Loading...
Note: File does not exist in v5.4.
1/* Common tests */
2{
3 "map_kptr: BPF_ST imm != 0",
4 .insns = {
5 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6 BPF_LD_MAP_FD(BPF_REG_6, 0),
7 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
9 BPF_MOV64_IMM(BPF_REG_0, 0),
10 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
12 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13 BPF_EXIT_INSN(),
14 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
15 BPF_EXIT_INSN(),
16 },
17 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
18 .fixup_map_kptr = { 1 },
19 .result = REJECT,
20 .errstr = "BPF_ST imm must be 0 when storing to kptr at off=0",
21},
22{
23 "map_kptr: size != bpf_size_to_bytes(BPF_DW)",
24 .insns = {
25 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
26 BPF_LD_MAP_FD(BPF_REG_6, 0),
27 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
28 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
29 BPF_MOV64_IMM(BPF_REG_0, 0),
30 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
31 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
32 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
33 BPF_EXIT_INSN(),
34 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
35 BPF_EXIT_INSN(),
36 },
37 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
38 .fixup_map_kptr = { 1 },
39 .result = REJECT,
40 .errstr = "kptr access size must be BPF_DW",
41},
42{
43 "map_kptr: map_value non-const var_off",
44 .insns = {
45 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
46 BPF_LD_MAP_FD(BPF_REG_6, 0),
47 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
48 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
49 BPF_MOV64_IMM(BPF_REG_0, 0),
50 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
51 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
52 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
53 BPF_EXIT_INSN(),
54 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
55 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
56 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
57 BPF_EXIT_INSN(),
58 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
59 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
60 BPF_EXIT_INSN(),
61 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
62 BPF_EXIT_INSN(),
63 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
64 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
65 BPF_EXIT_INSN(),
66 },
67 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
68 .fixup_map_kptr = { 1 },
69 .result = REJECT,
70 .errstr = "kptr access cannot have variable offset",
71 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
72},
73{
74 "map_kptr: bpf_kptr_xchg non-const var_off",
75 .insns = {
76 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
77 BPF_LD_MAP_FD(BPF_REG_6, 0),
78 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
79 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
80 BPF_MOV64_IMM(BPF_REG_0, 0),
81 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
82 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
83 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
84 BPF_EXIT_INSN(),
85 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
86 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
87 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
88 BPF_EXIT_INSN(),
89 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
90 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
91 BPF_EXIT_INSN(),
92 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
93 BPF_EXIT_INSN(),
94 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
95 BPF_MOV64_REG(BPF_REG_1, BPF_REG_3),
96 BPF_MOV64_IMM(BPF_REG_2, 0),
97 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
98 BPF_EXIT_INSN(),
99 },
100 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
101 .fixup_map_kptr = { 1 },
102 .result = REJECT,
103 .errstr = "R1 doesn't have constant offset. kptr has to be at the constant offset",
104},
105{
106 "map_kptr: unaligned boundary load/store",
107 .insns = {
108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
109 BPF_LD_MAP_FD(BPF_REG_6, 0),
110 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
112 BPF_MOV64_IMM(BPF_REG_0, 0),
113 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
115 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
116 BPF_EXIT_INSN(),
117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 7),
118 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
119 BPF_EXIT_INSN(),
120 },
121 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
122 .fixup_map_kptr = { 1 },
123 .result = REJECT,
124 .errstr = "kptr access misaligned expected=0 off=7",
125 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
126},
127{
128 "map_kptr: reject var_off != 0",
129 .insns = {
130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
131 BPF_LD_MAP_FD(BPF_REG_6, 0),
132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
134 BPF_MOV64_IMM(BPF_REG_0, 0),
135 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
136 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
137 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
138 BPF_EXIT_INSN(),
139 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
140 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
141 BPF_EXIT_INSN(),
