bpf: add test cases for direct packet access

Add couple of test cases for direct write and the negative size issue, and also adjust the direct packet access test4 since it asserts that writes are not possible, but since we've just added support for writes, we need to invert the verdict to ACCEPT, of course. Summary: 133 PASSED, 0 FAILED. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Borkmann <daniel@iogearbox.net> 2016-09-19 18:26:14 -0400
committer: David S. Miller <davem@davemloft.net> 2016-09-20 23:32:11 -0400
commit: 7d95b0ab5bbe2dc9bf3fd99c27e80ced5bfa8acf (patch)
tree: fd9fcc0ecbd856e2fd2c186d3b841e19feda90b4 /samples
parent: 36bbef52c7eb646ed6247055a2acd3851e317857 (diff)
1 files changed, 430 insertions, 3 deletions
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c
index 1f6cc9b6a23b..ac590d4b7f02 100644
--- a/samples/bpf/test_verifier.c
+++ b/samples/bpf/test_verifier.c
@@ -291,6 +291,29 @@ static struct bpf_test tests[] = {
                .result = REJECT,
        },
        {
+                "invalid argument register",
+                .insns = {
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 !read_ok",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "non-invalid argument register",
+                .insns = {
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
                "check valid spill/fill",
                .insns = {
                        /* spill R1(ctx) into stack */
@@ -1210,6 +1233,54 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
        {
+                "raw_stack: skb_load_bytes, negative len",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, -8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, negative len 2",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, ~0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, zero len",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
                "raw_stack: skb_load_bytes, no init",
                .insns = {
                        BPF_MOV64_IMM(BPF_REG_2, 4),
@@ -1511,7 +1582,7 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
        },
        {
-                "direct packet access: test4",
+                "direct packet access: test4 (write)",
                .insns = {
                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
                                    offsetof(struct __sk_buff, data)),
@@ -1524,8 +1595,7 @@ static struct bpf_test tests[] = {
                        BPF_MOV64_IMM(BPF_REG_0, 0),
                        BPF_EXIT_INSN(),
                },
-                .errstr = "cannot write",
+                .result = ACCEPT,
-                .result = REJECT,
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
        {
@@ -1631,6 +1701,26 @@ static struct bpf_test tests[] = {
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
        {
+                "direct packet access: test10 (write invalid)",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "invalid access to packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
                "helper access to packet: test1, valid packet_ptr range",
                .insns = {
                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
@@ -1736,6 +1826,343 @@ static struct bpf_test tests[] = {
                .errstr = "invalid access to packet",
                .prog_type = BPF_PROG_TYPE_XDP,
        },
+        {
+                "helper access to packet: test6, cls valid packet_ptr range",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {5},
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test7, cls unchecked packet_ptr",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {1},
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test8, cls variable add",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                        offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                        offsetof(struct __sk_buff, data_end)),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
+                        BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
+                        BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {11},
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test9, cls packet_ptr with bad range",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {7},
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test10, cls packet_ptr with too short range",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
+                        BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .fixup = {6},
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test11, cls unsuitable helper 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 42),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_store_bytes),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "helper access to the packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test12, cls unsuitable helper 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 4),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "helper access to the packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test13, cls helper ok",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test14, cls helper fail sub",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "type=inv expected=fp",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test15, cls helper fail range 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_2, 8),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test16, cls helper fail range 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_2, -9),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test17, cls helper fail range 3",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_2, ~0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test18, cls helper fail range zero",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_2, 0),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test19, pkt end as input",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R1 type=pkt_end expected=fp",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "helper access to packet: test20, wrong reg",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
