/*
 * Verifier selftests for socket reference tracking.
 *
 * Each entry is one BPF program handed to the verifier.  BPF_SK_LOOKUP(helper)
 * is a harness macro defined outside this file; it calls the named socket
 * lookup helper and leaves the acquired socket (or NULL) in R0 -- the
 * "direct access for lookup" entry below shows the open-coded equivalent.
 * An acquired socket must be NULL-checked and handed to bpf_sk_release() on
 * every path before the program exits or tail-calls.  .result says whether
 * the verifier must ACCEPT or REJECT the program; for REJECT, .errstr is the
 * substring expected in the verifier log.  Jump targets are instruction
 * counts, so the instructions inside an entry cannot be reordered.
 */
{
	/* R0 is copied away and the program exits: the reference is leaked. */
	"reference tracking: leak potential reference",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/* Same leak, with the sock_common variant of the lookup helper. */
	"reference tracking: leak potential reference to sock_common",
	.insns = {
	BPF_SK_LOOKUP(skc_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/* Spilling the unchecked pointer to the stack does not release it. */
	"reference tracking: leak potential reference on stack",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/* Overwriting the spilled pointer with 0 destroys the only copy. */
	"reference tracking: leak potential reference on stack 2",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/* Zeroing R0 throws the reference away without releasing it. */
	"reference tracking: zero potential reference",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	"reference tracking: zero potential reference to sock_common",
	.insns = {
	BPF_SK_LOOKUP(skc_lookup_tcp),
	BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/* Both copies of the reference (R0 and R7) are zeroed before exit. */
	"reference tracking: copy and zero potential references",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/*
	 * bpf_sk_release() requires a verified non-NULL sock; passing the
	 * unchecked sock_or_null result is a type error.
	 */
	"reference tracking: release reference without check",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	/* reference in r0 may be NULL */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "type=sock_or_null expected=sock",
	.result = REJECT,
},
{
	"reference tracking: release reference to sock_common without check",
	.insns = {
	BPF_SK_LOOKUP(skc_lookup_tcp),
	/* reference in r0 may be NULL */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "type=sock_common_or_null expected=sock",
	.result = REJECT,
},
{
	/* Canonical pattern: NULL-check R0, release on the non-NULL path. */
	"reference tracking: release reference",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	"reference tracking: release reference to sock_common",
	.insns = {
	BPF_SK_LOOKUP(skc_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/* Same contract with the branch inverted: early exit on NULL. */
	"reference tracking: release reference 2",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_EXIT_INSN(),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/*
	 * Double release: after the first bpf_sk_release() the saved copy in
	 * R6 is no longer a valid sock (reported as type=inv).
	 */
	"reference tracking: release reference twice",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "type=inv expected=sock",
	.result = REJECT,
},
{
	/* Same double release, with the NULL branch jumping past both calls. */
	"reference tracking: release reference twice inside branch",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "type=inv expected=sock",
	.result = REJECT,
},
{
	/*
	 * Only the mark == 0 path checks and releases the socket; the
	 * mark != 0 path falls into the EXIT with the reference still in R0.
	 */
	"reference tracking: alloc, check, free in one subbranch",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		    offsetof(struct __sk_buff, data)),
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		    offsetof(struct __sk_buff, data_end)),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
	/* if (offsetof(skb, mark) > data_len) exit; */
	BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
	BPF_EXIT_INSN(),
	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
		    offsetof(struct __sk_buff, mark)),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
	/* Leak reference in R0 */
	BPF_EXIT_INSN(),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	/* Both subbranches NULL-check and release, so every path is clean. */
	"reference tracking: alloc, check, free in both subbranches",
	.insns = {
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		    offsetof(struct __sk_buff, data)),
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		    offsetof(struct __sk_buff, data_end)),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
	/* if (offsetof(skb, mark) > data_len) exit; */
	BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
	BPF_EXIT_INSN(),
	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
		    offsetof(struct __sk_buff, mark)),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},
{
	/*
	 * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, N) is a pseudo call to the
	 * subprog N instructions ahead.  The reference is passed in R1 and
	 * released inside the callee, which is a valid release.
	 */
	"reference tracking in call: free reference in subprog",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),

	/* subprog 1 */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/* The callee releases the socket; the caller then releases its copy again. */
	"reference tracking in call: free reference in subprog and outside",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),

	/* subprog 1 */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "type=inv expected=sock",
	.result = REJECT,
},
{
	/*
	 * The callee acquires the socket and spills it through R4 into the
	 * caller's stack, then returns; nobody releases it.
