1 { 2 "skb->sk: no NULL check", 3 .insns = { 4 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 5 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), 6 BPF_MOV64_IMM(BPF_REG_0, 0), 7 BPF_EXIT_INSN(), 8 }, 9 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 10 .result = REJECT, 11 .errstr = "invalid mem access 'sock_common_or_null'", 12 }, 13 { 14 "skb->sk: sk->family [non fullsock field]", 15 .insns = { 16 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 17 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 18 BPF_MOV64_IMM(BPF_REG_0, 0), 19 BPF_EXIT_INSN(), 20 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, family)), 21 BPF_MOV64_IMM(BPF_REG_0, 0), 22 BPF_EXIT_INSN(), 23 }, 24 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 25 .result = ACCEPT, 26 }, 27 { 28 "skb->sk: sk->type [fullsock field]", 29 .insns = { 30 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 31 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 32 BPF_MOV64_IMM(BPF_REG_0, 0), 33 BPF_EXIT_INSN(), 34 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, type)), 35 BPF_MOV64_IMM(BPF_REG_0, 0), 36 BPF_EXIT_INSN(), 37 }, 38 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 39 .result = REJECT, 40 .errstr = "invalid sock_common access", 41 }, 42 { 43 "bpf_sk_fullsock(skb->sk): no !skb->sk check", 44 .insns = { 45 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 46 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 47 BPF_MOV64_IMM(BPF_REG_0, 0), 48 BPF_EXIT_INSN(), 49 }, 50 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 51 .result = REJECT, 52 .errstr = "type=sock_common_or_null expected=sock_common", 53 }, 54 { 55 "sk_fullsock(skb->sk): no NULL check on ret", 56 .insns = { 57 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 58 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 59 BPF_MOV64_IMM(BPF_REG_0, 0), 60 BPF_EXIT_INSN(), 61 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 62 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), 63 BPF_MOV64_IMM(BPF_REG_0, 0), 64 BPF_EXIT_INSN(), 65 }, 66 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 67 .result = REJECT, 68 .errstr = "invalid mem access 'sock_or_null'", 69 }, 70 { 71 "sk_fullsock(skb->sk): sk->type [fullsock field]", 72 .insns = { 73 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 74 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 75 BPF_MOV64_IMM(BPF_REG_0, 0), 76 BPF_EXIT_INSN(), 77 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 78 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 79 BPF_MOV64_IMM(BPF_REG_0, 0), 80 BPF_EXIT_INSN(), 81 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), 82 BPF_MOV64_IMM(BPF_REG_0, 0), 83 BPF_EXIT_INSN(), 84 }, 85 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 86 .result = ACCEPT, 87 }, 88 { 89 "sk_fullsock(skb->sk): sk->family [non fullsock field]", 90 .insns = { 91 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 92 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 93 BPF_MOV64_IMM(BPF_REG_0, 0), 94 BPF_EXIT_INSN(), 95 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 96 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 97 BPF_EXIT_INSN(), 98 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, family)), 99 BPF_MOV64_IMM(BPF_REG_0, 0), 100 BPF_EXIT_INSN(), 101 }, 102 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 103 .result = ACCEPT, 104 }, 105 { 106 "sk_fullsock(skb->sk): sk->state [narrow load]", 107 .insns = { 108 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 109 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 110 BPF_MOV64_IMM(BPF_REG_0, 0), 111 BPF_EXIT_INSN(), 112 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 113 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 114 BPF_MOV64_IMM(BPF_REG_0, 0), 115 BPF_EXIT_INSN(), 116 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, state)), 117 BPF_MOV64_IMM(BPF_REG_0, 0), 118 BPF_EXIT_INSN(), 119 }, 120 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 121 .result = ACCEPT, 122 }, 123 { 124 "sk_fullsock(skb->sk): sk->dst_port [narrow load]", 125 .insns = { 126 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 127 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 128 BPF_MOV64_IMM(BPF_REG_0, 0), 129 BPF_EXIT_INSN(), 130 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 131 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 132 BPF_MOV64_IMM(BPF_REG_0, 0), 133 BPF_EXIT_INSN(), 134 BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), 135 BPF_MOV64_IMM(BPF_REG_0, 0), 136 BPF_EXIT_INSN(), 137 }, 138 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 139 .result = ACCEPT, 140 }, 141 { 142 "sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]", 143 .insns = { 144 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 145 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 146 BPF_MOV64_IMM(BPF_REG_0, 0), 147 BPF_EXIT_INSN(), 148 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 149 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 150 BPF_MOV64_IMM(BPF_REG_0, 0), 151 BPF_EXIT_INSN(), 152 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1), 153 BPF_MOV64_IMM(BPF_REG_0, 0), 154 BPF_EXIT_INSN(), 155 }, 156 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 157 .result = REJECT, 158 .errstr = "invalid sock access", 159 }, 160 { 161 "sk_fullsock(skb->sk): sk->dst_ip6 [load 2nd byte]", 162 .insns = { 163 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 164 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 165 BPF_MOV64_IMM(BPF_REG_0, 0), 166 BPF_EXIT_INSN(), 167 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 168 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 169 BPF_MOV64_IMM(BPF_REG_0, 0), 170 BPF_EXIT_INSN(), 171 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_ip6[0]) + 1), 172 BPF_MOV64_IMM(BPF_REG_0, 0), 173 BPF_EXIT_INSN(), 174 }, 175 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 176 .result = ACCEPT, 177 }, 178 { 179 "sk_fullsock(skb->sk): sk->type [narrow load]", 180 .insns = { 181 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 182 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 183 BPF_MOV64_IMM(BPF_REG_0, 0), 184 BPF_EXIT_INSN(), 185 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 186 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 187 BPF_MOV64_IMM(BPF_REG_0, 0), 188 BPF_EXIT_INSN(), 189 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), 190 BPF_MOV64_IMM(BPF_REG_0, 0), 191 BPF_EXIT_INSN(), 192 }, 193 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 194 .result = ACCEPT, 195 }, 196 { 197 "sk_fullsock(skb->sk): sk->protocol [narrow load]", 198 .insns = { 199 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 200 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 201 BPF_MOV64_IMM(BPF_REG_0, 0), 202 BPF_EXIT_INSN(), 203 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 204 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 205 BPF_MOV64_IMM(BPF_REG_0, 0), 206 BPF_EXIT_INSN(), 207 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, protocol)), 208 BPF_MOV64_IMM(BPF_REG_0, 0), 209 BPF_EXIT_INSN(), 210 }, 211 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 212 .result = ACCEPT, 213 }, 214 { 215 "sk_fullsock(skb->sk): beyond last field", 216 .insns = { 217 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 218 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 219 BPF_MOV64_IMM(BPF_REG_0, 0), 220 BPF_EXIT_INSN(), 221 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 222 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 223 BPF_MOV64_IMM(BPF_REG_0, 0), 224 BPF_EXIT_INSN(), 225 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, rx_queue_mapping)), 226 BPF_MOV64_IMM(BPF_REG_0, 0), 227 BPF_EXIT_INSN(), 228 }, 229 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 230 .result = REJECT, 231 .errstr = "invalid sock access", 232 }, 233 { 234 "bpf_tcp_sock(skb->sk): no !skb->sk check", 235 .insns = { 236 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 237 BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 238 BPF_MOV64_IMM(BPF_REG_0, 0), 239 BPF_EXIT_INSN(), 240 }, 241 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 242 .result = REJECT, 243 .errstr = "type=sock_common_or_null expected=sock_common", 244 }, 245 { 246 "bpf_tcp_sock(skb->sk): no NULL check on ret", 247 .insns = { 248 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 249 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 250 BPF_MOV64_IMM(BPF_REG_0, 0), 251 BPF_EXIT_INSN(), 252 BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 253 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)), 254 BPF_MOV64_IMM(BPF_REG_0, 0), 255 BPF_EXIT_INSN(), 256 }, 257 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 258 .result = REJECT, 259 .errstr = "invalid mem access 'tcp_sock_or_null'", 260 }, 261 { 262 "bpf_tcp_sock(skb->sk): tp->snd_cwnd", 263 .insns = { 264 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 265 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 266 BPF_MOV64_IMM(BPF_REG_0, 0), 267 BPF_EXIT_INSN(), 268 BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 269 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 270 BPF_EXIT_INSN(), 271 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)), 272 BPF_MOV64_IMM(BPF_REG_0, 0), 273 BPF_EXIT_INSN(), 274 }, 275 