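/* Positive baseline: a copy of the lookup result (r4) is dereferenced after
 * the NULL check is done on the original register (r0). Expected ACCEPT, so
 * the check on r0 has to cover the unmodified copy in r4 as well.
 */
{
	"multiple registers share map_lookup_elem result",
	.insns = {
	/* Build an 8-byte key (value 10) on the stack at fp-8. */
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* r4 aliases the possibly-NULL result before any check. */
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	/* if (r0 == NULL) skip the store and exit. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	/* Store through the copy, not through the checked register. */
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	/* Index 4 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 8-byte values there.
	 */
	.fixup_map_hash_8b = { 4 },
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},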
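/* Negative case: arithmetic on a copy of the lookup result before the NULL
 * check. The -2/+2 pair nets to zero, yet the program is still expected to be
 * rejected: any ALU op on a maybe-NULL map value pointer is refused, so a
 * later NULL check on r0 cannot vouch for a modified r4.
 */
{
	"alu ops on ptr_to_map_value_or_null, 1",
	.insns = {
	/* Build an 8-byte key (value 10) on the stack at fp-8. */
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	/* Offending instructions: r4 is still "value or NULL" here. */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
	/* The NULL check comes too late and is on r0 only. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	/* Index 4 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 8-byte values there.
	 */
	.fixup_map_hash_8b = { 4 },
	.errstr = "R4 pointer arithmetic on map_value_or_null",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},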
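/* Negative case: bitwise AND with -1 (all ones) leaves the value unchanged,
 * but it is still an ALU op on a maybe-NULL map value pointer and is expected
 * to be rejected with the same message as the ADD variant.
 */
{
	"alu ops on ptr_to_map_value_or_null, 2",
	.insns = {
	/* Build an 8-byte key (value 10) on the stack at fp-8. */
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	/* Offending instruction: r4 is still "value or NULL" here. */
	BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
	/* The NULL check comes too late and is on r0 only. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	/* Index 4 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 8-byte values there.
	 */
	.fixup_map_hash_8b = { 4 },
	.errstr = "R4 pointer arithmetic on map_value_or_null",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},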
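/* Negative case: left shift by one. A shifted NULL stays zero while a shifted
 * valid pointer no longer points at the map value, so the program is expected
 * to be rejected with the same message as the ADD and AND variants.
 */
{
	"alu ops on ptr_to_map_value_or_null, 3",
	.insns = {
	/* Build an 8-byte key (value 10) on the stack at fp-8. */
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	/* Offending instruction: r4 is still "value or NULL" here. */
	BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
	/* The NULL check comes too late and is on r0 only. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	/* Index 4 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 8-byte values there.
	 */
	.fixup_map_hash_8b = { 4 },
	.errstr = "R4 pointer arithmetic on map_value_or_null",
	.result = REJECT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},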
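/* Negative case: r4 holds the result of the first lookup, then a second
 * helper call is made. r1-r5 are caller-saved in the BPF calling convention,
 * so r4 is no longer readable after the second call, and the NULL check on the
 * second result must not make the stale r4 usable. Expected "R4 !read_ok".
 */
{
	"invalid memory access with multiple map_lookup_elem calls",
	.insns = {
	/* Build an 8-byte key (value 10) on the stack at fp-8. */
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	/* Keep both arguments in r8/r7 so they can be reused for the
	 * second call.
	 */
	BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* r4 = first result, never NULL-checked. */
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
	/* Second call: r0 is a fresh result and r4 is clobbered. */
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* NULL check applies to the second result only. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	/* Store through the stale register: must be rejected. */
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	/* Index 4 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 8-byte values there.
	 */
	.fixup_map_hash_8b = { 4 },
	.result = REJECT,
	.errstr = "R4 !read_ok",
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},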
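/* Positive case: a second lookup sits behind a branch. On both paths r4 is
 * copied from r0 after the most recent lookup and r0 is NULL-checked before
 * the store through r4, so the program is expected to be accepted.
 */
{
	"valid indirect map_lookup_elem access with 2nd lookup in branch",
	.insns = {
	/* Build an 8-byte key (value 10) on the stack at fp-8. */
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	/* Keep both arguments in r8/r7 for the optional second call. */
	BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* r2 is the constant 10, so the jump below skips the three
	 * instructions of the second lookup and lands on "r4 = r0".
	 */
	BPF_MOV64_IMM(BPF_REG_2, 10),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* Join point: the copy is taken after the last call on either
	 * path, so r4 and r0 refer to the same lookup result.
	 */
	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
	BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
	BPF_EXIT_INSN(),
	},
	/* Index 4 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 8-byte values there.
	 */
	.fixup_map_hash_8b = { 4 },
	.result = ACCEPT,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS
},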
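/* Negative case: an index read from the map value is range-checked, but the
 * branch taken when the check fails (the "else" side) falls into the same
 * pointer arithmetic with no upper bound on the index. Expected
 * "R0 unbounded memory access"; the unprivileged run is expected to fail with
 * "R0 leaks addr".
 */
{
	"invalid map access from else condition",
	.insns = {
	/* Zeroed 8-byte key on the stack at fp-8. */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	/* if (r0 == NULL) jump over the next six instructions to exit. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
	/* r1 = 32-bit index taken from the map value itself. */
	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
	/* When r1 >= MAX_ENTRIES-1 only the increment is skipped; the
	 * shift, add and store below still run with r1 unbounded above.
	 */
	BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
	/* Scale the index by 4 and add it to the map value pointer. */
	BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
	/* 8-byte store of the immediate offsetof(struct test_val, foo)
	 * through the adjusted pointer.
	 */
	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
	BPF_EXIT_INSN(),
	},
	/* Index 3 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 48-byte values there.
	 */
	.fixup_map_hash_48b = { 3 },
	.errstr = "R0 unbounded memory access",
	.result = REJECT,
	.errstr_unpriv = "R0 leaks addr",
	.result_unpriv = REJECT,
	/* NOTE(review): likely needed because the 8-byte store lands on a
	 * 4-byte-granular offset; confirm against the test runner.
	 */
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},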
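/* Positive case for branch prediction on a NULL-checked lookup result. The
 * write to r10 (the frame pointer) would not be acceptable if it were
 * reachable; ACCEPT therefore requires the verifier to see that after
 * "r6 == 0" falls through, "r6 != 0" is always taken and the write is dead.
 */
{
	"map lookup and null branch prediction",
	.insns = {
	/* Build an 8-byte key (value 10) on the stack at fp-8. */
	BPF_MOV64_IMM(BPF_REG_1, 10),
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* r2 = pointer to the key, r1 = map (two-slot ld_imm64). */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	/* r6 == NULL: jump straight to exit. */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 2),
	/* Fallthrough means r6 != NULL, so this jump to exit is always
	 * taken.
	 */
	BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 1),
	/* Unreachable on every path; present only to fail the test if
	 * the verifier explores it.
	 */
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_10, 10),
	BPF_EXIT_INSN(),
	},
	/* Index 4 is the BPF_LD_MAP_FD above; presumably the test runner
	 * patches in the fd of a hash map with 8-byte values there.
	 */
	.fixup_map_hash_8b = { 4 },
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	.result = ACCEPT,
},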