	 */
	"reference tracking in call: alloc & leak reference in subprog",
	.insns = {
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),

	/* subprog 1 */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	/* spill unchecked sk_ptr into stack of caller */
	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/* The callee returns the acquired socket in R0; the caller checks and releases it. */
	"reference tracking in call: alloc in subprog, release outside",
	.insns = {
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),

	/* subprog 1 */
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_EXIT_INSN(), /* return sk */
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.retval = POINTER_VALUE,
	.result = ACCEPT,
},
{
	/*
	 * Two-level call: subprog 2 acquires the socket, subprog 1 spills the
	 * unchecked pointer into the outermost caller's stack and returns, and
	 * the caller exits without releasing it.
	 */
	"reference tracking in call: sk_ptr leak into caller stack",
	.insns = {
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),

	/* subprog 1 */
	BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
	/* spill unchecked sk_ptr into stack of caller */
	BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
	BPF_EXIT_INSN(),

	/* subprog 2 */
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "Unreleased reference",
	.result = REJECT,
},
{
	/*
	 * As above, but subprog 1 NULL-checks R0, reloads the spilled pointer
	 * from the caller's stack and releases it before returning.
	 */
	"reference tracking in call: sk_ptr spill into caller stack",
	.insns = {
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),

	/* subprog 1 */
	BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
	BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
	/* spill unchecked sk_ptr into stack of caller */
	BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
	/* now the sk_ptr is verified, free the reference */
	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),

	/* subprog 2 */
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/* Legacy LD_ABS packet loads are fine once the reference has been released. */
	"reference tracking: allow LD_ABS",
	.insns = {
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_LD_ABS(BPF_B, 0),
	BPF_LD_ABS(BPF_H, 0),
	BPF_LD_ABS(BPF_W, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/* The same loads are rejected while the socket reference is still held. */
	"reference tracking: forbid LD_ABS while holding reference",
	.insns = {
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_LD_ABS(BPF_B, 0),
	BPF_LD_ABS(BPF_H, 0),
	BPF_LD_ABS(BPF_W, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
	.result = REJECT,
},
{
	/* LD_IND after release; R7 (1) is also the program's return value. */
	"reference tracking: allow LD_IND",
	.insns = {
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_MOV64_IMM(BPF_REG_7, 1),
	BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
	.retval = 1,
},
{
	/* LD_IND while the reference is parked in R4: rejected. */
	"reference tracking: forbid LD_IND while holding reference",
	.insns = {
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_MOV64_IMM(BPF_REG_7, 1),
	BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
	.result = REJECT,
},
{
	/*
	 * A tail call does not return to this program, so it is only legal
	 * when no reference is held.  Here the sk != NULL path jumps to the
	 * release and the tail call is reached only on the NULL path.
	 * .fixup_prog1 patches the prog-array map fd into the BPF_LD_MAP_FD at
	 * the given instruction index (counted after BPF_SK_LOOKUP expands).
	 */
	"reference tracking: check reference or tail call",
	.insns = {
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	/* if (sk) bpf_sk_release() */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
	/* bpf_tail_call() */
	BPF_MOV64_IMM(BPF_REG_3, 3),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.fixup_prog1 = { 17 },
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/* Release first, then tail call: nothing is held at the tail call. */
	"reference tracking: release reference then tail call",
	.insns = {
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
	BPF_SK_LOOKUP(sk_lookup_tcp),
	/* if (sk) bpf_sk_release() */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	/* bpf_tail_call() */
	BPF_MOV64_IMM(BPF_REG_3, 3),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.fixup_prog1 = { 18 },
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/*
	 * The possibly-NULL reference in R6 is still held at the tail call;
	 * the release that follows does not help, since the tail call is
	 * rejected on its own.
