Merge branch 'bpf-range-marking-fixes'

Daniel Borkmann says: ==================== Two BPF fixes for range marking The set contains two fixes for direct packet access range markings and test cases for all direct packet access patterns that the verifier matches on. They are targeted for net tree, note that once net gets merged into net-next, there will be a minor merge conflict due to signature change of the function find_good_pkt_pointers() as well as data_meta patterns present in net-next tree. You can just add bool false to the data_meta patterns and I will follow-up with properly converting the patterns for data_meta in a similar way. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2017-10-21 19:56:10 -0400
committer: David S. Miller <davem@davemloft.net> 2017-10-21 19:56:10 -0400
commit: d2b2762433435d81fe76be6d16078c436b45cf3b (patch)
tree: 094fc50d34225194618797023ee25e65413a5e0d /tools
parent: 8695a5395661fbb4a4f26c97f801f3800ae4754e (diff)
parent: b37242c773b21edcd566e3bf995fb91d06b9537a (diff)
1 files changed, 480 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 50e15cedbb7f..64ae21f64489 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6671,6 +6671,486 @@ static struct bpf_test tests[] = {
                .result = REJECT,
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
+        {
+                "XDP pkt read, pkt_end mangling, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end mangling, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' > pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' > pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' > pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end > pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end > pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end > pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' < pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' < pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' < pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end < pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end < pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end < pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' >= pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end >= pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end >= pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end >= pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' <= pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end <= pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end <= pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end <= pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
 };
 static int probe_filter_length(const struct bpf_insn *fp)
author	David S. Miller <davem@davemloft.net>	2017-10-21 19:56:10 -0400
committer	David S. Miller <davem@davemloft.net>	2017-10-21 19:56:10 -0400
commit	d2b2762433435d81fe76be6d16078c436b45cf3b (patch)
tree	094fc50d34225194618797023ee25e65413a5e0d /tools
parent	8695a5395661fbb4a4f26c97f801f3800ae4754e (diff)
parent	b37242c773b21edcd566e3bf995fb91d06b9537a (diff)

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 50e15cedbb7f..64ae21f64489 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6671,6 +6671,486 @@ static struct bpf_test tests[] = {
6671	.result = REJECT,	6671	.result = REJECT,
6672	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	6672	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6673	},	6673	},
		6674	{
		6675	"XDP pkt read, pkt_end mangling, bad access 1",
		6676	.insns = {
		6677	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6678	offsetof(struct xdp_md, data)),
		6679	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6680	offsetof(struct xdp_md, data_end)),
		6681	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6682	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6683	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
		6684	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6685	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6686	BPF_MOV64_IMM(BPF_REG_0, 0),
		6687	BPF_EXIT_INSN(),
		6688	},
		6689	.errstr = "R1 offset is outside of the packet",
		6690	.result = REJECT,
		6691	.prog_type = BPF_PROG_TYPE_XDP,
		6692	},
		6693	{
		6694	"XDP pkt read, pkt_end mangling, bad access 2",
		6695	.insns = {
		6696	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6697	offsetof(struct xdp_md, data)),
		6698	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6699	offsetof(struct xdp_md, data_end)),
		6700	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6701	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6702	BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
		6703	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6704	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6705	BPF_MOV64_IMM(BPF_REG_0, 0),
		6706	BPF_EXIT_INSN(),
		6707	},
		6708	.errstr = "R1 offset is outside of the packet",
		6709	.result = REJECT,
		6710	.prog_type = BPF_PROG_TYPE_XDP,
		6711	},
		6712	{
		6713	"XDP pkt read, pkt_data' > pkt_end, good access",
		6714	.insns = {
		6715	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6716	offsetof(struct xdp_md, data)),
		6717	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6718	offsetof(struct xdp_md, data_end)),
		6719	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6720	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6721	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6722	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6723	BPF_MOV64_IMM(BPF_REG_0, 0),
		6724	BPF_EXIT_INSN(),
		6725	},
		6726	.result = ACCEPT,
		6727	.prog_type = BPF_PROG_TYPE_XDP,
		6728	},
		6729	{
		6730	"XDP pkt read, pkt_data' > pkt_end, bad access 1",
