1{
	/*
	 * Negative test: skb->sk is loaded and then read through without any
	 * comparison against NULL, so the verifier is expected to refuse the
	 * program with the message in .errstr.
	 */
2	"skb->sk: no NULL check",
3	.insns = {
4	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
5	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0), /* read through r1, no NULL test in between */
6	BPF_MOV64_IMM(BPF_REG_0, 0),
7	BPF_EXIT_INSN(),
8	},
9	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
10	.result = REJECT,
11	.errstr = "invalid mem access 'sock_common_or_null'",
12},
13{
	/*
	 * Positive test: once skb->sk has been compared against NULL, the
	 * family field (labelled a non-fullsock field by the title) may be
	 * read directly, without calling bpf_sk_fullsock().
	 */
14	"skb->sk: sk->family [non fullsock field]",
15	.insns = {
16	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
17	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
18	BPF_MOV64_IMM(BPF_REG_0, 0),
19	BPF_EXIT_INSN(),
20	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, family)),
21	BPF_MOV64_IMM(BPF_REG_0, 0),
22	BPF_EXIT_INSN(),
23	},
24	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
25	.result = ACCEPT,
26},
27{
	/*
	 * Negative test: skb->sk is NULL-checked but never passed through
	 * bpf_sk_fullsock(), so reading the type field (labelled a fullsock
	 * field by the title) must be rejected.
	 */
28	"skb->sk: sk->type [fullsock field]",
29	.insns = {
30	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
31	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
32	BPF_MOV64_IMM(BPF_REG_0, 0),
33	BPF_EXIT_INSN(),
34	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, offsetof(struct bpf_sock, type)), /* the access under test */
35	BPF_MOV64_IMM(BPF_REG_0, 0),
36	BPF_EXIT_INSN(),
37	},
38	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
39	.result = REJECT,
40	.errstr = "invalid sock_common access",
41},
42{
	/*
	 * Negative test: skb->sk is handed to bpf_sk_fullsock() without a
	 * NULL check; .errstr shows the helper argument must be sock_common,
	 * not sock_common_or_null.
	 */
43	"bpf_sk_fullsock(skb->sk): no !skb->sk check",
44	.insns = {
45	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
46	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), /* called with the unchecked pointer in r1 */
47	BPF_MOV64_IMM(BPF_REG_0, 0),
48	BPF_EXIT_INSN(),
49	},
50	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
51	.result = REJECT,
52	.errstr = "type=sock_common_or_null expected=sock_common",
53},
54{
	/*
	 * Negative test: skb->sk is NULL-checked, but the pointer returned by
	 * bpf_sk_fullsock() is dereferenced without its own NULL check.
	 */
55	"sk_fullsock(skb->sk): no NULL check on ret",
56	.insns = {
57	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
58	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
59	BPF_MOV64_IMM(BPF_REG_0, 0),
60	BPF_EXIT_INSN(),
61	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
62	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), /* r0 read without a NULL test */
63	BPF_MOV64_IMM(BPF_REG_0, 0),
64	BPF_EXIT_INSN(),
65	},
66	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
67	.result = REJECT,
68	.errstr = "invalid mem access 'sock_or_null'",
69},
70{
	/*
	 * Positive test: both skb->sk and the bpf_sk_fullsock() return value
	 * are NULL-checked before the type field is read.
	 */
71	"sk_fullsock(skb->sk): sk->type [fullsock field]",
72	.insns = {
73	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
74	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
75	BPF_MOV64_IMM(BPF_REG_0, 0),
76	BPF_EXIT_INSN(),
77	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
78	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
79	BPF_MOV64_IMM(BPF_REG_0, 0),
80	BPF_EXIT_INSN(),
81	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
82	BPF_MOV64_IMM(BPF_REG_0, 0),
83	BPF_EXIT_INSN(),
84	},
85	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
86	.result = ACCEPT,
87},
88{
	/*
	 * Positive test: the family field is read through the NULL-checked
	 * pointer returned by bpf_sk_fullsock().
	 */
89	"sk_fullsock(skb->sk): sk->family [non fullsock field]",
90	.insns = {
91	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
92	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
93	BPF_MOV64_IMM(BPF_REG_0, 0),
94	BPF_EXIT_INSN(),
95	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
96	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
97	BPF_EXIT_INSN(), /* NULL path: exits with r0 unchanged */
98	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, family)),
99	BPF_MOV64_IMM(BPF_REG_0, 0),
100	BPF_EXIT_INSN(),
101	},
102	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
103	.result = ACCEPT,
104},
105{
	/*
	 * Positive test: a one-byte (BPF_B) load of the state field through
	 * a NULL-checked fullsock pointer is accepted.
	 */
106	"sk_fullsock(skb->sk): sk->state [narrow load]",
107	.insns = {
108	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
109	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
110	BPF_MOV64_IMM(BPF_REG_0, 0),
111	BPF_EXIT_INSN(),
112	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
113	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
114	BPF_MOV64_IMM(BPF_REG_0, 0),
115	BPF_EXIT_INSN(),
116	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, state)), /* narrow load under test */
117	BPF_MOV64_IMM(BPF_REG_0, 0),
118	BPF_EXIT_INSN(),
119	},
120	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
121	.result = ACCEPT,
122},
123{
	/*
	 * Positive test: a four-byte (BPF_W) load starting at dst_port is
	 * accepted; the title attributes this to backward compatibility.
	 */
124	"sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)",
125	.insns = {
126	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
127	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
128	BPF_MOV64_IMM(BPF_REG_0, 0),
129	BPF_EXIT_INSN(),
130	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
131	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
132	BPF_MOV64_IMM(BPF_REG_0, 0),
133	BPF_EXIT_INSN(),
134	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), /* word-sized load under test */
135	BPF_MOV64_IMM(BPF_REG_0, 0),
136	BPF_EXIT_INSN(),
137	},
138	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
139	.result = ACCEPT,
140},
141{
	/*
	 * Positive test: a two-byte (BPF_H) load at the start of dst_port is
	 * accepted.
	 */
142	"sk_fullsock(skb->sk): sk->dst_port [half load]",
143	.insns = {
144	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
145	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
146	BPF_MOV64_IMM(BPF_REG_0, 0),
147	BPF_EXIT_INSN(),
148	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
149	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
150	BPF_MOV64_IMM(BPF_REG_0, 0),
151	BPF_EXIT_INSN(),
152	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), /* half-word load under test */
153	BPF_MOV64_IMM(BPF_REG_0, 0),
154	BPF_EXIT_INSN(),
155	},
156	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
157	.result = ACCEPT,
158},
159{
	/*
	 * Negative test: a two-byte load two bytes past the start of
	 * dst_port must be rejected. NOTE(review): presumably those bytes lie
	 * outside the 16-bit port value - confirm against struct bpf_sock.
	 */
160	"sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)",
161	.insns = {
162	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
163	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
164	BPF_MOV64_IMM(BPF_REG_0, 0),
165	BPF_EXIT_INSN(),
166	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
167	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
168	BPF_MOV64_IMM(BPF_REG_0, 0),
169	BPF_EXIT_INSN(),
170	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2), /* offset +2 is the rejected access */
171	BPF_MOV64_IMM(BPF_REG_0, 0),
172	BPF_EXIT_INSN(),
173	},
174	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
175	.result = REJECT,
176	.errstr = "invalid sock access",
177},
178{
	/*
	 * Positive test: one-byte loads at dst_port + 0 and dst_port + 1 are
	 * both accepted.
	 */
179	"sk_fullsock(skb->sk): sk->dst_port [byte load]",
180	.insns = {
181	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
182	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
183	BPF_MOV64_IMM(BPF_REG_0, 0),
184	BPF_EXIT_INSN(),
185	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
186	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
187	BPF_MOV64_IMM(BPF_REG_0, 0),
188	BPF_EXIT_INSN(),
189	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), /* first byte, into r2 so r0 stays a pointer */
190	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1), /* second byte */
191	BPF_MOV64_IMM(BPF_REG_0, 0),
192	BPF_EXIT_INSN(),
193	},
194	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
195	.result = ACCEPT,
196},
197{
	/*
	 * Negative test: a one-byte load at dst_port + 2 must be rejected,
	 * in contrast to the accepted byte loads at offsets +0 and +1.
	 */
198	"sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)",
199	.insns = {
200	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
201	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
202	BPF_MOV64_IMM(BPF_REG_0, 0),
203	BPF_EXIT_INSN(),
204	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
205	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
206	BPF_MOV64_IMM(BPF_REG_0, 0),
207	BPF_EXIT_INSN(),
208	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2), /* offset +2 is the rejected access */
209	BPF_MOV64_IMM(BPF_REG_0, 0),
210	BPF_EXIT_INSN(),
211	},
212	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
213	.result = REJECT,
214	.errstr = "invalid sock access",
215},
216{
	/*
	 * Negative test: a two-byte load starting at the first byte after
	 * dst_port (offsetofend) must be rejected.
	 */
217	"sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)",
218	.insns = {
219	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
220	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
221	BPF_MOV64_IMM(BPF_REG_0, 0),
222	BPF_EXIT_INSN(),
223	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
224	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
225	BPF_MOV64_IMM(BPF_REG_0, 0),
226	BPF_EXIT_INSN(),
227	BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)), /* starts just past the field */
228	BPF_MOV64_IMM(BPF_REG_0, 0),
229	BPF_EXIT_INSN(),
230	},
231	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
232	.result = REJECT,
233	.errstr = "invalid sock access",
234},
235{
	/*
	 * Positive test: a one-byte load at offset +1 inside dst_ip6[0]
	 * (an unaligned byte within the field) is accepted.
	 */
236	"sk_fullsock(skb->sk): sk->dst_ip6 [load 2nd byte]",
237	.insns = {
238	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
239	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
240	BPF_MOV64_IMM(BPF_REG_0, 0),
241	BPF_EXIT_INSN(),
242	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
243	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
244	BPF_MOV64_IMM(BPF_REG_0, 0),
245	BPF_EXIT_INSN(),
246	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_ip6[0]) + 1), /* second byte of dst_ip6[0] */
247	BPF_MOV64_IMM(BPF_REG_0, 0),
248	BPF_EXIT_INSN(),
249	},
250	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
251	.result = ACCEPT,
252},
253{
	/*
	 * Positive test: a one-byte (BPF_B) load of the type field through a
	 * NULL-checked fullsock pointer is accepted.
	 */
254	"sk_fullsock(skb->sk): sk->type [narrow load]",
255	.insns = {
256	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
257	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
258	BPF_MOV64_IMM(BPF_REG_0, 0),
259	BPF_EXIT_INSN(),
260	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
261	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
262	BPF_MOV64_IMM(BPF_REG_0, 0),
263	BPF_EXIT_INSN(),
264	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)), /* narrow load under test */
265	BPF_MOV64_IMM(BPF_REG_0, 0),
266	BPF_EXIT_INSN(),
267	},
268	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
269	.result = ACCEPT,
270},
271{
	/*
	 * Positive test: a one-byte (BPF_B) load of the protocol field
	 * through a NULL-checked fullsock pointer is accepted.
	 */
272	"sk_fullsock(skb->sk): sk->protocol [narrow load]",
273	.insns = {
274	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
275	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
276	BPF_MOV64_IMM(BPF_REG_0, 0),
277	BPF_EXIT_INSN(),
278	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
279	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
280	BPF_MOV64_IMM(BPF_REG_0, 0),
281	BPF_EXIT_INSN(),
282	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, protocol)), /* narrow load under test */
283	BPF_MOV64_IMM(BPF_REG_0, 0),
284	BPF_EXIT_INSN(),
285	},
286	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
287	.result = ACCEPT,
288},
289{
	/*
	 * Negative test: a four-byte load starting at the end of
	 * rx_queue_mapping (which the title treats as the last field of
	 * struct bpf_sock) must be rejected as out of bounds.
	 */
290	"sk_fullsock(skb->sk): beyond last field",
291	.insns = {
292	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
293	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
294	BPF_MOV64_IMM(BPF_REG_0, 0),
295	BPF_EXIT_INSN(),
296	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
297	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
298	BPF_MOV64_IMM(BPF_REG_0, 0),
299	BPF_EXIT_INSN(),
300	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, rx_queue_mapping)), /* first byte past the field */
301	BPF_MOV64_IMM(BPF_REG_0, 0),
302	BPF_EXIT_INSN(),
303	},
304	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
305	.result = REJECT,
306	.errstr = "invalid sock access",
307},
308{
	/*
	 * Negative test: skb->sk is handed to bpf_tcp_sock() without a NULL
	 * check; .errstr shows the helper argument must be sock_common, not
	 * sock_common_or_null.
	 */
309	"bpf_tcp_sock(skb->sk): no !skb->sk check",
310	.insns = {
311	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
312	BPF_EMIT_CALL(BPF_FUNC_tcp_sock), /* called with the unchecked pointer in r1 */
313	BPF_MOV64_IMM(BPF_REG_0, 0),
314	BPF_EXIT_INSN(),
315	},
316	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
317	.result = REJECT,
318	.errstr = "type=sock_common_or_null expected=sock_common",
319},
320{
	/*
	 * Negative test: the pointer returned by bpf_tcp_sock() is
	 * dereferenced without a NULL check of its own.
	 */
321	"bpf_tcp_sock(skb->sk): no NULL check on ret",
322	.insns = {
323	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
324	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
325	BPF_MOV64_IMM(BPF_REG_0, 0),
326	BPF_EXIT_INSN(),
327	BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
328	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)), /* r0 read without a NULL test */
329	BPF_MOV64_IMM(BPF_REG_0, 0),
330	BPF_EXIT_INSN(),
331	},
332	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
333	.result = REJECT,
334	.errstr = "invalid mem access 'tcp_sock_or_null'",
335},
336{
	/*
	 * Positive test: snd_cwnd is read through the NULL-checked pointer
	 * returned by bpf_tcp_sock().
	 */
337	"bpf_tcp_sock(skb->sk): tp->snd_cwnd",
338	.insns = {
339	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
340	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
341	BPF_MOV64_IMM(BPF_REG_0, 0),
342	BPF_EXIT_INSN(),
343	BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
344	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
345	BPF_EXIT_INSN(), /* NULL path: exits with r0 unchanged */
346	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
347	BPF_MOV64_IMM(BPF_REG_0, 0),
348	BPF_EXIT_INSN(),
349	},
350	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
351	.result = ACCEPT,
352},
353{
	/*
	 * Positive test: an eight-byte (BPF_DW) load of bytes_acked through
	 * the NULL-checked bpf_tcp_sock() pointer is accepted.
	 */
354	"bpf_tcp_sock(skb->sk): tp->bytes_acked",
355	.insns = {
356	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
357	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
358	BPF_MOV64_IMM(BPF_REG_0, 0),
359	BPF_EXIT_INSN(),
360	BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
361	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
362	BPF_EXIT_INSN(), /* NULL path: exits with r0 unchanged */
363	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, bytes_acked)),
364	BPF_MOV64_IMM(BPF_REG_0, 0),
365	BPF_EXIT_INSN(),
366	},
367	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
368	.result = ACCEPT,
369},
370{
	/*
	 * Negative test: an eight-byte load starting at the end of
	 * bytes_acked (which the title treats as the last field of struct
	 * bpf_tcp_sock) must be rejected as out of bounds.
	 */
371	"bpf_tcp_sock(skb->sk): beyond last field",
372	.insns = {
373	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
374	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
375	BPF_MOV64_IMM(BPF_REG_0, 0),
376	BPF_EXIT_INSN(),
377	BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
378	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
379	BPF_EXIT_INSN(), /* NULL path: exits with r0 unchanged */
380	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_tcp_sock, bytes_acked)), /* first byte past the field */
381	BPF_MOV64_IMM(BPF_REG_0, 0),
382	BPF_EXIT_INSN(),
383	},
384	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
385	.result = REJECT,
386	.errstr = "invalid tcp_sock access",
387},
388{
	/*
	 * Positive test: the helpers are chained. The NULL-checked result of
	 * bpf_sk_fullsock() is passed to bpf_tcp_sock(), whose result is
	 * NULL-checked again before snd_cwnd is read.
	 */
389	"bpf_tcp_sock(bpf_sk_fullsock(skb->sk)): tp->snd_cwnd",
390	.insns = {
391	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
392	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
393	BPF_MOV64_IMM(BPF_REG_0, 0),
394	BPF_EXIT_INSN(),
395	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
396	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
397	BPF_EXIT_INSN(),
398	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* fullsock pointer becomes the next helper's argument */
399	BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
400	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
401	BPF_EXIT_INSN(),
402	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_tcp_sock, snd_cwnd)),
403	BPF_MOV64_IMM(BPF_REG_0, 0),
404	BPF_EXIT_INSN(),
405	},
406	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
407	.result = ACCEPT,
408},
409{
	/*
	 * Negative test: bpf_sk_release() is called on skb->sk, a pointer the
	 * program did not obtain from a reference-acquiring helper. The
	 * verifier must refuse it so a program cannot drop a reference it
	 * does not own.
	 */
410	"bpf_sk_release(skb->sk)",
411	.insns = {
412	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
413	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1), /* NULL: skip the release call */
414	BPF_EMIT_CALL(BPF_FUNC_sk_release), /* release of an unacquired pointer */
415	BPF_MOV64_IMM(BPF_REG_0, 0),
416	BPF_EXIT_INSN(),
417	},
418	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
419	.result = REJECT,
420	.errstr = "reference has not been acquired before",
421},
422{
	/*
	 * Negative test: the pointer returned by bpf_sk_fullsock(skb->sk) is
	 * passed to bpf_sk_release(). The expected message shows that going
	 * through bpf_sk_fullsock() does not count as acquiring a reference.
	 */
423	"bpf_sk_release(bpf_sk_fullsock(skb->sk))",
424	.insns = {
425	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
426	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
427	BPF_MOV64_IMM(BPF_REG_0, 0),
428	BPF_EXIT_INSN(),
429	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
430	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
431	BPF_EXIT_INSN(),
432	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* fullsock pointer becomes the release argument */
433	BPF_EMIT_CALL(BPF_FUNC_sk_release), /* release of an unacquired pointer */
434	BPF_MOV64_IMM(BPF_REG_0, 1),
435	BPF_EXIT_INSN(),
436	},
437	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
438	.result = REJECT,
439	.errstr = "reference has not been acquired before",
440},
441{
	/*
	 * Negative test: the pointer returned by bpf_tcp_sock(skb->sk) is
	 * passed to bpf_sk_release(). The expected message shows that going
	 * through bpf_tcp_sock() does not count as acquiring a reference.
	 */
442	"bpf_sk_release(bpf_tcp_sock(skb->sk))",
443	.insns = {
444	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
445	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
446	BPF_MOV64_IMM(BPF_REG_0, 0),
447	BPF_EXIT_INSN(),
448	BPF_EMIT_CALL(BPF_FUNC_tcp_sock),
449	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
450	BPF_EXIT_INSN(),
451	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* tcp_sock pointer becomes the release argument */
452	BPF_EMIT_CALL(BPF_FUNC_sk_release), /* release of an unacquired pointer */
453	BPF_MOV64_IMM(BPF_REG_0, 1),
454	BPF_EXIT_INSN(),
455	},
456	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
457	.result = REJECT,
458	.errstr = "reference has not been acquired before",
459},
460{
	/*
	 * Positive test: bpf_sk_storage_get() is called with a NULL-checked
	 * fullsock pointer, a NULL value argument (r3 = 0) and flags 0.
	 */
461	"sk_storage_get(map, skb->sk, NULL, 0): value == NULL",
462	.insns = {
463	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
464	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
465	BPF_MOV64_IMM(BPF_REG_0, 0),
466	BPF_EXIT_INSN(),
467	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
468	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
469	BPF_MOV64_IMM(BPF_REG_0, 0),
470	BPF_EXIT_INSN(),
471	BPF_MOV64_IMM(BPF_REG_4, 0), /* arg4: flags = 0 */
472	BPF_MOV64_IMM(BPF_REG_3, 0), /* arg3: value = NULL */
473	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), /* arg2: the fullsock pointer */
474	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
475	BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
476	BPF_MOV64_IMM(BPF_REG_0, 0),
477	BPF_EXIT_INSN(),
478	},
	/* 11 is the index of the BPF_LD_MAP_FD instruction above; presumably the harness patches the real map fd in there - confirm in the test runner */
479	.fixup_sk_storage_map = { 11 },
480	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
481	.result = ACCEPT,
482},
483{
	/*
	 * Negative test: the value argument (r3) is the scalar 1 instead of a
	 * pointer. .errstr shows the verifier wants a stack (frame) pointer
	 * there, so an arbitrary integer cannot be used as a source address.
	 */
484	"sk_storage_get(map, skb->sk, 1, 1): value == 1",
485	.insns = {
486	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
487	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
488	BPF_MOV64_IMM(BPF_REG_0, 0),
489	BPF_EXIT_INSN(),
490	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
491	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
492	BPF_MOV64_IMM(BPF_REG_0, 0),
493	BPF_EXIT_INSN(),
494	BPF_MOV64_IMM(BPF_REG_4, 1), /* arg4: flags = 1 */
495	BPF_MOV64_IMM(BPF_REG_3, 1), /* arg3: scalar 1 where a pointer is expected */
496	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), /* arg2: the fullsock pointer */
497	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
498	BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
499	BPF_MOV64_IMM(BPF_REG_0, 0),
500	BPF_EXIT_INSN(),
501	},
	/* 11 is the index of the BPF_LD_MAP_FD instruction above */
502	.fixup_sk_storage_map = { 11 },
503	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
504	.result = REJECT,
505	.errstr = "R3 type=inv expected=fp",
506},
507{
	/*
	 * Positive test: the value argument points at an eight-byte stack
	 * slot (fp - 8) that was fully written with a BPF_DW store first.
	 */
508	"sk_storage_get(map, skb->sk, &stack_value, 1): stack_value",
509	.insns = {
510	BPF_MOV64_IMM(BPF_REG_2, 0),
511	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8), /* initialise all 8 bytes at fp - 8 */
512	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
513	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
514	BPF_MOV64_IMM(BPF_REG_0, 0),
515	BPF_EXIT_INSN(),
516	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
517	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
518	BPF_MOV64_IMM(BPF_REG_0, 0),
519	BPF_EXIT_INSN(),
520	BPF_MOV64_IMM(BPF_REG_4, 1), /* arg4: flags = 1 */
521	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
522	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), /* arg3: &stack_value = fp - 8 */
523	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), /* arg2: the fullsock pointer */
524	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
525	BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
526	BPF_MOV64_IMM(BPF_REG_0, 0),
527	BPF_EXIT_INSN(),
528	},
	/* 14 is the index of the BPF_LD_MAP_FD instruction above */
529	.fixup_sk_storage_map = { 14 },
530	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
531	.result = ACCEPT,
532},
533{
	/*
	 * Negative test: only four bytes of the stack slot at fp - 8 are
	 * written (BPF_W store) before its address is passed as the value
	 * argument. The verifier must refuse the call so uninitialised stack
	 * bytes are not read by the helper. NOTE(review): this implies the
	 * map's value size exceeds 4 bytes - confirm in the test runner.
	 */
534	"sk_storage_get(map, skb->sk, &stack_value, 1): partially init stack_value",
535	.insns = {
536	BPF_MOV64_IMM(BPF_REG_2, 0),
537	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8), /* only 4 of the bytes at fp - 8 are initialised */
538	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
539	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
540	BPF_MOV64_IMM(BPF_REG_0, 0),
541	BPF_EXIT_INSN(),
542	BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
543	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), /* helper returned non-NULL: skip the early return */
544	BPF_MOV64_IMM(BPF_REG_0, 0),
545	BPF_EXIT_INSN(),
546	BPF_MOV64_IMM(BPF_REG_4, 1), /* arg4: flags = 1 */
547	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
548	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8), /* arg3: &stack_value = fp - 8 */
549	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0), /* arg2: the fullsock pointer */
550	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
551	BPF_EMIT_CALL(BPF_FUNC_sk_storage_get),
552	BPF_MOV64_IMM(BPF_REG_0, 0),
553	BPF_EXIT_INSN(),
554	},
	/* 14 is the index of the BPF_LD_MAP_FD instruction above */
555	.fixup_sk_storage_map = { 14 },
556	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
557	.result = REJECT,
558	.errstr = "invalid indirect read from stack",
559},
560{
	/*
	 * Negative test: bpf_map_lookup_elem() is called on the map installed
	 * by fixup_sk_storage_map; .errstr shows that this map type (24) is
	 * not allowed for that helper.
	 */
561	"bpf_map_lookup_elem(smap, &key)",
562	.insns = {
563	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
564	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
565	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* arg2: &key */
566	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
567	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
568	BPF_MOV64_IMM(BPF_REG_0, 0),
569	BPF_EXIT_INSN(),
570	},
	/* 3 is the index of the BPF_LD_MAP_FD instruction above */
571	.fixup_sk_storage_map = { 3 },
572	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
573	.result = REJECT,
574	.errstr = "cannot pass map_type 24 into func bpf_map_lookup_elem",
575},
576{
	/*
	 * Positive test: an XDP program looks up an entry in the map
	 * installed by fixup_map_xskmap, NULL-checks the result and reads
	 * queue_id from the returned struct bpf_xdp_sock.
	 */
577	"bpf_map_lookup_elem(xskmap, &key); xs->queue_id",
578	.insns = {
579	BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0), /* 4-byte key = 0 at fp - 8 */
580	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
581	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), /* arg2: &key */
582	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
583	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
584	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
585	BPF_EXIT_INSN(),
586	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_xdp_sock, queue_id)),
587	BPF_MOV64_IMM(BPF_REG_0, 0),
588	BPF_EXIT_INSN(),
589	},
	/* 3 is the index of the BPF_LD_MAP_FD instruction above */
590	.fixup_map_xskmap = { 3 },
591	.prog_type = BPF_PROG_TYPE_XDP,
592	.result = ACCEPT,
593},
594{
	/*
	 * Negative test: the socket returned by a sockmap lookup is never
	 * passed to bpf_sk_release(), so the program exits holding a
	 * reference. .errstr names the call at instruction 5 as the place
	 * where the leaked reference was taken.
	 */
595	"bpf_map_lookup_elem(sockmap, &key)",
596	.insns = {
597	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
598	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
599	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* arg2: &key */
600	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map; this macro expands to two instructions */
601	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), /* instruction 5: result is never released */
602	BPF_MOV64_IMM(BPF_REG_0, 0),
603	BPF_EXIT_INSN(),
604	},
	/* 3 is the index of the BPF_LD_MAP_FD instruction above */
605	.fixup_map_sockmap = { 3 },
606	.prog_type = BPF_PROG_TYPE_SK_SKB,
607	.result = REJECT,
608	.errstr = "Unreleased reference id=2 alloc_insn=5",
609},
610{
	/*
	 * Negative test: the socket returned by a sockhash lookup is never
	 * passed to bpf_sk_release(), so the program exits holding a
	 * reference. .errstr names the call at instruction 5 as the place
	 * where the leaked reference was taken.
	 */
611	"bpf_map_lookup_elem(sockhash, &key)",
612	.insns = {
613	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
614	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
615	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* arg2: &key */
616	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map; this macro expands to two instructions */
617	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), /* instruction 5: result is never released */
618	BPF_MOV64_IMM(BPF_REG_0, 0),
619	BPF_EXIT_INSN(),
620	},
	/* 3 is the index of the BPF_LD_MAP_FD instruction above */
621	.fixup_map_sockhash = { 3 },
622	.prog_type = BPF_PROG_TYPE_SK_SKB,
623	.result = REJECT,
624	.errstr = "Unreleased reference id=2 alloc_insn=5",
625},
626{
	/*
	 * Positive test: the socket from a sockmap lookup is NULL-checked,
	 * its type field is read directly (no bpf_sk_fullsock() call), and
	 * the reference is dropped with bpf_sk_release() before exit.
	 */
627	"bpf_map_lookup_elem(sockmap, &key); sk->type [fullsock field]; bpf_sk_release(sk)",
628	.insns = {
629	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
630	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
631	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* arg2: &key */
632	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
633	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
634	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
635	BPF_EXIT_INSN(),
636	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* keep the socket in r1; the next load overwrites r0 */
637	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
638	BPF_EMIT_CALL(BPF_FUNC_sk_release), /* drops the reference taken by the lookup */
639	BPF_EXIT_INSN(),
640	},
	/* 3 is the index of the BPF_LD_MAP_FD instruction above */
641	.fixup_map_sockmap = { 3 },
642	.prog_type = BPF_PROG_TYPE_SK_SKB,
643	.result = ACCEPT,
644},
645{
	/*
	 * Positive test: the socket from a sockhash lookup is NULL-checked,
	 * its type field is read directly (no bpf_sk_fullsock() call), and
	 * the reference is dropped with bpf_sk_release() before exit.
	 */
646	"bpf_map_lookup_elem(sockhash, &key); sk->type [fullsock field]; bpf_sk_release(sk)",
647	.insns = {
648	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
649	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
650	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), /* arg2: &key */
651	BPF_LD_MAP_FD(BPF_REG_1, 0), /* arg1: map, fd 0 is a placeholder */
652	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
653	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), /* non-NULL: skip the single exit below */
654	BPF_EXIT_INSN(),
655	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* keep the socket in r1; the next load overwrites r0 */
656	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, type)),
657	BPF_EMIT_CALL(BPF_FUNC_sk_release), /* drops the reference taken by the lookup */
658	BPF_EXIT_INSN(),
659	},
	/* 3 is the index of the BPF_LD_MAP_FD instruction above */
660	.fixup_map_sockhash = { 3 },
661	.prog_type = BPF_PROG_TYPE_SK_SKB,
662	.result = ACCEPT,
663},
664{
	/*
	 * Positive test: bpf_sk_select_reuseport() is called with the map
	 * installed by fixup_map_reuseport_array, a stack key and flags 0.
	 * r1 is left as the program's context argument.
	 */
665	"bpf_sk_select_reuseport(ctx, reuseport_array, &key, flags)",
666	.insns = {
667	BPF_MOV64_IMM(BPF_REG_4, 0), /* arg4: flags = 0 */
668	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
669	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
670	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4), /* arg3: &key */
671	BPF_LD_MAP_FD(BPF_REG_2, 0), /* arg2: map, fd 0 is a placeholder */
672	BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport),
673	BPF_EXIT_INSN(), /* returns the helper's result in r0 */
674	},
	/* 4 is the index of the BPF_LD_MAP_FD instruction above */
675	.fixup_map_reuseport_array = { 4 },
676	.prog_type = BPF_PROG_TYPE_SK_REUSEPORT,
677	.result = ACCEPT,
678},
679{
	/*
	 * Positive test: bpf_sk_select_reuseport() is called with the map
	 * installed by fixup_map_sockmap, a stack key and flags 0. r1 is
	 * left as the program's context argument.
	 */
680	"bpf_sk_select_reuseport(ctx, sockmap, &key, flags)",
681	.insns = {
682	BPF_MOV64_IMM(BPF_REG_4, 0), /* arg4: flags = 0 */
683	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
684	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
685	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4), /* arg3: &key */
686	BPF_LD_MAP_FD(BPF_REG_2, 0), /* arg2: map, fd 0 is a placeholder */
687	BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport),
688	BPF_EXIT_INSN(), /* returns the helper's result in r0 */
689	},
	/* 4 is the index of the BPF_LD_MAP_FD instruction above */
690	.fixup_map_sockmap = { 4 },
691	.prog_type = BPF_PROG_TYPE_SK_REUSEPORT,
692	.result = ACCEPT,
693},
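694{
	/*
	 * Positive test: bpf_sk_select_reuseport() is called with a sockhash
	 * map, a stack key and flags 0. r1 is left as the program's context
	 * argument.
	 *
	 * The map fixup is fixup_map_sockhash so the verifier's map-type
	 * check for this helper is exercised with a sockhash. The previous
	 * fixup_map_sockmap installed a sockmap here, which made this case a
	 * duplicate of the sockmap test and left the sockhash path untested.
	 * NOTE(review): assumes the kernel under test allows sockhash maps
	 * for this helper, as the test title states - confirm.
	 */
695	"bpf_sk_select_reuseport(ctx, sockhash, &key, flags)",
696	.insns = {
697	BPF_MOV64_IMM(BPF_REG_4, 0), /* arg4: flags = 0 */
698	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0), /* 4-byte key = 0 at fp - 4 */
699	BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
700	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -4), /* arg3: &key */
701	BPF_LD_MAP_FD(BPF_REG_2, 0), /* arg2: map, fd 0 is a placeholder */
702	BPF_EMIT_CALL(BPF_FUNC_sk_select_reuseport),
703	BPF_EXIT_INSN(), /* returns the helper's result in r0 */
704	},
	/* 4 is the index of the BPF_LD_MAP_FD instruction above */
705	.fixup_map_sockhash = { 4 },
706	.prog_type = BPF_PROG_TYPE_SK_REUSEPORT,
707	.result = ACCEPT,
708},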
709{
	/*
	 * Negative test: two bpf_skc_to_*() helpers are called on the same
	 * socket and their results kept in r7 and r8. Only r8 is NULL-checked,
	 * after which r7 is dereferenced. The verifier must still treat r7 as
	 * possibly NULL: a NULL check on one helper result must not mark the
	 * other result as safe to read. Unprivileged loads are expected to
	 * fail earlier, with "unknown func".
	 */
710	"mark null check on return value of bpf_skc_to helpers",
711	.insns = {
712	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), /* r1 = skb->sk */
713	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), /* non-NULL: skip the early return */
714	BPF_MOV64_IMM(BPF_REG_0, 0),
715	BPF_EXIT_INSN(),
716	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), /* save sk in r6 for the second call */
717	BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_sock),
718	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), /* r7 = first result, never NULL-checked */
719	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
720	BPF_EMIT_CALL(BPF_FUNC_skc_to_tcp_request_sock),
721	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), /* r8 = second result */
722	BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 0, 2), /* only r8 is tested against NULL */
723	BPF_MOV64_IMM(BPF_REG_0, 0),
724	BPF_EXIT_INSN(),
725	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_7, 0), /* read through the unchecked r7 */
726	BPF_EXIT_INSN(),
727	},
728	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
729	.result = REJECT,
730	.errstr = "invalid mem access",
731	.result_unpriv = REJECT,
732	.errstr_unpriv = "unknown func",
733},
734