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 276 .result = ACCEPT, 277 }, 278 { 279 "bpf_tcp_sock(skb->sk): tp->bytes_acked", 280 .insns = { 281 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 282 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 283 BPF_MOV64_IMM(BPF_REG_0, 0), 284 BPF_EXIT_INSN(), 285 BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 286 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 287 BPF_EXIT_INSN(), 288 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, bytes_acked)), 289 BPF_MOV64_IMM(BPF_REG_0, 0), 290 BPF_EXIT_INSN(), 291 }, 292 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 293 .result = ACCEPT, 294 }, 295 { 296 "bpf_tcp_sock(skb->sk): beyond last field", 297 .insns = { 298 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 299 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 300 BPF_MOV64_IMM(BPF_REG_0, 0), 301 BPF_EXIT_INSN(), 302 BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 303 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 304 BPF_EXIT_INSN(), 305 BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_tcp_sock, bytes_acked)), 306 BPF_MOV64_IMM(BPF_REG_0, 0), 307 BPF_EXIT_INSN(), 308 }, 309 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 310 .result = REJECT, 311 .errstr = "invalid tcp_sock access", 312 }, 313 { 314 "bpf_tcp_sock(bpf_sk_fullsock(skb->sk)): tp->snd_cwnd", 315 .insns = { 316 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 317 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 318 BPF_MOV64_IMM(BPF_REG_0, 0), 319 BPF_EXIT_INSN(), 320 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 321 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 322 BPF_EXIT_INSN(), 323 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 324 BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 325 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 326 BPF_EXIT_INSN(), 327 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)), 328 BPF_MOV64_IMM(BPF_REG_0, 0), 329 BPF_EXIT_INSN(), 330 }, 331 .prog_type = BPF_PROG_TYPE_CGROUP_SKB, 332 .result = ACCEPT, 333 }, 334 { 335 "bpf_sk_release(skb->sk)", 336 .insns = { 337 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 338 BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), 339 BPF_EMIT_CALL(BPF_FUNC_sk_release), 340 BPF_MOV64_IMM(BPF_REG_0, 0), 341 BPF_EXIT_INSN(), 342 }, 343 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 344 .result = REJECT, 345 .errstr = "reference has not been acquired before", 346 }, 347 { 348 "bpf_sk_release(bpf_sk_fullsock(skb->sk))", 349 .insns = { 350 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 351 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 352 BPF_MOV64_IMM(BPF_REG_0, 0), 353 BPF_EXIT_INSN(), 354 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 355 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 356 BPF_EXIT_INSN(), 357 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 358 BPF_EMIT_CALL(BPF_FUNC_sk_release), 359 BPF_MOV64_IMM(BPF_REG_0, 1), 360 BPF_EXIT_INSN(), 361 }, 362 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 363 .result = REJECT, 364 .errstr = "reference has not been acquired before", 365 }, 366 { 367 "bpf_sk_release(bpf_tcp_sock(skb->sk))", 368 .insns = { 369 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 370 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 371 BPF_MOV64_IMM(BPF_REG_0, 0), 372 BPF_EXIT_INSN(), 373 BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 374 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 375 BPF_EXIT_INSN(), 376 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 377 BPF_EMIT_CALL(BPF_FUNC_sk_release), 378 BPF_MOV64_IMM(BPF_REG_0, 1), 379 BPF_EXIT_INSN(), 380 }, 381 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 382 .result = REJECT, 383 .errstr = "reference has not been acquired before", 384 }, 385 { 386 "sk_storage_get(map, skb->sk, NULL, 0): value == NULL", 387 .insns = { 388 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 389 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 390 BPF_MOV64_IMM(BPF_REG_0, 0), 391 BPF_EXIT_INSN(), 392 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 393 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 394 BPF_MOV64_IMM(BPF_REG_0, 0), 395 BPF_EXIT_INSN(), 396 BPF_MOV64_IMM(BPF_REG_4, 0), 397 BPF_MOV64_IMM(BPF_REG_3, 0), 398 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 399 BPF_LD_MAP_FD(BPF_REG_1, 0), 400 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get), 401 BPF_MOV64_IMM(BPF_REG_0, 0), 402 BPF_EXIT_INSN(), 403 }, 404 .fixup_sk_storage_map = { 11 }, 405 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 406 .result = ACCEPT, 407 }, 408 { 409 "sk_storage_get(map, skb->sk, 1, 1): value == 1", 410 .insns = { 411 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 412 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 413 BPF_MOV64_IMM(BPF_REG_0, 0), 414 BPF_EXIT_INSN(), 415 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 416 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 417 BPF_MOV64_IMM(BPF_REG_0, 0), 418 BPF_EXIT_INSN(), 419 BPF_MOV64_IMM(BPF_REG_4, 1), 420 BPF_MOV64_IMM(BPF_REG_3, 1), 421 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 422 BPF_LD_MAP_FD(BPF_REG_1, 0), 423 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get), 424 BPF_MOV64_IMM(BPF_REG_0, 0), 425 BPF_EXIT_INSN(), 426 }, 427 .fixup_sk_storage_map = { 11 }, 428 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 429 .result = REJECT, 430 .errstr = "R3 type=inv expected=fp", 431 }, 432 { 433 "sk_storage_get(map, skb->sk, &stack_value, 1): stack_value", 434 .insns = { 435 BPF_MOV64_IMM(BPF_REG_2, 0), 436 BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8), 437 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 438 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 439 BPF_MOV64_IMM(BPF_REG_0, 0), 440 BPF_EXIT_INSN(), 441 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 442 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 443 BPF_MOV64_IMM(BPF_REG_0, 0), 444 BPF_EXIT_INSN(), 445 BPF_MOV64_IMM(BPF_REG_4, 1), 446 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 447 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), 448 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 449 BPF_LD_MAP_FD(BPF_REG_1, 0), 450 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get), 451 BPF_MOV64_IMM(BPF_REG_0, 0), 452 BPF_EXIT_INSN(), 453 }, 454 .fixup_sk_storage_map = { 14 }, 455 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 456 .result = ACCEPT, 457 }, 458 { 459 "sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value", 460 .insns = { 461 BPF_MOV64_IMM(BPF_REG_2, 0), 462 BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), 463 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 464 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 465 BPF_MOV64_IMM(BPF_REG_0, 0), 466 BPF_EXIT_INSN(), 467 BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 468 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), 469 BPF_MOV64_IMM(BPF_REG_0, 0), 470 BPF_EXIT_INSN(), 471 BPF_MOV64_IMM(BPF_REG_4, 1), 472 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 473 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), 474 BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), 475 BPF_LD_MAP_FD(BPF_REG_1, 0), 476 BPF_EMIT_CALL(BPF_FUNC_sk_storage_get), 477 BPF_MOV64_IMM(BPF_REG_0, 0), 478 BPF_EXIT_INSN(), 479 }, 480 .fixup_sk_storage_map = { 14 }, 481 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 482 .result = REJECT, 483 .errstr = "invalid indirect read from stack", 484 }, 485 { 486 "bpf_map_lookup_elem(smap, &key)", 487 .insns = { 488 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 489 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 490 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 491 BPF_LD_MAP_FD(BPF_REG_1, 0), 492 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 493 BPF_MOV64_IMM(BPF_REG_0, 0), 494 BPF_EXIT_INSN(), 495 }, 496 .fixup_sk_storage_map = { 3 }, 497 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 498 .result = REJECT, 499 .errstr = "cannot pass map_type 24 into func bpf_map_lookup_elem", 500 }, 501 { 502 "bpf_map_lookup_elem(xskmap, &key); xs->queue_id", 503 .insns = { 504 BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), 505 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 506 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 507 BPF_LD_MAP_FD(BPF_REG_1, 0), 508 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 509 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 510 BPF_EXIT_INSN(), 511 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_xdp_sock, queue_id)), 512 BPF_MOV64_IMM(BPF_REG_0, 0), 513 BPF_EXIT_INSN(), 514 }, 515 .fixup_map_xskmap = { 3 }, 516 .prog_type = BPF_PROG_TYPE_XDP, 517 .result = ACCEPT, 518 }, 519 { 520 "bpf_map_lookup_elem(sockmap, &key)", 521 .insns = { 522 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 523 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 524 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 525 BPF_LD_MAP_FD(BPF_REG_1, 0), 526 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 527 BPF_MOV64_IMM(BPF_REG_0, 0), 528 BPF_EXIT_INSN(), 529 }, 530 .fixup_map_sockmap = { 3 }, 531 .prog_type = BPF_PROG_TYPE_SK_SKB, 532 .result = REJECT, 533 .errstr = "Unreleased reference id=2 alloc_insn=5", 534 }, 535 { 536 "bpf_map_lookup_elem(sockhash, &key)", 537 .insns = { 538 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 539 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 540 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 541 BPF_LD_MAP_FD(BPF_REG_1, 0), 542 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 543 BPF_MOV64_IMM(BPF_REG_0, 0), 544 BPF_EXIT_INSN(), 545 }, 546 .fixup_map_sockhash = { 3 }, 547 .prog_type = BPF_PROG_TYPE_SK_SKB, 548 .result = REJECT, 549 .errstr = "Unreleased reference id=2 alloc_insn=5", 550 }, 551 { 552 "bpf_map_lookup_elem(sockmap, &key); sk->type [fullsock field]; bpf_sk_release(sk)", 553 .insns = { 554 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 555 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 556 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 557 BPF_LD_MAP_FD(BPF_REG_1, 0), 558 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 559 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 560 BPF_EXIT_INSN(), 561 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 562 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), 563 BPF_EMIT_CALL(BPF_FUNC_sk_release), 564 BPF_EXIT_INSN(), 565 }, 566 .fixup_map_sockmap = { 3 }, 567 .prog_type = BPF_PROG_TYPE_SK_SKB, 568 .result = ACCEPT, 569 }, 570 { 571 "bpf_map_lookup_elem(sockhash, &key); sk->type [fullsock field]; bpf_sk_release(sk)", 572 .insns = { 573 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 574 BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 575 BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 576 BPF_LD_MAP_FD(BPF_REG_1, 0), 577 BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 578 BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 579 BPF_EXIT_INSN(), 580 BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 581 BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), 582 BPF_EMIT_CALL(BPF_FUNC_sk_release), 583 BPF_EXIT_INSN(), 584 }, 585 .fixup_map_sockhash = { 3 }, 586 .prog_type = BPF_PROG_TYPE_SK_SKB, 587 .result = ACCEPT, 588 }, 589 { 590 "bpf_sk_select_reuseport(ctx, reuseport_array, &key, flags)", 591 .insns = { 592 BPF_MOV64_IMM(BPF_REG_4, 0), 593 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 594 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 595 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4), 596 BPF_LD_MAP_FD(BPF_REG_2, 0), 597 BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport), 598 BPF_EXIT_INSN(), 599 }, 600 .fixup_map_reuseport_array = { 4 }, 601 .prog_type = BPF_PROG_TYPE_SK_REUSEPORT, 602 .result = ACCEPT, 603 }, 604 { 605 "bpf_sk_select_reuseport(ctx, sockmap, &key, flags)", 606 .insns = { 607 BPF_MOV64_IMM(BPF_REG_4, 0), 608 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 609 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 610 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4), 611 BPF_LD_MAP_FD(BPF_REG_2, 0), 612 BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport), 613 BPF_EXIT_INSN(), 614 }, 615 .fixup_map_sockmap = { 4 }, 616 .prog_type = BPF_PROG_TYPE_SK_REUSEPORT, 617 .result = ACCEPT, 618 }, 619 { 620 "bpf_sk_select_reuseport(ctx, sockhash, &key, flags)", 621 .insns = { 622 BPF_MOV64_IMM(BPF_REG_4, 0), 623 BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), 624 BPF_MOV64_REG(BPF_REG_3, BPF_REG_10), 625 BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4), 626 BPF_LD_MAP_FD(BPF_REG_2, 0), 627 BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport), 628 BPF_EXIT_INSN(), 629 }, 630 .fixup_map_sockmap = { 4 }, 631 .prog_type = BPF_PROG_TYPE_SK_REUSEPORT, 632 .result = ACCEPT, 633 }, 634 { 635 "mark null check on return value of bpf_skc_to helpers", 636 .insns = { 637 BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), 638 BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), 639 BPF_MOV64_IMM(BPF_REG_0, 0), 640 BPF_EXIT_INSN(), 641 BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 642 BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock), 643 BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 644 BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 645 BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_request_sock), 646 BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 647 BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 0, 2), 648 BPF_MOV64_IMM(BPF_REG_0, 0), 649 BPF_EXIT_INSN(), 650 BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_7, 0), 651 BPF_EXIT_INSN(), 652 }, 653 .prog_type = BPF_PROG_TYPE_SCHED_CLS, 654 .result = REJECT, 655 .errstr = "invalid mem access", 656 .result_unpriv = REJECT, 657 .errstr_unpriv = "unknown func", 658 }, 659