[thirdparty/linux.git] / tools / testing / selftests / bpf / verifier / stack_ptr.c

{
	"PTR_TO_STACK store/load",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
	BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = 0xfaceb00c,
},
{
	"PTR_TO_STACK store/load - bad alignment on off",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
},
{
	"PTR_TO_STACK store/load - bad alignment on reg",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
},
{
	"PTR_TO_STACK store/load - out of bounds low",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid stack off=-79992 size=8",
	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
},
{
	"PTR_TO_STACK store/load - out of bounds high",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid stack off=0 size=8",
},
{
	"PTR_TO_STACK check high 1",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = 42,
},
{
	"PTR_TO_STACK check high 2",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = 42,
},
{
	"PTR_TO_STACK check high 3",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
	BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = 42,
},
{
	"PTR_TO_STACK check high 4",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
	.errstr = "invalid stack off=0 size=1",
	.result = REJECT,
},
{
	"PTR_TO_STACK check high 5",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid stack off",
},
{
	"PTR_TO_STACK check high 6",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid stack off",
},
{
	"PTR_TO_STACK check high 7",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
	.errstr = "fp pointer offset",
},
{
	"PTR_TO_STACK check low 1",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = 42,
},
{
	"PTR_TO_STACK check low 2",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
	BPF_EXIT_INSN(),
	},
	.result_unpriv = REJECT,
	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
	.result = ACCEPT,
	.retval = 42,
},
{
	"PTR_TO_STACK check low 3",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
	.errstr = "invalid stack off=-513 size=1",
	.result = REJECT,
},
{
	"PTR_TO_STACK check low 4",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "math between fp pointer",
},
{
	"PTR_TO_STACK check low 5",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid stack off",
},
{
	"PTR_TO_STACK check low 6",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr = "invalid stack off",
},
{
	"PTR_TO_STACK check low 7",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
	BPF_EXIT_INSN(),
	},
	.result = REJECT,
	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
	.errstr = "fp pointer offset",
},
{
	"PTR_TO_STACK mixed reg/k, 1",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
	BPF_MOV64_IMM(BPF_REG_2, -3),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = 42,
},
{
	"PTR_TO_STACK mixed reg/k, 2",
	.insns = {
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
	BPF_MOV64_IMM(BPF_REG_2, -3),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = 42,
},
{
	"PTR_TO_STACK mixed reg/k, 3",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
	BPF_MOV64_IMM(BPF_REG_2, -3),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.retval = -3,
},
{
	"PTR_TO_STACK reg",
	.insns = {
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	BPF_MOV64_IMM(BPF_REG_2, -3),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
	BPF_EXIT_INSN(),
	},
	.result_unpriv = REJECT,
	.errstr_unpriv = "invalid stack off=0 size=1",
	.result = ACCEPT,
	.retval = 42,
},
{
	"stack pointer arithmetic",
	.insns = {
	BPF_MOV64_IMM(BPF_REG_1, 4),
	BPF_JMP_IMM(BPF_JA, 0, 0, 0),
	BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
	BPF_ST_MEM(0, BPF_REG_2, 4, 0),
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
	BPF_ST_MEM(0, BPF_REG_2, 4, 0),
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
},
{
	"store PTR_TO_STACK in R10 to array map using BPF_B",
	.insns = {
	/* Load pointer to map. */
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
	BPF_MOV64_IMM(BPF_REG_0, 2),
	BPF_EXIT_INSN(),
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	/* Copy R10 to R9. */
	BPF_MOV64_REG(BPF_REG_9, BPF_REG_10),
	/* Pollute other registers with unaligned values. */
	BPF_MOV64_IMM(BPF_REG_2, -1),
	BPF_MOV64_IMM(BPF_REG_3, -1),
	BPF_MOV64_IMM(BPF_REG_4, -1),
	BPF_MOV64_IMM(BPF_REG_5, -1),
	BPF_MOV64_IMM(BPF_REG_6, -1),
	BPF_MOV64_IMM(BPF_REG_7, -1),
	BPF_MOV64_IMM(BPF_REG_8, -1),
	/* Store both R9 and R10 with BPF_B and read back. */
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_10, 0),
	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_1, 0),
	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_9, 0),
	BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_1, 0),
	/* Should read back as same value. */
	BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_3, 2),
	BPF_MOV64_IMM(BPF_REG_0, 1),
	BPF_EXIT_INSN(),
	BPF_MOV64_IMM(BPF_REG_0, 42),
	BPF_EXIT_INSN(),
	},
	.fixup_map_array_48b = { 3 },
	.result = ACCEPT,
	.retval = 42,
	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
},
Commit	Line	Data
40f2fbd5 JK	1	{
	2	"PTR_TO_STACK store/load",
	3	.insns = {
	4	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	5	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
	6	BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
	7	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
	8	BPF_EXIT_INSN(),
	9	},
	10	.result = ACCEPT,
	11	.retval = 0xfaceb00c,
	12	},
	13	{
	14	"PTR_TO_STACK store/load - bad alignment on off",
	15	.insns = {
	16	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	17	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
	18	BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
	19	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
