bpf, samples: add test cases for raw stack

This adds test cases mostly around ARG_PTR_TO_RAW_STACK to check the verifier behaviour. [...] #84 raw_stack: no skb_load_bytes OK #85 raw_stack: skb_load_bytes, no init OK #86 raw_stack: skb_load_bytes, init OK #87 raw_stack: skb_load_bytes, spilled regs around bounds OK #88 raw_stack: skb_load_bytes, spilled regs corruption OK #89 raw_stack: skb_load_bytes, spilled regs corruption 2 OK #90 raw_stack: skb_load_bytes, spilled regs + data OK #91 raw_stack: skb_load_bytes, invalid access 1 OK #92 raw_stack: skb_load_bytes, invalid access 2 OK #93 raw_stack: skb_load_bytes, invalid access 3 OK #94 raw_stack: skb_load_bytes, invalid access 4 OK #95 raw_stack: skb_load_bytes, invalid access 5 OK #96 raw_stack: skb_load_bytes, invalid access 6 OK #97 raw_stack: skb_load_bytes, large access OK Summary: 98 PASSED, 0 FAILED Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Daniel Borkmann <daniel@iogearbox.net> 2016-04-12 18:10:54 -0400
committer: David S. Miller <davem@davemloft.net> 2016-04-14 21:40:42 -0400
commit: 3f2050e20e6f3a762eb08397db651dcec9498998 (patch)
tree: 8fe6af71ebb2dca7862b47c7514e27f2a7e12da3 /samples
parent: 02413cabd6b67f1444f153ea85d44076deae2056 (diff)
1 files changed, 268 insertions, 0 deletions
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c
index 4b51a9039c0d..9eba8d1d9dcc 100644
--- a/samples/bpf/test_verifier.c
+++ b/samples/bpf/test_verifier.c
@@ -309,6 +309,19 @@ static struct bpf_test tests[] = {
                .result_unpriv = REJECT,
        },
        {
+                "check valid spill/fill, skb mark",
+                .insns = {
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .result_unpriv = ACCEPT,
+        },
+        {
                "check corrupted spill/fill",
                .insns = {
                        /* spill R1(ctx) into stack */
@@ -1180,6 +1193,261 @@ static struct bpf_test tests[] = {
                .result_unpriv = REJECT,
                .result = ACCEPT,
        },
+        {
+                "raw_stack: no skb_load_bytes",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        /* Call to skb_load_bytes() omitted. */
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid read from stack off -8+0 size 8",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, no init",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, init",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, spilled regs around bounds",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8), /* spill ctx from R1 */
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8), /* fill ctx into R2 */
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
+                                    offsetof(struct __sk_buff, priority)),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, spilled regs corruption",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill ctx from R1 */
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* fill ctx into R0 */
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R0 invalid mem access 'inv'",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, spilled regs corruption 2",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0), /* spill ctx from R1 */
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8), /* spill ctx from R1 */
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8), /* fill ctx into R2 */
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0), /* fill ctx into R3 */
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
+                                    offsetof(struct __sk_buff, priority)),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
+                                    offsetof(struct __sk_buff, pkt_type)),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "R3 invalid mem access 'inv'",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, spilled regs + data",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0), /* spill ctx from R1 */
+                        BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8), /* spill ctx from R1 */
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8), /* fill ctx into R2 */
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0), /* fill data into R3 */
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
+                                    offsetof(struct __sk_buff, mark)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
+                                    offsetof(struct __sk_buff, priority)),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
+                        BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, invalid access 1",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3 off=-513 access_size=8",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, invalid access 2",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 8),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3 off=-1 access_size=8",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, invalid access 3",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3 off=-1 access_size=-1",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, invalid access 4",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3 off=-1 access_size=2147483647",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, invalid access 5",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3 off=-512 access_size=2147483647",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, invalid access 6",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = REJECT,
+                .errstr = "invalid stack type R3 off=-512 access_size=0",
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
+        {
+                "raw_stack: skb_load_bytes, large access",
+                .insns = {
+                        BPF_MOV64_IMM(BPF_REG_2, 4),
+                        BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
+                        BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
+                        BPF_MOV64_IMM(BPF_REG_4, 512),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+        },
 };
 static int probe_filter_length(struct bpf_insn *fp)
author	Daniel Borkmann <daniel@iogearbox.net>	2016-04-12 18:10:54 -0400