+                                    offsetof(struct __sk_buff, data_end)),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_MOV64_IMM(BPF_REG_3, 0),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_MOV64_IMM(BPF_REG_5, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid access to packet",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
 };
 static int probe_filter_length(struct bpf_insn *fp)
author	Daniel Borkmann <daniel@iogearbox.net>	2016-09-19 18:26:14 -0400
committer	David S. Miller <davem@davemloft.net>	2016-09-20 23:32:11 -0400
commit	7d95b0ab5bbe2dc9bf3fd99c27e80ced5bfa8acf (patch)
tree	fd9fcc0ecbd856e2fd2c186d3b841e19feda90b4 /samples
parent	36bbef52c7eb646ed6247055a2acd3851e317857 (diff)

diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c index 1f6cc9b6a23b..ac590d4b7f02 100644 --- a/samples/bpf/test_verifier.c +++ b/samples/bpf/test_verifier.c
@@ -291,6 +291,29 @@ static struct bpf_test tests[] = {
291	.result = REJECT,	291	.result = REJECT,
292	},	292	},
293	{	293	{
		294	"invalid argument register",
		295	.insns = {
		296	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
		297	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
		298	BPF_EXIT_INSN(),
		299	},
		300	.errstr = "R1 !read_ok",
		301	.result = REJECT,
		302	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		303	},
		304	{
		305	"non-invalid argument register",
		306	.insns = {
		307	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
		308	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
		309	BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
		310	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_get_cgroup_classid),
		311	BPF_EXIT_INSN(),
		312	},
		313	.result = ACCEPT,
		314	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		315	},
		316	{
294	"check valid spill/fill",	317	"check valid spill/fill",
295	.insns = {	318	.insns = {
296	/* spill R1(ctx) into stack */	319	/* spill R1(ctx) into stack */
@@ -1210,6 +1233,54 @@ static struct bpf_test tests[] = {
1210	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	1233	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1211	},	1234	},
1212	{	1235	{
		1236	"raw_stack: skb_load_bytes, negative len",
		1237	.insns = {
		1238	BPF_MOV64_IMM(BPF_REG_2, 4),
		1239	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1240	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
		1241	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1242	BPF_MOV64_IMM(BPF_REG_4, -8),
		1243	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1244	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1245	BPF_EXIT_INSN(),
		1246	},
		1247	.result = REJECT,
		1248	.errstr = "invalid stack type R3",
		1249	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1250	},
		1251	{
		1252	"raw_stack: skb_load_bytes, negative len 2",
		1253	.insns = {
		1254	BPF_MOV64_IMM(BPF_REG_2, 4),
		1255	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1256	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
		1257	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1258	BPF_MOV64_IMM(BPF_REG_4, ~0),
		1259	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1260	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1261	BPF_EXIT_INSN(),
		1262	},
		1263	.result = REJECT,
		1264	.errstr = "invalid stack type R3",
		1265	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1266	},
		1267	{
		1268	"raw_stack: skb_load_bytes, zero len",
		1269	.insns = {
		1270	BPF_MOV64_IMM(BPF_REG_2, 4),
		1271	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1272	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
		1273	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1274	BPF_MOV64_IMM(BPF_REG_4, 0),
		1275	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1276	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1277	BPF_EXIT_INSN(),
		1278	},
		1279	.result = REJECT,
		1280	.errstr = "invalid stack type R3",
		1281	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1282	},
		1283	{
1213	"raw_stack: skb_load_bytes, no init",	1284	"raw_stack: skb_load_bytes, no init",
1214	.insns = {	1285	.insns = {
1215	BPF_MOV64_IMM(BPF_REG_2, 4),	1286	BPF_MOV64_IMM(BPF_REG_2, 4),
@@ -1511,7 +1582,7 @@ static struct bpf_test tests[] = {
1511	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,	1582	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
1512	},	1583	},
1513	{	1584	{
1514	"direct packet access: test4",	1585	"direct packet access: test4 (write)",
1515	.insns = {	1586	.insns = {
1516	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,	1587	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1517	offsetof(struct __sk_buff, data)),	1588	offsetof(struct __sk_buff, data)),