142 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
143 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
144 BPF_EXIT_INSN(),
145 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
146 BPF_EXIT_INSN(),
147 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
148 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
149 BPF_EXIT_INSN(),
150 },
151 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
152 .fixup_map_kptr = { 1 },
153 .result = REJECT,
154 .errstr = "variable untrusted_ptr_ access var_off=(0x0; 0x7) disallowed",
155},
156/* Tests for unreferenced PTR_TO_BTF_ID */
157{
158 "map_kptr: unref: reject btf_struct_ids_match == false",
159 .insns = {
160 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
161 BPF_LD_MAP_FD(BPF_REG_6, 0),
162 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
164 BPF_MOV64_IMM(BPF_REG_0, 0),
165 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
167 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
168 BPF_EXIT_INSN(),
169 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
170 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
171 BPF_EXIT_INSN(),
172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4),
173 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
174 BPF_EXIT_INSN(),
175 },
176 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
177 .fixup_map_kptr = { 1 },
178 .result = REJECT,
179 .errstr = "invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test",
180},
181{
182 "map_kptr: unref: loaded pointer marked as untrusted",
183 .insns = {
184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
185 BPF_LD_MAP_FD(BPF_REG_6, 0),
186 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
188 BPF_MOV64_IMM(BPF_REG_0, 0),
189 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
190 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
191 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
192 BPF_EXIT_INSN(),
193 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
194 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
195 BPF_EXIT_INSN(),
196 },
197 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
198 .fixup_map_kptr = { 1 },
199 .result = REJECT,
200 .errstr = "R0 invalid mem access 'untrusted_ptr_or_null_'",
201},
202{
203 "map_kptr: unref: correct in kernel type size",
204 .insns = {
205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206 BPF_LD_MAP_FD(BPF_REG_6, 0),
207 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
209 BPF_MOV64_IMM(BPF_REG_0, 0),
210 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
212 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
213 BPF_EXIT_INSN(),
214 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
215 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
216 BPF_EXIT_INSN(),
217 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 32),
218 BPF_EXIT_INSN(),
219 },
220 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
221 .fixup_map_kptr = { 1 },
222 .result = REJECT,
223 .errstr = "access beyond struct prog_test_ref_kfunc at off 32 size 8",
224},
225{
226 "map_kptr: unref: inherit PTR_UNTRUSTED on struct walk",
227 .insns = {
228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
229 BPF_LD_MAP_FD(BPF_REG_6, 0),
230 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
232 BPF_MOV64_IMM(BPF_REG_0, 0),
233 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
234 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
235 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
236 BPF_EXIT_INSN(),
237 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
238 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
239 BPF_EXIT_INSN(),
240 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16),
241 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
242 BPF_EXIT_INSN(),
243 },
244 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
245 .fixup_map_kptr = { 1 },
246 .result = REJECT,
247 .errstr = "R1 type=untrusted_ptr_ expected=percpu_ptr_",
248},
249{
250 "map_kptr: unref: no reference state created",
251 .insns = {
252 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
253 BPF_LD_MAP_FD(BPF_REG_6, 0),
254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
256 BPF_MOV64_IMM(BPF_REG_0, 0),
257 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
258 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
259 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
260 BPF_EXIT_INSN(),
261 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
262 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
263 BPF_EXIT_INSN(),
264 BPF_EXIT_INSN(),
265 },
266 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
267 .fixup_map_kptr = { 1 },
268 .result = ACCEPT,
269},
270{
271 "map_kptr: unref: bpf_kptr_xchg rejected",
272 .insns = {
273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
274 BPF_LD_MAP_FD(BPF_REG_6, 0),
275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
277 BPF_MOV64_IMM(BPF_REG_0, 0),
278 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
279 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
280 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
281 BPF_EXIT_INSN(),
282 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
283 BPF_MOV64_IMM(BPF_REG_2, 0),
284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
