329         .result = ACCEPT,
 330         .prog_type = BPF_PROG_TYPE_SK_SKB,
 331 },
 332 {
 333         "direct packet write for SK_SKB",
 334         .insns = {
 335         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
 336                     offsetof(struct __sk_buff, data)),
 337         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
 338                     offsetof(struct __sk_buff, data_end)),
 339         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
 340         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
 341         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
 342         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
 343         BPF_MOV64_IMM(BPF_REG_0, 0),
 344         BPF_EXIT_INSN(),
 345         },
 346         .result = ACCEPT,
 347         .prog_type = BPF_PROG_TYPE_SK_SKB,
 348 },
 349 {
 350         "overlapping checks for direct packet access SK_SKB",
 351         .insns = {
 352         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
 353                     offsetof(struct __sk_buff, data)),
 354         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
 355                     offsetof(struct __sk_buff, data_end)),
 356         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
 357         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
 358         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
 359         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
 360         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
 361         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
 362         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
 363         BPF_MOV64_IMM(BPF_REG_0, 0),
 364         BPF_EXIT_INSN(),
 365         },
 366         .result = ACCEPT,
 367         .prog_type = BPF_PROG_TYPE_SK_SKB,
 368 },
 369 {
 370         "check skb->mark is not writeable by sockets",
 371         .insns = {
 372         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
 373                     offsetof(struct __sk_buff, mark)),
 374         BPF_EXIT_INSN(),
 375         },
 376         .errstr = "invalid bpf_context access",
 377         .errstr_unpriv = "R1 leaks addr",
 378         .result = REJECT,
 379 },
 380 {
 381         "check skb->tc_index is not writeable by sockets",
 382         .insns = {
 383         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
 384                     offsetof(struct __sk_buff, tc_index)),
 385         BPF_EXIT_INSN(),
 386         },
 387         .errstr = "invalid bpf_context access",
 388         .errstr_unpriv = "R1 leaks addr",
 389         .result = REJECT,
 390 },
 391 {
 392         "check cb access: byte",
 393         .insns = {
 394         BPF_MOV64_IMM(BPF_REG_0, 0),
 395         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 396                     offsetof(struct __sk_buff, cb[0])),
 397         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 398                     offsetof(struct __sk_buff, cb[0]) + 1),
 399         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 400                     offsetof(struct __sk_buff, cb[0]) + 2),
 401         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 402                     offsetof(struct __sk_buff, cb[0]) + 3),
 403         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 404                     offsetof(struct __sk_buff, cb[1])),
 405         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 406                     offsetof(struct __sk_buff, cb[1]) + 1),
 407         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 408                     offsetof(struct __sk_buff, cb[1]) + 2),
 409         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 410                     offsetof(struct __sk_buff, cb[1]) + 3),
 411         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 412                     offsetof(struct __sk_buff, cb[2])),
 413         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 414                     offsetof(struct __sk_buff, cb[2]) + 1),
 415         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 416                     offsetof(struct __sk_buff, cb[2]) + 2),
 417         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 418                     offsetof(struct __sk_buff, cb[2]) + 3),
 419         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 420                     offsetof(struct __sk_buff, cb[3])),
 421         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 422                     offsetof(struct __sk_buff, cb[3]) + 1),
 423         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 424                     offsetof(struct __sk_buff, cb[3]) + 2),
 425         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 426                     offsetof(struct __sk_buff, cb[3]) + 3),
 427         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 428                     offsetof(struct __sk_buff, cb[4])),
 429         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 430                     offsetof(struct __sk_buff, cb[4]) + 1),
 431         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 432                     offsetof(struct __sk_buff, cb[4]) + 2),
