0001
0002 {
0003 "map_kptr: BPF_ST imm != 0",
/*
 * Negative test: an 8-byte immediate store of the value 1 into the kptr
 * slot at map value offset 0 must be refused. Per the expected message the
 * only immediate accepted there is 0 (NULL), so a program cannot write an
 * arbitrary constant over a typed kernel pointer.
 */
0004 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0005 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0006 BPF_LD_MAP_FD(BPF_REG_6, 0),
0007 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0008 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0009 BPF_MOV64_IMM(BPF_REG_0, 0),
0010 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0011 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0012 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0013 BPF_EXIT_INSN(),
/* The store under test: BPF_DW at offset 0 with imm = 1. */
0014 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
0015 BPF_EXIT_INSN(),
0016 },
0017 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0018 .fixup_map_kptr = { 1 },
0019 .result = REJECT,
0020 .errstr = "BPF_ST imm must be 0 when storing to kptr at off=0",
0021 },
0022 {
0023 "map_kptr: size != bpf_size_to_bytes(BPF_DW)",
/*
 * Negative test: a 4-byte (BPF_W) store of 0 to the kptr slot at map value
 * offset 0 must be refused. A narrower write would change only part of the
 * stored pointer, so the verifier is expected to insist on BPF_DW accesses.
 */
0024 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0025 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0026 BPF_LD_MAP_FD(BPF_REG_6, 0),
0027 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0028 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0029 BPF_MOV64_IMM(BPF_REG_0, 0),
0030 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0031 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0032 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0033 BPF_EXIT_INSN(),
/* The store under test: BPF_W (not BPF_DW) at offset 0. */
0034 BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
0035 BPF_EXIT_INSN(),
0036 },
0037 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0038 .fixup_map_kptr = { 1 },
0039 .result = REJECT,
0040 .errstr = "kptr access size must be BPF_DW",
0041 },
0042 {
0043 "map_kptr: map_value non-const var_off",
/*
 * Negative test: the map value pointer is advanced by a bounded but
 * non-constant amount and then used for an 8-byte load. Because the access
 * may land on a kptr slot, the verifier is expected to refuse it: it cannot
 * tell statically which slot, if any, is touched.
 */
0044 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0045 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0046 BPF_LD_MAP_FD(BPF_REG_6, 0),
0047 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0048 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0049 BPF_MOV64_IMM(BPF_REG_0, 0),
0050 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0051 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0052 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0053 BPF_EXIT_INSN(),
/* R3 keeps a copy of the map value pointer; R2 = kptr loaded from offset 0. */
0054 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
0055 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
/* Exit when the loaded kptr is NULL. */
0056 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
0057 BPF_EXIT_INSN(),
/* R2 = 32-bit word read through the kptr: a value unknown at verification time. */
0058 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
/* Continue only with R2 <= 4 and R2 >= 0, i.e. bounded but not constant. */
0059 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
0060 BPF_EXIT_INSN(),
0061 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
0062 BPF_EXIT_INSN(),
/* Map value pointer + variable offset, then the 8-byte load under test. */
0063 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
0064 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
0065 BPF_EXIT_INSN(),
0066 },
0067 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0068 .fixup_map_kptr = { 1 },
0069 .result = REJECT,
0070 .errstr = "kptr access cannot have variable offset",
0071 },
0072 {
0073 "map_kptr: bpf_kptr_xchg non-const var_off",
/*
 * Negative test: bpf_kptr_xchg() is called with a map value pointer that
 * carries a bounded but non-constant offset. The helper's first argument
 * must identify one specific kptr slot, so the verifier is expected to
 * require a constant offset in R1.