	 */
	"reference tracking: leak possible reference over tail call",
	.insns = {
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
	/* Look up socket and store in REG_6 */
	BPF_SK_LOOKUP(sk_lookup_tcp),
	/* bpf_tail_call() */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_MOV64_IMM(BPF_REG_3, 3),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	/* if (sk) bpf_sk_release() */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.fixup_prog1 = { 16 },
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "tail_call would lead to reference leak",
	.result = REJECT,
},
{
	/* Same, but with a NULL-checked (definitely live) reference held across the tail call. */
	"reference tracking: leak checked reference over tail call",
	.insns = {
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
	/* Look up socket and store in REG_6 */
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	/* if (!sk) goto end */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
	/* bpf_tail_call() */
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_LD_MAP_FD(BPF_REG_2, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_tail_call),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.fixup_prog1 = { 17 },
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "tail_call would lead to reference leak",
	.result = REJECT,
},
{
	/* Pointer arithmetic on the unchecked socket pointer is prohibited. */
	"reference tracking: mangle and release sock_or_null",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "R1 pointer arithmetic on sock_or_null prohibited",
	.result = REJECT,
},
{
	/* ...and equally prohibited after the NULL check. */
	"reference tracking: mangle and release sock",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "R1 pointer arithmetic on sock prohibited",
	.result = REJECT,
},
{
	/* A 4-byte read at offset 4 through the checked sock pointer is allowed. */
	"reference tracking: access member",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/* struct bpf_sock is read-only to the program: a store is rejected. */
	"reference tracking: write to member",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_LD_IMM64(BPF_REG_2, 42),
	BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
		    offsetof(struct bpf_sock, mark)),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_LD_IMM64(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "cannot write into sock",
	.result = REJECT,
},
{
	/* An 8-byte load at offset 0 is not a valid bpf_sock field access. */
	"reference tracking: invalid 64-bit access of member",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "invalid sock access off=0 size=8",
	.result = REJECT,
},
{
	/*
	 * Use-after-release: R1 still holds the pointer that was just passed
	 * to bpf_sk_release(), so reading through it is rejected.
	 */
	"reference tracking: access after release",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.errstr = "!read_ok",
	.result = REJECT,
},
{
	/*
	 * Open-coded lookup: the tuple is taken straight from packet data
	 * (R2 = skb->data), so the packet is bounds-checked first; R3 is the
	 * tuple size and the remaining helper arguments are zero.
	 */
	"reference tracking: direct access for lookup",
	.insns = {
	/* Check that the packet is at least 64B long */
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		    offsetof(struct __sk_buff, data)),
	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		    offsetof(struct __sk_buff, data_end)),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
	/* sk = sk_lookup_tcp(ctx, skb->data, ...) */
	BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
	BPF_MOV64_IMM(BPF_REG_4, 0),
	BPF_MOV64_IMM(BPF_REG_5, 0),
	BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},
{
	/*
	 * The bpf_tcp_sock pointer derived from the socket is kept in R7 and
	 * dereferenced after the socket it was derived from is released.
	 * (This entry continues beyond the visible part of the file.)
	 */
	"reference tracking: use ptr from bpf_tcp_sock() after release",
	.insns = {
	BPF_SK_LOOKUP(sk_lookup_tcp),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_EXIT_INSN(),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_EXIT_INSN(),
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_EMIT_CALL(BPF_FUNC_sk_release),
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_tcp_sock, snd_cwnd)),
	BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6768c2ecf20Sopenharmony_ci .result = REJECT, 6778c2ecf20Sopenharmony_ci .errstr = "invalid mem access", 6788c2ecf20Sopenharmony_ci}, 6798c2ecf20Sopenharmony_ci{ 6808c2ecf20Sopenharmony_ci "reference tracking: use ptr from bpf_sk_fullsock() after release", 6818c2ecf20Sopenharmony_ci .insns = { 6828c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 6838c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 6848c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6858c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 6868c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 6878c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 6888c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), 6898c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 6908c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 6918c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6928c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 6938c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 6948c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 6958c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_7, offsetof(struct bpf_sock, type)), 6968c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 6978c2ecf20Sopenharmony_ci }, 6988c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 6998c2ecf20Sopenharmony_ci .result = REJECT, 7008c2ecf20Sopenharmony_ci .errstr = "invalid mem access", 7018c2ecf20Sopenharmony_ci}, 7028c2ecf20Sopenharmony_ci{ 7038c2ecf20Sopenharmony_ci "reference tracking: use ptr from bpf_sk_fullsock(tp) after release", 7048c2ecf20Sopenharmony_ci .insns = { 7058c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 7068c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7078c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7088c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 7098c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7108c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 
