0001 {
0002 "skb->sk: no NULL check",
0003 .insns = {
0004 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0005 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
0006 BPF_MOV64_IMM(BPF_REG_0, 0),
0007 BPF_EXIT_INSN(),
0008 },
0009 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0010 .result = REJECT,
0011 .errstr = "invalid mem access 'sock_common_or_null'",
0012 },
0013 {
0014 "skb->sk: sk->family [non fullsock field]",
0015 .insns = {
0016 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0017 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0018 BPF_MOV64_IMM(BPF_REG_0, 0),
0019 BPF_EXIT_INSN(),
0020 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, family)),
0021 BPF_MOV64_IMM(BPF_REG_0, 0),
0022 BPF_EXIT_INSN(),
0023 },
0024 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0025 .result = ACCEPT,
0026 },
0027 {
0028 "skb->sk: sk->type [fullsock field]",
0029 .insns = {
0030 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0031 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0032 BPF_MOV64_IMM(BPF_REG_0, 0),
0033 BPF_EXIT_INSN(),
0034 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, type)),
0035 BPF_MOV64_IMM(BPF_REG_0, 0),
0036 BPF_EXIT_INSN(),
0037 },
0038 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0039 .result = REJECT,
0040 .errstr = "invalid sock_common access",
0041 },
0042 {
0043 "bpf_sk_fullsock(skb->sk): no !skb->sk check",
0044 .insns = {
0045 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0046 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0047 BPF_MOV64_IMM(BPF_REG_0, 0),
0048 BPF_EXIT_INSN(),
0049 },
0050 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0051 .result = REJECT,
0052 .errstr = "type=sock_common_or_null expected=sock_common",
0053 },
0054 {
0055 "sk_fullsock(skb->sk): no NULL check on ret",
0056 .insns = {
0057 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0058 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0059 BPF_MOV64_IMM(BPF_REG_0, 0),
0060 BPF_EXIT_INSN(),
0061 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0062 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
0063 BPF_MOV64_IMM(BPF_REG_0, 0),
0064 BPF_EXIT_INSN(),
0065 },
0066 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0067 .result = REJECT,
0068 .errstr = "invalid mem access 'sock_or_null'",
0069 },
0070 {
0071 "sk_fullsock(skb->sk): sk->type [fullsock field]",
0072 .insns = {
0073 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0074 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0075 BPF_MOV64_IMM(BPF_REG_0, 0),
0076 BPF_EXIT_INSN(),
0077 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0078 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0079 BPF_MOV64_IMM(BPF_REG_0, 0),
0080 BPF_EXIT_INSN(),
0081 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
0082 BPF_MOV64_IMM(BPF_REG_0, 0),
0083 BPF_EXIT_INSN(),
0084 },
0085 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0086 .result = ACCEPT,
0087 },
0088 {
0089 "sk_fullsock(skb->sk): sk->family [non fullsock field]",
0090 .insns = {
0091 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0092 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0093 BPF_MOV64_IMM(BPF_REG_0, 0),
0094 BPF_EXIT_INSN(),
0095 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0096 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0097 BPF_EXIT_INSN(),
0098 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, family)),
0099 BPF_MOV64_IMM(BPF_REG_0, 0),
0100 BPF_EXIT_INSN(),
0101 },
0102 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0103 .result = ACCEPT,
0104 },
0105 {
0106 "sk_fullsock(skb->sk): sk->state [narrow load]",
0107 .insns = {
0108 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0109 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0110 BPF_MOV64_IMM(BPF_REG_0, 0),
0111 BPF_EXIT_INSN(),
0112 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0113 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0114 BPF_MOV64_IMM(BPF_REG_0, 0),
0115 BPF_EXIT_INSN(),
0116 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, state)),
0117 BPF_MOV64_IMM(BPF_REG_0, 0),
0118 BPF_EXIT_INSN(),
0119 },
0120 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0121 .result = ACCEPT,
0122 },
0123 {
0124 "sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)",
0125 .insns = {
0126 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0127 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0128 BPF_MOV64_IMM(BPF_REG_0, 0),
