bpf: add various verifier test cases for self-tests

		.off   = OFF,					\

		.imm   = 0 })

/* Atomic memory add, *(uint *)(dst_reg + off16) += src_reg */

#define BPF_STX_XADD(SIZE, DST, SRC, OFF)			\

	((struct bpf_insn) {					\

		.code  = BPF_STX | BPF_SIZE(SIZE) | BPF_XADD,	\

		.dst_reg = DST,					\

		.src_reg = SRC,					\

		.off   = OFF,					\

		.imm   = 0 })

/* Memory store, *(uint *) (dst_reg + off16) = imm32 */

#define BPF_ST_MEM(SIZE, DST, OFF, IMM)				\

LIBDIR := ../../../lib

BPFDIR := $(LIBDIR)/bpf

APIDIR := ../../../include/uapi

GENDIR := ../../../../include/generated

GENHDR := $(GENDIR)/autoconf.h

CFLAGS += -Wall -O2 -I../../../include/uapi -I$(LIBDIR)

ifneq ($(wildcard $(GENHDR)),)

  GENFLAGS := -DHAVE_GENHDR

endif

CFLAGS += -Wall -O2 -I$(APIDIR) -I$(LIBDIR) -I$(GENDIR) $(GENFLAGS)

LDLIBS += -lcap

TEST_GEN_PROGS = test_verifier test_tag test_maps test_lru_map test_lpm_map

#include <bpf/bpf.h>

#ifdef HAVE_GENHDR

# include "autoconf.h"

#else

# if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)

#  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1

# endif

#endif

#include "../../../include/linux/filter.h"

#ifndef ARRAY_SIZE

#define MAX_INSNS	512

#define MAX_FIXUPS	8

#define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)

struct bpf_test {

	const char *descr;

	struct bpf_insn	insns[MAX_INSNS];

		REJECT

	} result, result_unpriv;

	enum bpf_prog_type prog_type;

	uint8_t flags;

};

/* Note we want this to be 64 bit aligned so that the end of our array is

		.result = ACCEPT,

		.prog_type = BPF_PROG_TYPE_SCHED_CLS,

	},

	{

		"direct packet access: test15 (spill with xadd)",

		.insns = {

			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,

				    offsetof(struct __sk_buff, data)),

			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,

				    offsetof(struct __sk_buff, data_end)),

			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),

			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),

			BPF_MOV64_IMM(BPF_REG_5, 4096),

			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),

			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),

			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),

			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),

			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),

			BPF_MOV64_IMM(BPF_REG_0, 0),

			BPF_EXIT_INSN(),

		},

		.errstr = "R2 invalid mem access 'inv'",

		.result = REJECT,

		.prog_type = BPF_PROG_TYPE_SCHED_CLS,

	},

	{

		"helper access to packet: test1, valid packet_ptr range",

		.insns = {

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.result_unpriv = REJECT,

		.result = ACCEPT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"valid map access into an array with a variable",

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.result_unpriv = REJECT,

		.result = ACCEPT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"valid map access into an array with a signed variable",

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.result_unpriv = REJECT,

		.result = ACCEPT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"invalid map access into an array with a constant",

		.errstr = "R0 min value is outside of the array range",

		.result_unpriv = REJECT,

		.result = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"invalid map access into an array with a variable",

		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",

		.result_unpriv = REJECT,

		.result = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"invalid map access into an array with no floor check",

		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",

		.result_unpriv = REJECT,

		.result = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"invalid map access into an array with a invalid max check",

		.errstr = "invalid access to map value, value_size=48 off=44 size=8",

		.result_unpriv = REJECT,

		.result = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"invalid map access into an array with a invalid max check",

		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",

		.result_unpriv = REJECT,

		.result = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"multiple registers share map_lookup_elem result",

		.result = REJECT,

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.result_unpriv = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"constant register |= constant should keep constant type",

		.result_unpriv = REJECT,

	},

	{

		"map element value (adjusted) is preserved across register spilling",

		"map element value or null is marked on register spilling",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),