 433         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 434                     offsetof(struct __sk_buff, cb[4]) + 3),
 435         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 436                     offsetof(struct __sk_buff, cb[0])),
 437         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 438                     offsetof(struct __sk_buff, cb[0]) + 1),
 439         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 440                     offsetof(struct __sk_buff, cb[0]) + 2),
 441         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 442                     offsetof(struct __sk_buff, cb[0]) + 3),
 443         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 444                     offsetof(struct __sk_buff, cb[1])),
 445         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 446                     offsetof(struct __sk_buff, cb[1]) + 1),
 447         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 448                     offsetof(struct __sk_buff, cb[1]) + 2),
 449         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 450                     offsetof(struct __sk_buff, cb[1]) + 3),
 451         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 452                     offsetof(struct __sk_buff, cb[2])),
 453         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 454                     offsetof(struct __sk_buff, cb[2]) + 1),
 455         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 456                     offsetof(struct __sk_buff, cb[2]) + 2),
 457         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 458                     offsetof(struct __sk_buff, cb[2]) + 3),
 459         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 460                     offsetof(struct __sk_buff, cb[3])),
 461         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 462                     offsetof(struct __sk_buff, cb[3]) + 1),
 463         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 464                     offsetof(struct __sk_buff, cb[3]) + 2),
 465         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 466                     offsetof(struct __sk_buff, cb[3]) + 3),
 467         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 468                     offsetof(struct __sk_buff, cb[4])),
 469         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 470                     offsetof(struct __sk_buff, cb[4]) + 1),
 471         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 472                     offsetof(struct __sk_buff, cb[4]) + 2),
 473         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 474                     offsetof(struct __sk_buff, cb[4]) + 3),
 475         BPF_EXIT_INSN(),
 476         },
 477         .result = ACCEPT,
 478 },
 479 {
 480         "__sk_buff->hash, offset 0, byte store not permitted",
 481         .insns = {
 482         BPF_MOV64_IMM(BPF_REG_0, 0),
 483         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 484                     offsetof(struct __sk_buff, hash)),
 485         BPF_EXIT_INSN(),
 486         },
 487         .errstr = "invalid bpf_context access",
 488         .result = REJECT,
 489 },
 490 {
 491         "__sk_buff->tc_index, offset 3, byte store not permitted",
 492         .insns = {
 493         BPF_MOV64_IMM(BPF_REG_0, 0),
 494         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 495                     offsetof(struct __sk_buff, tc_index) + 3),
 496         BPF_EXIT_INSN(),
 497         },
 498         .errstr = "invalid bpf_context access",
 499         .result = REJECT,
 500 },
 501 {
 502         "check skb->hash byte load permitted",
 503         .insns = {
 504         BPF_MOV64_IMM(BPF_REG_0, 0),
 505 #if __BYTE_ORDER == __LITTLE_ENDIAN
 506         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 507                     offsetof(struct __sk_buff, hash)),
 508 #else
 509         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 510                     offsetof(struct __sk_buff, hash) + 3),
 511 #endif
 512         BPF_EXIT_INSN(),
 513         },
 514         .result = ACCEPT,
 515 },
 516 {
 517         "check skb->hash byte load permitted 1",
 518         .insns = {
 519         BPF_MOV64_IMM(BPF_REG_0, 0),
 520         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 521                     offsetof(struct __sk_buff, hash) + 1),
 522         BPF_EXIT_INSN(),
 523         },
 524         .result = ACCEPT,
 525 },
 526 {
 527         "check skb->hash byte load permitted 2",
 528         .insns = {
 529         BPF_MOV64_IMM(BPF_REG_0, 0),
 530         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 531                     offsetof(struct __sk_buff, hash) + 2),
 532         BPF_EXIT_INSN(),
 533         },
 534         .result = ACCEPT,
 535 },
 536 {
 537         "check skb->hash byte load permitted 3",
 538         .insns = {
 539         BPF_MOV64_IMM(BPF_REG_0, 0),
 540 #if __BYTE_ORDER == __LITTLE_ENDIAN
 541         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 542                     offsetof(struct __sk_buff, hash) + 3),
 543 #else