0129 BPF_EXIT_INSN(),
0130 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0131 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0132 BPF_MOV64_IMM(BPF_REG_0, 0),
0133 BPF_EXIT_INSN(),
0134 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
0135 BPF_MOV64_IMM(BPF_REG_0, 0),
0136 BPF_EXIT_INSN(),
0137 },
0138 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0139 .result = ACCEPT,
0140 },
0141 {
0142 "sk_fullsock(skb->sk): sk->dst_port [half load]",
0143 .insns = {
0144 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0145 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0146 BPF_MOV64_IMM(BPF_REG_0, 0),
0147 BPF_EXIT_INSN(),
0148 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0149 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0150 BPF_MOV64_IMM(BPF_REG_0, 0),
0151 BPF_EXIT_INSN(),
0152 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
0153 BPF_MOV64_IMM(BPF_REG_0, 0),
0154 BPF_EXIT_INSN(),
0155 },
0156 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0157 .result = ACCEPT,
0158 },
0159 {
0160 "sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)",
0161 .insns = {
0162 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0163 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0164 BPF_MOV64_IMM(BPF_REG_0, 0),
0165 BPF_EXIT_INSN(),
0166 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0167 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0168 BPF_MOV64_IMM(BPF_REG_0, 0),
0169 BPF_EXIT_INSN(),
0170 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
0171 BPF_MOV64_IMM(BPF_REG_0, 0),
0172 BPF_EXIT_INSN(),
0173 },
0174 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0175 .result = REJECT,
0176 .errstr = "invalid sock access",
0177 },
0178 {
0179 "sk_fullsock(skb->sk): sk->dst_port [byte load]",
0180 .insns = {
0181 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0182 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0183 BPF_MOV64_IMM(BPF_REG_0, 0),
0184 BPF_EXIT_INSN(),
0185 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0186 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0187 BPF_MOV64_IMM(BPF_REG_0, 0),
0188 BPF_EXIT_INSN(),
0189 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
0190 BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
0191 BPF_MOV64_IMM(BPF_REG_0, 0),
0192 BPF_EXIT_INSN(),
0193 },
0194 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0195 .result = ACCEPT,
0196 },
0197 {
0198 "sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)",
0199 .insns = {
0200 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0201 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0202 BPF_MOV64_IMM(BPF_REG_0, 0),
0203 BPF_EXIT_INSN(),
0204 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0205 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0206 BPF_MOV64_IMM(BPF_REG_0, 0),
0207 BPF_EXIT_INSN(),
0208 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
0209 BPF_MOV64_IMM(BPF_REG_0, 0),
0210 BPF_EXIT_INSN(),
0211 },
0212 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0213 .result = REJECT,
0214 .errstr = "invalid sock access",
0215 },
0216 {
0217 "sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)",
0218 .insns = {
0219 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0220 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0221 BPF_MOV64_IMM(BPF_REG_0, 0),
0222 BPF_EXIT_INSN(),
0223 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0224 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0225 BPF_MOV64_IMM(BPF_REG_0, 0),
0226 BPF_EXIT_INSN(),
0227 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)),
0228 BPF_MOV64_IMM(BPF_REG_0, 0),
0229 BPF_EXIT_INSN(),
0230 },
0231 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0232 .result = REJECT,
0233 .errstr = "invalid sock access",
0234 },
0235 {
0236 "sk_fullsock(skb->sk): sk->dst_ip6 [load 2nd byte]",
0237 .insns = {
0238 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0239 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0240 BPF_MOV64_IMM(BPF_REG_0, 0),
0241 BPF_EXIT_INSN(),
0242 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0243 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0244 BPF_MOV64_IMM(BPF_REG_0, 0),
0245 BPF_EXIT_INSN(),
0246 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_ip6[0]) + 1),
0247 BPF_MOV64_IMM(BPF_REG_0, 0),
0248 BPF_EXIT_INSN(),
0249 },
0250 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0251 .result = ACCEPT,
0252 },
0253 {
0254 "sk_fullsock(skb->sk): sk->type [narrow load]",