 */
0074 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0075 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0076 BPF_LD_MAP_FD(BPF_REG_6, 0),
0077 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0078 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0079 BPF_MOV64_IMM(BPF_REG_0, 0),
0080 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0081 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0082 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0083 BPF_EXIT_INSN(),
/* R3 keeps a copy of the map value pointer; R2 = kptr loaded from offset 0. */
0084 BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
0085 BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
/* Exit when the loaded kptr is NULL. */
0086 BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
0087 BPF_EXIT_INSN(),
/* R2 = 32-bit word read through the kptr: a value unknown at verification time. */
0088 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2, 0),
/* Continue only with R2 <= 4 and R2 >= 0, i.e. bounded but not constant. */
0089 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
0090 BPF_EXIT_INSN(),
0091 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
0092 BPF_EXIT_INSN(),
/* R1 = map value pointer + variable offset, R2 = NULL, then the call under test. */
0093 BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
0094 BPF_MOV64_REG(BPF_REG_1, BPF_REG_3),
0095 BPF_MOV64_IMM(BPF_REG_2, 0),
0096 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
0097 BPF_EXIT_INSN(),
0098 },
0099 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0100 .fixup_map_kptr = { 1 },
0101 .result = REJECT,
0102 .errstr = "R1 doesn't have constant offset. kptr has to be at the constant offset",
0103 },
0104 {
0105 "map_kptr: unaligned boundary load/store",
/*
 * Negative test: an 8-byte store at map value offset 7. The write starts on
 * the last byte of the kptr slot at offset 0 and runs past its end, so it
 * would corrupt part of the stored pointer. The verifier is expected to
 * report the access as misaligned relative to the slot (expected=0 off=7).
 */
0106 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0107 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0108 BPF_LD_MAP_FD(BPF_REG_6, 0),
0109 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0110 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0111 BPF_MOV64_IMM(BPF_REG_0, 0),
0112 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0113 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0114 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0115 BPF_EXIT_INSN(),
/* Constant offset 7 into the map value, then the BPF_DW store under test. */
0116 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 7),
0117 BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
0118 BPF_EXIT_INSN(),
0119 },
0120 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0121 .fixup_map_kptr = { 1 },
0122 .result = REJECT,
0123 .errstr = "kptr access misaligned expected=0 off=7",
0124 },
0125 {
0126 "map_kptr: reject var_off != 0",
/*
 * Negative test: a pointer loaded from the kptr slot at offset 0 is advanced
 * by a bounded but non-constant amount and then stored back into the slot.
 * The expected message shows the verifier refusing a variable offset on the
 * pointer being stored (var_off=(0x0; 0x7)).
 */
0127 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0128 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0129 BPF_LD_MAP_FD(BPF_REG_6, 0),
0130 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0131 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0132 BPF_MOV64_IMM(BPF_REG_0, 0),
0133 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0134 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0135 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0136 BPF_EXIT_INSN(),
/* R1 = kptr loaded from offset 0; exit when it is NULL. */
0137 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
0138 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0139 BPF_EXIT_INSN(),
/* R2 = 32-bit word read through the kptr: a value unknown at verification time. */
0140 BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
/* Continue only with R2 <= 4 and R2 >= 0, i.e. bounded but not constant. */
0141 BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 1),
0142 BPF_EXIT_INSN(),
0143 BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
0144 BPF_EXIT_INSN(),
/* Loaded kptr + variable offset, then the store back to offset 0 under test. */
0145 BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
0146 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
0147 BPF_EXIT_INSN(),
0148 },
0149 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0150 .fixup_map_kptr = { 1 },
0151 .result = REJECT,
0152 .errstr = "variable untrusted_ptr_ access var_off=(0x0; 0x7) disallowed",
0153 },
0154
0155 {
0156 "map_kptr: unref: reject btf_struct_ids_match == false",
/*
 * Negative test: a pointer loaded from the unreferenced kptr slot at offset
 * 0 is moved forward by a constant 4 bytes and stored back. Per the expected
 * message the pointer's type at that offset does not match the type the slot
 * expects, so the store must be refused rather than leaving a mistyped
 * pointer in the map.