 544         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
 545                     offsetof(struct __sk_buff, hash)),
 546 #endif
 547         BPF_EXIT_INSN(),
 548         },
 549         .result = ACCEPT,
 550 },
 551 {
 552         "check cb access: byte, wrong type",
 553         .insns = {
 554         BPF_MOV64_IMM(BPF_REG_0, 0),
 555         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
 556                     offsetof(struct __sk_buff, cb[0])),
 557         BPF_EXIT_INSN(),
 558         },
 559         .errstr = "invalid bpf_context access",
 560         .result = REJECT,
 561         .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
 562 },
 563 {
 564         "check cb access: half",
 565         .insns = {
 566         BPF_MOV64_IMM(BPF_REG_0, 0),
 567         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 568                     offsetof(struct __sk_buff, cb[0])),
 569         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 570                     offsetof(struct __sk_buff, cb[0]) + 2),
 571         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 572                     offsetof(struct __sk_buff, cb[1])),
 573         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 574                     offsetof(struct __sk_buff, cb[1]) + 2),
 575         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 576                     offsetof(struct __sk_buff, cb[2])),
 577         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 578                     offsetof(struct __sk_buff, cb[2]) + 2),
 579         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 580                     offsetof(struct __sk_buff, cb[3])),
 581         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 582                     offsetof(struct __sk_buff, cb[3]) + 2),
 583         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 584                     offsetof(struct __sk_buff, cb[4])),
 585         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 586                     offsetof(struct __sk_buff, cb[4]) + 2),
 587         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 588                     offsetof(struct __sk_buff, cb[0])),
 589         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 590                     offsetof(struct __sk_buff, cb[0]) + 2),
 591         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 592                     offsetof(struct __sk_buff, cb[1])),
 593         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 594                     offsetof(struct __sk_buff, cb[1]) + 2),
 595         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 596                     offsetof(struct __sk_buff, cb[2])),
 597         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 598                     offsetof(struct __sk_buff, cb[2]) + 2),
 599         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 600                     offsetof(struct __sk_buff, cb[3])),
 601         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 602                     offsetof(struct __sk_buff, cb[3]) + 2),
 603         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 604                     offsetof(struct __sk_buff, cb[4])),
 605         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 606                     offsetof(struct __sk_buff, cb[4]) + 2),
 607         BPF_EXIT_INSN(),
 608         },
 609         .result = ACCEPT,
 610 },
 611 {
 612         "check cb access: half, unaligned",
 613         .insns = {
 614         BPF_MOV64_IMM(BPF_REG_0, 0),
 615         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 616                     offsetof(struct __sk_buff, cb[0]) + 1),
 617         BPF_EXIT_INSN(),
 618         },
 619         .errstr = "misaligned context access",
 620         .result = REJECT,
 621         .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
 622 },
 623 {
 624         "check __sk_buff->hash, offset 0, half store not permitted",
 625         .insns = {
 626         BPF_MOV64_IMM(BPF_REG_0, 0),
 627         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 628                     offsetof(struct __sk_buff, hash)),
 629         BPF_EXIT_INSN(),
 630         },
 631         .errstr = "invalid bpf_context access",
 632         .result = REJECT,
 633 },
 634 {
 635         "check __sk_buff->tc_index, offset 2, half store not permitted",
 636         .insns = {
 637         BPF_MOV64_IMM(BPF_REG_0, 0),
 638         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 639                     offsetof(struct __sk_buff, tc_index) + 2),
 640         BPF_EXIT_INSN(),
 641         },
 642         .errstr = "invalid bpf_context access",
 643         .result = REJECT,
 644 },
 645 {
 646         "check skb->hash half load permitted",
 647         .insns = {
 648         BPF_MOV64_IMM(BPF_REG_0, 0),
 649 #if __BYTE_ORDER == __LITTLE_ENDIAN
 650         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 651                     offsetof(struct __sk_buff, hash)),
 652 #else
 653         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 654                     offsetof(struct __sk_buff, hash) + 2),
 655 #endif
 656         BPF_EXIT_INSN(),
 657         },