285 BPF_MOV64_IMM(BPF_REG_0, 0),
286 BPF_EXIT_INSN(),
287 },
288 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
289 .fixup_map_kptr = { 1 },
290 .result = REJECT,
291 .errstr = "off=0 kptr isn't referenced kptr",
292},
293/* Tests for referenced PTR_TO_BTF_ID */
294{
295 "map_kptr: ref: loaded pointer marked as untrusted",
296 .insns = {
297 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
298 BPF_LD_MAP_FD(BPF_REG_6, 0),
299 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
301 BPF_MOV64_IMM(BPF_REG_0, 0),
302 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
303 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
304 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
305 BPF_EXIT_INSN(),
306 BPF_MOV64_IMM(BPF_REG_1, 0),
307 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 8),
308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
309 BPF_EXIT_INSN(),
310 },
311 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
312 .fixup_map_kptr = { 1 },
313 .result = REJECT,
314 .errstr = "R1 type=rcu_ptr_or_null_ expected=percpu_ptr_",
315},
316{
317 "map_kptr: ref: reject off != 0",
318 .insns = {
319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
320 BPF_LD_MAP_FD(BPF_REG_6, 0),
321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
323 BPF_MOV64_IMM(BPF_REG_0, 0),
324 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
326 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
327 BPF_EXIT_INSN(),
328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
329 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
330 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
331 BPF_MOV64_IMM(BPF_REG_2, 0),
332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
333 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
334 BPF_EXIT_INSN(),
335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
338 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
340 BPF_EXIT_INSN(),
341 },
342 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 .fixup_map_kptr = { 1 },
344 .result = REJECT,
345 .errstr = "invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member",
346},
347{
348 "map_kptr: ref: reference state created and released on xchg",
349 .insns = {
350 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
351 BPF_LD_MAP_FD(BPF_REG_6, 0),
352 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
354 BPF_MOV64_IMM(BPF_REG_0, 0),
355 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
356 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
357 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
358 BPF_EXIT_INSN(),
359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
360 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
363 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
365 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
366 BPF_EXIT_INSN(),
367 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
368 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
370 BPF_MOV64_IMM(BPF_REG_0, 0),
371 BPF_EXIT_INSN(),
372 },
373 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
374 .fixup_map_kptr = { 1 },
375 .result = REJECT,
376 .errstr = "Unreleased reference id=5 alloc_insn=20",
377 .fixup_kfunc_btf_id = {
378 { "bpf_kfunc_call_test_acquire", 15 },
379 }
380},
381{
382 "map_kptr: ref: reject STX",
383 .insns = {
384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
385 BPF_LD_MAP_FD(BPF_REG_6, 0),
386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
388 BPF_MOV64_IMM(BPF_REG_0, 0),
389 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
391 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
392 BPF_EXIT_INSN(),
393 BPF_MOV64_REG(BPF_REG_1, 0),
394 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
395 BPF_EXIT_INSN(),
396 },
397 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
398 .fixup_map_kptr = { 1 },
399 .result = REJECT,
400 .errstr = "store to referenced kptr disallowed",
401},
402{
403 "map_kptr: ref: reject ST",
404 .insns = {
405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
406 BPF_LD_MAP_FD(BPF_REG_6, 0),
407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
409 BPF_MOV64_IMM(BPF_REG_0, 0),
410 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
412 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
413 BPF_EXIT_INSN(),
414 BPF_ST_MEM(BPF_DW, BPF_REG_0, 8, 0),
415 BPF_EXIT_INSN(),
416 },
417 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
418 .fixup_map_kptr = { 1 },
419 .result = REJECT,
420 .errstr = "store to referenced kptr disallowed",
421},
422{
423 "map_kptr: reject helper access to kptr",
424 .insns = {
425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
426 BPF_LD_MAP_FD(BPF_REG_6, 0),
427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
429 BPF_MOV64_IMM(BPF_REG_0, 0),
430 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
432 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
433 BPF_EXIT_INSN(),
434 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
436 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
437 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem),
438 BPF_EXIT_INSN(),
439 },
440 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
441 .fixup_map_kptr = { 1 },
442 .result = REJECT,
443 .errstr = "kptr cannot be accessed indirectly by helper",
444},