0255 .insns = {
0256 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0257 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0258 BPF_MOV64_IMM(BPF_REG_0, 0),
0259 BPF_EXIT_INSN(),
0260 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0261 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0262 BPF_MOV64_IMM(BPF_REG_0, 0),
0263 BPF_EXIT_INSN(),
0264 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
0265 BPF_MOV64_IMM(BPF_REG_0, 0),
0266 BPF_EXIT_INSN(),
0267 },
0268 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0269 .result = ACCEPT,
0270 },
0271 {
0272 "sk_fullsock(skb->sk): sk->protocol [narrow load]",
0273 .insns = {
0274 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0275 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0276 BPF_MOV64_IMM(BPF_REG_0, 0),
0277 BPF_EXIT_INSN(),
0278 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0279 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0280 BPF_MOV64_IMM(BPF_REG_0, 0),
0281 BPF_EXIT_INSN(),
0282 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, protocol)),
0283 BPF_MOV64_IMM(BPF_REG_0, 0),
0284 BPF_EXIT_INSN(),
0285 },
0286 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0287 .result = ACCEPT,
0288 },
0289 {
0290 "sk_fullsock(skb->sk): beyond last field",
0291 .insns = {
0292 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0293 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0294 BPF_MOV64_IMM(BPF_REG_0, 0),
0295 BPF_EXIT_INSN(),
0296 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0297 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0298 BPF_MOV64_IMM(BPF_REG_0, 0),
0299 BPF_EXIT_INSN(),
0300 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, rx_queue_mapping)),
0301 BPF_MOV64_IMM(BPF_REG_0, 0),
0302 BPF_EXIT_INSN(),
0303 },
0304 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0305 .result = REJECT,
0306 .errstr = "invalid sock access",
0307 },
0308 {
0309 "bpf_tcp_sock(skb->sk): no !skb->sk check",
0310 .insns = {
0311 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0312 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
0313 BPF_MOV64_IMM(BPF_REG_0, 0),
0314 BPF_EXIT_INSN(),
0315 },
0316 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0317 .result = REJECT,
0318 .errstr = "type=sock_common_or_null expected=sock_common",
0319 },
0320 {
0321 "bpf_tcp_sock(skb->sk): no NULL check on ret",
0322 .insns = {
0323 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0324 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0325 BPF_MOV64_IMM(BPF_REG_0, 0),
0326 BPF_EXIT_INSN(),
0327 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
0328 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
0329 BPF_MOV64_IMM(BPF_REG_0, 0),
0330 BPF_EXIT_INSN(),
0331 },
0332 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0333 .result = REJECT,
0334 .errstr = "invalid mem access 'tcp_sock_or_null'",
0335 },
0336 {
0337 "bpf_tcp_sock(skb->sk): tp->snd_cwnd",
0338 .insns = {
0339 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0340 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0341 BPF_MOV64_IMM(BPF_REG_0, 0),
0342 BPF_EXIT_INSN(),
0343 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
0344 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0345 BPF_EXIT_INSN(),
0346 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
0347 BPF_MOV64_IMM(BPF_REG_0, 0),
0348 BPF_EXIT_INSN(),
0349 },
0350 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0351 .result = ACCEPT,
0352 },
0353 {
0354 "bpf_tcp_sock(skb->sk): tp->bytes_acked",
0355 .insns = {
0356 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0357 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0358 BPF_MOV64_IMM(BPF_REG_0, 0),
0359 BPF_EXIT_INSN(),
0360 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
0361 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0362 BPF_EXIT_INSN(),
0363 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, bytes_acked)),
0364 BPF_MOV64_IMM(BPF_REG_0, 0),
0365 BPF_EXIT_INSN(),
0366 },
0367 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0368 .result = ACCEPT,
0369 },
0370 {
0371 "bpf_tcp_sock(skb->sk): beyond last field",
0372 .insns = {
0373 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0374 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0375 BPF_MOV64_IMM(BPF_REG_0, 0),
0376 BPF_EXIT_INSN(),
0377 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
0378 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0379 BPF_EXIT_INSN(),