		6731	.insns = {
		6732	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6733	offsetof(struct xdp_md, data)),
		6734	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6735	offsetof(struct xdp_md, data_end)),
		6736	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6737	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6738	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6739	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		6740	BPF_MOV64_IMM(BPF_REG_0, 0),
		6741	BPF_EXIT_INSN(),
		6742	},
		6743	.errstr = "R1 offset is outside of the packet",
		6744	.result = REJECT,
		6745	.prog_type = BPF_PROG_TYPE_XDP,
		6746	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6747	},
		6748	{
		6749	"XDP pkt read, pkt_data' > pkt_end, bad access 2",
		6750	.insns = {
		6751	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6752	offsetof(struct xdp_md, data)),
		6753	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6754	offsetof(struct xdp_md, data_end)),
		6755	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6756	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6757	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
		6758	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6759	BPF_MOV64_IMM(BPF_REG_0, 0),
		6760	BPF_EXIT_INSN(),
		6761	},
		6762	.errstr = "R1 offset is outside of the packet",
		6763	.result = REJECT,
		6764	.prog_type = BPF_PROG_TYPE_XDP,
		6765	},
		6766	{
		6767	"XDP pkt read, pkt_end > pkt_data', good access",
		6768	.insns = {
		6769	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6770	offsetof(struct xdp_md, data)),
		6771	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6772	offsetof(struct xdp_md, data_end)),
		6773	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6774	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6775	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
		6776	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6777	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6778	BPF_MOV64_IMM(BPF_REG_0, 0),
		6779	BPF_EXIT_INSN(),
		6780	},
		6781	.result = ACCEPT,
		6782	.prog_type = BPF_PROG_TYPE_XDP,
		6783	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6784	},
		6785	{
		6786	"XDP pkt read, pkt_end > pkt_data', bad access 1",
		6787	.insns = {
		6788	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6789	offsetof(struct xdp_md, data)),
		6790	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6791	offsetof(struct xdp_md, data_end)),
		6792	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6793	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6794	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
		6795	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6796	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6797	BPF_MOV64_IMM(BPF_REG_0, 0),
		6798	BPF_EXIT_INSN(),
		6799	},
		6800	.errstr = "R1 offset is outside of the packet",
		6801	.result = REJECT,
		6802	.prog_type = BPF_PROG_TYPE_XDP,
		6803	},
		6804	{
		6805	"XDP pkt read, pkt_end > pkt_data', bad access 2",
		6806	.insns = {
		6807	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6808	offsetof(struct xdp_md, data)),
		6809	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6810	offsetof(struct xdp_md, data_end)),
		6811	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6812	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6813	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
		6814	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6815	BPF_MOV64_IMM(BPF_REG_0, 0),
		6816	BPF_EXIT_INSN(),
		6817	},
		6818	.errstr = "R1 offset is outside of the packet",
		6819	.result = REJECT,
		6820	.prog_type = BPF_PROG_TYPE_XDP,
		6821	},
		6822	{
		6823	"XDP pkt read, pkt_data' < pkt_end, good access",
		6824	.insns = {
		6825	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6826	offsetof(struct xdp_md, data)),
		6827	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6828	offsetof(struct xdp_md, data_end)),
		6829	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6830	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6831	BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
		6832	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6833	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6834	BPF_MOV64_IMM(BPF_REG_0, 0),
		6835	BPF_EXIT_INSN(),
		6836	},
		6837	.result = ACCEPT,
		6838	.prog_type = BPF_PROG_TYPE_XDP,
		6839	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6840	},
		6841	{
		6842	"XDP pkt read, pkt_data' < pkt_end, bad access 1",
		6843	.insns = {
		6844	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6845	offsetof(struct xdp_md, data)),
		6846	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6847	offsetof(struct xdp_md, data_end)),
		6848	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6849	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6850	BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
		6851	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6852	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6853	BPF_MOV64_IMM(BPF_REG_0, 0),
		6854	BPF_EXIT_INSN(),
		6855	},
		6856	.errstr = "R1 offset is outside of the packet",
		6857	.result = REJECT,
		6858	.prog_type = BPF_PROG_TYPE_XDP,
		6859	},
		6860	{
		6861	"XDP pkt read, pkt_data' < pkt_end, bad access 2",
		6862	.insns = {
		6863	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6864	offsetof(struct xdp_md, data)),
		6865	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6866	offsetof(struct xdp_md, data_end)),
		6867	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6868	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6869	BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
		6870	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6871	BPF_MOV64_IMM(BPF_REG_0, 0),