@@ -1524,8 +1595,7 @@ static struct bpf_test tests[] = {
1524	BPF_MOV64_IMM(BPF_REG_0, 0),	1595	BPF_MOV64_IMM(BPF_REG_0, 0),
1525	BPF_EXIT_INSN(),	1596	BPF_EXIT_INSN(),
1526	},	1597	},
1527	.errstr = "cannot write",	1598	.result = ACCEPT,
1528	.result = REJECT,
1529	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	1599	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1530	},	1600	},
1531	{	1601	{
@@ -1631,6 +1701,26 @@ static struct bpf_test tests[] = {
1631	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	1701	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1632	},	1702	},
1633	{	1703	{
		1704	"direct packet access: test10 (write invalid)",
		1705	.insns = {
		1706	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1707	offsetof(struct __sk_buff, data)),
		1708	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1709	offsetof(struct __sk_buff, data_end)),
		1710	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
		1711	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
		1712	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
		1713	BPF_MOV64_IMM(BPF_REG_0, 0),
		1714	BPF_EXIT_INSN(),
		1715	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
		1716	BPF_MOV64_IMM(BPF_REG_0, 0),
		1717	BPF_EXIT_INSN(),
		1718	},
		1719	.errstr = "invalid access to packet",
		1720	.result = REJECT,
		1721	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1722	},
		1723	{
1634	"helper access to packet: test1, valid packet_ptr range",	1724	"helper access to packet: test1, valid packet_ptr range",
1635	.insns = {	1725	.insns = {
1636	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,	1726	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
@@ -1736,6 +1826,343 @@ static struct bpf_test tests[] = {
1736	.errstr = "invalid access to packet",	1826	.errstr = "invalid access to packet",
1737	.prog_type = BPF_PROG_TYPE_XDP,	1827	.prog_type = BPF_PROG_TYPE_XDP,
1738	},	1828	},
		1829	{
		1830	"helper access to packet: test6, cls valid packet_ptr range",
		1831	.insns = {
		1832	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1833	offsetof(struct __sk_buff, data)),
		1834	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1835	offsetof(struct __sk_buff, data_end)),
		1836	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		1837	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		1838	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
		1839	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1840	BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
		1841	BPF_MOV64_IMM(BPF_REG_4, 0),
		1842	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),
		1843	BPF_MOV64_IMM(BPF_REG_0, 0),
		1844	BPF_EXIT_INSN(),
		1845	},
		1846	.fixup = {5},
		1847	.result = ACCEPT,
		1848	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1849	},
		1850	{
		1851	"helper access to packet: test7, cls unchecked packet_ptr",
		1852	.insns = {
		1853	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1854	offsetof(struct __sk_buff, data)),
		1855	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1856	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1857	BPF_MOV64_IMM(BPF_REG_0, 0),
		1858	BPF_EXIT_INSN(),
		1859	},
		1860	.fixup = {1},
		1861	.result = REJECT,
		1862	.errstr = "invalid access to packet",
		1863	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1864	},
		1865	{
		1866	"helper access to packet: test8, cls variable add",
		1867	.insns = {
		1868	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1869	offsetof(struct __sk_buff, data)),
		1870	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1871	offsetof(struct __sk_buff, data_end)),
		1872	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1873	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
		1874	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
		1875	BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
		1876	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1877	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
		1878	BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
		1879	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
		1880	BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
		1881	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1882	BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
		1883	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1884	BPF_MOV64_IMM(BPF_REG_0, 0),
		1885	BPF_EXIT_INSN(),
		1886	},
		1887	.fixup = {11},
		1888	.result = ACCEPT,
		1889	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1890	},
		1891	{
		1892	"helper access to packet: test9, cls packet_ptr with bad range",
		1893	.insns = {
		1894	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1895	offsetof(struct __sk_buff, data)),
		1896	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1897	offsetof(struct __sk_buff, data_end)),
		1898	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1899	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
		1900	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
		1901	BPF_MOV64_IMM(BPF_REG_0, 0),
		1902	BPF_EXIT_INSN(),
		1903	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1904	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1905	BPF_MOV64_IMM(BPF_REG_0, 0),
		1906	BPF_EXIT_INSN(),
		1907	},
		1908	.fixup = {7},
		1909	.result = REJECT,
		1910	.errstr = "invalid access to packet",