0380 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_tcp_sock, bytes_acked)),
0381 BPF_MOV64_IMM(BPF_REG_0, 0),
0382 BPF_EXIT_INSN(),
0383 },
0384 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0385 .result = REJECT,
0386 .errstr = "invalid tcp_sock access",
0387 },
0388 {
0389 "bpf_tcp_sock(bpf_sk_fullsock(skb->sk)): tp->snd_cwnd",
0390 .insns = {
0391 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0392 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0393 BPF_MOV64_IMM(BPF_REG_0, 0),
0394 BPF_EXIT_INSN(),
0395 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0396 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0397 BPF_EXIT_INSN(),
0398 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0399 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
0400 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0401 BPF_EXIT_INSN(),
0402 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
0403 BPF_MOV64_IMM(BPF_REG_0, 0),
0404 BPF_EXIT_INSN(),
0405 },
0406 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
0407 .result = ACCEPT,
0408 },
0409 {
0410 "bpf_sk_release(skb->sk)",
0411 .insns = {
0412 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0413 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
0414 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0415 BPF_MOV64_IMM(BPF_REG_0, 0),
0416 BPF_EXIT_INSN(),
0417 },
0418 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0419 .result = REJECT,
0420 .errstr = "R1 must be referenced when passed to release function",
0421 },
0422 {
0423 "bpf_sk_release(bpf_sk_fullsock(skb->sk))",
0424 .insns = {
0425 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0426 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0427 BPF_MOV64_IMM(BPF_REG_0, 0),
0428 BPF_EXIT_INSN(),
0429 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0430 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0431 BPF_EXIT_INSN(),
0432 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0433 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0434 BPF_MOV64_IMM(BPF_REG_0, 1),
0435 BPF_EXIT_INSN(),
0436 },
0437 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0438 .result = REJECT,
0439 .errstr = "R1 must be referenced when passed to release function",
0440 },
0441 {
0442 "bpf_sk_release(bpf_tcp_sock(skb->sk))",
0443 .insns = {
0444 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0445 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0446 BPF_MOV64_IMM(BPF_REG_0, 0),
0447 BPF_EXIT_INSN(),
0448 BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
0449 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0450 BPF_EXIT_INSN(),
0451 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0452 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0453 BPF_MOV64_IMM(BPF_REG_0, 1),
0454 BPF_EXIT_INSN(),
0455 },
0456 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0457 .result = REJECT,
0458 .errstr = "R1 must be referenced when passed to release function",
0459 },
0460 {
0461 "sk_storage_get(map, skb->sk, NULL, 0): value == NULL",
0462 .insns = {
0463 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0464 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0465 BPF_MOV64_IMM(BPF_REG_0, 0),
0466 BPF_EXIT_INSN(),
0467 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0468 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0469 BPF_MOV64_IMM(BPF_REG_0, 0),
0470 BPF_EXIT_INSN(),
0471 BPF_MOV64_IMM(BPF_REG_4, 0),
0472 BPF_MOV64_IMM(BPF_REG_3, 0),
0473 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0474 BPF_LD_MAP_FD(BPF_REG_1, 0),
0475 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
0476 BPF_MOV64_IMM(BPF_REG_0, 0),
0477 BPF_EXIT_INSN(),
0478 },
0479 .fixup_sk_storage_map = { 11 },
0480 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0481 .result = ACCEPT,
0482 },
0483 {
0484 "sk_storage_get(map, skb->sk, 1, 1): value == 1",
0485 .insns = {
0486 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0487 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0488 BPF_MOV64_IMM(BPF_REG_0, 0),
0489 BPF_EXIT_INSN(),
0490 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0491 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0492 BPF_MOV64_IMM(BPF_REG_0, 0),
0493 BPF_EXIT_INSN(),
0494 BPF_MOV64_IMM(BPF_REG_4, 1),
0495 BPF_MOV64_IMM(BPF_REG_3, 1),
0496 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0497 BPF_LD_MAP_FD(BPF_REG_1, 0),
0498 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
