/*
 * Verifier test: a pointer returned by bpf_ringbuf_reserve() is moved by a
 * constant offset and then handed to bpf_ringbuf_submit(). The program is
 * expected to be rejected at load time, so the submit helper never receives
 * an address other than the one reserve returned.
 */
{
	"ringbuf: invalid reservation offset 1",
	.insns = {
	/* zero the 8-byte stack slot at R10-8, then reserve 8 bytes of
	 * ringbuf memory: R1 = map, R2 = size (8), R3 = flags (0)
	 */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_MOV64_IMM(BPF_REG_2, 8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
	/* store a pointer to the reserved memory in R6 */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	/* check whether the reservation was successful; on R0 == 0 skip the
	 * next 7 instructions and land on the "R0 = 0; exit" epilogue
	 */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
	/* spill R6(mem) into the stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	/* fill it back in R7 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
	/* should be able to access *(R7) = 0: R7 is still the unmodified
	 * reservation pointer here
	 */
	BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
	/* set up the submit call: R1 = copy of the reservation pointer */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	/* add invalid offset to reserved ringbuf memory; only R1 (the helper
	 * argument) is modified, R7 keeps the original pointer
	 */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xcafe),
	/* R2 = flags (0) */
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	/* instruction index of the BPF_LD_MAP_FD above; presumably patched by
	 * the test harness with a ringbuf map fd - confirm against the harness
	 */
	.fixup_map_ringbuf = { 1 },
	.result = REJECT,
	/* the rejection is expected on R1, i.e. on the submit argument */
	.errstr = "dereference of modified alloc_mem ptr R1",
},
/*
 * Verifier test: same setup as the previous case, but the offset is added to
 * R7 before the program writes through it and before it is passed to
 * bpf_ringbuf_submit(). The program is expected to be rejected with a
 * range error on R7.
 */
{
	"ringbuf: invalid reservation offset 2",
	.insns = {
	/* zero the 8-byte stack slot at R10-8, then reserve 8 bytes of
	 * ringbuf memory: R1 = map, R2 = size (8), R3 = flags (0)
	 */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_MOV64_IMM(BPF_REG_2, 8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
	/* store a pointer to the reserved memory in R6 */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	/* check whether the reservation was successful; on R0 == 0 skip the
	 * next 7 instructions and land on the "R0 = 0; exit" epilogue
	 */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
	/* spill R6(mem) into the stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	/* fill it back in R7 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
	/* add invalid offset to reserved ringbuf memory */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 0xcafe),
	/* 8-byte store through the offset pointer.
	 * NOTE(review): the original comment here read "should be able to
	 * access *(R7) = 0", which matches the previous case; with 0xcafe
	 * added to an 8-byte reservation this store is presumably the access
	 * the expected errstr refers to - confirm.
	 */
	BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
	/* submit call setup: R1 = R7 (offset pointer), R2 = flags (0) */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	/* instruction index of the BPF_LD_MAP_FD above; presumably patched by
	 * the test harness with a ringbuf map fd - confirm against the harness
	 */
	.fixup_map_ringbuf = { 1 },
	.result = REJECT,
	.errstr = "R7 min value is outside of the allowed memory range",
},
/*
 * Verifier test: an unmodified 8-byte ringbuf reservation is passed as the
 * memory argument of another helper (bpf_fib_lookup) with a length of 8 and
 * is then submitted. Loaded as an XDP program; expected to be accepted.
 */
{
	"ringbuf: check passing rb mem to helpers",
	.insns = {
	/* keep the program's entry R1 in R6; it is handed to fib lookup as
	 * the first argument below
	 */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
	/* zero the 8-byte stack slot at R10-8, then reserve 8 bytes of
	 * ringbuf memory: R1 = map, R2 = size (8), R3 = flags (0)
	 */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_MOV64_IMM(BPF_REG_2, 8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
	/* keep the reservation pointer in R7 for the later submit */
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
	/* check whether the reservation was successful; R0 != 0 jumps over
	 * the exit below, R0 == 0 exits immediately with R0 = 0
	 */
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
	BPF_EXIT_INSN(),
	/* pass allocated ring buffer memory to fib lookup:
	 * R1 = saved entry R1, R2 = reservation pointer, R3 = length (8,
	 * equal to the reserved size), R4 = flags (0)
	 */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
	BPF_MOV64_IMM(BPF_REG_3, 8),
	BPF_MOV64_IMM(BPF_REG_4, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_fib_lookup),
	/* submit the ringbuf memory: R1 = original pointer kept in R7,
	 * R2 = flags (0)
	 */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	/* index 2 here because one extra instruction (the R6 save) precedes
	 * the BPF_LD_MAP_FD compared with the two cases above
	 */
	.fixup_map_ringbuf = { 2 },
	.prog_type = BPF_PROG_TYPE_XDP,
	.result = ACCEPT,
},