		1911	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1912	},
		1913	{
		1914	"helper access to packet: test10, cls packet_ptr with too short range",
		1915	.insns = {
		1916	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		1917	offsetof(struct __sk_buff, data)),
		1918	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		1919	offsetof(struct __sk_buff, data_end)),
		1920	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
		1921	BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
		1922	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
		1923	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
		1924	BPF_LD_MAP_FD(BPF_REG_1, 0),
		1925	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		1926	BPF_MOV64_IMM(BPF_REG_0, 0),
		1927	BPF_EXIT_INSN(),
		1928	},
		1929	.fixup = {6},
		1930	.result = REJECT,
		1931	.errstr = "invalid access to packet",
		1932	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1933	},
		1934	{
		1935	"helper access to packet: test11, cls unsuitable helper 1",
		1936	.insns = {
		1937	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		1938	offsetof(struct __sk_buff, data)),
		1939	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		1940	offsetof(struct __sk_buff, data_end)),
		1941	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		1942	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1943	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
		1944	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
		1945	BPF_MOV64_IMM(BPF_REG_2, 0),
		1946	BPF_MOV64_IMM(BPF_REG_4, 42),
		1947	BPF_MOV64_IMM(BPF_REG_5, 0),
		1948	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_store_bytes),
		1949	BPF_MOV64_IMM(BPF_REG_0, 0),
		1950	BPF_EXIT_INSN(),
		1951	},
		1952	.result = REJECT,
		1953	.errstr = "helper access to the packet",
		1954	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1955	},
		1956	{
		1957	"helper access to packet: test12, cls unsuitable helper 2",
		1958	.insns = {
		1959	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		1960	offsetof(struct __sk_buff, data)),
		1961	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		1962	offsetof(struct __sk_buff, data_end)),
		1963	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1964	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
		1965	BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
		1966	BPF_MOV64_IMM(BPF_REG_2, 0),
		1967	BPF_MOV64_IMM(BPF_REG_4, 4),
		1968	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1969	BPF_MOV64_IMM(BPF_REG_0, 0),
		1970	BPF_EXIT_INSN(),
		1971	},
		1972	.result = REJECT,
		1973	.errstr = "helper access to the packet",
		1974	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1975	},
		1976	{
		1977	"helper access to packet: test13, cls helper ok",
		1978	.insns = {
		1979	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		1980	offsetof(struct __sk_buff, data)),
		1981	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		1982	offsetof(struct __sk_buff, data_end)),
		1983	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		1984	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		1985	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		1986	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		1987	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		1988	BPF_MOV64_IMM(BPF_REG_2, 4),
		1989	BPF_MOV64_IMM(BPF_REG_3, 0),
		1990	BPF_MOV64_IMM(BPF_REG_4, 0),
		1991	BPF_MOV64_IMM(BPF_REG_5, 0),
		1992	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		1993	BPF_MOV64_IMM(BPF_REG_0, 0),
		1994	BPF_EXIT_INSN(),
		1995	},
		1996	.result = ACCEPT,
		1997	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1998	},
		1999	{
		2000	"helper access to packet: test14, cls helper fail sub",
		2001	.insns = {
		2002	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		2003	offsetof(struct __sk_buff, data)),
		2004	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		2005	offsetof(struct __sk_buff, data_end)),
		2006	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		2007	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2008	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		2009	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		2010	BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
		2011	BPF_MOV64_IMM(BPF_REG_2, 4),
		2012	BPF_MOV64_IMM(BPF_REG_3, 0),
		2013	BPF_MOV64_IMM(BPF_REG_4, 0),
		2014	BPF_MOV64_IMM(BPF_REG_5, 0),
		2015	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		2016	BPF_MOV64_IMM(BPF_REG_0, 0),
		2017	BPF_EXIT_INSN(),
		2018	},
		2019	.result = REJECT,
		2020	.errstr = "type=inv expected=fp",
		2021	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		2022	},
		2023	{
		2024	"helper access to packet: test15, cls helper fail range 1",
		2025	.insns = {
		2026	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		2027	offsetof(struct __sk_buff, data)),
		2028	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		2029	offsetof(struct __sk_buff, data_end)),
		2030	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		2031	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2032	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		2033	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		2034	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2035	BPF_MOV64_IMM(BPF_REG_2, 8),
		2036	BPF_MOV64_IMM(BPF_REG_3, 0),
		2037	BPF_MOV64_IMM(BPF_REG_4, 0),
		2038	BPF_MOV64_IMM(BPF_REG_5, 0),