 658         .result = ACCEPT,
 659 },
 660 {
 661         "check skb->hash half load permitted 2",
 662         .insns = {
 663         BPF_MOV64_IMM(BPF_REG_0, 0),
 664 #if __BYTE_ORDER == __LITTLE_ENDIAN
 665         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 666                     offsetof(struct __sk_buff, hash) + 2),
 667 #else
 668         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 669                     offsetof(struct __sk_buff, hash)),
 670 #endif
 671         BPF_EXIT_INSN(),
 672         },
 673         .result = ACCEPT,
 674 },
 675 {
 676         "check skb->hash half load not permitted, unaligned 1",
 677         .insns = {
 678         BPF_MOV64_IMM(BPF_REG_0, 0),
 679 #if __BYTE_ORDER == __LITTLE_ENDIAN
 680         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 681                     offsetof(struct __sk_buff, hash) + 1),
 682 #else
 683         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 684                     offsetof(struct __sk_buff, hash) + 3),
 685 #endif
 686         BPF_EXIT_INSN(),
 687         },
 688         .errstr = "invalid bpf_context access",
 689         .result = REJECT,
 690         .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
 691 },
 692 {
 693         "check skb->hash half load not permitted, unaligned 3",
 694         .insns = {
 695         BPF_MOV64_IMM(BPF_REG_0, 0),
 696 #if __BYTE_ORDER == __LITTLE_ENDIAN
 697         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 698                     offsetof(struct __sk_buff, hash) + 3),
 699 #else
 700         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 701                     offsetof(struct __sk_buff, hash) + 1),
 702 #endif
 703         BPF_EXIT_INSN(),
 704         },
 705         .errstr = "invalid bpf_context access",
 706         .result = REJECT,
 707         .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
 708 },
 709 {
 710         "check cb access: half, wrong type",
 711         .insns = {
 712         BPF_MOV64_IMM(BPF_REG_0, 0),
 713         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
 714                     offsetof(struct __sk_buff, cb[0])),
 715         BPF_EXIT_INSN(),
 716         },
 717         .errstr = "invalid bpf_context access",
 718         .result = REJECT,
 719         .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
 720 },
 721 {
 722         "check cb access: word",
 723         .insns = {
 724         BPF_MOV64_IMM(BPF_REG_0, 0),
 725         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 726                     offsetof(struct __sk_buff, cb[0])),
 727         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 728                     offsetof(struct __sk_buff, cb[1])),
 729         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 730                     offsetof(struct __sk_buff, cb[2])),
 731         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 732                     offsetof(struct __sk_buff, cb[3])),
 733         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 734                     offsetof(struct __sk_buff, cb[4])),
 735         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 736                     offsetof(struct __sk_buff, cb[0])),
 737         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 738                     offsetof(struct __sk_buff, cb[1])),
 739         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 740                     offsetof(struct __sk_buff, cb[2])),
 741         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 742                     offsetof(struct __sk_buff, cb[3])),
 743         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 744                     offsetof(struct __sk_buff, cb[4])),
 745         BPF_EXIT_INSN(),
 746         },
 747         .result = ACCEPT,
 748 },
 749 {
 750         "check cb access: word, unaligned 1",
 751         .insns = {
 752         BPF_MOV64_IMM(BPF_REG_0, 0),
 753         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 754                     offsetof(struct __sk_buff, cb[0]) + 2),
 755         BPF_EXIT_INSN(),
 756         },
 757         .errstr = "misaligned context access",
 758         .result = REJECT,
 759         .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
 760 },
 761 {
 762         "check cb access: word, unaligned 2",
 763         .insns = {
 764         BPF_MOV64_IMM(BPF_REG_0, 0),
 765         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 766                     offsetof(struct __sk_buff, cb[4]) + 1),
 767         BPF_EXIT_INSN(),
 768         },
 769         .errstr = "misaligned context access",
 770         .result = REJECT,
 771         .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
 772 },
 773 {
 774         "check cb access: word, unaligned 3",
 775         .insns = {
 776         BPF_MOV64_IMM(BPF_REG_0, 0),
 777         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 778                     offsetof(struct __sk_buff, cb[4]) + 2),
 779         BPF_EXIT_INSN(),
 780         },
 781         .errstr = "misaligned context access",
 782         .result = REJECT,
 783         .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
 784 },
 785 {