 */
0157 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0158 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0159 BPF_LD_MAP_FD(BPF_REG_6, 0),
0160 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0161 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0162 BPF_MOV64_IMM(BPF_REG_0, 0),
0163 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0164 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0165 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0166 BPF_EXIT_INSN(),
/* R1 = kptr loaded from offset 0; exit when it is NULL. */
0167 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
0168 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
0169 BPF_EXIT_INSN(),
/* Constant +4 on the loaded pointer, then the store back to offset 0 under test. */
0170 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 4),
0171 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
0172 BPF_EXIT_INSN(),
0173 },
0174 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0175 .fixup_map_kptr = { 1 },
0176 .result = REJECT,
0177 .errstr = "invalid kptr access, R1 type=untrusted_ptr_prog_test_ref_kfunc expected=ptr_prog_test",
0178 },
0179 {
0180 "map_kptr: unref: loaded pointer marked as untrusted",
/*
 * Negative test: the kptr loaded from offset 0 is dereferenced without a
 * NULL check. The expected message shows the verifier typing the loaded
 * value as untrusted and possibly NULL, and refusing the dereference.
 */
0181 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0182 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0183 BPF_LD_MAP_FD(BPF_REG_6, 0),
0184 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0185 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0186 BPF_MOV64_IMM(BPF_REG_0, 0),
0187 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0188 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0189 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0190 BPF_EXIT_INSN(),
/* R0 = kptr loaded from offset 0, immediately dereferenced with no NULL check. */
0191 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
0192 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
0193 BPF_EXIT_INSN(),
0194 },
0195 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0196 .fixup_map_kptr = { 1 },
0197 .result = REJECT,
0198 .errstr = "R0 invalid mem access 'untrusted_ptr_or_null_'",
0199 },
0200 {
0201 "map_kptr: unref: correct in kernel type size",
/*
 * Negative test: after a NULL check, the program reads 8 bytes at offset 32
 * of the object the kptr points to. Per the expected message that range lies
 * beyond struct prog_test_ref_kfunc, so the verifier is bounding reads
 * through the kptr by the size of the pointee's kernel type.
 */
0202 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0203 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0204 BPF_LD_MAP_FD(BPF_REG_6, 0),
0205 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0206 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0207 BPF_MOV64_IMM(BPF_REG_0, 0),
0208 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0209 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0210 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0211 BPF_EXIT_INSN(),
/* R0 = kptr loaded from offset 0; exit when it is NULL. */
0212 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
0213 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0214 BPF_EXIT_INSN(),
/* The load under test: BPF_DW at offset 32 of the pointee. */
0215 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 32),
0216 BPF_EXIT_INSN(),
0217 },
0218 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0219 .fixup_map_kptr = { 1 },
0220 .result = REJECT,
0221 .errstr = "access beyond struct prog_test_ref_kfunc at off 32 size 8",
0222 },
0223 {
0224 "map_kptr: unref: inherit PTR_UNTRUSTED on struct walk",
/*
 * Negative test: a field at offset 16 of the kptr's pointee is loaded and
 * passed to bpf_this_cpu_ptr(). The expected message shows that the value
 * obtained by walking through an untrusted pointer is itself typed
 * untrusted_ptr_, so it is not accepted where a percpu pointer is required.
 */
0225 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0226 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0227 BPF_LD_MAP_FD(BPF_REG_6, 0),
0228 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0229 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0230 BPF_MOV64_IMM(BPF_REG_0, 0),
0231 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0232 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0233 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0234 BPF_EXIT_INSN(),
/* R0 = kptr loaded from offset 0; exit when it is NULL. */
0235 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
0236 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0237 BPF_EXIT_INSN(),
/* R1 = 8-byte field at offset 16 of the pointee, handed to the helper under test. */
0238 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 16),
0239 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
0240 BPF_EXIT_INSN(),
0241 },
0242 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0243 .fixup_map_kptr = { 1 },
0244 .result = REJECT,
0245 .errstr = "R1 type=untrusted_ptr_ expected=percpu_ptr_",
0246 },
0247 {
0248 "map_kptr: unref: no reference state created",
/*
 * Positive test (the only ACCEPT case in this group): the kptr at offset 0
 * is loaded, NULL-checked, and the program exits without releasing it.
 * Acceptance shows that a plain load from the unreferenced slot leaves
 * nothing to release; presumably an acquired reference would instead be
 * reported as unreleased at exit - confirm against the verifier.