	20	BPF_EXIT_INSN(),
	21	},
	22	.result = REJECT,
	23	.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
	24	},
	25	{
	26	"PTR_TO_STACK store/load - bad alignment on reg",
	27	.insns = {
	28	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	29	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
	30	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
	31	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
	32	BPF_EXIT_INSN(),
	33	},
	34	.result = REJECT,
	35	.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
	36	},
	37	{
	38	"PTR_TO_STACK store/load - out of bounds low",
	39	.insns = {
	40	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	41	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
	42	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
	43	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
	44	BPF_EXIT_INSN(),
	45	},
	46	.result = REJECT,
	47	.errstr = "invalid stack off=-79992 size=8",
	48	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
	49	},
	50	{
	51	"PTR_TO_STACK store/load - out of bounds high",
	52	.insns = {
	53	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
	54	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
	55	BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
	56	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
	57	BPF_EXIT_INSN(),
	58	},
	59	.result = REJECT,
	60	.errstr = "invalid stack off=0 size=8",
	61	},
	62	{
	63	"PTR_TO_STACK check high 1",
	64	.insns = {
65	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
66	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
67	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
68	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
69	BPF_EXIT_INSN(),
70	},
71	.result = ACCEPT,
72	.retval = 42,
73	},
74	{
75	"PTR_TO_STACK check high 2",
76	.insns = {
77	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
78	BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
79	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
80	BPF_EXIT_INSN(),
81	},
82	.result = ACCEPT,
83	.retval = 42,
84	},
85	{
86	"PTR_TO_STACK check high 3",
87	.insns = {
88	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
89	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
90	BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
91	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
92	BPF_EXIT_INSN(),
93	},
94	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
95	.result_unpriv = REJECT,
96	.result = ACCEPT,
97	.retval = 42,
98	},
99	{
100	"PTR_TO_STACK check high 4",
101	.insns = {
102	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
103	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
104	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
105	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
106	BPF_EXIT_INSN(),
107	},
108	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
109	.errstr = "invalid stack off=0 size=1",
110	.result = REJECT,
111	},
112	{
113	"PTR_TO_STACK check high 5",
114	.insns = {
115	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
116	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
117	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
118	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
119	BPF_EXIT_INSN(),
120	},
121	.result = REJECT,
122	.errstr = "invalid stack off",
123	},
124	{
125	"PTR_TO_STACK check high 6",
126	.insns = {
127	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
128	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
129	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
130	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
131	BPF_EXIT_INSN(),
132	},
133	.result = REJECT,
134	.errstr = "invalid stack off",
135	},
136	{
137	"PTR_TO_STACK check high 7",
138	.insns = {
139	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
140	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
141	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
142	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
143	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
144	BPF_EXIT_INSN(),
145	},
146	.result = REJECT,
147	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
148	.errstr = "fp pointer offset",
149	},
150	{
151	"PTR_TO_STACK check low 1",
152	.insns = {
153	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
154	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
155	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
156	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
157	BPF_EXIT_INSN(),
158	},
159	.result = ACCEPT,
160	.retval = 42,
161	},
162	{
163	"PTR_TO_STACK check low 2",
164	.insns = {
165	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
166	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
167	BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
168	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
169	BPF_EXIT_INSN(),
170	},
171	.result_unpriv = REJECT,
172	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
173	.result = ACCEPT,
174	.retval = 42,
175	},
176	{
177	"PTR_TO_STACK check low 3",
178	.insns = {
179	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
180	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
181	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
182	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
183	BPF_EXIT_INSN(),
184	},
185	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
186	.errstr = "invalid stack off=-513 size=1",
187	.result = REJECT,
188	},
189	{
190	"PTR_TO_STACK check low 4",
191	.insns = {
192	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
193	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
194	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
195	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