 786         "check cb access: word, unaligned 4",
 787         .insns = {
 788         BPF_MOV64_IMM(BPF_REG_0, 0),
 789         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 790                     offsetof(struct __sk_buff, cb[4]) + 3),
 791         BPF_EXIT_INSN(),
 792         },
 793         .errstr = "misaligned context access",
 794         .result = REJECT,
 795         .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
 796 },
 797 {
 798         "check cb access: double",
 799         .insns = {
 800         BPF_MOV64_IMM(BPF_REG_0, 0),
 801         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 802                     offsetof(struct __sk_buff, cb[0])),
 803         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 804                     offsetof(struct __sk_buff, cb[2])),
 805         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
 806                     offsetof(struct __sk_buff, cb[0])),
 807         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
 808                     offsetof(struct __sk_buff, cb[2])),
 809         BPF_EXIT_INSN(),
 810         },
 811         .result = ACCEPT,
 812 },
 813 {
 814         "check cb access: double, unaligned 1",
 815         .insns = {
 816         BPF_MOV64_IMM(BPF_REG_0, 0),
 817         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 818                     offsetof(struct __sk_buff, cb[1])),
 819         BPF_EXIT_INSN(),
 820         },
 821         .errstr = "misaligned context access",
 822         .result = REJECT,
 823         .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
 824 },
 825 {
 826         "check cb access: double, unaligned 2",
 827         .insns = {
 828         BPF_MOV64_IMM(BPF_REG_0, 0),
 829         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 830                     offsetof(struct __sk_buff, cb[3])),
 831         BPF_EXIT_INSN(),
 832         },
 833         .errstr = "misaligned context access",
 834         .result = REJECT,
 835         .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
 836 },
 837 {
 838         "check cb access: double, oob 1",
 839         .insns = {
 840         BPF_MOV64_IMM(BPF_REG_0, 0),
 841         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 842                     offsetof(struct __sk_buff, cb[4])),
 843         BPF_EXIT_INSN(),
 844         },
 845         .errstr = "invalid bpf_context access",
 846         .result = REJECT,
 847 },
 848 {
 849         "check cb access: double, oob 2",
 850         .insns = {
 851         BPF_MOV64_IMM(BPF_REG_0, 0),
 852         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
 853                     offsetof(struct __sk_buff, cb[4])),
 854         BPF_EXIT_INSN(),
 855         },
 856         .errstr = "invalid bpf_context access",
 857         .result = REJECT,
 858 },
 859 {
 860         "check __sk_buff->ifindex dw store not permitted",
 861         .insns = {
 862         BPF_MOV64_IMM(BPF_REG_0, 0),
 863         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 864                     offsetof(struct __sk_buff, ifindex)),
 865         BPF_EXIT_INSN(),
 866         },
 867         .errstr = "invalid bpf_context access",
 868         .result = REJECT,
 869 },
 870 {
 871         "check __sk_buff->ifindex dw load not permitted",
 872         .insns = {
 873         BPF_MOV64_IMM(BPF_REG_0, 0),
 874         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
 875                     offsetof(struct __sk_buff, ifindex)),
 876         BPF_EXIT_INSN(),
 877         },
 878         .errstr = "invalid bpf_context access",
 879         .result = REJECT,
 880 },
 881 {
 882         "check cb access: double, wrong type",
 883         .insns = {
 884         BPF_MOV64_IMM(BPF_REG_0, 0),
 885         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 886                     offsetof(struct __sk_buff, cb[0])),
 887         BPF_EXIT_INSN(),
 888         },
 889         .errstr = "invalid bpf_context access",
 890         .result = REJECT,
 891         .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
 892 },
 893 {
 894         "check out of range skb->cb access",
 895         .insns = {
 896         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 897                     offsetof(struct __sk_buff, cb[0]) + 256),
 898         BPF_EXIT_INSN(),
 899         },
 900         .errstr = "invalid bpf_context access",
 901         .errstr_unpriv = "",
 902         .result = REJECT,
 903         .prog_type = BPF_PROG_TYPE_SCHED_ACT,
 904 },
 905 {
 906         "write skb fields from socket prog",
 907         .insns = {
 908         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 909                     offsetof(struct __sk_buff, cb[4])),
 910         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
 911         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 912                     offsetof(struct __sk_buff, mark)),
 913         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 914                     offsetof(struct __sk_buff, tc_index)),
 915         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
 916         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