 */
0249 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0250 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0251 BPF_LD_MAP_FD(BPF_REG_6, 0),
0252 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0253 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0254 BPF_MOV64_IMM(BPF_REG_0, 0),
0255 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0256 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0257 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0258 BPF_EXIT_INSN(),
/* R0 = kptr loaded from offset 0. */
0259 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
/* Two exits: the first is the NULL path, the second is the jump target for non-NULL. */
0260 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0261 BPF_EXIT_INSN(),
0262 BPF_EXIT_INSN(),
0263 },
0264 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0265 .fixup_map_kptr = { 1 },
0266 .result = ACCEPT,
0267 },
0268 {
0269 "map_kptr: unref: bpf_kptr_xchg rejected",
/*
 * Negative test: bpf_kptr_xchg() is pointed at map value offset 0. Per the
 * expected message the slot there is not a referenced kptr, so the exchange
 * helper, which transfers ownership of a reference, must not operate on it.
 */
0270 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0271 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0272 BPF_LD_MAP_FD(BPF_REG_6, 0),
0273 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0274 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0275 BPF_MOV64_IMM(BPF_REG_0, 0),
0276 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0277 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0278 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0279 BPF_EXIT_INSN(),
/* R1 = map value at offset 0, R2 = NULL, then the call under test. */
0280 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0281 BPF_MOV64_IMM(BPF_REG_2, 0),
0282 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
0283 BPF_MOV64_IMM(BPF_REG_0, 0),
0284 BPF_EXIT_INSN(),
0285 },
0286 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0287 .fixup_map_kptr = { 1 },
0288 .result = REJECT,
0289 .errstr = "off=0 kptr isn't referenced kptr",
0290 },
0291 {
0292 "map_kptr: unref: bpf_kfunc_call_test_kptr_get rejected",
/*
 * Negative test: the kfunc bpf_kfunc_call_test_kptr_get is called with the
 * map value at offset 0 as its first argument. Per the expected message the
 * argument must address a referenced kptr, and the slot at offset 0 is not
 * one, so the call is refused.
 */
0293 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0294 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0295 BPF_LD_MAP_FD(BPF_REG_6, 0),
0296 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0297 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0298 BPF_MOV64_IMM(BPF_REG_0, 0),
0299 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0300 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0301 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0302 BPF_EXIT_INSN(),
/* R1 = map value at offset 0, R2 = 0, R3 = 0. */
0303 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0304 BPF_MOV64_IMM(BPF_REG_2, 0),
0305 BPF_MOV64_IMM(BPF_REG_3, 0),
/* Kfunc call with imm 0 as a placeholder; see .fixup_kfunc_btf_id below. */
0306 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
0307 BPF_MOV64_IMM(BPF_REG_0, 0),
0308 BPF_EXIT_INSN(),
0309 },
0310 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0311 .fixup_map_kptr = { 1 },
0312 .result = REJECT,
0313 .errstr = "arg#0 no referenced kptr at map value offset=0",
/*
 * 13 is the position of the kfunc call above when BPF_LD_MAP_FD is counted
 * as two instruction slots; presumably the harness writes the kfunc's BTF id
 * into that instruction's imm - confirm. Inserting or removing instructions
 * before the call requires updating this index.
 */
0314 .fixup_kfunc_btf_id = {
0315 { "bpf_kfunc_call_test_kptr_get", 13 },
0316 }
0317 },
0318
0319 {
0320 "map_kptr: ref: loaded pointer marked as untrusted",
/*
 * Negative test: the kptr slot at map value offset 8 is read with a plain
 * load and the result is passed to bpf_this_cpu_ptr(). The expected message
 * shows the loaded value typed as untrusted and possibly NULL, so a direct
 * load from this slot does not hand the program a trusted pointer.
