1// SPDX-License-Identifier: GPL-2.0
2/* Converted from tools/testing/selftests/bpf/verifier/value_adj_spill.c */
3
4#include <linux/bpf.h>
5#include <bpf/bpf_helpers.h>
6#include "bpf_misc.h"
7
8#define MAX_ENTRIES 11
9
10struct test_val {
11	unsigned int index;
12	int foo[MAX_ENTRIES];
13};
14
15struct {
16	__uint(type, BPF_MAP_TYPE_HASH);
17	__uint(max_entries, 1);
18	__type(key, long long);
19	__type(value, struct test_val);
20} map_hash_48b SEC(".maps");
21
22SEC("socket")
23__description("map element value is preserved across register spilling")
24__success __failure_unpriv __msg_unpriv("R0 leaks addr")
25__retval(0)
26__naked void is_preserved_across_register_spilling(void)
27{
28	asm volatile ("					\
29	r2 = r10;					\
30	r2 += -8;					\
31	r1 = 0;						\
32	*(u64*)(r2 + 0) = r1;				\
33	r1 = %[map_hash_48b] ll;			\
34	call %[bpf_map_lookup_elem];			\
35	if r0 == 0 goto l0_%=;				\
36	r1 = 42;					\
37	*(u64*)(r0 + 0) = r1;				\
38	r1 = r10;					\
39	r1 += -184;					\
40	*(u64*)(r1 + 0) = r0;				\
41	r3 = *(u64*)(r1 + 0);				\
42	r1 = 42;					\
43	*(u64*)(r3 + 0) = r1;				\
44l0_%=:	exit;						\
45"	:
46	: __imm(bpf_map_lookup_elem),
47	  __imm_addr(map_hash_48b)
48	: __clobber_all);
49}
50
51SEC("socket")
52__description("map element value or null is marked on register spilling")
53__success __failure_unpriv __msg_unpriv("R0 leaks addr")
54__retval(0)
55__naked void is_marked_on_register_spilling(void)
56{
57	asm volatile ("					\
58	r2 = r10;					\
59	r2 += -8;					\
60	r1 = 0;						\
61	*(u64*)(r2 + 0) = r1;				\
62	r1 = %[map_hash_48b] ll;			\
63	call %[bpf_map_lookup_elem];			\
64	r1 = r10;					\
65	r1 += -152;					\
66	*(u64*)(r1 + 0) = r0;				\
67	if r0 == 0 goto l0_%=;				\
68	r3 = *(u64*)(r1 + 0);				\
69	r1 = 42;					\
70	*(u64*)(r3 + 0) = r1;				\
71l0_%=:	exit;						\
72"	:
73	: __imm(bpf_map_lookup_elem),
74	  __imm_addr(map_hash_48b)
75	: __clobber_all);
76}
77
78char _license[] SEC("license") = "GPL";
79