7118c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), 7128c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 7138c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7148c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7158c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7168c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 7178c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 7188c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 7198c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7208c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1), 7218c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7228c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, type)), 7238c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7248c2ecf20Sopenharmony_ci }, 7258c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7268c2ecf20Sopenharmony_ci .result = REJECT, 7278c2ecf20Sopenharmony_ci .errstr = "invalid mem access", 7288c2ecf20Sopenharmony_ci}, 7298c2ecf20Sopenharmony_ci{ 7308c2ecf20Sopenharmony_ci "reference tracking: use sk after bpf_sk_release(tp)", 7318c2ecf20Sopenharmony_ci .insns = { 7328c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 7338c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7348c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7358c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 7368c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7378c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 7388c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), 7398c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 7408c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7418c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7428c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7438c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7448c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct 
bpf_sock, type)), 7458c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7468c2ecf20Sopenharmony_ci }, 7478c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7488c2ecf20Sopenharmony_ci .result = REJECT, 7498c2ecf20Sopenharmony_ci .errstr = "invalid mem access", 7508c2ecf20Sopenharmony_ci}, 7518c2ecf20Sopenharmony_ci{ 7528c2ecf20Sopenharmony_ci "reference tracking: use ptr from bpf_get_listener_sock() after bpf_sk_release(sk)", 7538c2ecf20Sopenharmony_ci .insns = { 7548c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 7558c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7568c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7578c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 7588c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7598c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_get_listener_sock), 7608c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), 7618c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 7628c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7638c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7648c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 7658c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 7668c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7678c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, src_port)), 7688c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7698c2ecf20Sopenharmony_ci }, 7708c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7718c2ecf20Sopenharmony_ci .result = ACCEPT, 7728c2ecf20Sopenharmony_ci}, 7738c2ecf20Sopenharmony_ci{ 7748c2ecf20Sopenharmony_ci "reference tracking: bpf_sk_release(listen_sk)", 7758c2ecf20Sopenharmony_ci .insns = { 7768c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 7778c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 7788c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7798c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 7808c2ecf20Sopenharmony_ci 
BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7818c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_get_listener_sock), 7828c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), 7838c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 7848c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7858c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7868c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 7878c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7888c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6, offsetof(struct bpf_sock, type)), 7898c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 7908c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 7918c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 7928c2ecf20Sopenharmony_ci }, 7938c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 7948c2ecf20Sopenharmony_ci .result = REJECT, 7958c2ecf20Sopenharmony_ci .errstr = "reference has not been acquired before", 7968c2ecf20Sopenharmony_ci}, 7978c2ecf20Sopenharmony_ci{ 7988c2ecf20Sopenharmony_ci /* !bpf_sk_fullsock(sk) is checked but !bpf_tcp_sock(sk) is not checked */ 7998c2ecf20Sopenharmony_ci "reference tracking: tp->snd_cwnd after bpf_sk_fullsock(sk) and bpf_tcp_sock(sk)", 8008c2ecf20Sopenharmony_ci .insns = { 8018c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 8028c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 8038c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8048c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 8058c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 8068c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), 8078c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 8088c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8098c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_tcp_sock), 8108c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 8118c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0, 3), 8128c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, 