 */
0321 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0322 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0323 BPF_LD_MAP_FD(BPF_REG_6, 0),
0324 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0325 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0326 BPF_MOV64_IMM(BPF_REG_0, 0),
0327 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0328 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0329 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0330 BPF_EXIT_INSN(),
/* The R1 = 0 below is overwritten by the load that follows it. */
0331 BPF_MOV64_IMM(BPF_REG_1, 0),
/* R1 = kptr loaded from offset 8 (no NULL check), handed to the helper under test. */
0332 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 8),
0333 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_this_cpu_ptr),
0334 BPF_EXIT_INSN(),
0335 },
0336 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0337 .fixup_map_kptr = { 1 },
0338 .result = REJECT,
0339 .errstr = "R1 type=untrusted_ptr_or_null_ expected=percpu_ptr_",
0340 },
0341 {
0342 "map_kptr: ref: reject off != 0",
/*
 * Negative test: a pointer obtained from the slot at map value offset 8 via
 * bpf_kptr_xchg() is advanced by 8 bytes and then exchanged into the slot at
 * map value offset 16. Per the expected message the second slot expects
 * ptr_prog_test_member while R2 is typed ptr_prog_test_ref_kfunc, so the
 * verifier must refuse to store the offset pointer there.
 */
0343 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0344 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0345 BPF_LD_MAP_FD(BPF_REG_6, 0),
0346 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0347 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0348 BPF_MOV64_IMM(BPF_REG_0, 0),
0349 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0350 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0351 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0352 BPF_EXIT_INSN(),
/* R0 = map value + 8; R7 keeps that address across the helper call. */
0353 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0354 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
/* First exchange: slot at offset 8 <- NULL; the helper's result lands in R0. */
0355 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0356 BPF_MOV64_IMM(BPF_REG_2, 0),
0357 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
/* Exit when the exchange returned NULL. */
0358 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0359 BPF_EXIT_INSN(),
/* R1 = map value + 16 (the next slot). */
0360 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
0361 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
/* R2 = returned pointer + 8, then the second exchange, which is under test. */
0362 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0363 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0364 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
0365 BPF_EXIT_INSN(),
0366 },
0367 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0368 .fixup_map_kptr = { 1 },
0369 .result = REJECT,
0370 .errstr = "invalid kptr access, R2 type=ptr_prog_test_ref_kfunc expected=ptr_prog_test_member",
0371 },
0372 {
0373 "map_kptr: ref: reference state created and released on xchg",
/*
 * Negative test despite the title: a reference acquired from the kfunc
 * bpf_kfunc_call_test_acquire is moved into the slot at map value offset 8
 * with bpf_kptr_xchg(), and the helper's return value is then discarded.
 * The expected message names alloc_insn=20, which is the bpf_kptr_xchg call
 * (BPF_LD_MAP_FD counted as two slots), so the reference reported as leaked
 * is the one the exchange returned, not the one handed to it.
 */
0374 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0375 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0376 BPF_LD_MAP_FD(BPF_REG_6, 0),
0377 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0378 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0379 BPF_MOV64_IMM(BPF_REG_0, 0),
0380 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0381 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0382 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0383 BPF_EXIT_INSN(),
/* R0 = map value + 8; R7 keeps that address across the calls. */
0384 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
0385 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
/* R1 = fp - 8, pointing at 8 zeroed stack bytes, as the kfunc's argument. */
0386 BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
0387 BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
0388 BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
/* Kfunc call with imm 0 as a placeholder; see .fixup_kfunc_btf_id below. */
0389 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
/* Exit when the kfunc returned NULL. */
0390 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0391 BPF_EXIT_INSN(),
/* Exchange: slot at offset 8 <- pointer returned by the kfunc. */
0392 BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
0393 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0394 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_kptr_xchg),
/* R0 is overwritten here, dropping the helper's return value before exit. */
0395 BPF_MOV64_IMM(BPF_REG_0, 0),
0396 BPF_EXIT_INSN(),
0397 },
0398 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0399 .fixup_map_kptr = { 1 },
0400 .result = REJECT,
0401 .errstr = "Unreleased reference id=5 alloc_insn=20",
/*
 * 15 is the position of the kfunc call above when BPF_LD_MAP_FD is counted
 * as two instruction slots; presumably the harness writes the kfunc's BTF id
 * into that instruction's imm - confirm. Both this index and alloc_insn in
 * .errstr depend on the exact instruction count.