0499 BPF_MOV64_IMM(BPF_REG_0, 0),
0500 BPF_EXIT_INSN(),
0501 },
0502 .fixup_sk_storage_map = { 11 },
0503 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0504 .result = REJECT,
0505 .errstr = "R3 type=scalar expected=fp",
0506 },
0507 {
0508 "sk_storage_get(map, skb->sk, &stack_value, 1): stack_value",
0509 .insns = {
0510 BPF_MOV64_IMM(BPF_REG_2, 0),
0511 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
0512 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0513 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0514 BPF_MOV64_IMM(BPF_REG_0, 0),
0515 BPF_EXIT_INSN(),
0516 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0517 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0518 BPF_MOV64_IMM(BPF_REG_0, 0),
0519 BPF_EXIT_INSN(),
0520 BPF_MOV64_IMM(BPF_REG_4, 1),
0521 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
0522 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
0523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0524 BPF_LD_MAP_FD(BPF_REG_1, 0),
0525 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
0526 BPF_MOV64_IMM(BPF_REG_0, 0),
0527 BPF_EXIT_INSN(),
0528 },
0529 .fixup_sk_storage_map = { 14 },
0530 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0531 .result = ACCEPT,
0532 },
0533 {
0534 "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value",
0535 .insns = {
0536 BPF_MOV64_IMM(BPF_REG_2, 0),
0537 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),
0538 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0539 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0540 BPF_MOV64_IMM(BPF_REG_0, 0),
0541 BPF_EXIT_INSN(),
0542 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
0543 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
0544 BPF_MOV64_IMM(BPF_REG_0, 0),
0545 BPF_EXIT_INSN(),
0546 BPF_MOV64_IMM(BPF_REG_4, 1),
0547 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
0548 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
0549 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
0550 BPF_LD_MAP_FD(BPF_REG_1, 0),
0551 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
0552 BPF_MOV64_IMM(BPF_REG_0, 0),
0553 BPF_EXIT_INSN(),
0554 },
0555 .fixup_sk_storage_map = { 14 },
0556 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0557 .result = REJECT,
0558 .errstr = "invalid indirect read from stack",
0559 },
0560 {
0561 "bpf_map_lookup_elem(smap, &key)",
0562 .insns = {
0563 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0564 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0565 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0566 BPF_LD_MAP_FD(BPF_REG_1, 0),
0567 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0568 BPF_MOV64_IMM(BPF_REG_0, 0),
0569 BPF_EXIT_INSN(),
0570 },
0571 .fixup_sk_storage_map = { 3 },
0572 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0573 .result = REJECT,
0574 .errstr = "cannot pass map_type 24 into func bpf_map_lookup_elem",
0575 },
0576 {
0577 "bpf_map_lookup_elem(xskmap, &key); xs->queue_id",
0578 .insns = {
0579 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
0580 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0581 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
0582 BPF_LD_MAP_FD(BPF_REG_1, 0),
0583 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0584 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0585 BPF_EXIT_INSN(),
0586 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_xdp_sock, queue_id)),
0587 BPF_MOV64_IMM(BPF_REG_0, 0),
0588 BPF_EXIT_INSN(),
0589 },
0590 .fixup_map_xskmap = { 3 },
0591 .prog_type = BPF_PROG_TYPE_XDP,
0592 .result = ACCEPT,
0593 },
0594 {
0595 "bpf_map_lookup_elem(sockmap, &key)",
0596 .insns = {
0597 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0598 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0599 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0600 BPF_LD_MAP_FD(BPF_REG_1, 0),
0601 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0602 BPF_MOV64_IMM(BPF_REG_0, 0),
0603 BPF_EXIT_INSN(),
0604 },
0605 .fixup_map_sockmap = { 3 },
0606 .prog_type = BPF_PROG_TYPE_SK_SKB,
0607 .result = REJECT,
0608 .errstr = "Unreleased reference id=2 alloc_insn=5",
0609 },
0610 {
0611 "bpf_map_lookup_elem(sockhash, &key)",
0612 .insns = {
0613 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0614 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0615 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0616 BPF_LD_MAP_FD(BPF_REG_1, 0),
