1 /* Common tests */ 2 { 3 "map_kptr: BPF_ST imm != 0", 4 .insns = { 5 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 6 BPF_LD_MAP_FD(BPF_REG_6, 0), 7 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 9 BPF_MOV64_IMM(BPF_REG_0, 0), 10 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 11 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 12 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 13 BPF_EXIT_INSN(), 14 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1), 15 BPF_EXIT_INSN(), 16 }, 17 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 18 .fixup_map_kptr = { 1 }, 19 .result = REJECT, 20 .errstr = "BPF_ST imm must be 0 when storing to kptr at off=0", 21 }, 22 { 23 "map_kptr: size != bpf_size_to_bytes(BPF_DW)", 24 .insns = { 25 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 26 BPF_LD_MAP_FD(BPF_REG_6, 0), 27 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 28 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 29 BPF_MOV64_IMM(BPF_REG_0, 0), 30 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 31 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 32 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 33 BPF_EXIT_INSN(), 34 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0), 35 BPF_EXIT_INSN(), 36 }, 37 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 38 .fixup_map_kptr = { 1 }, 39 .result = REJECT, 40 .errstr = "kptr access size must be BPF_DW", 41 }, 42 { 43 "map_kptr: map_value non-const var_off", 44 .insns = { 45 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 46 BPF_LD_MAP_FD(BPF_REG_6, 0), 47 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 48 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 49 BPF_MOV64_IMM(BPF_REG_0, 0), 50 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 51 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 52 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 53 BPF_EXIT_INSN(), 54 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 55 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 56 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1), 57 BPF_EXIT_INSN(), 58 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0), 59 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 60 BPF_EXIT_INSN(), 61 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 62 BPF_EXIT_INSN(), 63 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 64 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 65 BPF_EXIT_INSN(), 66 }, 67 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 68 .fixup_map_kptr = { 1 }, 69 .result = REJECT, 70 .errstr = "kptr access cannot have variable offset", 71 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 72 }, 73 { 74 "map_kptr: bpf_kptr_xchg non-const var_off", 75 .insns = { 76 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 77 BPF_LD_MAP_FD(BPF_REG_6, 0), 78 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 79 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 80 BPF_MOV64_IMM(BPF_REG_0, 0), 81 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 82 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 83 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 84 BPF_EXIT_INSN(), 85 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0), 86 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0), 87 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1), 88 BPF_EXIT_INSN(), 89 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0), 90 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 91 BPF_EXIT_INSN(), 92 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 93 BPF_EXIT_INSN(), 94 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), 95 BPF_MOV64_REG(BPF_REG_1, BPF_REG_3), 96 BPF_MOV64_IMM(BPF_REG_2, 0), 97 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 98 BPF_EXIT_INSN(), 99 }, 100 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 101 .fixup_map_kptr = { 1 }, 102 .result = REJECT, 103 .errstr = "R1 doesn't have constant offset. kptr has to be at the constant offset", 104 }, 105 { 106 "map_kptr: unaligned boundary load/store", 107 .insns = { 108 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 109 BPF_LD_MAP_FD(BPF_REG_6, 0), 110 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 111 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 112 BPF_MOV64_IMM(BPF_REG_0, 0), 113 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 114 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 115 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 116 BPF_EXIT_INSN(), 117 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 7), 118 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), 119 BPF_EXIT_INSN(), 120 }, 121 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 122 .fixup_map_kptr = { 1 }, 123 .result = REJECT, 124 .errstr = "kptr access misaligned expected=0 off=7", 125 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, 126 }, 127 { 128 "map_kptr: reject var_off != 0", 129 .insns = { 130 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 131 BPF_LD_MAP_FD(BPF_REG_6, 0), 132 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 133 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 134 BPF_MOV64_IMM(BPF_REG_0, 0), 135 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 136 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 137 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 138 BPF_EXIT_INSN(), 139 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 140 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 141 BPF_EXIT_INSN(), 142 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0), 143 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1), 144 BPF_EXIT_INSN(), 145 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1), 146 BPF_EXIT_INSN(), 147 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2), 148 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 