BPF_REG_6), 8138c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8148c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8158c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_8, offsetof(struct bpf_tcp_sock, snd_cwnd)), 8168c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8178c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8188c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8198c2ecf20Sopenharmony_ci }, 8208c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 8218c2ecf20Sopenharmony_ci .result = REJECT, 8228c2ecf20Sopenharmony_ci .errstr = "invalid mem access", 8238c2ecf20Sopenharmony_ci}, 8248c2ecf20Sopenharmony_ci{ 8258c2ecf20Sopenharmony_ci "reference tracking: branch tracking valid pointer null comparison", 8268c2ecf20Sopenharmony_ci .insns = { 8278c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 8288c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 8298c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_3, 1), 8308c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1), 8318c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_3, 0), 8328c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 2), 8338c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8348c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8358c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8368c2ecf20Sopenharmony_ci }, 8378c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 8388c2ecf20Sopenharmony_ci .result = ACCEPT, 8398c2ecf20Sopenharmony_ci}, 8408c2ecf20Sopenharmony_ci{ 8418c2ecf20Sopenharmony_ci "reference tracking: branch tracking valid pointer value comparison", 8428c2ecf20Sopenharmony_ci .insns = { 8438c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 8448c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 8458c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_3, 1), 8468c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), 8478c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_3, 0), 8488c2ecf20Sopenharmony_ci 
BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 1234, 2), 8498c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8508c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8518c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8528c2ecf20Sopenharmony_ci }, 8538c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 8548c2ecf20Sopenharmony_ci .errstr = "Unreleased reference", 8558c2ecf20Sopenharmony_ci .result = REJECT, 8568c2ecf20Sopenharmony_ci}, 8578c2ecf20Sopenharmony_ci{ 8588c2ecf20Sopenharmony_ci "reference tracking: bpf_sk_release(btf_tcp_sock)", 8598c2ecf20Sopenharmony_ci .insns = { 8608c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 8618c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 8628c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8638c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 8648c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 8658c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock), 8668c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), 8678c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8688c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8698c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8708c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 8718c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8728c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8738c2ecf20Sopenharmony_ci }, 8748c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 8758c2ecf20Sopenharmony_ci .result = ACCEPT, 8768c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 8778c2ecf20Sopenharmony_ci .errstr_unpriv = "unknown func", 8788c2ecf20Sopenharmony_ci}, 8798c2ecf20Sopenharmony_ci{ 8808c2ecf20Sopenharmony_ci "reference tracking: use ptr from bpf_skc_to_tcp_sock() after release", 8818c2ecf20Sopenharmony_ci .insns = { 8828c2ecf20Sopenharmony_ci BPF_SK_LOOKUP(sk_lookup_tcp), 8838c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 8848c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8858c2ecf20Sopenharmony_ci 
BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), 8868c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), 8878c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock), 8888c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 3), 8898c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8908c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8918c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8928c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), 8938c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), 8948c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_sk_release), 8958c2ecf20Sopenharmony_ci BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_7, 0), 8968c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 8978c2ecf20Sopenharmony_ci }, 8988c2ecf20Sopenharmony_ci .prog_type = BPF_PROG_TYPE_SCHED_CLS, 8998c2ecf20Sopenharmony_ci .result = REJECT, 9008c2ecf20Sopenharmony_ci .errstr = "invalid mem access", 9018c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 9028c2ecf20Sopenharmony_ci .errstr_unpriv = "unknown func", 9038c2ecf20Sopenharmony_ci}, 9048c2ecf20Sopenharmony_ci{ 9058c2ecf20Sopenharmony_ci "reference tracking: try to leak released ptr reg", 9068c2ecf20Sopenharmony_ci .insns = { 9078c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 9088c2ecf20Sopenharmony_ci BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4), 9098c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), 9108c2ecf20Sopenharmony_ci BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), 9118c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 9128c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), 9138c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 9148c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 9158c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_9, BPF_REG_0), 9168c2ecf20Sopenharmony_ci 9178c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 9188c2ecf20Sopenharmony_ci BPF_LD_MAP_FD(BPF_REG_1, 0), 9198c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_2, 8), 9208c2ecf20Sopenharmony_ci 
BPF_MOV64_IMM(BPF_REG_3, 0), 9218c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_ringbuf_reserve), 9228c2ecf20Sopenharmony_ci BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), 9238c2ecf20Sopenharmony_ci BPF_EXIT_INSN(), 9248c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), 9258c2ecf20Sopenharmony_ci 9268c2ecf20Sopenharmony_ci BPF_MOV64_REG(BPF_REG_1, BPF_REG_8), 9278c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_2, 0), 9288c2ecf20Sopenharmony_ci BPF_EMIT_CALL(BPF_FUNC_ringbuf_discard), 9298c2ecf20Sopenharmony_ci BPF_MOV64_IMM(BPF_REG_0, 0), 9308c2ecf20Sopenharmony_ci 9318c2ecf20Sopenharmony_ci BPF_STX_MEM(BPF_DW, BPF_REG_9, BPF_REG_8, 0), 9328c2ecf20Sopenharmony_ci BPF_EXIT_INSN() 9338c2ecf20Sopenharmony_ci }, 9348c2ecf20Sopenharmony_ci .fixup_map_array_48b = { 4 }, 9358c2ecf20Sopenharmony_ci .fixup_map_ringbuf = { 11 }, 9368c2ecf20Sopenharmony_ci .result = ACCEPT, 9378c2ecf20Sopenharmony_ci .result_unpriv = REJECT, 9388c2ecf20Sopenharmony_ci .errstr_unpriv = "R8 !read_ok" 9398c2ecf20Sopenharmony_ci}, 940