18c2ecf20Sopenharmony_ci{ 28c2ecf20Sopenharmony_ci "leak pointer into ctx 1", 38c2ecf20Sopenharmony_ci .insns = { 48c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 58c2ecf20Sopenharmony_ci BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 68c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, cb[0])), 78c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_2, 0), 88c2ecf20Sopenharmony_ci BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2, 98c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, cb[0])), 108c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 118c2ecf20Sopenharmony_ci }, 128c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 2 }, 138c2ecf20Sopenharmony_ci .errstr_unpriv = "R2 leaks addr into mem", 148c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 158c2ecf20Sopenharmony_ci .result = REJECT, 168c2ecf20Sopenharmony_ci .errstr = "BPF_XADD stores into R1 ctx is not allowed", 178c2ecf20Sopenharmony_ci}, 188c2ecf20Sopenharmony_ci{ 198c2ecf20Sopenharmony_ci "leak pointer into ctx 2", 208c2ecf20Sopenharmony_ci .insns = { 218c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 228c2ecf20Sopenharmony_ci BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 238c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, cb[0])), 248c2ecf20Sopenharmony_ci BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10, 258c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, cb[0])), 268c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 278c2ecf20Sopenharmony_ci }, 288c2ecf20Sopenharmony_ci .errstr_unpriv = "R10 leaks addr into mem", 298c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 308c2ecf20Sopenharmony_ci .result = REJECT, 318c2ecf20Sopenharmony_ci .errstr = "BPF_XADD stores into R1 ctx is not allowed", 328c2ecf20Sopenharmony_ci}, 338c2ecf20Sopenharmony_ci{ 348c2ecf20Sopenharmony_ci "leak pointer into ctx 3", 358c2ecf20Sopenharmony_ci .insns = { 368c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 378c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_2, 0), 388c2ecf20Sopenharmony_ci BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 398c2ecf20Sopenharmony_ci offsetof(struct __sk_buff, cb[0])), 408c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 418c2ecf20Sopenharmony_ci }, 428c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 1 }, 438c2ecf20Sopenharmony_ci .errstr_unpriv = "R2 leaks addr into ctx", 448c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 458c2ecf20Sopenharmony_ci .result = ACCEPT, 468c2ecf20Sopenharmony_ci}, 478c2ecf20Sopenharmony_ci{ 488c2ecf20Sopenharmony_ci "leak pointer into map val", 498c2ecf20Sopenharmony_ci .insns = { 508c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), 518c2ecf20Sopenharmony_ci BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0), 528c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 538c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), 548c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 558c2ecf20Sopenharmony_ci BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), 568c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), 578c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_3, 0), 588c2ecf20Sopenharmony_ci BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0), 598c2ecf20Sopenharmony_ci BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0), 608c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 618c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 628c2ecf20Sopenharmony_ci }, 638c2ecf20Sopenharmony_ci .fixup_map_hash_8b = { 4 }, 648c2ecf20Sopenharmony_ci .errstr_unpriv = "R6 leaks addr into mem", 658c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 668c2ecf20Sopenharmony_ci .result = ACCEPT, 678c2ecf20Sopenharmony_ci}, 68