0617 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0618 BPF_MOV64_IMM(BPF_REG_0, 0),
0619 BPF_EXIT_INSN(),
0620 },
0621 .fixup_map_sockhash = { 3 },
0622 .prog_type = BPF_PROG_TYPE_SK_SKB,
0623 .result = REJECT,
0624 .errstr = "Unreleased reference id=2 alloc_insn=5",
0625 },
0626 {
0627 "bpf_map_lookup_elem(sockmap, &key); sk->type [fullsock field]; bpf_sk_release(sk)",
0628 .insns = {
0629 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0630 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0631 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0632 BPF_LD_MAP_FD(BPF_REG_1, 0),
0633 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0634 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0635 BPF_EXIT_INSN(),
0636 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0637 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
0638 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0639 BPF_EXIT_INSN(),
0640 },
0641 .fixup_map_sockmap = { 3 },
0642 .prog_type = BPF_PROG_TYPE_SK_SKB,
0643 .result = ACCEPT,
0644 },
0645 {
0646 "bpf_map_lookup_elem(sockhash, &key); sk->type [fullsock field]; bpf_sk_release(sk)",
0647 .insns = {
0648 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0649 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
0650 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
0651 BPF_LD_MAP_FD(BPF_REG_1, 0),
0652 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
0653 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
0654 BPF_EXIT_INSN(),
0655 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
0656 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
0657 BPF_EMIT_CALL(BPF_FUNC_sk_release),
0658 BPF_EXIT_INSN(),
0659 },
0660 .fixup_map_sockhash = { 3 },
0661 .prog_type = BPF_PROG_TYPE_SK_SKB,
0662 .result = ACCEPT,
0663 },
0664 {
0665 "bpf_sk_select_reuseport(ctx, reuseport_array, &key, flags)",
0666 .insns = {
0667 BPF_MOV64_IMM(BPF_REG_4, 0),
0668 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0669 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
0670 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4),
0671 BPF_LD_MAP_FD(BPF_REG_2, 0),
0672 BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport),
0673 BPF_EXIT_INSN(),
0674 },
0675 .fixup_map_reuseport_array = { 4 },
0676 .prog_type = BPF_PROG_TYPE_SK_REUSEPORT,
0677 .result = ACCEPT,
0678 },
0679 {
0680 "bpf_sk_select_reuseport(ctx, sockmap, &key, flags)",
0681 .insns = {
0682 BPF_MOV64_IMM(BPF_REG_4, 0),
0683 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0684 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
0685 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4),
0686 BPF_LD_MAP_FD(BPF_REG_2, 0),
0687 BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport),
0688 BPF_EXIT_INSN(),
0689 },
0690 .fixup_map_sockmap = { 4 },
0691 .prog_type = BPF_PROG_TYPE_SK_REUSEPORT,
0692 .result = ACCEPT,
0693 },
0694 {
0695 "bpf_sk_select_reuseport(ctx, sockhash, &key, flags)",
0696 .insns = {
0697 BPF_MOV64_IMM(BPF_REG_4, 0),
0698 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),
0699 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
0700 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4),
0701 BPF_LD_MAP_FD(BPF_REG_2, 0),
0702 BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport),
0703 BPF_EXIT_INSN(),
0704 },
0705 .fixup_map_sockmap = { 4 },
0706 .prog_type = BPF_PROG_TYPE_SK_REUSEPORT,
0707 .result = ACCEPT,
0708 },
0709 {
0710 "mark null check on return value of bpf_skc_to helpers",
0711 .insns = {
0712 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
0713 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
0714 BPF_MOV64_IMM(BPF_REG_0, 0),
0715 BPF_EXIT_INSN(),
0716 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
0717 BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock),
0718 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
0719 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
0720 BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_request_sock),
0721 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
0722 BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 0, 2),
0723 BPF_MOV64_IMM(BPF_REG_0, 0),
0724 BPF_EXIT_INSN(),
0725 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_7, 0),
0726 BPF_EXIT_INSN(),
0727 },
0728 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
0729 .result = REJECT,
0730 .errstr = "invalid mem access",
0731 .result_unpriv = REJECT,
0732 .errstr_unpriv = "unknown func",
0733 },