149 BPF_EXIT_INSN(), 150 }, 151 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 152 .fixup_map_kptr = { 1 }, 153 .result = REJECT, 154 .errstr = "variable untrusted_ptr_ access var_off=(0x0; 0x7) disallowed", 155 }, 156 /* Tests for unreferenced PTR_TO_BTF_ID */ 157 { 158 "map_kptr: unref: reject btf_struct_ids_match == false", 159 .insns = { 160 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 161 BPF_LD_MAP_FD(BPF_REG_6, 0), 162 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 163 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 164 BPF_MOV64_IMM(BPF_REG_0, 0), 165 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 166 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 167 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 168 BPF_EXIT_INSN(), 169 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), 170 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), 171 BPF_EXIT_INSN(), 172 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4), 173 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0), 174 BPF_EXIT_INSN(), 175 }, 176 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 177 .fixup_map_kptr = { 1 }, 178 .result = REJECT, 179 .errstr = "invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test", 180 }, 181 { 182 "map_kptr: unref: loaded pointer marked as untrusted", 183 .insns = { 184 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 185 BPF_LD_MAP_FD(BPF_REG_6, 0), 186 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 187 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 188 BPF_MOV64_IMM(BPF_REG_0, 0), 189 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 190 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 191 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 192 BPF_EXIT_INSN(), 193 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 194 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0), 195 BPF_EXIT_INSN(), 196 }, 197 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 198 .fixup_map_kptr = { 1 }, 199 .result = REJECT, 200 .errstr = "R0 invalid mem access 'untrusted_ptr_or_null_'", 201 }, 202 { 203 "map_kptr: unref: correct in kernel type size", 204 .insns = { 205 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 206 BPF_LD_MAP_FD(BPF_REG_6, 0), 207 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 208 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 209 BPF_MOV64_IMM(BPF_REG_0, 0), 210 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 211 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 212 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 213 BPF_EXIT_INSN(), 214 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 215 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 216 BPF_EXIT_INSN(), 217 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 32), 218 BPF_EXIT_INSN(), 219 }, 220 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 221 .fixup_map_kptr = { 1 }, 222 .result = REJECT, 223 .errstr = "access beyond struct prog_test_ref_kfunc at off 32 size 8", 224 }, 225 { 226 "map_kptr: unref: inherit PTR_UNTRUSTED on struct walk", 227 .insns = { 228 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 229 BPF_LD_MAP_FD(BPF_REG_6, 0), 230 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 231 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 232 BPF_MOV64_IMM(BPF_REG_0, 0), 233 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 234 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 235 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 236 BPF_EXIT_INSN(), 237 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 238 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 239 BPF_EXIT_INSN(), 240 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16), 241 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr), 242 BPF_EXIT_INSN(), 243 }, 244 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 245 .fixup_map_kptr = { 1 }, 246 .result = REJECT, 247 .errstr = "R1 type=untrusted_ptr_ expected=percpu_ptr_", 248 }, 249 { 250 "map_kptr: unref: no reference state created", 251 .insns = { 252 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 253 BPF_LD_MAP_FD(BPF_REG_6, 0), 254 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 255 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 256 BPF_MOV64_IMM(BPF_REG_0, 0), 257 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 258 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 259 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 260 BPF_EXIT_INSN(), 261 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), 262 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 263 BPF_EXIT_INSN(), 264 BPF_EXIT_INSN(), 265 }, 266 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 267 .fixup_map_kptr = { 1 }, 268 .result = ACCEPT, 269 }, 270 { 271 "map_kptr: unref: bpf_kptr_xchg rejected", 272 .insns = { 273 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 274 BPF_LD_MAP_FD(BPF_REG_6, 0), 275 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 276 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 277 BPF_MOV64_IMM(BPF_REG_0, 0), 278 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 279 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 280 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 281 BPF_EXIT_INSN(), 282 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 283 BPF_MOV64_IMM(BPF_REG_2, 0), 284 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 285 BPF_MOV64_IMM(BPF_REG_0, 0), 286 BPF_EXIT_INSN(), 287 }, 288 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 289 .fixup_map_kptr = { 1 }, 290 .result = REJECT, 291 .errstr = "off=0 kptr isn't referenced kptr", 292 }, 293 /* Tests for referenced PTR_TO_BTF_ID */ 294 { 295 "map_kptr: ref: loaded pointer marked as untrusted", 296 .insns = { 297 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 298 