 */
0402 .fixup_kfunc_btf_id = {
0403 { "bpf_kfunc_call_test_acquire", 15 },
0404 }
0405 },
0406 {
0407 "map_kptr: ref: reject STX",
/*
 * Negative test: a register store (BPF_STX) of 8 bytes to map value offset
 * 8. Per the expected message that slot holds a referenced kptr and plain
 * stores to it are disallowed; presumably because a direct store would
 * overwrite the held reference without releasing it - confirm.
 */
0408 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0409 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0410 BPF_LD_MAP_FD(BPF_REG_6, 0),
0411 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0412 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0413 BPF_MOV64_IMM(BPF_REG_0, 0),
0414 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0415 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0417 BPF_EXIT_INSN(),
/*
 * NOTE(review): the source operand is the literal 0, which is the same value
 * as BPF_REG_0, so this copies the map value pointer into R1 instead of
 * loading the constant 0. BPF_MOV64_IMM(BPF_REG_1, 0) may have been intended;
 * confirm that the expected message is still produced before changing it.
 */
0418 BPF_MOV64_REG(BPF_REG_1, 0),
/* The store under test: BPF_DW from R1 to map value offset 8. */
0419 BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
0420 BPF_EXIT_INSN(),
0421 },
0422 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0423 .fixup_map_kptr = { 1 },
0424 .result = REJECT,
0425 .errstr = "store to referenced kptr disallowed",
0426 },
0427 {
0428 "map_kptr: ref: reject ST",
/*
 * Negative test: an immediate store (BPF_ST) of 0 as 8 bytes to map value
 * offset 8. Per the expected message that slot holds a referenced kptr, and
 * even a NULL immediate must be refused there; presumably because a direct
 * store would overwrite the held reference without releasing it - confirm.
 */
0429 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0430 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0431 BPF_LD_MAP_FD(BPF_REG_6, 0),
0432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0433 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0434 BPF_MOV64_IMM(BPF_REG_0, 0),
0435 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0436 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0437 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0438 BPF_EXIT_INSN(),
/* The store under test: BPF_DW imm 0 at map value offset 8. */
0439 BPF_ST_MEM(BPF_DW, BPF_REG_0, 8, 0),
0440 BPF_EXIT_INSN(),
0441 },
0442 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0443 .fixup_map_kptr = { 1 },
0444 .result = REJECT,
0445 .errstr = "store to referenced kptr disallowed",
0446 },
0447 {
0448 "map_kptr: reject helper access to kptr",
/*
 * Negative test: a pointer into the map value at offset 2 is passed to
 * bpf_map_delete_elem() as the key argument, so the helper would read memory
 * that overlaps the kptr slot at offset 0. The verifier is expected to
 * refuse any helper access that reaches a kptr through a memory argument,
 * because such an access bypasses the per-instruction kptr checks.
 */
0449 .insns = {
/* Prologue: R2 = fp - 4 points at a zeroed 4-byte key, R1 = map (from R6). */
0450 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0451 BPF_LD_MAP_FD(BPF_REG_6, 0),
0452 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0453 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0454 BPF_MOV64_IMM(BPF_REG_0, 0),
0455 BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
0456 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
/* Exit when the lookup returned NULL; otherwise R0 is the map value. */
0457 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0458 BPF_EXIT_INSN(),
/* R1 = map (from R6); R2 = map value + 2, used as the helper's key pointer. */
0459 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0460 BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
0461 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
/* The call under test; presumably the key is 4 bytes, as in the prologue - confirm. */
0462 BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_delete_elem),
0463 BPF_EXIT_INSN(),
0464 },
0465 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
/* Insn 1 is BPF_LD_MAP_FD; presumably the harness patches the kptr map fd in there - confirm. */
0466 .fixup_map_kptr = { 1 },
0467 .result = REJECT,
0468 .errstr = "kptr cannot be accessed indirectly by helper",
0469 },