		2039	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		2040	BPF_MOV64_IMM(BPF_REG_0, 0),
		2041	BPF_EXIT_INSN(),
		2042	},
		2043	.result = REJECT,
		2044	.errstr = "invalid access to packet",
		2045	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		2046	},
		2047	{
		2048	"helper access to packet: test16, cls helper fail range 2",
		2049	.insns = {
		2050	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		2051	offsetof(struct __sk_buff, data)),
		2052	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		2053	offsetof(struct __sk_buff, data_end)),
		2054	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		2055	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2056	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		2057	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		2058	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2059	BPF_MOV64_IMM(BPF_REG_2, -9),
		2060	BPF_MOV64_IMM(BPF_REG_3, 0),
		2061	BPF_MOV64_IMM(BPF_REG_4, 0),
		2062	BPF_MOV64_IMM(BPF_REG_5, 0),
		2063	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		2064	BPF_MOV64_IMM(BPF_REG_0, 0),
		2065	BPF_EXIT_INSN(),
		2066	},
		2067	.result = REJECT,
		2068	.errstr = "invalid access to packet",
		2069	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		2070	},
		2071	{
		2072	"helper access to packet: test17, cls helper fail range 3",
		2073	.insns = {
		2074	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		2075	offsetof(struct __sk_buff, data)),
		2076	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		2077	offsetof(struct __sk_buff, data_end)),
		2078	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		2079	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2080	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		2081	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		2082	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2083	BPF_MOV64_IMM(BPF_REG_2, ~0),
		2084	BPF_MOV64_IMM(BPF_REG_3, 0),
		2085	BPF_MOV64_IMM(BPF_REG_4, 0),
		2086	BPF_MOV64_IMM(BPF_REG_5, 0),
		2087	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		2088	BPF_MOV64_IMM(BPF_REG_0, 0),
		2089	BPF_EXIT_INSN(),
		2090	},
		2091	.result = REJECT,
		2092	.errstr = "invalid access to packet",
		2093	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		2094	},
		2095	{
		2096	"helper access to packet: test18, cls helper fail range zero",
		2097	.insns = {
		2098	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		2099	offsetof(struct __sk_buff, data)),
		2100	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		2101	offsetof(struct __sk_buff, data_end)),
		2102	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		2103	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2104	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		2105	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		2106	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2107	BPF_MOV64_IMM(BPF_REG_2, 0),
		2108	BPF_MOV64_IMM(BPF_REG_3, 0),
		2109	BPF_MOV64_IMM(BPF_REG_4, 0),
		2110	BPF_MOV64_IMM(BPF_REG_5, 0),
		2111	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		2112	BPF_MOV64_IMM(BPF_REG_0, 0),
		2113	BPF_EXIT_INSN(),
		2114	},
		2115	.result = REJECT,
		2116	.errstr = "invalid access to packet",
		2117	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		2118	},
		2119	{
		2120	"helper access to packet: test19, pkt end as input",
		2121	.insns = {
		2122	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		2123	offsetof(struct __sk_buff, data)),
		2124	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		2125	offsetof(struct __sk_buff, data_end)),
		2126	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		2127	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2128	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		2129	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		2130	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
		2131	BPF_MOV64_IMM(BPF_REG_2, 4),
		2132	BPF_MOV64_IMM(BPF_REG_3, 0),
		2133	BPF_MOV64_IMM(BPF_REG_4, 0),
		2134	BPF_MOV64_IMM(BPF_REG_5, 0),
		2135	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		2136	BPF_MOV64_IMM(BPF_REG_0, 0),
		2137	BPF_EXIT_INSN(),
		2138	},
		2139	.result = REJECT,
		2140	.errstr = "R1 type=pkt_end expected=fp",
		2141	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		2142	},
		2143	{
		2144	"helper access to packet: test20, wrong reg",
		2145	.insns = {
		2146	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
		2147	offsetof(struct __sk_buff, data)),
		2148	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
		2149	offsetof(struct __sk_buff, data_end)),
		2150	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
		2151	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
		2152	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
		2153	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
		2154	BPF_MOV64_IMM(BPF_REG_2, 4),
		2155	BPF_MOV64_IMM(BPF_REG_3, 0),
		2156	BPF_MOV64_IMM(BPF_REG_4, 0),
		2157	BPF_MOV64_IMM(BPF_REG_5, 0),
		2158	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_csum_diff),
		2159	BPF_MOV64_IMM(BPF_REG_0, 0),
		2160	BPF_EXIT_INSN(),
		2161	},
		2162	.result = REJECT,
		2163	.errstr = "invalid access to packet",
		2164	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		2165	},
1739	};	2166	};
1740		2167
1741	static int probe_filter_length(struct bpf_insn *fp)	2168	static int probe_filter_length(struct bpf_insn *fp)