BPF_LD_MAP_FD(BPF_REG_6, 0), 299 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 300 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 301 BPF_MOV64_IMM(BPF_REG_0, 0), 302 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 303 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 304 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 305 BPF_EXIT_INSN(), 306 BPF_MOV64_IMM(BPF_REG_1, 0), 307 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 8), 308 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr), 309 BPF_EXIT_INSN(), 310 }, 311 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 312 .fixup_map_kptr = { 1 }, 313 .result = REJECT, 314 .errstr = "R1 type=rcu_ptr_or_null_ expected=percpu_ptr_", 315 }, 316 { 317 "map_kptr: ref: reject off != 0", 318 .insns = { 319 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 320 BPF_LD_MAP_FD(BPF_REG_6, 0), 321 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 322 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 323 BPF_MOV64_IMM(BPF_REG_0, 0), 324 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 325 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 326 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 327 BPF_EXIT_INSN(), 328 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 329 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 330 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 331 BPF_MOV64_IMM(BPF_REG_2, 0), 332 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 333 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 334 BPF_EXIT_INSN(), 335 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 336 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8), 337 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 338 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 339 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 340 BPF_EXIT_INSN(), 341 }, 342 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 343 .fixup_map_kptr = { 1 }, 344 .result = REJECT, 345 .errstr = "invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member", 346 }, 347 { 348 "map_kptr: ref: reference state created and released on xchg", 349 .insns = { 350 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 351 BPF_LD_MAP_FD(BPF_REG_6, 0), 352 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 354 BPF_MOV64_IMM(BPF_REG_0, 0), 355 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 356 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 357 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 358 BPF_EXIT_INSN(), 359 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8), 360 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 361 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), 362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), 363 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0), 364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0), 365 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 366 BPF_EXIT_INSN(), 367 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), 368 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 369 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg), 370 BPF_MOV64_IMM(BPF_REG_0, 0), 371 BPF_EXIT_INSN(), 372 }, 373 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 374 .fixup_map_kptr = { 1 }, 375 .result = REJECT, 376 .errstr = "Unreleased reference id=5 alloc_insn=20", 377 .fixup_kfunc_btf_id = { 378 { "bpf_kfunc_call_test_acquire", 15 }, 379 } 380 }, 381 { 382 "map_kptr: ref: reject STX", 383 .insns = { 384 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 385 BPF_LD_MAP_FD(BPF_REG_6, 0), 386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 388 BPF_MOV64_IMM(BPF_REG_0, 0), 389 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 390 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 391 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 392 BPF_EXIT_INSN(), 393 BPF_MOV64_REG(BPF_REG_1, 0), 394 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8), 395 BPF_EXIT_INSN(), 396 }, 397 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 398 .fixup_map_kptr = { 1 }, 399 .result = REJECT, 400 .errstr = "store to referenced kptr disallowed", 401 }, 402 { 403 "map_kptr: ref: reject ST", 404 .insns = { 405 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 406 BPF_LD_MAP_FD(BPF_REG_6, 0), 407 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 408 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 409 BPF_MOV64_IMM(BPF_REG_0, 0), 410 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 411 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 412 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 413 BPF_EXIT_INSN(), 414 BPF_ST_MEM(BPF_DW, BPF_REG_0, 8, 0), 415 BPF_EXIT_INSN(), 416 }, 417 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 418 .fixup_map_kptr = { 1 }, 419 .result = REJECT, 420 .errstr = "store to referenced kptr disallowed", 421 }, 422 { 423 "map_kptr: reject helper access to kptr", 424 .insns = { 425 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 426 BPF_LD_MAP_FD(BPF_REG_6, 0), 427 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 428 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 429 BPF_MOV64_IMM(BPF_REG_0, 0), 430 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0), 431 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 432 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 433 BPF_EXIT_INSN(), 434 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 435 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), 436 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 437 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem), 438 BPF_EXIT_INSN(), 439 }, 440 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 441 .fixup_map_kptr = { 1 }, 442 .result = REJECT, 443 .errstr = "kptr cannot be accessed indirectly by helper", 444 }, 445