		6872	BPF_EXIT_INSN(),
		6873	},
		6874	.errstr = "R1 offset is outside of the packet",
		6875	.result = REJECT,
		6876	.prog_type = BPF_PROG_TYPE_XDP,
		6877	},
		6878	{
		6879	"XDP pkt read, pkt_end < pkt_data', good access",
		6880	.insns = {
		6881	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6882	offsetof(struct xdp_md, data)),
		6883	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6884	offsetof(struct xdp_md, data_end)),
		6885	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6886	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6887	BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
		6888	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6889	BPF_MOV64_IMM(BPF_REG_0, 0),
		6890	BPF_EXIT_INSN(),
		6891	},
		6892	.result = ACCEPT,
		6893	.prog_type = BPF_PROG_TYPE_XDP,
		6894	},
		6895	{
		6896	"XDP pkt read, pkt_end < pkt_data', bad access 1",
		6897	.insns = {
		6898	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6899	offsetof(struct xdp_md, data)),
		6900	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6901	offsetof(struct xdp_md, data_end)),
		6902	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6903	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6904	BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
		6905	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		6906	BPF_MOV64_IMM(BPF_REG_0, 0),
		6907	BPF_EXIT_INSN(),
		6908	},
		6909	.errstr = "R1 offset is outside of the packet",
		6910	.result = REJECT,
		6911	.prog_type = BPF_PROG_TYPE_XDP,
		6912	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6913	},
		6914	{
		6915	"XDP pkt read, pkt_end < pkt_data', bad access 2",
		6916	.insns = {
		6917	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6918	offsetof(struct xdp_md, data)),
		6919	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6920	offsetof(struct xdp_md, data_end)),
		6921	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6922	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6923	BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
		6924	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6925	BPF_MOV64_IMM(BPF_REG_0, 0),
		6926	BPF_EXIT_INSN(),
		6927	},
		6928	.errstr = "R1 offset is outside of the packet",
		6929	.result = REJECT,
		6930	.prog_type = BPF_PROG_TYPE_XDP,
		6931	},
		6932	{
		6933	"XDP pkt read, pkt_data' >= pkt_end, good access",
		6934	.insns = {
		6935	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6936	offsetof(struct xdp_md, data)),
		6937	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6938	offsetof(struct xdp_md, data_end)),
		6939	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6940	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6941	BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
		6942	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6943	BPF_MOV64_IMM(BPF_REG_0, 0),
		6944	BPF_EXIT_INSN(),
		6945	},
		6946	.result = ACCEPT,
		6947	.prog_type = BPF_PROG_TYPE_XDP,
		6948	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6949	},
		6950	{
		6951	"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
		6952	.insns = {
		6953	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6954	offsetof(struct xdp_md, data)),
		6955	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6956	offsetof(struct xdp_md, data_end)),
		6957	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6958	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6959	BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
		6960	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6961	BPF_MOV64_IMM(BPF_REG_0, 0),
		6962	BPF_EXIT_INSN(),
		6963	},
		6964	.errstr = "R1 offset is outside of the packet",
		6965	.result = REJECT,
		6966	.prog_type = BPF_PROG_TYPE_XDP,
		6967	},
		6968	{
		6969	"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
		6970	.insns = {
		6971	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6972	offsetof(struct xdp_md, data)),
		6973	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6974	offsetof(struct xdp_md, data_end)),
		6975	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6976	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6977	BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
		6978	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6979	BPF_MOV64_IMM(BPF_REG_0, 0),
		6980	BPF_EXIT_INSN(),
		6981	},
		6982	.errstr = "R1 offset is outside of the packet",
		6983	.result = REJECT,
		6984	.prog_type = BPF_PROG_TYPE_XDP,
		6985	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6986	},
		6987	{
		6988	"XDP pkt read, pkt_end >= pkt_data', good access",
		6989	.insns = {
		6990	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6991	offsetof(struct xdp_md, data)),
		6992	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6993	offsetof(struct xdp_md, data_end)),
		6994	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6995	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6996	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
		6997	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6998	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6999	BPF_MOV64_IMM(BPF_REG_0, 0),
		7000	BPF_EXIT_INSN(),
		7001	},
		7002	.result = ACCEPT,
		7003	.prog_type = BPF_PROG_TYPE_XDP,
		7004	},
		7005	{
		7006	"XDP pkt read, pkt_end >= pkt_data', bad access 1",
		7007	.insns = {
		7008	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7009	offsetof(struct xdp_md, data)),
		7010	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7011	offsetof(struct xdp_md, data_end)),
		7012	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7013	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7014	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