 917                     offsetof(struct __sk_buff, cb[0])),
 918         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
 919                     offsetof(struct __sk_buff, cb[2])),
 920         BPF_EXIT_INSN(),
 921         },
 922         .result = ACCEPT,
 923         .errstr_unpriv = "R1 leaks addr",
 924         .result_unpriv = REJECT,
 925 },
 926 {
 927         "write skb fields from tc_cls_act prog",
 928         .insns = {
 929         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 930                     offsetof(struct __sk_buff, cb[0])),
 931         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 932                     offsetof(struct __sk_buff, mark)),
 933         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 934                     offsetof(struct __sk_buff, tc_index)),
 935         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 936                     offsetof(struct __sk_buff, tc_index)),
 937         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 938                     offsetof(struct __sk_buff, cb[3])),
 939         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
 940                     offsetof(struct __sk_buff, tstamp)),
 941         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
 942                     offsetof(struct __sk_buff, tstamp)),
 943         BPF_EXIT_INSN(),
 944         },
 945         .errstr_unpriv = "",
 946         .result_unpriv = REJECT,
 947         .result = ACCEPT,
 948         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
 949 },
 950 {
 951         "check skb->data half load not permitted",
 952         .insns = {
 953         BPF_MOV64_IMM(BPF_REG_0, 0),
 954 #if __BYTE_ORDER == __LITTLE_ENDIAN
 955         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 956                     offsetof(struct __sk_buff, data)),
 957 #else
 958         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
 959                     offsetof(struct __sk_buff, data) + 2),
 960 #endif
 961         BPF_EXIT_INSN(),
 962         },
 963         .result = REJECT,
 964         .errstr = "invalid bpf_context access",
 965 },
 966 {
 967         "read gso_segs from CGROUP_SKB",
 968         .insns = {
 969         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
 970                     offsetof(struct __sk_buff, gso_segs)),
 971         BPF_MOV64_IMM(BPF_REG_0, 0),
 972         BPF_EXIT_INSN(),
 973         },
 974         .result = ACCEPT,
 975         .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
 976 },
 977 {
 978         "read gso_segs from CGROUP_SKB",
 979         .insns = {
 980         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
 981                     offsetof(struct __sk_buff, gso_segs)),
 982         BPF_MOV64_IMM(BPF_REG_0, 0),
 983         BPF_EXIT_INSN(),
 984         },
 985         .result = ACCEPT,
 986         .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
 987 },
 988 {
 989         "write gso_segs from CGROUP_SKB",
 990         .insns = {
 991         BPF_MOV64_IMM(BPF_REG_0, 0),
 992         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
 993                     offsetof(struct __sk_buff, gso_segs)),
 994         BPF_MOV64_IMM(BPF_REG_0, 0),
 995         BPF_EXIT_INSN(),
 996         },
 997         .result = REJECT,
 998         .result_unpriv = REJECT,
 999         .errstr = "invalid bpf_context access off=164 size=4",
1000         .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
1001 },
1002 {
1003         "read gso_segs from CLS",
1004         .insns = {
1005         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1006                     offsetof(struct __sk_buff, gso_segs)),
1007         BPF_MOV64_IMM(BPF_REG_0, 0),
1008         BPF_EXIT_INSN(),
1009         },
1010         .result = ACCEPT,
1011         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1012 },
1013 {
1014         "check wire_len is not readable by sockets",
1015         .insns = {
1016                 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1017                             offsetof(struct __sk_buff, wire_len)),
1018                 BPF_EXIT_INSN(),
1019         },
1020         .errstr = "invalid bpf_context access",
1021         .result = REJECT,
1022 },
1023 {
1024         "check wire_len is readable by tc classifier",
1025         .insns = {
1026                 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1027                             offsetof(struct __sk_buff, wire_len)),
1028                 BPF_EXIT_INSN(),
1029         },
1030         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1031         .result = ACCEPT,
1032 },
1033 {
1034         "check wire_len is not writable by tc classifier",
1035         .insns = {
1036                 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1037                             offsetof(struct __sk_buff, wire_len)),
1038                 BPF_EXIT_INSN(),
1039         },
1040         .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1041         .errstr = "invalid bpf_context access",
1042         .errstr_unpriv = "R1 leaks addr",
1043         .result = REJECT,
1044 },

/* [<][>][^][v][top][bottom][index][help] */