committer	David S. Miller <davem@davemloft.net>	2016-04-14 21:40:42 -0400
commit	3f2050e20e6f3a762eb08397db651dcec9498998 (patch)
tree	8fe6af71ebb2dca7862b47c7514e27f2a7e12da3 /samples
parent	02413cabd6b67f1444f153ea85d44076deae2056 (diff)

diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c index 4b51a9039c0d..9eba8d1d9dcc 100644 --- a/samples/bpf/test_verifier.c +++ b/samples/bpf/test_verifier.c
@@ -309,6 +309,19 @@ static struct bpf_test tests[] = {
309	.result_unpriv = REJECT,	309	.result_unpriv = REJECT,
310	},	310	},
311	{	311	{
		312	"check valid spill/fill, skb mark",
		313	.insns = {
		314	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
		315	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
		316	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
		317	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		318	offsetof(struct __sk_buff, mark)),
		319	BPF_EXIT_INSN(),
		320	},
		321	.result = ACCEPT,
		322	.result_unpriv = ACCEPT,
		323	},
		324	{
312	"check corrupted spill/fill",	325	"check corrupted spill/fill",
313	.insns = {	326	.insns = {
314	/* spill R1(ctx) into stack */	327	/* spill R1(ctx) into stack */
@@ -1180,6 +1193,261 @@ static struct bpf_test tests[] = {
1180	.result_unpriv = REJECT,	1193	.result_unpriv = REJECT,
1181	.result = ACCEPT,	1194	.result = ACCEPT,
1182	},	1195	},
		1196	{
		1197	"raw_stack: no skb_load_bytes",
		1198	.insns = {
		1199	BPF_MOV64_IMM(BPF_REG_2, 4),
		1200	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1201	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
		1202	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1203	BPF_MOV64_IMM(BPF_REG_4, 8),
		1204	/* Call to skb_load_bytes() omitted. */
		1205	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1206	BPF_EXIT_INSN(),
		1207	},
		1208	.result = REJECT,
		1209	.errstr = "invalid read from stack off -8+0 size 8",
		1210	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1211	},
		1212	{
		1213	"raw_stack: skb_load_bytes, no init",
		1214	.insns = {
		1215	BPF_MOV64_IMM(BPF_REG_2, 4),
		1216	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1217	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
		1218	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1219	BPF_MOV64_IMM(BPF_REG_4, 8),
		1220	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1221	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1222	BPF_EXIT_INSN(),
		1223	},
		1224	.result = ACCEPT,
		1225	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1226	},
		1227	{
		1228	"raw_stack: skb_load_bytes, init",
		1229	.insns = {
		1230	BPF_MOV64_IMM(BPF_REG_2, 4),
		1231	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1232	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
		1233	BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
		1234	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1235	BPF_MOV64_IMM(BPF_REG_4, 8),
		1236	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1237	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1238	BPF_EXIT_INSN(),
		1239	},
		1240	.result = ACCEPT,
		1241	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1242	},
		1243	{
		1244	"raw_stack: skb_load_bytes, spilled regs around bounds",
		1245	.insns = {
		1246	BPF_MOV64_IMM(BPF_REG_2, 4),
		1247	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1248	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
		1249	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
		1250	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill ctx from R1 */
		1251	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1252	BPF_MOV64_IMM(BPF_REG_4, 8),
		1253	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1254	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
		1255	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* fill ctx into R2 */
		1256	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		1257	offsetof(struct __sk_buff, mark)),
		1258	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
		1259	offsetof(struct __sk_buff, priority)),
		1260	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
		1261	BPF_EXIT_INSN(),
		1262	},
		1263	.result = ACCEPT,
		1264	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1265	},
		1266	{
		1267	"raw_stack: skb_load_bytes, spilled regs corruption",
		1268	.insns = {
		1269	BPF_MOV64_IMM(BPF_REG_2, 4),
		1270	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1271	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
		1272	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill ctx from R1 */
		1273	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1274	BPF_MOV64_IMM(BPF_REG_4, 8),
		1275	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1276	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0), /* fill ctx into R0 */
		1277	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		1278	offsetof(struct __sk_buff, mark)),
		1279	BPF_EXIT_INSN(),
		1280	},
		1281	.result = REJECT,
		1282	.errstr = "R0 invalid mem access 'inv'",
		1283	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1284	},
		1285	{
		1286	"raw_stack: skb_load_bytes, spilled regs corruption 2",
		1287	.insns = {
		1288	BPF_MOV64_IMM(BPF_REG_2, 4),
		1289	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1290	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
		1291	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
		1292	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill ctx from R1 */
		1293	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill ctx from R1 */
		1294	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1295	BPF_MOV64_IMM(BPF_REG_4, 8),
		1296	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1297	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
		1298	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* fill ctx into R2 */
		1299	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), /* fill ctx into R3 */
		1300	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		1301	offsetof(struct __sk_buff, mark)),
		1302	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
		1303	offsetof(struct __sk_buff, priority)),
		1304	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
		1305	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
		1306	offsetof(struct __sk_buff, pkt_type)),