			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),

			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),

			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 leaks addr",

		.result = ACCEPT,

		.result_unpriv = REJECT,

	},

	{

		"map element value store of cleared call register",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),

			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R1 !read_ok",

		.errstr = "R1 !read_ok",

		.result = REJECT,

		.result_unpriv = REJECT,

	},

	{

		"map element value with unaligned store",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),

			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),

			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),

			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),

			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),

			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),

			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),

			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),

			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),

			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),

			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),

			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.result = ACCEPT,

		.result_unpriv = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"map element value with unaligned load",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),

			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),

			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),

			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),

			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),

			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),

			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),

			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),

			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),

			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.result = ACCEPT,

		.result_unpriv = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"map element value illegal alu op, 1",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),

			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.errstr = "invalid mem access 'inv'",

		.result = REJECT,

		.result_unpriv = REJECT,

	},

	{

		"map element value illegal alu op, 2",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),

			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.errstr = "invalid mem access 'inv'",

		.result = REJECT,

		.result_unpriv = REJECT,

	},

	{

		"map element value illegal alu op, 3",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),

			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.errstr = "invalid mem access 'inv'",

		.result = REJECT,

		.result_unpriv = REJECT,

	},

	{

		"map element value illegal alu op, 4",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),

			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.errstr = "invalid mem access 'inv'",

		.result = REJECT,

		.result_unpriv = REJECT,

	},

	{

		"map element value illegal alu op, 5",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),

			BPF_LD_MAP_FD(BPF_REG_1, 0),

			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),

			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),

			BPF_MOV64_IMM(BPF_REG_3, 4096),

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),

			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),

			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),

			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),

			BPF_EXIT_INSN(),

		},

		.fixup_map2 = { 3 },

		.errstr_unpriv = "R0 invalid mem access 'inv'",

		.errstr = "R0 invalid mem access 'inv'",

		.result = REJECT,

		.result_unpriv = REJECT,

	},

	{

		"map element value is preserved across register spilling",

		.insns = {

			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),

			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),

		.errstr_unpriv = "R0 pointer arithmetic prohibited",

		.result = ACCEPT,

		.result_unpriv = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",

		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",

		.result = REJECT,

		.result_unpriv = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	},

	{

		"invalid range check",

		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",

		.result = REJECT,

		.result_unpriv = REJECT,

		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,

	}

};

static void do_test_single(struct bpf_test *test, bool unpriv,

			   int *passes, int *errors)

{

	int fd_prog, expected_ret, reject_from_alignment;

	struct bpf_insn *prog = test->insns;

	int prog_len = probe_filter_length(prog);

	int prog_type = test->prog_type;

	int fd_f1 = -1, fd_f2 = -1, fd_f3 = -1;

	int fd_prog, expected_ret;

	const char *expected_err;

	do_test_fixup(test, prog, &fd_f1, &fd_f2, &fd_f3);

		       test->result_unpriv : test->result;

	expected_err = unpriv && test->errstr_unpriv ?

		       test->errstr_unpriv : test->errstr;

	reject_from_alignment = fd_prog < 0 &&

				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&

				strstr(bpf_vlog, "Unknown alignment.");

#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS

	if (reject_from_alignment) {

		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",

		       strerror(errno));

		goto fail_log;

	}

#endif

	if (expected_ret == ACCEPT) {

		if (fd_prog < 0) {

		if (fd_prog < 0 && !reject_from_alignment) {

			printf("FAIL\nFailed to load prog '%s'!\n",

			       strerror(errno));

			goto fail_log;

			printf("FAIL\nUnexpected success to load!\n");

			goto fail_log;

		}

		if (!strstr(bpf_vlog, expected_err)) {

		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {

			printf("FAIL\nUnexpected error message!\n");

			goto fail_log;

		}

	}

	(*passes)++;

	printf("OK\n");

	printf("OK%s\n", reject_from_alignment ?

	       " (NOTE: reject due to unknown alignment)" : "");

close_fds:

	close(fd_prog);

	close(fd_f1);