		7015	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		7016	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		7017	BPF_MOV64_IMM(BPF_REG_0, 0),
		7018	BPF_EXIT_INSN(),
		7019	},
		7020	.errstr = "R1 offset is outside of the packet",
		7021	.result = REJECT,
		7022	.prog_type = BPF_PROG_TYPE_XDP,
		7023	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7024	},
		7025	{
		7026	"XDP pkt read, pkt_end >= pkt_data', bad access 2",
		7027	.insns = {
		7028	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7029	offsetof(struct xdp_md, data)),
		7030	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7031	offsetof(struct xdp_md, data_end)),
		7032	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7033	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7034	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
		7035	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7036	BPF_MOV64_IMM(BPF_REG_0, 0),
		7037	BPF_EXIT_INSN(),
		7038	},
		7039	.errstr = "R1 offset is outside of the packet",
		7040	.result = REJECT,
		7041	.prog_type = BPF_PROG_TYPE_XDP,
		7042	},
		7043	{
		7044	"XDP pkt read, pkt_data' <= pkt_end, good access",
		7045	.insns = {
		7046	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7047	offsetof(struct xdp_md, data)),
		7048	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7049	offsetof(struct xdp_md, data_end)),
		7050	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7051	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7052	BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
		7053	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		7054	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7055	BPF_MOV64_IMM(BPF_REG_0, 0),
		7056	BPF_EXIT_INSN(),
		7057	},
		7058	.result = ACCEPT,
		7059	.prog_type = BPF_PROG_TYPE_XDP,
		7060	},
		7061	{
		7062	"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
		7063	.insns = {
		7064	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7065	offsetof(struct xdp_md, data)),
		7066	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7067	offsetof(struct xdp_md, data_end)),
		7068	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7069	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7070	BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
		7071	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		7072	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		7073	BPF_MOV64_IMM(BPF_REG_0, 0),
		7074	BPF_EXIT_INSN(),
		7075	},
		7076	.errstr = "R1 offset is outside of the packet",
		7077	.result = REJECT,
		7078	.prog_type = BPF_PROG_TYPE_XDP,
		7079	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7080	},
		7081	{
		7082	"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
		7083	.insns = {
		7084	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7085	offsetof(struct xdp_md, data)),
		7086	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7087	offsetof(struct xdp_md, data_end)),
		7088	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7089	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7090	BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
		7091	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7092	BPF_MOV64_IMM(BPF_REG_0, 0),
		7093	BPF_EXIT_INSN(),
		7094	},
		7095	.errstr = "R1 offset is outside of the packet",
		7096	.result = REJECT,
		7097	.prog_type = BPF_PROG_TYPE_XDP,
		7098	},
		7099	{
		7100	"XDP pkt read, pkt_end <= pkt_data', good access",
		7101	.insns = {
		7102	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7103	offsetof(struct xdp_md, data)),
		7104	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7105	offsetof(struct xdp_md, data_end)),
		7106	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7107	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7108	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
		7109	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		7110	BPF_MOV64_IMM(BPF_REG_0, 0),
		7111	BPF_EXIT_INSN(),
		7112	},
		7113	.result = ACCEPT,
		7114	.prog_type = BPF_PROG_TYPE_XDP,
		7115	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7116	},
		7117	{
		7118	"XDP pkt read, pkt_end <= pkt_data', bad access 1",
		7119	.insns = {
		7120	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7121	offsetof(struct xdp_md, data)),
		7122	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7123	offsetof(struct xdp_md, data_end)),
		7124	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7125	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7126	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
		7127	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7128	BPF_MOV64_IMM(BPF_REG_0, 0),
		7129	BPF_EXIT_INSN(),
		7130	},
		7131	.errstr = "R1 offset is outside of the packet",
		7132	.result = REJECT,
		7133	.prog_type = BPF_PROG_TYPE_XDP,
		7134	},
		7135	{
		7136	"XDP pkt read, pkt_end <= pkt_data', bad access 2",
		7137	.insns = {
		7138	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7139	offsetof(struct xdp_md, data)),
		7140	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7141	offsetof(struct xdp_md, data_end)),
		7142	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7143	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7144	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
		7145	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		7146	BPF_MOV64_IMM(BPF_REG_0, 0),
		7147	BPF_EXIT_INSN(),
		7148	},
		7149	.errstr = "R1 offset is outside of the packet",
		7150	.result = REJECT,
		7151	.prog_type = BPF_PROG_TYPE_XDP,
		7152	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7153	},
6674	};	7154	};
6675		7155
6676	static int probe_filter_length(const struct bpf_insn *fp)	7156	static int probe_filter_length(const struct bpf_insn *fp)