		1307	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
		1308	BPF_EXIT_INSN(),
		1309	},
		1310	.result = REJECT,
		1311	.errstr = "R3 invalid mem access 'inv'",
		1312	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1313	},
		1314	{
		1315	"raw_stack: skb_load_bytes, spilled regs + data",
		1316	.insns = {
		1317	BPF_MOV64_IMM(BPF_REG_2, 4),
		1318	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1319	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
		1320	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8), /* spill ctx from R1 */
		1321	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0), /* spill ctx from R1 */
		1322	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 8), /* spill ctx from R1 */
		1323	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1324	BPF_MOV64_IMM(BPF_REG_4, 8),
		1325	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1326	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8), /* fill ctx into R0 */
		1327	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 8), /* fill ctx into R2 */
		1328	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6, 0), /* fill data into R3 */
		1329	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		1330	offsetof(struct __sk_buff, mark)),
		1331	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
		1332	offsetof(struct __sk_buff, priority)),
		1333	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
		1334	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
		1335	BPF_EXIT_INSN(),
		1336	},
		1337	.result = ACCEPT,
		1338	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1339	},
		1340	{
		1341	"raw_stack: skb_load_bytes, invalid access 1",
		1342	.insns = {
		1343	BPF_MOV64_IMM(BPF_REG_2, 4),
		1344	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1345	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
		1346	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1347	BPF_MOV64_IMM(BPF_REG_4, 8),
		1348	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1349	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1350	BPF_EXIT_INSN(),
		1351	},
		1352	.result = REJECT,
		1353	.errstr = "invalid stack type R3 off=-513 access_size=8",
		1354	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1355	},
		1356	{
		1357	"raw_stack: skb_load_bytes, invalid access 2",
		1358	.insns = {
		1359	BPF_MOV64_IMM(BPF_REG_2, 4),
		1360	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1361	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
		1362	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1363	BPF_MOV64_IMM(BPF_REG_4, 8),
		1364	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1365	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1366	BPF_EXIT_INSN(),
		1367	},
		1368	.result = REJECT,
		1369	.errstr = "invalid stack type R3 off=-1 access_size=8",
		1370	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1371	},
		1372	{
		1373	"raw_stack: skb_load_bytes, invalid access 3",
		1374	.insns = {
		1375	BPF_MOV64_IMM(BPF_REG_2, 4),
		1376	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1377	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
		1378	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1379	BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
		1380	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1381	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1382	BPF_EXIT_INSN(),
		1383	},
		1384	.result = REJECT,
		1385	.errstr = "invalid stack type R3 off=-1 access_size=-1",
		1386	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1387	},
		1388	{
		1389	"raw_stack: skb_load_bytes, invalid access 4",
		1390	.insns = {
		1391	BPF_MOV64_IMM(BPF_REG_2, 4),
		1392	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1393	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
		1394	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1395	BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
		1396	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1397	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1398	BPF_EXIT_INSN(),
		1399	},
		1400	.result = REJECT,
		1401	.errstr = "invalid stack type R3 off=-1 access_size=2147483647",
		1402	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1403	},
		1404	{
		1405	"raw_stack: skb_load_bytes, invalid access 5",
		1406	.insns = {
		1407	BPF_MOV64_IMM(BPF_REG_2, 4),
		1408	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1409	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
		1410	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1411	BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
		1412	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1413	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1414	BPF_EXIT_INSN(),
		1415	},
		1416	.result = REJECT,
		1417	.errstr = "invalid stack type R3 off=-512 access_size=2147483647",
		1418	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1419	},
		1420	{
		1421	"raw_stack: skb_load_bytes, invalid access 6",
		1422	.insns = {
		1423	BPF_MOV64_IMM(BPF_REG_2, 4),
		1424	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1425	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
		1426	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1427	BPF_MOV64_IMM(BPF_REG_4, 0),
		1428	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1429	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1430	BPF_EXIT_INSN(),
		1431	},
		1432	.result = REJECT,
		1433	.errstr = "invalid stack type R3 off=-512 access_size=0",
		1434	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1435	},
		1436	{
		1437	"raw_stack: skb_load_bytes, large access",
		1438	.insns = {
		1439	BPF_MOV64_IMM(BPF_REG_2, 4),
		1440	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
		1441	BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
		1442	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
		1443	BPF_MOV64_IMM(BPF_REG_4, 512),
		1444	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),
		1445	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
		1446	BPF_EXIT_INSN(),
		1447	},
		1448	.result = ACCEPT,
		1449	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
		1450	},
1183	};	1451	};
1184		1452
1185	static int probe_filter_length(struct bpf_insn *fp)	1453	static int probe_filter_length(struct bpf_insn *fp)