196	BPF_EXIT_INSN(),
197	},
198	.result = REJECT,
199	.errstr = "math between fp pointer",
200	},
201	{
202	"PTR_TO_STACK check low 5",
203	.insns = {
204	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
205	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
206	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
207	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
208	BPF_EXIT_INSN(),
209	},
210	.result = REJECT,
211	.errstr = "invalid stack off",
212	},
213	{
214	"PTR_TO_STACK check low 6",
215	.insns = {
216	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
217	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
218	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
219	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
220	BPF_EXIT_INSN(),
221	},
222	.result = REJECT,
223	.errstr = "invalid stack off",
224	},
225	{
226	"PTR_TO_STACK check low 7",
227	.insns = {
228	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
229	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
230	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
231	BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
232	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
233	BPF_EXIT_INSN(),
234	},
235	.result = REJECT,
236	.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
237	.errstr = "fp pointer offset",
238	},
239	{
240	"PTR_TO_STACK mixed reg/k, 1",
241	.insns = {
242	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
243	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
244	BPF_MOV64_IMM(BPF_REG_2, -3),
245	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
246	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
247	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
248	BPF_EXIT_INSN(),
249	},
250	.result = ACCEPT,
251	.retval = 42,
252	},
253	{
254	"PTR_TO_STACK mixed reg/k, 2",
255	.insns = {
256	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
257	BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
258	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
259	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
260	BPF_MOV64_IMM(BPF_REG_2, -3),
261	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
262	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
263	BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
264	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
265	BPF_EXIT_INSN(),
266	},
267	.result = ACCEPT,
268	.retval = 42,
269	},
270	{
271	"PTR_TO_STACK mixed reg/k, 3",
272	.insns = {
273	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
274	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
275	BPF_MOV64_IMM(BPF_REG_2, -3),
276	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
277	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
278	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
279	BPF_EXIT_INSN(),
280	},
281	.result = ACCEPT,
282	.retval = -3,
283	},
284	{
285	"PTR_TO_STACK reg",
286	.insns = {
287	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
288	BPF_MOV64_IMM(BPF_REG_2, -3),
289	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
290	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
291	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
292	BPF_EXIT_INSN(),
293	},
294	.result_unpriv = REJECT,
295	.errstr_unpriv = "invalid stack off=0 size=1",
296	.result = ACCEPT,
297	.retval = 42,
298	},
299	{
300	"stack pointer arithmetic",
301	.insns = {
302	BPF_MOV64_IMM(BPF_REG_1, 4),
303	BPF_JMP_IMM(BPF_JA, 0, 0, 0),
304	BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
305	BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
306	BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
307	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
308	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
309	BPF_ST_MEM(0, BPF_REG_2, 4, 0),
310	BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
311	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
312	BPF_ST_MEM(0, BPF_REG_2, 4, 0),
313	BPF_MOV64_IMM(BPF_REG_0, 0),
314	BPF_EXIT_INSN(),
315	},
316	.result = ACCEPT,
317	},
d2b6c3ab LN	318	{
	319	"store PTR_TO_STACK in R10 to array map using BPF_B",
	320	.insns = {
	321	/* Load pointer to map. */
	322	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
	323	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
	324	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
	325	BPF_LD_MAP_FD(BPF_REG_1, 0),
	326	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
	327	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
	328	BPF_MOV64_IMM(BPF_REG_0, 2),
	329	BPF_EXIT_INSN(),
	330	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
	331	/* Copy R10 to R9. */
	332	BPF_MOV64_REG(BPF_REG_9, BPF_REG_10),
	333	/* Pollute other registers with unaligned values. */
	334	BPF_MOV64_IMM(BPF_REG_2, -1),
	335	BPF_MOV64_IMM(BPF_REG_3, -1),
	336	BPF_MOV64_IMM(BPF_REG_4, -1),
	337	BPF_MOV64_IMM(BPF_REG_5, -1),
	338	BPF_MOV64_IMM(BPF_REG_6, -1),
	339	BPF_MOV64_IMM(BPF_REG_7, -1),
	340	BPF_MOV64_IMM(BPF_REG_8, -1),
	341	/* Store both R9 and R10 with BPF_B and read back. */
	342	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_10, 0),
	343	BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_1, 0),
	344	BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_9, 0),
	345	BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_1, 0),
	346	/* Should read back as same value. */
	347	BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_3, 2),
	348	BPF_MOV64_IMM(BPF_REG_0, 1),
	349	BPF_EXIT_INSN(),
	350	BPF_MOV64_IMM(BPF_REG_0, 42),
	351	BPF_EXIT_INSN(),
	352	},
	353	.fixup_map_array_48b = { 3 },
	354	.result = ACCEPT,
	355	.retval = 42,
	356	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
	357	},